Netgate Discussion Forum
    DNS over TLS forwarding howto

Category: DHCP and DNS
    57 Posts 16 Posters 20.6k Views
chrcoluk wrote:

      There is a chance of course you end up going to an invalid ip, but in my experience the chance of that happening is extremely tiny.  The providers that set silly low TTL that last just a few seconds change so they can redirect quickly in the event of an outage and for load balancing purposes, I cannot remember this causing me a problem in the several weeks I have been using it.

      pfSense CE 2.8.0

juruteknik wrote:

How do I know if it is working?

My dig result is still using port 53:

        
```
dig google.com

; <<>> DiG 9.11.2-P1 <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53396
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 9

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             29      IN      A       216.58.196.14

;; AUTHORITY SECTION:
google.com.             38383   IN      NS      ns2.google.com.
google.com.             38383   IN      NS      ns3.google.com.
google.com.             38383   IN      NS      ns1.google.com.
google.com.             38383   IN      NS      ns4.google.com.

;; ADDITIONAL SECTION:
ns2.google.com.         40481   IN      A       216.239.34.10
ns2.google.com.         239457  IN      AAAA    2001:4860:4802:34::a
ns3.google.com.         62066   IN      A       216.239.36.10
ns3.google.com.         241432  IN      AAAA    2001:4860:4802:36::a
ns4.google.com.         48518   IN      A       216.239.38.10
ns4.google.com.         239690  IN      AAAA    2001:4860:4802:38::a
ns1.google.com.         62057   IN      A       216.239.32.10
ns1.google.com.         240075  IN      AAAA    2001:4860:4802:32::a

;; Query time: 76 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Mon Apr 02 13:36:49 +08 2018
;; MSG SIZE  rcvd: 303
```

dem wrote:

@PertFlavus:

```
server:
ssl-upstream: yes
do-tcp: yes
forward-zone:
  name: "."
  forward-addr: {ipv4address}@853
  forward-addr: {ipv6address}@853
```


          This configuration causes lookup delays for me when a Domain Override is configured, perhaps because it affects how unbound tries to connect to the override server.

          I don't experience the delays with this configuration:

          
```
forward-zone:
    name: "."
    forward-ssl-upstream: yes
    forward-addr: 9.9.9.9@853
    forward-addr: 2620:fe::fe@853
```
          
nesense wrote:

Is it possible to use both DNS over TLS AND pfBlockerNG DNSBL in custom settings? Currently I have this line under custom settings:

```
server:include: /var/unbound/pfb_dnsbl.*conf
```

I tried adding the TLS code under that line but it didn't work. :(
A Former User wrote:

@nesense:

Is it possible to use both DNS over TLS AND pfBlockerNG DNSBL in custom settings? Currently I have this line under custom settings:

```
server:include: /var/unbound/pfb_dnsbl.*conf
```

I tried adding the TLS code under that line but it didn't work. :(


              Working fine here with DNSBL configured.

              "it didn't work" doesn't really give us a lot to help with/from. Are you hitting an error, is there anything useful to go off of in the DNS Resolver logs?


nesense wrote:

I replicated your config (removed the additional "server:" line) and it now works, but it took about 20 seconds until unbound started responding after applying the config. Thanks!


chrcoluk wrote:

There is an official Netgate guide on this feature now, following the launch of Cloudflare's service. :)

                  https://www.netgate.com/blog/dns-over-tls-with-pfsense.html


PertFlavus wrote:

                    There are some improvements in the guide provided by netgate as well compared to the original post. Rather than update my post with these changes I just edited a reference to the blog post.

I've upgraded to 2.4.4 to try out the changes for both forwarding DNS over TLS queries and providing it to internal hosts. So far these seem to work pretty well now that the Cloudflare/unbound compatibility issue is resolved.

molykule wrote:

                      Hi,

To get DNS over TLS working, do you have to change the resolver's listening port to 853, or would you leave that alone?
Also, would you change the firewall reroute port on LAN to 853 for using pfSense as the DNS server, or not?
When I use dig google.com I get 127.0.0.1 at port 53. Is this what you expect?

```
; <<>> DiG 9.11.2-P1 <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5629
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             211     IN      A       x.x.x.x
google.com.             211     IN      A       x.x.x.x
google.com.             211     IN      A       x.x.x.x
google.com.             211     IN      A       x.x.x.x
google.com.             211     IN      A       x.x.x.x
google.com.             211     IN      A       x.x.x.x

;; Query time: 111 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Apr 11 16:39:42 CDT 2018
;; MSG SIZE  rcvd: 135
```

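A note on the dig output in this post and in juruteknik's earlier one: `;; SERVER: 127.0.0.1#53` (or `192.168.1.1#53` from a LAN client) is the client-to-resolver hop, which is plain DNS on port 53 and stays that way; TLS only happens on the hop from unbound to the forwarder, so the thing to check is the unbound config, not the client's dig. The Python below is an added example for this thread, not pfSense or Unbound code. It reads a minimal unbound.conf and flags the mistakes this thread turns on: a server-wide `ssl-upstream: yes` reaching a port-53 Domain Override zone (which would explain the delays dem reports above, since unbound would attempt a TLS handshake against a plain-DNS server), TLS to port 853 without a `tls-cert-bundle` (encrypted, but the forwarder is never authenticated), and a TLS forwarder with no `#auth-name` to match the certificate against. The sample configs are constructed, modelled on dem's two snippets; the `/etc/ssl/cert.pem` bundle path and the shape of the Domain Override zone are assumptions, not taken from the thread.

```python
"""Lint unbound forward-zone settings for the DNS-over-TLS mistakes discussed in this thread.
Added example, not pfSense or Unbound code; it reads only the handful of attributes involved."""
import re
from dataclasses import dataclass, field

CLAUSES = {"server", "forward-zone", "stub-zone", "remote-control", "auth-zone"}


@dataclass
class Clause:
    name: str
    attrs: list = field(default_factory=list)   # ordered (key, value) pairs; forward-addr repeats

    def get(self, key, default=None):
        return next((v for k, v in self.attrs if k == key), default)

    def all(self, key):
        return [v for k, v in self.attrs if k == key]


def parse_unbound(text):
    """Minimal unbound.conf reader: a clause line ('server:') owns the 'key: value' lines after it."""
    clauses, current = [], None
    for raw in text.splitlines():
        # '#' opens a comment only at line start or after whitespace, so that the
        # auth-name form '9.9.9.9@853#dns.quad9.net' is not cut in half.
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        if key.strip() in CLAUSES:
            current = Clause(key.strip())
            clauses.append(current)
            line = value.strip()                 # tolerate 'server:include: ...' on one line
            if not line:
                continue
            key, _, value = line.partition(":")
        if current is None:
            raise ValueError(f"attribute outside any clause: {raw!r}")
        current.attrs.append((key.strip(), value.strip().strip('"')))
    return clauses


def split_forward_addr(addr):
    """'9.9.9.9@853#dns.quad9.net' -> ('9.9.9.9', 853, 'dns.quad9.net'); port defaults to 53."""
    host, _, authname = addr.partition("#")
    host, at, port = host.rpartition("@")
    if not at:                                   # no '@': the whole string was the address
        host, port = port, "53"
    return host, int(port), authname or None


def lint_dot(text):
    """Return a list of findings; an empty list means the forwarding setup is consistent."""
    findings, clauses = [], parse_unbound(text)
    server = next((c for c in clauses if c.name == "server"), Clause("server"))
    # A server-wide ssl-upstream applies to every forward-zone without its own
    # forward-ssl-upstream, including a port-53 zone written for a Domain Override.
    global_tls = server.get("ssl-upstream", server.get("tls-upstream", "no")) == "yes"
    bundle = server.get("tls-cert-bundle")
    for zone in (c for c in clauses if c.name == "forward-zone"):
        own = zone.get("forward-ssl-upstream", zone.get("forward-tls-upstream"))
        uses_tls = global_tls if own is None else own == "yes"
        for addr in zone.all("forward-addr"):
            _host, port, authname = split_forward_addr(addr)
            where = f"forward-zone {zone.get('name', '?')} -> {addr}"
            if uses_tls and port == 53:
                via = "server-wide ssl-upstream" if own is None else "forward-ssl-upstream"
                findings.append(f"{where}: TLS forced by {via} onto a plain port-53 server; lookups stall")
            elif uses_tls and not bundle:
                findings.append(f"{where}: TLS without tls-cert-bundle; encrypted but not authenticated")
            elif uses_tls and not authname:
                findings.append(f"{where}: no #auth-name, so no hostname is matched against the certificate")
            elif not uses_tls and port == 853:
                findings.append(f"{where}: port 853 with TLS off; plain DNS to a TLS port gets no answer")
    return findings


# Constructed samples modelled on the two snippets dem posted above, each followed by an
# assumed port-53 forward-zone of the kind a Domain Override produces.
OVERRIDE = 'forward-zone:\n    name: "corp.example"\n    forward-addr: 192.168.1.10\n'
SERVER_WIDE_TLS = """server:
ssl-upstream: yes
forward-zone:
    name: "."
    forward-addr: 9.9.9.9@853
    forward-addr: 2620:fe::fe@853
""" + OVERRIDE
PER_ZONE_TLS = """forward-zone:
    name: "."
    forward-ssl-upstream: yes
    forward-addr: 9.9.9.9@853
    forward-addr: 2620:fe::fe@853
""" + OVERRIDE
AUTHENTICATED = """server:
tls-cert-bundle: "/etc/ssl/cert.pem"   # assumed CA bundle path, not from the thread
forward-zone:
    name: "."
    forward-ssl-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 2620:fe::fe@853#dns.quad9.net
""" + OVERRIDE
```

Run `lint_dot()` over the generated `/var/unbound/unbound.conf` on the firewall (including whatever `include:` files it pulls in). For the on-the-wire confirmation the two dig outputs cannot give, capture on the WAN interface rather than the LAN: with TLS forwarding working, `tcpdump -ni <wan> 'port 53 or port 853'` should show only TCP 853 to the forwarder and no port-53 traffic leaving the box.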
Rainmaker wrote:

                        I'm noticing significant slow-down using this (i.e. DNS over TLS using unbound in pfSense), compared to running a secondary DoH or DNSCrypt proxy on local machines. For example, dnscrypt-proxy v2.0.8 now supports DoH in addition to DNSCrypt. I ran some tests from my MacBook Pro, a Ghost BSD machine, an iPhone X and a Windows 10 machine; first using pfSense and then using a local proxy pointed at the same upstream server (1.0.0.1 or 9.9.9.9).

                        All tests show that resolving DNS via pfSense (box and specs in my sig) is at least 2 to 3 times slower than running a DoH or dnscrypt proxy directly on the same local machines, despite them being set to forward to the same external DNS servers as pfSense.

                        Pastebin of examples here.

                        As you can see, using my pfSense box for DNS (192.168.1.1) is very slow. As soon as I enable Stubby on macOS (TLS), Simple DNSCrypt on Windows (dnscrypt-proxy using DoH), or AdGuard Pro on iOS (dnscrypt), the time to resolve is cut in half. It's still fairly quick either way, but there is an absolute and definite noticeable difference in real world usage. Browsing is instant with Stubby/Simple DNSCrypt/AdGuard, but takes an extra second or so after hitting enter before the site is found and loaded when running DNS via pfSense.

                        Initially I thought it could be a protocol difference, i.e. TLS being slower than DoH or dnscrypt. However Stubby on macOS uses TLS also, and that's still twice as fast as pfSense to the same DNS server (1.0.0.1 or 9.9.9.9) and for the same lookups. The pfSense hardware is easily beefy enough and doesn't break 3% CPU usage under load, so it can't be that…

                        So, any ideas?

                        WAN: 380/22 cable
                        Box: pfSense 2.4.3-RELEASE
                        Kaby Lake Pentium G4560 2c4t @ 3.5Ghz
                        Asrock mITX motherboard & pico PSU
                        4GB DDR4 RAM
                        60GB mSATA
                        2x Intel NIC (i210, 219v 1Gbps)

PertFlavus wrote:

                          Rainmaker, Unbound has one real major weakness in using DNS over TLS as a forwarder. It does not re-use tcp sessions. Each query is a TLS handshake. I'm willing to bet that this is entirely responsible for the increased query time that you are observing. Stubby supports out of order queries and tcp session reuse.

                          I know this is an item that unbound has patches to work on but it doesn't look like a trivial change.

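The session-reuse point above is easy to make measurable with a client that does what PertFlavus says Stubby does and unbound does not: one TLS handshake, then many length-prefixed queries on the same connection, sent back to back and matched to answers by message ID because a DoT server may reply out of order. The Python below is an added example for this thread, not Stubby, Unbound or pfSense code. Its wire-format helpers run offline; `resolve_over_tls` needs outbound TCP 853 and uses Quad9's address from the thread together with `dns.quad9.net` as the TLS authentication name (my addition, not from the thread), verified against the system CA store in the same spirit as unbound's `#auth-name` with a `tls-cert-bundle`.

```python
"""Minimal DNS-over-TLS client (RFC 7858) that reuses one TLS session for many queries.
Added example for this thread, not Stubby, Unbound or pfSense code."""
import socket
import ssl
import struct
import time


def build_query(name, qid, qtype=1):
    """Wire-format query for `name` with RD set; qtype 1 = A, 28 = AAAA."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = [bytes([len(p)]) + p.encode("ascii") for p in name.rstrip(".").split(".")]
    return header + b"".join(labels) + b"\x00" + struct.pack("!HH", qtype, 1)


def frame(msg):
    """DNS over TCP (and so over TLS) prefixes every message with its 2-byte length."""
    return struct.pack("!H", len(msg)) + msg


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return None                      # peer closed the stream
        buf += chunk
    return buf


def read_frame(sock):
    """Read one length-prefixed message; None on EOF."""
    hdr = recv_exact(sock, 2)
    return None if hdr is None else recv_exact(sock, struct.unpack("!H", hdr)[0])


def skip_name(msg, pos):
    """Advance past a domain name, which ends at a root label (1 byte) or a compression pointer (2 bytes)."""
    while msg[pos] != 0 and msg[pos] & 0xC0 != 0xC0:
        pos += 1 + msg[pos]
    return pos + (2 if msg[pos] & 0xC0 == 0xC0 else 1)


def parse_response(msg):
    """Return (qid, rcode, [A/AAAA addresses]) from a response; other RR types are skipped."""
    qid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4      # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        pos = skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        rdata, pos = msg[pos + 10:pos + 10 + rdlen], pos + 10 + rdlen
        if rtype == 1:
            addrs.append(socket.inet_ntop(socket.AF_INET, rdata))
        elif rtype == 28:
            addrs.append(socket.inet_ntop(socket.AF_INET6, rdata))
    return qid, flags & 0x0F, addrs


def resolve_over_tls(server_ip, auth_name, names, port=853):
    """Pipeline all queries over ONE authenticated TLS connection.
    Returns ({name: addrs_or_error}, handshake_seconds, total_seconds)."""
    ctx = ssl.create_default_context()     # system CA store; check_hostname is on by default, which is
    t0 = time.monotonic()                  # the equivalent of unbound's '#auth-name' plus tls-cert-bundle
    with socket.create_connection((server_ip, port), timeout=5) as raw, \
            ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
        handshake = time.monotonic() - t0
        pending = dict(enumerate(names, start=1))   # qid -> name; unique IDs let answers arrive in any order
        for qid, name in pending.items():
            tls.sendall(frame(build_query(name, qid)))   # no waiting between queries
        results = {}
        while pending:
            msg = read_frame(tls)
            if msg is None:
                raise ConnectionError("server closed the TLS session with queries outstanding")
            qid, rcode, addrs = parse_response(msg)
            results[pending.pop(qid)] = addrs if rcode == 0 else f"rcode {rcode}"
    return results, handshake, time.monotonic() - t0


if __name__ == "__main__":
    # Quad9 as in the thread; dns.quad9.net is its TLS authentication name (my addition).
    res, hs, total = resolve_over_tls("9.9.9.9", "dns.quad9.net", ["netgate.com", "quad9.net", "example.com"])
    print(f"handshake {hs * 1000:.0f} ms; {len(res)} answers in {total * 1000:.0f} ms on one connection")
    for name, addrs in res.items():
        print(f"  {name}: {addrs}")
```

Running it shows the handshake dominating the total and each subsequent query costing only a round trip, which is exactly the cost an implementation that opens a fresh TLS connection per query pays every time. Setting `server_hostname` is what turns "encrypted" into "authenticated": without a name to check, any certificate a trusted CA issued would be accepted.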
Rainmaker wrote:

                            @PertFlavus:

                            Rainmaker, Unbound has one real major weakness in using DNS over TLS as a forwarder. It does not re-use tcp sessions. Each query is a TLS handshake. I'm willing to bet that this is entirely responsible for the increased query time that you are observing. Stubby supports out of order queries and tcp session reuse.

                            I know this is an item that unbound has patches to work on but it doesn't look like a trivial change.

                            Ah, yes. I did read that on the dnsprivacy.org website a few weeks ago, but I'd forgotten all about it. That would indeed explain it. Not a big deal for now, I'll keep the local proxies running and use pfSense as a 'backup' for roaming devices, visitors etc who may not be otherwise protected. Thanks so much for taking the time to reply.


Rainmaker wrote:

                              On further reflection, and having re-read the dnsprivacy website: It's possible to run Stubby in conjunction with Unbound to get the best of both worlds. Unbound still ultimately deals with DNS and caching, but Stubby handles the TLS and reusing sessions etc. I wonder if this could be (or would be) implemented in pfSense? Both Stubby and its dependent library getdns are in ports, so it should easily be possible to set up manually. It'd be nice to see it 'baked in' though! :)


musicwizard wrote:

Just reading it here:
https://www.netgate.com/blog/dns-over-tls-with-pfsense.html

Is it also currently possible to use your own DNS server in pfSense for DNS over TLS, and not use another external DNS server?

PertFlavus wrote:

                                  @Music:

Is it also currently possible to use your own DNS server in pfSense for DNS over TLS, and not use another external DNS server?

                                  Currently no. The DNS over TLS standard has not yet been defined for caching resolver to authoritative server yet. It is still being worked on.

chrcoluk wrote:

                                    @PertFlavus:

                                    @Music:

Is it also currently possible to use your own DNS server in pfSense for DNS over TLS, and not use another external DNS server?

                                    Currently no. The DNS over TLS standard has not yet been defined for caching resolver to authoritative server yet. It is still being worked on.

I don't think that was his question.

His question, as I understand it, was: can you set up your own DNS resolver on a server somewhere and then communicate with it from pfSense over TLS? The answer should be yes. That DNS server would still communicate with upstream authoritative servers using the standard DNS protocol; the TLS part would just be between pfSense and that server.


northy wrote:

                                      Hi All

                                      New member to the forum but not a newbie to IT, Networking and Firewalls  :P

                                      Has anyone else noticed an issue with the following when using DNS over TLS

If you have a DynDNS service configured in the Dynamic DNS service of pfSense AND you have DNS over TLS configured, your DynDNS service DOES NOT update itself with IP address changes?????

                                      This sort of makes sense to me that it would not work as it sort of breaks the whole DNS over TLS reasoning but just wondered if anyone else was having these issues

                                      Cheers

                                      Northy

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.