DNS over TLS forwarding howto
-
My internet could also go down, I could loose power.. There could be a zombie Apocalypse as well ;)
As to the damn thing I could do about sure, if that vps goes down I just resolve normally… No reason to pay for extra vps because I would be worried that my vps provider gets hit with a ddos ;) hehehe
I use 3 different hosts for vpses - none of them have gone down because of ddos ;) tat I can recall They have had maint, sure.. But to be honest pretty freaking impressed with the uptime.. Especially the the main one I use where I have 4 different vps int 3 different data centers, etc.
But sure yes failover planning and redundancy is part of any system that needs to be taken into account sure.
-
John personally I run my own dnscrypt endpoint, and I would do the same if I switched to unbound TLS.
In some parts of the world (UK especially) isp's actually intercept and filter DNS queries (yes this would also catch queries using pfsense as the resolver as its outbound port 53 to query authoritative servers) so there is net value to carrying out DNS privacy. So I think in that case even using a 3rd party server would be worthwhile.
-
If your isp is doing dns interception and doing any sort of injection or filtering to stop you from looking up something then by all means this makes sense.. Be it dnscrypt/tls tunnel - vpn, etc. To get your data past such network.
My guess is they are attempting to block p2p sites, etc. But doesn't matter what they are blocking - blocking whatever it is to me in violation to what they are suppose to be doing which is just providing you a net connection. If you want to lookup up p0rn, p2p, whatever - and its out there.. They shouldn't be messing with your ability to look up the IP that is for sure.
But if all they are doing is logging it.. Then I don't give 2 shits.. If they want to sell it to someone that I seem to like xyz I really don't care. But they better not mess with what is to be returned from the authoritative server.. If they were doing such a thing I would be on a different isp..
-
John personally I run my own dnscrypt endpoint, and I would do the same if I switched to unbound TLS.
In some parts of the world (UK especially) isp's actually intercept and filter DNS queries (yes this would also catch queries using pfsense as the resolver as its outbound port 53 to query authoritative servers) so there is net value to carrying out DNS privacy. So I think in that case even using a 3rd party server would be worthwhile.
Damn.. that's terrible.. but why do they stop at dns when they could also filter http/https? I don't suppose you know a good source that describes this? I'd be interested in learning about it. I'm really hoping tls 1.3 includes a way to encrypt sni.
-
John yes UK isps commonly block p2p and other undesirable sites, there may be other motives for them to do so also. But it is common practice in the UK sadly on the major isps.
Just wanted to point out in some parts of the world on some isps there is a definite good reason to mask out DNS traffic. :)
-
So why don't you just run through a vpn and be done with it?
Here is a question for you.. Are they actually doing interception, or is their isp dns is just not returning the stuff they want you not to go to? Its a whole different ball game to just block specific dns in your dns that your running vs intercepting users dns, or blocking outbound on 53..
-
Can also add "qname-minimisation | -strict" to reduce what gets sent during the resolving process… Should probably be an option in the pfSense Unbound GUI...
https://www.unbound.net/documentation/unbound.conf.html
https://ripe72.ripe.net/archives/video/219/qname-minimisation: <yes or="" no="">Send minimum amount of information to upstream servers to
enhance privacy. Only sent minimum required labels of the QNAME
and set QTYPE to NS when possible. Best effort approach; full
QNAME and original QTYPE will be sent when upstream replies with
a RCODE other than NOERROR, except when receiving NXDOMAIN from
a DNSSEC signed zone. Default is off.qname-minimisation-strict: <yes or="" no="">QNAME minimisation in strict mode. Do not fall-back to sending
full QNAME to potentially broken nameservers. A lot of domains
will not be resolvable when this option in enabled. Only use if
you know what you are doing. This option only has effect when
qname-minimisation is enabled. Default is off.</yes></yes>This looks incredibly easy to implement in the unbound package. I'll see if I can get a pull request for this soon. I will most likely not include a -strict option though as I don't see a reason to have it.
edit: Maybe not so easy. I saw the files to edit in https://github.com/pfsense/pfsense-packages to edit, but I can't find the xml files or the inc files in the new repo, https://github.com/pfsense/FreeBSD-ports =/
-
For me, unbound solved most of my DNS issues since I get to be my own dns server and the info comes directly from the root servers.
The only way it could get better is if I typed in all the names and IPs by hand… My hands hurt just thinking about it.
-
Hi all,
I have been following this thread and reading up a bit more on qname-minimisation. Also found some info about the topic at this source:
https://tools.ietf.org/html/rfc7816
In order to enable this feature in pfSense DNS resolver, it is as simple as adding the appropriate line(s) to unbound.conf and then restarting Unbound? If so, where is unbound.conf located in pfSense?
