DNS over TLS for internal hosts HOWTO



  • Hey,

    Below are some custom options I used to provide DNS over TLS to internal hosts. This is still new, very much not feature complete, and I do not recommend doing this. HOWEVER! It's fun, so if you want to play with it here you go. Normal DNS continues to function.

    The only use I can see for this would be providing encrypted dns lookups over an open wifi AP, assuming clients like Android support it. It seems like this is compatible with using ssl-upstream as well.

    There may also be additional steps required in the future to authenticate the certificate, using spki or otherwise.

    # Your pfSense box still resolves upstream over unencrypted connections, so use what privacy is available
    qname-minimisation: yes
    
    # interface-automatic prevents us from binding to 853, so turn it off
    interface-automatic: no
    
    # Listen on all interfaces (the defaults); customize the interface if you wish
    interface: 0.0.0.0@853
    interface: ::0@853
    
    # Serve DNS over TLS on the port 853 listeners
    ssl-port: 853
    
    # This is the default cert used by pfSense; it is only present if the web configurator is set up for HTTPS
    ssl-service-pem: "/var/etc/cert.crt"
    ssl-service-key: "/var/etc/cert.key"
    

    To use this on a FreeBSD client, create the following file:
    /etc/unbound/conf.d/dns-over-tls.conf

    
    server:
            ssl-upstream: yes
            do-tcp: yes
    
    forward-zone:
            name: "."
            forward-addr: 192.168.1.1@853   # pfSense server IP
    

    More info on DNS over TLS here:
    https://dnsprivacy.org/wiki/



  • It looks like on reboot the cert is not written to the disk fast enough for the DNS Resolver, so unbound fails to start.

    Heads up on that.



  • I've followed all this and the result of dig is still on port 53:

    
     dig google.com
    
    ; <<>> DiG 9.11.2-P1 <<>> google.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53396
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 9
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;google.com.                    IN      A
    
    ;; ANSWER SECTION:
    google.com.             29      IN      A       216.58.196.14
    
    ;; AUTHORITY SECTION:
    google.com.             38383   IN      NS      ns2.google.com.
    google.com.             38383   IN      NS      ns3.google.com.
    google.com.             38383   IN      NS      ns1.google.com.
    google.com.             38383   IN      NS      ns4.google.com.
    
    ;; ADDITIONAL SECTION:
    ns2.google.com.         40481   IN      A       216.239.34.10
    ns2.google.com.         239457  IN      AAAA    2001:4860:4802:34::a
    ns3.google.com.         62066   IN      A       216.239.36.10
    ns3.google.com.         241432  IN      AAAA    2001:4860:4802:36::a
    ns4.google.com.         48518   IN      A       216.239.38.10
    ns4.google.com.         239690  IN      AAAA    2001:4860:4802:38::a
    ns1.google.com.         62057   IN      A       216.239.32.10
    ns1.google.com.         240075  IN      AAAA    2001:4860:4802:32::a
    
    ;; Query time: 76 msec
    ;; SERVER: 1.1.1.1#53(1.1.1.1)
    ;; WHEN: Mon Apr 02 13:36:49 +08 2018
    ;; MSG SIZE  rcvd: 303
    
    

    Any further explanation of how to make it use 853?



  • Your DNS server should be listening on internal TCP port 853, but you'll need a client which can use it.

    At the moment, that's probably Stubby.
    https://getdnsapi.net/blog/dns-privacy-daemon-stubby/

    I didn't mess with this beyond just lab testing: one pfSense box configured to forward to another, which is set up to accept DNS over TLS. This is definitely not a default for a normal PC to use for DNS. I would not recommend doing this until it's fully supported either, as if your cert isn't there when unbound starts you won't have DNS resolution.
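A minimal DNS-over-TLS client, added here as an example (not code from this thread, pfSense, unbound or Stubby), shows what such a client does on the wire per RFC 7858: the DNS message gets the same two-byte length prefix as over TCP and travels inside TLS to port 853, which is why a plain `dig` still shows port 53. The function names and `cafile` are this example's own; it assumes the pfSense certificate (or its CA) is in `cafile`, so an unverifiable cert fails the handshake instead of being accepted silently.

```python
import socket
import ssl
import struct

def build_query(name, txid=0x1234, qtype=1):
    # 12-byte header (RD=1, one question) + QNAME labels + QTYPE + QCLASS=IN
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def frame(msg):
    # DoT (RFC 7858) reuses DNS-over-TCP framing: a 2-byte big-endian length prefix
    return struct.pack("!H", len(msg)) + msg

def _skip_name(buf, pos):
    # Step over labels until the root (0x00) or a 2-byte compression pointer
    while buf[pos] and buf[pos] & 0xC0 != 0xC0:
        pos += 1 + buf[pos]
    return pos + (2 if buf[pos] & 0xC0 == 0xC0 else 1)

def parse_a_records(resp, txid):
    # IPv4 addresses from the answer section; raise on id mismatch or error rcode
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or flags & 0x000F:
        raise ValueError("bad response: id %#x, rcode %d" % (rid, flags & 0xF))
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(resp, pos) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        pos = _skip_name(resp, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[pos:pos + 4]))
        pos += rdlen
    return addrs

def resolve_over_tls(name, server, port=853, cafile=None):
    # Assumes the resolver cert chains to `cafile` (or the system store); a failed
    # handshake is the authentication step the thread says is still missing
    ctx = ssl.create_default_context(cafile=cafile)
    txid = 0x1234
    with socket.create_connection((server, port), timeout=5) as raw, \
            ctx.wrap_socket(raw, server_hostname=server) as tls:
        tls.sendall(frame(build_query(name, txid)))
        reader = tls.makefile("rb")  # buffered reader returns exactly n bytes
        (length,) = struct.unpack("!H", reader.read(2))
        return parse_a_records(reader.read(length), txid)
```

Against the setup in the first post, `resolve_over_tls("example.com", "192.168.1.1", cafile="/path/to/pfsense-cert.crt")` (path assumed) returns the A records, or raises on a certificate that does not verify.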


  • Rebel Alliance Developer Netgate

    I added GUI controls for this to 2.4.4: https://redmine.pfsense.org/issues/8030



  • So far it works great, thanks jimp!



  • A bit of news: it is confirmed that Android P will have built-in support for DNS over TLS and automatically use it by default.

    https://android-developers.googleblog.com/2018/04/dns-over-tls-support-in-android-p.html
    DNS over TLS support in Android P Developer Preview


  • Rebel Alliance Developer Netgate

    @PertFlavus:

    A bit of news: it is confirmed that Android P will have built-in support for DNS over TLS and automatically use it by default.

    https://android-developers.googleblog.com/2018/04/dns-over-tls-support-in-android-p.html
    DNS over TLS support in Android P Developer Preview

    Nice! Now if only Google's public DNS servers would support DNS over TLS.