DNS Resolver - SSL Handshake Fail/Server Cert Fail

  • Hello all,
    I have been using my pfSense homemade box for about 6 months now, learning all I can about it (double NAT'ed). About 3 weeks ago I went live with it and sent back my Comcast modem (now using an ARRIS SB6183). I have, like most I would imagine, "broken the internet" for the house already several times! LOL

    My latest, and current, major issue is getting "SSL/TLS for outgoing DNS Queries to Forwarding Servers" to work. I have looked high and low and have come up empty handed in trying to get this going on my own. I'm sure it's that "one thing" I overlooked or clicked by accident. Can you guys/girls give me a hand?

    Issue
    For some reason, as soon as I click/enable the "SSL/TLS for outgoing DNS Queries to Forwarding Servers" setting [screenshot]
    I lose all ability to go to websites and all software is unable to get outside the house. I still have a connection on the WAN, but can't use it. As soon as I disable it, all goes back to fully working.

    I did some searching and discovered that I was getting an "ssl handshake..." error and notice (see picture below). After seeing that, I have tried several things and different "Custom Options" at the bottom of the DNS Resolver settings to no avail.

    A few places I have looked for a resolution:
    unbound-tls-forwarding
    verify-tls-certs-unbound
    configure-unbound-to-validate-dns
    setup-dns-over-tls
    And let's not forget... www.google.com :-)

    I've also tried disabling pfBlocker, restarting pfSense, clearing states, cussing, swearing, not sleeping well b/c I keep thinking about this, & being in an overall grumpy mood most of the time!

    Now, I'm turning to you guys for some help and guidance.
    I have tried to give you any and all the info you may need about my system, but I'm sure there is more you would like me to show; if so, please let me know.

    Thank you all in advance!

    My info
    Version: 2.4.4-RELEASE-p3 (amd64)
    PC: Pentium(R) Dual-Core CPU E5300 @ 2.60GHz; 2 CPUs: 1 package(s) x 2 core(s); AES-NI CPU Crypto: No; about 3GB Ram

    [screenshots of the system and DNS Resolver settings]

    And b/c I read something about "time being off".
    [screenshot of the system time]

    https://dnsleaktest.com
    [screenshot of the dnsleaktest.com result]

    http://www.dnssec-or-not.com/
    [screenshot of the dnssec-or-not.com result]

    Firewall Rules
    [screenshots of the firewall rules]

    Errors/Notices
    [screenshot of the SSL handshake / server certificate error notice]



  • I tried setup-dns-over-tls and the instructions in that post worked right away (DNSSEC should be disabled of course, as it makes no sense to use DNSSEC when forwarding).

    The test as mentioned:

    [screenshot of the test]

    I could resolve just fine....

    Several observations:

    DNS Gateway should be None, I guess:
    [screenshot of the DNS Server gateway setting]

    You have something different.

    Also: verify that you have "Verify that you selected ALL network interfaces." selected. I did.

    Your log states, as you highlighted:

    [screenshot of the highlighted log lines]

    Thus, your certs failed verification.
    I tried 'real' certs from Let's Encrypt, and the auto-created "Web" cert from pfSense:

    [screenshot of the certificate selection]

    Both were accepted.

    Is your pfSense system time OK?



  • Thanks for the feedback.
    None of that seemed to help though... :-(

    Here is what I just tried:

    Changed my Gateway for both DNS Servers under settings from "WAN gateway" to "None".
    Changed my interfaces to "ALL" on "Network interfaces" and "Outbound Interfaces".

    Not sure how to make sure my certificates are in the right location on my system.
    I tried using my other Cert but no luck.

    My results while I had "853" enabled:
    [screenshots of the results with port 853 enabled]

    My results after disabling it:
    [screenshots of the results with port 853 disabled]

    Also, I verified my time is correct.
    Compared it to time.gov.

    Now, I didn't do a full reset after I enabled "SSL"; I'll have to try that later, but I'm pretty sure I've already done that too.



  • @Gertjan

    Are you sure about DNSSEC?

    @jimp said in Setup DNS over TLS on pfSense 2.4.4 p2 - Guide:

    DNSSEC is for validating authenticity (prevent spoofing, hijacked authoritative nameservers, etc).

    DNS over TLS is for encrypting transport (privacy).

    They do different things and both are useful, especially together, for increased security and privacy.

    There is no reason you can't run both, unless whatever you are forwarding to does not support one or the other.



  • @CiscoX said in DNS Resolver - SSL Handshake Fail/Server Cert Fail:

    Are you sure about DNSSEC?

    Yep, because you (have to) trust the server you forward to.
    See the discussion, the last 20 messages or so at the bottom of that guide.

    It might probably work with DNSSEC activated.
    But, hey, we're looking here at why things are not working for @ryan810cows, so I tend to stick with the guide and take all the other stuff out of the equation.



  • Where did you get those host names for Quad9 on the General tab?



  • I just made up the host names for Quad9.
    I thought that was just for organizational purposes.
    MAYBE that's it!!!
    I'll try it in a little while and report back!



  • Does Quad9 support DNS over TLS?

    We do support DNS over TLS on port 853 (the standard) using an auth name of dns.quad9.net.

    https://www.quad9.net/faq/



  • Interesting. I just read that too.
    Does that mean I need to put "dns.quad9.net" in both of the Host Names in the General settings, or just leave them blank?



  • @ryan810cows

    That is how mine is configured.



  • OMG.. That was it! I'm SOO happy that worked!!
    THANK YOU SOO SOO MUCH!! The community support here ROCKS!

    [screenshot of the working DNS Server settings with dns.quad9.net as the host name]
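The fix in this thread comes down to how unbound authenticates a TLS forwarder: the host name entered next to each DNS server ends up as the `#authname` part of an unbound `forward-addr: IP@853#authname` line, and unbound checks that name against the upstream's certificate. A made-up name cannot match any name in the certificate, so the handshake fails exactly as the "server cert fail" notice showed; `dns.quad9.net` matches, so it works. The script below is an added example for this thread, not pfSense or unbound code: it parses `forward-addr` entries, applies the same name-matching rule a TLS client uses (case-insensitive exact match or a single-label wildcard), and reports whether each entry would verify. The SAN list and the CA bundle path are constructed placeholders, not the real Quad9 certificate or a pfSense path.

```python
"""Check unbound TLS forwarder entries against certificate names.

Added example for this thread (not pfSense or unbound code). CONSTRUCTED_SANS
is an illustrative SAN list, not the contents of the real Quad9 certificate.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# unbound.conf forward-addr syntax for a TLS upstream: IP[@port][#authname]
FORWARD_ADDR_RE = re.compile(
    r"^(?P<ip>[^@#\s]+)(?:@(?P<port>\d+))?(?:#(?P<authname>[^\s#]+))?$"
)

# Constructed for illustration only; dns.quad9.net is the name the Quad9 FAQ gives.
CONSTRUCTED_SANS = ["dns.quad9.net", "*.quad9.net"]


@dataclass(frozen=True)
class Upstream:
    ip: str
    port: int
    authname: Optional[str]


def parse_forward_addr(value: str) -> Upstream:
    """Parse one forward-addr value; raises ValueError on malformed input."""
    m = FORWARD_ADDR_RE.match(value.strip())
    if m is None:
        raise ValueError(f"malformed forward-addr: {value!r}")
    ipaddress.ip_address(m["ip"])  # raises ValueError for a bad address
    port = int(m["port"]) if m["port"] else 53  # unbound's default port
    return Upstream(m["ip"], port, m["authname"])


def hostname_matches(authname: str, san_dns_names: List[str]) -> bool:
    """Match a name against dNSName SANs the way a TLS client does:
    case-insensitive exact match, or a wildcard covering exactly one label
    (*.quad9.net matches dns.quad9.net but not a.b.quad9.net)."""
    host = authname.lower().rstrip(".")
    for san in san_dns_names:
        san = san.lower().rstrip(".")
        if san.startswith("*."):
            if host.count(".") == san.count(".") and host.endswith(san[1:]):
                return True
        elif san == host:
            return True
    return False


def check_upstream(value: str, presented_sans: List[str]) -> Tuple[bool, str]:
    """Decide whether a forwarder entry would pass certificate-name verification."""
    up = parse_forward_addr(value)
    where = f"{up.ip}:{up.port}"
    if up.authname is None:
        return False, f"{where}: no #authname, so the certificate cannot be checked against a name"
    if not hostname_matches(up.authname, presented_sans):
        return False, f"{where}: auth name {up.authname!r} does not match any SAN in {presented_sans}"
    if up.port != 853:
        return True, f"{where}: name verifies, but port {up.port} is not the DNS-over-TLS standard 853"
    return True, f"{where}: auth name {up.authname!r} matches the certificate"


def render_forward_zone(entries: List[str], ca_bundle: str) -> str:
    """Render the unbound forward-zone block that corresponds to the pfSense
    setting. ca_bundle is the CA file unbound verifies against (path is caller-supplied)."""
    lines = ["server:", f'    tls-cert-bundle: "{ca_bundle}"', "forward-zone:",
             '    name: "."', "    forward-tls-upstream: yes"]
    lines += [f"    forward-addr: {e}" for e in entries]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Left: the made-up host name from the thread; right: the name Quad9 publishes.
    for entry in ["9.9.9.9@853#quad9-primary", "9.9.9.9@853#dns.quad9.net", "149.112.112.112@853"]:
        ok, reason = check_upstream(entry, CONSTRUCTED_SANS)
        print("OK  " if ok else "FAIL", reason)
    print(render_forward_zone(["9.9.9.9@853#dns.quad9.net",
                               "149.112.112.112@853#dns.quad9.net"],
                              "/path/to/ca-bundle.pem"))  # placeholder path
```

Run it as-is to see the made-up name rejected and `dns.quad9.net` accepted; the rendered block is what the pfSense checkbox plus host-name fields amount to in unbound terms, which is also a useful shape to compare against the generated resolver config when debugging a handshake failure.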