One thing I'm not quite sure on: Does this still offer protection when the DNS Resolver in pfSense is enabled with forwarding (to e.g. OpenDNS or Google instead of going to the root DNS servers)? Or does it not offer any privacy enhancement in that case?
Thanks in advance for your help, I really appreciate it.
-
"forwarding (to e.g. OpenDNS or Google instead of going to the root DNS servers)?"
Thought you said you read the RFC?? When you use the forwarder you do not talk to roots, you would have to send the forwarder the FULL thing your looking for, not just the pieces of the fqdn you need to find the authoritative server. So you could ask it for the record..
So in this scenario instead of asking roots hey whats the NS for .com in www.domain.com - its just asks hey whats the NS for .com
Then asks hey NS for .com whats the NS for domain.com, vs asking for NS of www.domain.comHow would that work with a forwarder?
You do not need to edit the conf file directly.. Just add it to the custom options box.
here… This simple.. see attached.
I ask the resolver hey www.testthisdomain.com and it just ask the NS for .com for testthisdomain.com vs the www.testthisdomain.com see attached sniff pic.
dig -x 192.31.80.30 +short
d.gtld-servers.net.;; QUESTION SECTION:
;com. IN NS;; ANSWER SECTION:
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
-
The spec was a good read. I removed it from the config above since forwarding to a DNS over TLS server would defeat the point, and I don't know if qname-minimisation is ignored automatically or not in this config. For now, DNS over TLS has to be explicitly enabled and does not work at all if the server's queried do not support it.
I also created an FR to add this as an option within the Advanced UI, so if anyone has anything to add… That's where I'd recommend doing it.
https://redmine.pfsense.org/issues/8028
edit: I wish i could edit these FR's for typos lol. How embarassing...
-
I added note to your FR, that I am now using the strict option as well.
If you or anyone else running the
server:
qname-minimisation: yes
qname-minimisation-strict: yesOptions in the custom option box find any domains your having a problem resolving - please post them so we can look resolving issue related to the settings or something, etc. I will post back after say a week or so if run into any problems.
-
Options in the custom option box find any domains your having a problem resolving - please post them so we can look resolving issue related to the settings or something, etc. I will post back after say a week or so if run into any problems.
Well that didn't take long. go.microsoft.com fails to resolve with qname-minimisation-strict enabled.
-
really… Let me look.
Well its a shitty cname to cname nonsense... Not good practice..
go.microsoft.com. 2810 IN CNAME go.microsoft.com.edgekey.net.
go.microsoft.com.edgekey.net. 437 IN CNAME e11290.dspg.akamaiedge.net.
e11290.dspg.akamaiedge.net. 2 IN A 23.45.146.138And if I had to guess, from my very limited understanding of the strict is the .com.edgekey.net is causing it issues.
Not like they don't warn you that strict could have issues with bad practice and naming conventions.
-
In some parts of the world (UK especially) isp's actually intercept and filter DNS queries (yes this would also catch queries using pfsense as the resolver as its outbound port 53 to query authoritative servers) so there is net value to carrying out DNS privacy. So I think in that case even using a 3rd party server would be worthwhile.
Not just UK… it happens in a number of developing countries I have lived in for various reasons. While a VPN is the best option it is not always ideal for all traffic and can cause certain issues. When I used to run Tomato firmware I used to use DNSCrypt with OpenDNS. At least this way I could be sure the DNS replies I was getting were not being intercepted and altered by my ISP. The solution to use unbound as a resolver isn't (I think) going to help against that at all.. is it?
I've read the various threads about DNSCrypt on here and don't really understand the reticence to implement it as an option. Most of the criticism seems to fall under "this isn't needed or useful against the threats in my use case scenario", because in most places ISPs are not actively intercepting…. but I believe it is useful in other use case scenarios. Personally I would like to see encryption of DNS traffic.
The desire (for me at least) is not so much about privacy but about the ability of the ISP to manipulate the DNS results and thus where I end up. I may not care that they know I'm visiting forum.pfsense.org, although I may care about some other sites in which case I'd use VPN, but I want to be sure that I'm not being sent instead to some fake site purporting to be forum.pfsense.org. I trust OpenDNS and pretty much any other major well-known western DNS provider a hell of a lot more than I trust my ISP to give clean results.
Disclaimer: I'm a newbie, be gentle :-)
-
To be honest, if on an isp that is intercepting your dns.. You should be using a vpn.. Because whatelse are they doing with your traffic if they are intercepting your dns?
If your in said country that is doing such things, really the only thing to do is vpn outside of that country before you send anything anywhere.. So that would be vpn solution.
