Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    DNS over TLS forwarding howto

    Scheduled Pinned Locked Moved DHCP and DNS
    57 Posts 16 Posters 20.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P
      PertFlavus
      last edited by

      EDIT:
      Better info can be found here:
      https://www.netgate.com/blog/dns-over-tls-with-pfsense.html

      Hey all,

      I was curious about dns over tls, so I figured I'd try it out.

      To get it to work with pfsense using DNS Resolver I made the following changes:

      1. disable forwarding mode
      2. Add these custom options:
      
      server:
      ssl-upstream: yes
      do-tcp: yes
      forward-zone:
        name: "."
        forward-addr: {ipv4address}@853
        forward-addr: {ipv6address}@853
      
      

      You can find servers to try out here:
      https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers

      You can also roll your own as I did, which they also provide guides for.

      If you have ideas of a better way to do this let me know! cheers!

      1 Reply Last reply Reply Quote 0
      • C
        chrcoluk
        last edited by

        this is still on my todo list for my network :) currently using dnscrypt but I expect doing it natively in unbound will be faster.

        Thanks for your information. :)

        pfSense CE 2.8.0

        1 Reply Last reply Reply Quote 0
        • johnpozJ
          johnpoz LAYER 8 Global Moderator
          last edited by

          So let me get this right… So your concerned with your privacy so your going to forward all your dns queries to some random dns server on the public net because it was on a list in some wiki article?  But your more secure because your isp can not see your queries?  Ok yeah see how that makes a lot of sense <rolleyes>This might be valid idea if every NS on the planet supported tls, and then you could actually resolve via tls.. Talk about extra overhead to something that is suppose to be QUICK! and small - why its udp..

          If your worried about someone watching and logging all your dns queries - forwarding for sure is not what you should be doing, because your just handing them every single thing you want to lookup.. So why would you not just resolve? Like unbound does out of the box on pfsense.  Now the root servers would know when you look up something for specific tld, but you wouldn't go ask them again for anything until you looked up something with a new tld, or ttl expired for the gTLD servers that own that tld.. The gTLD servers for your TLD would know what your looking for but like root they are run by multiple different orgs.. All over the planet.. And then they only get part of what you look for, just the stuff in a specific TLD.. And then only the first query for something in a domain, since once you have that cached you don't go ask them again for records that full under that specific domain, etc.

          Its nice of you to post how to do it.. But I just don't get why anyone would want too..</rolleyes>

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          1 Reply Last reply Reply Quote 0
          • V
            Velcro
            last edited by

            I too have privacy concerns and struggled with trusting OpenDNS vs using the resolver and opted to use resolver and have my DNS requests go thru my VPN only.

            I went to Services -> DNS Resolver -> General Settings tab -> Outgoing Network Interfaces -> Selected only my VPN interface (vs WAN and VPN Interface).

            Wouldn't this encrypt my DNS traffic? How is using DNScrypt or TLS any better?

            Thanks for posting PertFlavus…good discussion!

            1 Reply Last reply Reply Quote 0
            • johnpozJ
              johnpoz LAYER 8 Global Moderator
              last edited by

              Sending your dns through your vpn would hide it from your ISP, it would prevent your isp trying to do dns interception.  But once the query leaves your vpn endpoint it would be in the clear still.  Your vpn provider could be logging all the dns if they so desired..

              When you use a vpn, your trusting them not be logging or looking at your traffic because..

              dnscrypt just encrypts validates that your asking the forwarder your linking to.. Still run into the problem that you are giving them all of your dns queries, and have to trust them that they are giving you good data, etc. All that does just like the tls thing is hide it from your isp.. And again could prevent dns interception that your isp would be doing.

              I really do not get all this concern over dns leaks or god forbid my isp sees my that I looked up www.domain.tld

              So do you not have a smart phone - because shoot your provider and really anyone else with access using that phone knows exactly where you are 24/7

              Do you not use CC?  They know exactly what and where and when you bought a box of condoms and what beer you like, etc.

              Do you where a mask when you go outside, since the the camera's that are every where could be doing facial recognition on you.  Do you not use automatic tolling because the toll company knows exactly when you pass every toll booth.. For that matter they can track you in your car as you drive around the city via your license plate and all the speed camera's

              There is the impression of privacy, then their is reality of it all..  I personally don't really give two shits that my ISP knows that I went to forum.pfsense.org etc..  But that is just me..  What I would be more worried about is the place I get sent to for forum.pfsense.org is actually that - per the domain owners signing their records via dnssec and directly asking the listed authoritative NS..  Which brings a valid point pfsense.org be using dnssec which it is not.

