Call For GETDNS and STUBBY package on pfSense
Dear Forum Members/ Developers,
I am calling for getdns and stubby to be made available in and on pfSense, with an install process for stubby/getdns as simple as: pkg install getdns
I toy with keeping up with FreeBSD distributions, and this is being proposed here:
https://github.com/opnsense/tools/commit/a27087a53b5*
I am not an expert by any means in FreeBSD software development or networking; however, you can see my contribution towards this end here: https://forum.netgate.com/topic/136322/dns-over-tls-getdns-and-stubby-amended-package-creation
Hopefully, pfSense will make the getdns package available in the pfSense repositories, with stubby also included in the package. If you feel as I do and it is possible, let's push for it. I say this because the Native Unbound DNS-Over-TLS Feature currently used in pfSense is not the best implementation of DNS OVER TLS. Native Unbound DNS-Over-TLS in truth will have to wait until OpenSSL 1.1.x is included in FreeBSD 12, or for the Unbound devs to find a way to validate it without using a function only available in OpenSSL 1.1.x. pfSense is based on FreeBSD; however, we will have to wait until OpenSSL 1.1.x is used by pfSense in order to use the Native Unbound DNS-Over-TLS Feature; see here:
https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=658
The DNS Privacy Project and the IETF recommend using getdns and stubby for DNS OVER TLS. Also, GETDNS and STUBBY are developed by NLnet Labs, the same developers who bring us Unbound, NSD, and OpenDNSSEC; see here: https://www.nlnetlabs.nl/ https://www.nlnetlabs.nl/projects/getdns/
So, I am advocating for the best current implementation of DNS OVER TLS and to keep pace with its standardized current development and the obvious direction that this all-important security feature is headed.
Peace,
ubernupe