DNS over TLS for internal hosts HOWTO
-
Hey,
Below are some custom options I used to provide DNS over TLS to internal hosts. This is still new, very much not feature complete, and I do not recommend doing this. HOWEVER! It's fun, so if you want to play with it here you go. Normal DNS continues to function.
The only use I can see for this would be providing encrypted DNS lookups over an open WiFi AP, assuming clients like Android support it. It seems like this is compatible with using ssl-upstream as well.
There may also be additional steps required in the future to authenticate the certificate, using spki or otherwise.
#since your pfSense will be doing the resolving over unencrypted connections, use what privacy is available..
qname-minimisation: yes
#This prevents us from binding to 853, so turning off
interface-automatic: no
#These are the default All interfaces. You may wish to customize the interface
interface: 0.0.0.0@853
interface: ::0@853
ssl-port: 853
#This is the default cert used by pfSense. In order for it to be present you must have the web configurator set up for https
ssl-service-pem: "/var/etc/cert.crt"
ssl-service-key: "/var/etc/cert.key"
To use this on a FreeBSD client, create the following file:
/etc/unbound/conf.d/dns-over-tls.conf

server:
    ssl-upstream: yes
    do-tcp: yes
forward-zone:
    name: "."
    forward-addr: 192.168.1.1@853  #pfSense server ip
More info on DNS over TLS here:
https://dnsprivacy.org/wiki/
-
It looks like on reboot the cert is not written to the disk fast enough for the DNS Resolver, so unbound fails to start.
Heads up on that.
-
I've followed all this and the result of dig is still on port 53:

dig google.com

; <<>> DiG 9.11.2-P1 <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53396
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 9

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             29      IN      A       216.58.196.14

;; AUTHORITY SECTION:
google.com.             38383   IN      NS      ns2.google.com.
google.com.             38383   IN      NS      ns3.google.com.
google.com.             38383   IN      NS      ns1.google.com.
google.com.             38383   IN      NS      ns4.google.com.

;; ADDITIONAL SECTION:
ns2.google.com.         40481   IN      A       216.239.34.10
ns2.google.com.         239457  IN      AAAA    2001:4860:4802:34::a
ns3.google.com.         62066   IN      A       216.239.36.10
ns3.google.com.         241432  IN      AAAA    2001:4860:4802:36::a
ns4.google.com.         48518   IN      A       216.239.38.10
ns4.google.com.         239690  IN      AAAA    2001:4860:4802:38::a
ns1.google.com.         62057   IN      A       216.239.32.10
ns1.google.com.         240075  IN      AAAA    2001:4860:4802:32::a

;; Query time: 76 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Mon Apr 02 13:36:49 +08 2018
;; MSG SIZE  rcvd: 303

Any further explanation of how to make it use 853?
-
Your DNS server should be listening on internal TCP port 853, but you'll need a client which can use it.
At the moment, that's probably Stubby.
https://getdnsapi.net/blog/dns-privacy-daemon-stubby/
I didn't mess with this beyond just lab testing. One pfSense box configured to forward to another, which is set up to accept DNS over TLS. This is definitely not a default for a normal PC to use for DNS. I would not recommend doing this until it's fully supported either, as if your cert isn't there when Unbound starts you won't have DNS resolution.
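Two things in this thread call for the same check: whether the pfSense listener from the first post really answers DNS over TLS on 853, and what a client has to do differently from the plain port-53 dig shown above. The script below is a minimal DNS-over-TLS client added here as an example; it is not code from the thread, pfSense, Unbound or Stubby. It implements the RFC 7858 exchange (a normal DNS-over-TCP message with its two-byte length prefix, carried inside a TLS session to port 853) and an optional SPKI pin, which is the "spki or otherwise" certificate check the first post says is still missing. The server address 192.168.1.1, the query name and the pin value are assumptions; the DNS messages and the DER structure used in the tests are constructed, not captured.

```python
import base64
import hashlib
import secrets
import socket
import ssl
import struct

# RFC 7858: DNS over TLS is the DNS-over-TCP format (2-byte length prefix per message)
# inside a TLS session to TCP port 853.

def build_query(qname, qtype=1, txid=None):
    """Wire-format DNS query with RD set and one question; qtype 1 = A, 28 = AAAA."""
    if txid is None:
        txid = secrets.randbits(16)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it in the stream)."""
    labels, end, hops = [], None, 0
    while True:
        n = msg[off]
        if (n & 0xC0) == 0xC0:                    # compression pointer
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", (end if end is not None else off)

def parse_response(msg, expected_id=None):
    """Parse the header and answer section; A/AAAA rdata is rendered as text."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if expected_id is not None and txid != expected_id:
        raise ValueError("transaction id mismatch: reply does not belong to our query")
    off = 12
    for _ in range(qd):                           # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = socket.inet_ntop(socket.AF_INET, rdata)
        elif rtype == 28 and rdlen == 16:
            rdata = socket.inet_ntop(socket.AF_INET6, rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "rcode": flags & 0xF, "answers": answers}

def _der_tlv(buf, off):
    """Return (tag, value_start, value_end) of the DER element at off."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                             # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, off, off + length

def extract_spki(cert_der):
    """Raw subjectPublicKeyInfo TLV of a DER certificate, without external libraries."""
    _, tbs_start, _ = _der_tlv(cert_der, 0)            # Certificate SEQUENCE
    _, off, _ = _der_tlv(cert_der, tbs_start)          # tbsCertificate SEQUENCE
    tag, _, end = _der_tlv(cert_der, off)
    if tag == 0xA0:                                    # optional [0] EXPLICIT version
        off = end
    for _ in range(5):                                 # serial, signature, issuer, validity, subject
        _, _, off = _der_tlv(cert_der, off)
    _, _, spki_end = _der_tlv(cert_der, off)
    return cert_der[off:spki_end]

def spki_pin(cert_der):
    """base64(SHA-256(SPKI)): the pin format of RFC 7469 and Stubby's tls_pubkey_pinset."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode("ascii")

def _recv_exact(conn, n):
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TLS peer closed mid-message")
        buf += chunk
    return buf

def dot_query(server_ip, qname, qtype=1, server_name=None, cafile=None, pin=None):
    """One DNS-over-TLS query. With server_name=None the certificate is not validated by
    the PKI (pfSense's default cert is self-signed), so the pin is the only authentication."""
    ctx = ssl.create_default_context(cafile=cafile)
    if server_name is None:
        ctx.check_hostname = False                # must precede verify_mode = CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    txid = secrets.randbits(16)
    query = build_query(qname, qtype, txid)
    with socket.create_connection((server_ip, 853), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            if pin is not None:                   # a client always receives the server cert
                seen = spki_pin(tls.getpeercert(binary_form=True))
                if seen != pin:
                    raise ssl.SSLError("SPKI pin mismatch, got %s" % seen)
            tls.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            reply = _recv_exact(tls, length)
    return parse_response(reply, expected_id=txid)

if __name__ == "__main__":
    # Assumed: the pfSense box from the thread. Pass pin="<base64 SHA-256 of its SPKI>"
    # to authenticate the resolver; pin=None only hides the query from the wireless segment.
    result = dot_query("192.168.1.1", "example.com", pin=None)
    print("rcode", result["rcode"])
    for name, rtype, ttl, rdata in result["answers"]:
        print(name, rtype, ttl, rdata)
```

If the TLS handshake fails or the connection is refused, Unbound is not listening on 853 (for instance because the certificate was not present at start-up, as the earlier post describes); if the query succeeds, the same reply arrived over TLS rather than over UDP 53 as in the dig output above. The pin to pass can be computed on the pfSense box from the cert the first post points at: `openssl x509 -in /var/etc/cert.crt -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64`. Without a pin or a trusted CA this is opportunistic encryption only: anyone who can intercept the path to 853 could present their own certificate and read or alter the queries.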
-
I added GUI controls for this to 2.4.4: https://redmine.pfsense.org/issues/8030
-
So far it works great, thanks jimp!
-
A bit of news: it is confirmed that Android P will have built-in support for DNS over TLS and automatically use it by default.
https://android-developers.googleblog.com/2018/04/dns-over-tls-support-in-android-p.html
-
Nice! Now if only Google's public DNS servers would support DNS over TLS.