              Should prob bring that up to them.. Since they provide unbound using dnssec as their default deployment, would be nice if their own domains were dnssec ;)  Same goes for netgate.com which I see also that they are missing their AAAA glue as well.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              1 Reply Last reply Reply Quote 0
              • BBcan177B
                BBcan177 Moderator
                last edited by

                Can also add "qname-minimisation | -strict" to reduce what gets sent during the resolving process… Should probably be an option in the pfSense Unbound GUI...

                https://www.unbound.net/documentation/unbound.conf.html
                https://ripe72.ripe.net/archives/video/219/

                qname-minimisation: <yes or="" no="">Send minimum  amount  of  information  to  upstream  servers  to
                              enhance privacy.  Only sent minimum required labels of the QNAME
                              and set QTYPE to NS when possible. Best  effort  approach;  full
                              QNAME and original QTYPE will be sent when upstream replies with
                              a RCODE other than NOERROR, except when receiving NXDOMAIN  from
                              a DNSSEC signed zone. Default is off.

                qname-minimisation-strict: <yes or="" no="">QNAME  minimisation  in strict mode. Do not fall-back to sending
                              full QNAME to potentially broken nameservers. A lot  of  domains
                              will  not be resolvable when this option in enabled. Only use if
                              you know what you are doing.  This option only has  effect  when
                              qname-minimisation is enabled. Default is off.</yes></yes>

                "Experience is something you don't get until just after you need it."

                Website: http://pfBlockerNG.com
                Twitter: @BBcan177  #pfBlockerNG
                Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                1 Reply Last reply Reply Quote 0
                • P
                  PertFlavus
                  last edited by

                  @johnpoz:

                  Sending your dns through your vpn would hide it from your ISP, it would prevent your isp trying to do dns interception.  But once the query leaves your vpn endpoint it would be in the clear still.  Your vpn provider could be logging all the dns if they so desired..

                  When you use a vpn, your trusting them not be logging or looking at your traffic because..

                  dnscrypt just encrypts validates that your asking the forwarder your linking to.. Still run into the problem that you are giving them all of your dns queries, and have to trust them that they are giving you good data, etc. All that does just like the tls thing is hide it from your isp.. And again could prevent dns interception that your isp would be doing.

                  I really do not get all this concern over dns leaks or god forbid my isp sees my that I looked up www.domain.tld

                  So do you not have a smart phone - because shoot your provider and really anyone else with access using that phone knows exactly where you are 24/7

                  Do you not use CC?  They know exactly what and where and when you bought a box of condoms and what beer you like, etc.

                  Do you where a mask when you go outside, since the the camera's that are every where could be doing facial recognition on you.  Do you not use automatic tolling because the toll company knows exactly when you pass every toll booth.. For that matter they can track you in your car as you drive around the city via your license plate and all the speed camera's

                  There is the impression of privacy, then their is reality of it all..  I personally don't really give two shits that my ISP knows that I went to forum.pfsense.org etc..  But that is just me..  What I would be more worried about is the place I get sent to for forum.pfsense.org is actually that - per the domain owners signing their records via dnssec and directly asking the listed authoritative NS..  Which brings a valid point pfsense.org be using dnssec which it is not.

                  Should prob bring that up to them.. Since they provide unbound using dnssec as their default deployment, would be nice if their own domains were dnssec ;)  Same goes for netgate.com which I see also that they are missing their AAAA glue as well.

                  To be clear, I did it because I could. It was fun. I also was able to host my own dns server, which wouldn't normally be possible, as it uses a different port/tcp. My VPS provider isn't as incentivised to scrape my traffic for ad revenue like google or my ISP are. Encrypting DNS by itself does nothing to keep your internet use private by itself though because https  sends the hostname in a SNI request over plain text. That might change with TLS 1.3.

                  Baby steps John, baby steps. Google's going to get their info one way or another anyhow. (And probably through DNS over TLS! https://www.xda-developers.com/android-dns-over-tls-website-privacy/ ) glares at Android phone

                  I've considered just sending my internet connection through my VPS using OpenVPN but I don't think it's performance is up to snuff. I also turned off dns over tls for now because of the above points. I just figured I'd share how to do it to show it's possible, and without an FR for support.

                  1 Reply Last reply Reply Quote 0
                  • johnpozJ
                    johnpoz LAYER 8 Global Moderator
                    last edited by

                    I see this use case scenario as prob not all that bad..

                    I run a vps somewhere.  On this vps out in the cloud I run a resolver..  I use dns over tls to talk to this resolver via forwarding from my location..

