Netgate Discussion Forum

    DNS over TLS for internal hosts HOWTO

    PertFlavus

      Hey,

      Below are some custom options I used to provide DNS over TLS to internal hosts. This is still new, very much not feature complete, and I do not recommend doing this. HOWEVER! It's fun, so if you want to play with it here you go. Normal DNS continues to function.

      The only use I can see for this would be providing encrypted dns lookups over an open wifi AP, assuming clients like Android support it. It seems like this is compatible with using ssl-upstream as well.

      There may also be additional steps required in the future to authenticate the certificate, using spki or otherwise.

      # Since your pfSense will still do the actual resolving over unencrypted connections, use what privacy is available.
      qname-minimisation: yes

      # interface-automatic prevents us from binding to 853, so turn it off.
      interface-automatic: no

      # These are the defaults (all interfaces). You may wish to restrict this to the internal interface address.
      interface: 0.0.0.0@853
      interface: ::0@853

      ssl-port: 853

      # This is the default cert used by pfSense. For it to be present you must have the webConfigurator set up for HTTPS.
      ssl-service-pem: "/var/etc/cert.crt"
      ssl-service-key: "/var/etc/cert.key"

      To use this on a freebsd client, create the following file:
      /etc/unbound/conf.d/dns-over-tls.conf

      server:
              ssl-upstream: yes
              do-tcp: yes

      # forward-zone is its own top-level clause in unbound.conf, not a server: option
      forward-zone:
              name: "."
              forward-addr: 192.168.1.1@853   # pfSense server IP

      More info on DNS over TLS here:
      https://dnsprivacy.org/wiki/

      PertFlavus
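To check that the resolver really answers on 853 (a plain `dig` will keep using port 53, as the later reply in this thread shows), here is an added example client, not code from the post or from pfSense: it builds a DNS query, sends it over TLS with the 2-byte length framing of RFC 7858, verifies the resolver's certificate against a CA file, and parses the A records. The server address 192.168.1.1 comes from the post; the cert file name `resolver.crt` and the hostname `pfsense.localdomain` are assumptions.

```python
import random, socket, ssl, struct

def build_query(name, qid):
    # RFC 1035 wire format: header (RD set, 1 question), QNAME labels, QTYPE=A, QCLASS=IN
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + labels + b"\x00\x00\x01\x00\x01"

def read_name(msg, off):
    # Decode a (possibly compressed) name; return (name, offset just past it in the record)
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # pointer to an earlier copy of the name
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if end is not None else off)
        labels.append(msg[off:off + length].decode())
        off += length

def parse_a_records(msg, expected_id):
    # Return [(name, ttl, ipv4)] from the answer section; a mismatched ID is rejected
    qid, _flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if qid != expected_id:
        raise ValueError("response ID does not match the query")
    off = 12
    for _ in range(qd):  # skip the echoed question(s): name + QTYPE + QCLASS
        off = read_name(msg, off)[1] + 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((name, ttl, socket.inet_ntoa(msg[off:off + 4])))
        off += rdlen
    return answers

def query_dot(server, name, cafile, server_name, port=853):
    # RFC 7858: a normal DNS message over TLS on 853, framed with a 2-byte length prefix
    ctx = ssl.create_default_context(cafile=cafile)  # trust only the resolver's own cert
    qid = random.randrange(65536)
    query = build_query(name, qid)
    with socket.create_connection((server, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)
            reply = tls.makefile("rb")
            (rlen,) = struct.unpack("!H", reply.read(2))
            return parse_a_records(reply.read(rlen), qid)
if __name__ == "__main__":  # assumed lab values: pfSense from the post, exported webConfigurator cert
    print(query_dot("192.168.1.1", "example.com", "resolver.crt", "pfsense.localdomain"))
```

The hostname passed as `server_name` must match the CN or SAN of the pfSense certificate, otherwise the TLS handshake is (correctly) refused.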

        It looks like on reboot the cert is not written to the disk fast enough for the DNS Resolver, so unbound fails to start.

        Heads up on that.

        juruteknik

          I've followed all this and the result of dig is still on port 53:

          
           dig google.com
          
          ; <<>> DiG 9.11.2-P1 <<>> google.com
          ;; global options: +cmd
          ;; Got answer:
          ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53396
          ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 9
          
          ;; OPT PSEUDOSECTION:
          ; EDNS: version: 0, flags:; udp: 4096
          ;; QUESTION SECTION:
          ;google.com.                    IN      A
          
          ;; ANSWER SECTION:
          google.com.             29      IN      A       216.58.196.14
          
          ;; AUTHORITY SECTION:
          google.com.             38383   IN      NS      ns2.google.com.
          google.com.             38383   IN      NS      ns3.google.com.
          google.com.             38383   IN      NS      ns1.google.com.
          google.com.             38383   IN      NS      ns4.google.com.
          
          ;; ADDITIONAL SECTION:
          ns2.google.com.         40481   IN      A       216.239.34.10
          ns2.google.com.         239457  IN      AAAA    2001:4860:4802:34::a
          ns3.google.com.         62066   IN      A       216.239.36.10
          ns3.google.com.         241432  IN      AAAA    2001:4860:4802:36::a
          ns4.google.com.         48518   IN      A       216.239.38.10
          ns4.google.com.         239690  IN      AAAA    2001:4860:4802:38::a
          ns1.google.com.         62057   IN      A       216.239.32.10
          ns1.google.com.         240075  IN      AAAA    2001:4860:4802:32::a
          
          ;; Query time: 76 msec
          ;; SERVER: 1.1.1.1#53(1.1.1.1)
          ;; WHEN: Mon Apr 02 13:36:49 +08 2018
          ;; MSG SIZE  rcvd: 303

          Any further explanation of how to make it use 853?

            PertFlavus

            Your DNS server should be listening on internal TCP port 853, but you'll need a client which can use it.

            At the moment, that's probably Stubby.
            https://getdnsapi.net/blog/dns-privacy-daemon-stubby/

            I didn't mess with this beyond just lab testing: one pfSense box configured to forward to another, which is set up to accept DNS over TLS. This is definitely not a default for a normal PC to use for DNS. I would not recommend doing this until it's fully supported either, as if your cert isn't there when unbound starts you won't have DNS resolution.

              jimp (Rebel Alliance Developer, Netgate)

              I added GUI controls for this to 2.4.4: https://redmine.pfsense.org/issues/8030

              Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

              Need help fast? Netgate Global Support!

              Do not Chat/PM for help!

                PertFlavus

                So far it works great, thanks jimp!

                  PertFlavus

                  A bit of news: it is confirmed that Android P will have built-in support for DNS over TLS and automatically use it by default.

                  https://android-developers.googleblog.com/2018/04/dns-over-tls-support-in-android-p.html
                  DNS over TLS support in Android P Developer Preview

                    jimp (Rebel Alliance Developer, Netgate)

                    @PertFlavus:

                    A bit of news: it is confirmed that Android P will have built-in support for DNS over TLS and automatically use it by default.

                    https://android-developers.googleblog.com/2018/04/dns-over-tls-support-in-android-p.html
                    DNS over TLS support in Android P Developer Preview

                    Nice! Now if only Google's public DNS servers would support DNS over TLS.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.