Back to the strict setting.. Yeah seems doesn't like much of anything with MS that gets sent to the edgekey.net via cname… Couldn't get to blogs.technet.microsoft.com either I had to turn it off.
-
So why don't you just run through a vpn and be done with it?
Here is a question for you.. Are they actually doing interception, or is their isp dns is just not returning the stuff they want you not to go to? Its a whole different ball game to just block specific dns in your dns that your running vs intercepting users dns, or blocking outbound on 53..
Performance reasons, I dont need to redirect all my traffic, just DNS queries.
You really dont seem to like DNS privacy. :)
Although I do route my iptv boxes through a VPN. I like pfsense's policy routing abilities.
I request that you please dont ask anymore why we are doing this, this thread was made by the OP to discuss a how to, not why we doing it. DNSCrypt discussions got derailed in the same way.
-
I like my dns privacy very much… Why I run my own resolver.. What I don't understand is people with their shiny hats thinking that forwarding traffic to some specific NS out on the public internet is some sort of privacy.. Just beecause they are inside a tunnel.. Passing off this sort of setup as "privacy" is BS plain and simple... Its not privacy.. It circumvention of someone interfering with your traffic, or listening in on it.. But sending all of your queries to 1 specific company does not in any way shape or form promote "privacy"
More than happy to stay out of your discussion on a public forum.. Here to promote discussion and debate on topics related to pfsense.. Have at it.. ;) As you can see trying to help with the part of this discussion that actually makes sense. Use the qname security, etc. Roots don't need my FQDN, they just need the part of the FQDN they are responsible for.. But seems companies like to break that with bad use of names, bad practice of cname to cname, etc.
Even thanked the poster a few times for the info... But seems with all your wanting of "privacy" you not up for discussion of actual point of doing such a thing.. Cuz you can state privacy all you want - its not that.. Sorry... Back to your tunneling your traffic to some specific name server and sending them every single query you want to resolve all in one place ;)
-
I thought I would take a shot at this…I have attached a screenshot of my custom options in my DNS Resolver general settings. I am also running pfBlockerNG with DNSBL enabled, a pfB_DNSBL note was added when I enabled this.
I had to change the note a little("server:" had to have its own line), added "qname-minimisation: yes", restarted DNS resolver.
Does this enhance DNS privacy with just the "qname-minimisation: yes" or does one need to also add the "qname-minimisation-strict: yes"?
Does the order matter in terms of "include: /var/unbound/pfb_dnsbl.*conf" first then "qname-minimisation: yes" in this custom options?I am using DNS resolver(unbound), with unbound "Outgoing Network Interfaces" having just my VPN provider(I deselected WAN).
I tend to be more of a "shiny hat" kinda person....not sure if it is just "go.microsoft.com.edgekey.net" sites that break but I think I can live with out these sites...does this break Linkedin? Skype as well?
Awesome conversation and post from the forum...thank you all!
 -
"forwarding (to e.g. OpenDNS or Google instead of going to the root DNS servers)?"
Thought you said you read the RFC?? When you use the forwarder you do not talk to roots, you would have to send the forwarder the FULL thing your looking for, not just the pieces of the fqdn you need to find the authoritative server. So you could ask it for the record..
So in this scenario instead of asking roots hey whats the NS for .com in www.domain.com - its just asks hey whats the NS for .com
Then asks hey NS for .com whats the NS for domain.com, vs asking for NS of www.domain.comHow would that work with a forwarder?
You do not need to edit the conf file directly.. Just add it to the custom options box.
here… This simple.. see attached.
I ask the resolver hey www.testthisdomain.com and it just ask the NS for .com for testthisdomain.com vs the www.testthisdomain.com see attached sniff pic.
dig -x 192.31.80.30 +short
d.gtld-servers.net.;; QUESTION SECTION:
;com. IN NS;; ANSWER SECTION:
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.Thanks John, that makes a lot more sense to me now. I actually went ahead and tried this out today with qname-minimisation: yes enabled, and forwarding disabled and so far I haven't had any issues with DNS lookups. I won't enable strict mode just yet as I saw that you guys ran into some issues with it.
I do have more general question through regarding the Unbound resolver though: In the past I've had the resolver enabled with forwarding and used Google's public DNS servers as the upstream DNS servers to forward queries to in order to try to improve performance. Today I disabled forwarding to try out qname-minimisation for better privacy and to be honest I've haven't really found browsing to be any slower (despite the additional lookups that may be occurring). I'm curious if everyone else thinks that the added privacy is worth a bit of a performance hit in DNS lookup speed or whether one would be better of just using a the resolver together with forwarding to a fast public DNS (e.g. Google). What does everyone think?
Thanks in advance.