                    This hides your dns traffic from your isp.. This also hides your IP from from roots, and the authoritative servers even.

                    This allows you to use a resolver that you trust - your freaking running it ;)  Hides your dns traffic from your isp..  And prevents any so called dns leaks…

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                    1 Reply Last reply Reply Quote 0
                    • P
                      PertFlavus
                      last edited by

                      It's not bad, so far but you'll need more than one. Linode has $5 nodes, so if you get two in different data centers you're good to go.

                      Latency on lookup is noticeable. Quarter secondish.  My servers don't support tcp fast open and they're uncached queries, so I couldn't tell you which is causing the delay.

                      I can post my unbound server configs if you want to give it a try.

                      @BBcan177
                      qname-minimization appears to work fine, so I've updated the config. Thank you. =)

                      1 Reply Last reply Reply Quote 0
                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator
                        last edited by

                        "I can post my unbound server configs if you want to give it a try."

                        Thanks.. But have no real desire to try this at all.. Like I said I don't really care that my isp or roots can see that I go to forum.pfsense.org ;)

                        Its nice of you to share you info with the shinyhats out there.. But to me this is just waste of time.. You mean it slows down my dns.. Well sure sign me up! ;) lets give that a run hehehehehe

                        But why do you need two vps nodes?  As long as the node is up, you sure don't need 2 of them.

                        Now what bcan posted about qname-minimisation, this is good way to help out the shinyhat wearers and not add complexity and layers and latency to your dns I would think..  I might play with that a bit to see if have any issues resolving stuff I go to..

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                        1 Reply Last reply Reply Quote 0
                        • P
                          PertFlavus
                          last edited by

                          @johnpoz:

                          Why do you need two vps nodes?  As long as the node is up, you sure don't need 2 of them.

                          Because, at some point, it won't be, and there's not a damned thing you can do about that. It's another con to the waste of time.

                          In the above config your internet will totally stop working if the dns server you forward to is inaccessible because, say, your vps provider gets ddos'd ;)

                          1 Reply Last reply Reply Quote 0
                          • johnpozJ
                            johnpoz LAYER 8 Global Moderator
                            last edited by

                            My internet could also go down, I could loose power.. There could be a zombie Apocalypse as well ;)

                            As to the damn thing I could do about sure, if that vps goes down I just resolve normally… No reason to pay for extra vps because I would be worried that my vps provider gets hit with a ddos ;) hehehe

                            I use 3 different hosts for vpses - none of them have gone down because of ddos ;) tat I can recall  They have had maint, sure..  But to be honest pretty freaking impressed with the uptime.. Especially the the main one I use where I have 4 different vps int 3 different data centers, etc.

                            But sure yes failover planning and redundancy is part of any system that needs to be taken into account sure.

                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                            If you get confused: Listen to the Music Play
                            Please don't Chat/PM me for help, unless mod related
                            SG-4860 24.11 | Lab VMs 2.8, 24.11

                            1 Reply Last reply Reply Quote 0
                            • C
                              chrcoluk
                              last edited by

                              John personally I run my own dnscrypt endpoint, and I would do the same if I switched to unbound TLS.

                              In some parts of the world (UK especially) isp's actually intercept and filter DNS queries (yes this would also catch queries using pfsense as the resolver as its outbound port 53 to query authoritative servers) so there is net value to carrying out DNS privacy.  So I think in that case even using a 3rd party server would be worthwhile.

                              pfSense CE 2.8.0

                              1 Reply Last reply Reply Quote 0
                              • johnpozJ
                                johnpoz LAYER 8 Global Moderator
                                last edited by

                                If your isp is doing dns interception and doing any sort of injection or filtering to stop you from looking up something then by all means this makes sense..  Be it dnscrypt/tls tunnel - vpn, etc.  To get your data past such network.

                                My guess is they are attempting to block p2p sites, etc.  But doesn't matter what they are blocking - blocking whatever it is to me in violation to what they are suppose to be doing which is just providing you a net connection.  If you want to lookup up p0rn, p2p, whatever - and its out there.. They shouldn't be messing with your ability to look up the IP that is for sure.

                                But if all they are doing is logging it.. Then I don't give 2 shits..  If they want to sell it to someone that I seem to like xyz I really don't care.  But they better not mess with what is to be returned from the authoritative server.. If they were doing such a thing I would be on a different isp..

