Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    DNS over TLS with SSL validation is working in 2.4.4-RELEASE!!!

    DHCP and DNS
    2
    3
    390
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • B
      bfeitell last edited by bfeitell

      Unbound in 2.4.4-RELEASE has apparently been updated to a version containing the new code to check certificates on peers when using DNS over TLS. To activate this functionality, the following should be added to the custom options section:

      server:
      tls-cert-bundle: /usr/local/share/certs/ca-root-nss.crt

      There should be a toggle in the GUI to activate this option.

      Here is what a validation looks like with logging set to "4" and newest entries first:

      0_1538301738314_Screen Shot 2018-09-30 at 5.59.44 AM.png

      Reference:
      https://www.ctrl.blog/entry/unbound-tls-forwarding

      1 Reply Last reply Reply Quote 1
      • jimp
        jimp Rebel Alliance Developer Netgate last edited by

        It looks nice but it isn't actually doing anything. It won't reject a failure like it should.

        See https://redmine.pfsense.org/issues/8030

        It silently approves everything, even if it doesn't match.

        1 Reply Last reply Reply Quote 1
        • B
          bfeitell last edited by

          Yes, this is true, but I'm excited to see that things are moving in the right direction. It is still possible to confirm certs visually in the logs. This feature will be a huge asset when the code matures. I'm not sure how fast the features will make it into pfSense absent another rebase. I'm hoping that FreeBSD sees fit to propagate the code back, but I don't know their policies on backporting features like that.

          1 Reply Last reply Reply Quote 0
          • First post
            Last post

          Products

          • Platform Overview
          • TNSR
          • pfSense
          • Appliances

          Services

          • Training
          • Professional Services

          Support

          • Subscription Plans
          • Contact Support
          • Product Lifecycle
          • Documentation

          News

          • Media Coverage
          • Press
          • Events

          Resources

          • Blog
          • FAQ
          • Find a Partner
          • Resource Library
          • Security Information

          Company

          • About Us
          • Careers
          • Partners
          • Contact Us
          • Legal
          Our Mission

          We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

          Subscribe to our Newsletter

          Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

          © 2021 Rubicon Communications, LLC | Privacy Policy