                                An intelligent man is sometimes forced to be drunk to spend time with his fools
                                If you get confused: Listen to the Music Play
                                Please don't Chat/PM me for help, unless mod related
                                SG-4860 24.11 | Lab VMs 2.8, 24.11

                                1 Reply Last reply Reply Quote 0
                                • P
                                  PertFlavus
                                  last edited by

                                  @chrcoluk:

                                  John personally I run my own dnscrypt endpoint, and I would do the same if I switched to unbound TLS.

                                  In some parts of the world (UK especially) isp's actually intercept and filter DNS queries (yes this would also catch queries using pfsense as the resolver as its outbound port 53 to query authoritative servers) so there is net value to carrying out DNS privacy.  So I think in that case even using a 3rd party server would be worthwhile.

                                  Damn.. that's terrible.. but why do they stop at dns when they could also filter http/https? I don't suppose you know a good source that describes this? I'd be interested in learning about it. I'm really hoping tls 1.3 includes a way to encrypt sni.

                                  1 Reply Last reply Reply Quote 0
                                  • C
                                    chrcoluk
                                    last edited by

                                    John yes UK isps commonly block p2p and other undesirable sites, there may be other motives for them to do so also.  But it is common practice in the UK sadly on the major isps.

                                    Just wanted to point out in some parts of the world on some isps there is a definite good reason to mask out DNS traffic. :)

                                    pfSense CE 2.8.0

                                    1 Reply Last reply Reply Quote 0
                                    • johnpozJ
                                      johnpoz LAYER 8 Global Moderator
                                      last edited by

                                      So why don't you just run through a vpn and be done with it?

                                      Here is a question for you.. Are they actually doing interception, or is their isp dns is just not returning the stuff they want you not to go to?  Its a whole different ball game to just block specific dns in your dns that your running vs intercepting users dns, or blocking outbound on 53..

                                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                                      If you get confused: Listen to the Music Play
                                      Please don't Chat/PM me for help, unless mod related
                                      SG-4860 24.11 | Lab VMs 2.8, 24.11

                                      1 Reply Last reply Reply Quote 0
                                      • P
                                        PertFlavus
                                        last edited by

                                        @BBcan177:

                                        Can also add "qname-minimisation | -strict" to reduce what gets sent during the resolving process… Should probably be an option in the pfSense Unbound GUI...

                                        https://www.unbound.net/documentation/unbound.conf.html
                                        https://ripe72.ripe.net/archives/video/219/

                                        qname-minimisation: <yes or="" no="">Send minimum  amount  of  information  to  upstream  servers  to
                                                      enhance privacy.  Only sent minimum required labels of the QNAME
                                                      and set QTYPE to NS when possible. Best  effort  approach;  full
                                                      QNAME and original QTYPE will be sent when upstream replies with
                                                      a RCODE other than NOERROR, except when receiving NXDOMAIN  from
                                                      a DNSSEC signed zone. Default is off.

                                        qname-minimisation-strict: <yes or="" no="">QNAME  minimisation  in strict mode. Do not fall-back to sending
                                                      full QNAME to potentially broken nameservers. A lot  of  domains
                                                      will  not be resolvable when this option in enabled. Only use if
                                                      you know what you are doing.  This option only has  effect  when
                                                      qname-minimisation is enabled. Default is off.</yes></yes>

                                        This looks incredibly easy to implement in the unbound package. I'll see if I can get a pull request for this soon. I will most likely not include a -strict option though as I don't see a reason to have it.

                                        edit: Maybe not so easy. I saw the files to edit in https://github.com/pfsense/pfsense-packages to edit, but I can't find the xml files or the inc files in the new repo, https://github.com/pfsense/FreeBSD-ports =/

                                        1 Reply Last reply Reply Quote 0
                                        • K
                                          kejianshi
                                          last edited by

                                          For me, unbound solved most of my DNS issues since I get to be my own dns server and the info comes directly from the root servers.

                                          The only way it could get better is if I typed in all the names and IPs by hand…    My hands hurt just thinking about it.

                                          1 Reply Last reply Reply Quote 0
                                          • T
                                            tman222
                                            last edited by

                                            Hi all,

                                            I have been following this thread and reading up a bit more on qname-minimisation.  Also found some info about the topic at this source:

                                            https://tools.ietf.org/html/rfc7816

                                            In order to enable this feature in pfSense DNS resolver, it is as simple as adding the appropriate line(s) to unbound.conf and then restarting Unbound?  If so, where is unbound.conf located in pfSense?

                                            One thing I'm not quite sure on:  Does this still offer protection when the DNS Resolver in pfSense is enabled with forwarding (to e.g. OpenDNS or Google instead of going to the root DNS servers)?  Or does it not offer any privacy enhancement in that case?

                                            Thanks in advance for your help, I really appreciate it.

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.