Netgate Discussion Forum
pfSense Unbound DoT - additional setting needed?

    MikeV7896 (Jul 12, 2020, 12:54 PM; last edited by MikeV7896 Jul 17, 2020, 1:45 AM)

    So... I came across this blog post on another site from 2018 regarding Unbound forwarding and how many articles about setting up DoT and Unbound are missing one thing: Certificate validity checks. What does this mean? It means that anyone could still intercept your DoT request and replace it with a response of their own, even with just a self-signed certificate, and Unbound would be none the wiser.

    Here's the article: https://www.ctrl.blog/entry/unbound-tls-forwarding.html

    Apparently, there are two pieces needed to completely secure Unbound DoT:

    1. Root CA Bundle (located in /etc/ssl/cert.pem)
    2. An additional piece for each forwarder line indicating the TLS domain that the server will be presenting

    pfSense is already configured with #1. But #2 is the piece that is missing. Since pfSense just takes the DNS server IP addresses from System > General, it doesn't have any info regarding the domain that should be getting returned in the TLS certificate, thus not being able to fully validate that the request is coming from the server it thinks it is.

    From the Unbound Config man page (forward-addr):

    If you leave out the '#' and auth name from the forward-addr,
    any name is accepted. The cert must also match a CA from the
    tls-cert-bundle.

    I'll be happy to open a feature request for this (if something similar isn't already open), adding the ability to specify DNS forwarders on the DNS Resolver settings page, including the domain name. Maybe the System > General servers could be automatically imported, but don't allow saving until the domain names are added if the "Use SSL/TLS for outgoing queries..." option is checked? But this seems like a pretty big piece missing to ensure that DoT is fully secured here.

    The S in IOT stands for Security

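    A check for the gap described in this post, written as an added example that is not part of the thread or of pfSense: it parses an Unbound forward-zone configuration and flags forward-addr entries that lack the "#authname" suffix, zones without forward-tls-upstream, and a missing tls-cert-bundle. The sample configuration, the 192.0.2.x addresses and the hostname dns.example.net are constructed placeholders.

```python
import re

# Constructed sample unbound.conf fragment (not from the thread or pfSense);
# 192.0.2.x are documentation addresses and dns.example.net is a placeholder.
SAMPLE_CONF = """\
server:
    tls-cert-bundle: "/etc/ssl/cert.pem"

forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 192.0.2.1@853#dns.example.net
    forward-addr: 192.0.2.2@853
"""

# forward-addr value per the man page: IP, optional @port, optional #authname
ADDR_RE = re.compile(r'^(?P<host>\S+?)(?:@(?P<port>\d+))?(?:#(?P<auth>\S+))?$')


def audit_unbound_dot(conf_text):
    """Return (line, message) findings for forwarders Unbound cannot fully authenticate."""
    findings, have_bundle, section, zone_tls, zone_addrs = [], False, None, False, []

    def flush_zone():
        # Evaluate the forwarders of the zone just parsed (order of keys does not matter).
        for lineno, value, auth in zone_addrs:
            if not zone_tls:
                findings.append((lineno, f"{value}: forward-tls-upstream is not 'yes', queries leave in cleartext"))
            elif auth is None:
                findings.append((lineno, f"{value}: no '#authname', any CA-signed certificate is accepted"))

    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.endswith(':') and ' ' not in line:   # section header such as server: / forward-zone:
            flush_zone()
            section, zone_tls, zone_addrs = line[:-1], False, []
            continue
        key, _, value = line.partition(':')           # first colon only, so IPv6 values survive
        key = key.strip()
        value = value.split()[0].strip('"') if value.split() else ''
        if section == 'server' and key == 'tls-cert-bundle' and value:
            have_bundle = True
        elif section == 'forward-zone' and key == 'forward-tls-upstream':
            zone_tls = value.lower() == 'yes'
        elif section == 'forward-zone' and key == 'forward-addr':
            m = ADDR_RE.match(value)
            zone_addrs.append((lineno, value, m.group('auth') if m else None))
    flush_zone()
    if not have_bundle:   # without a bundle there is no CA check even with an auth name
        findings.insert(0, (0, "server: tls-cert-bundle missing, no CA validation at all"))
    return findings
```

Run on SAMPLE_CONF it reports only the second forwarder, which would accept any certificate a public CA signed for any name.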
      jimp (Rebel Alliance, Developer, Netgate), Jul 13, 2020, 7:03 PM

      System > General also includes a box to define the hostname for checking the cert validity. If you don't see that, you must be on an outdated version of pfSense.

        MikeV7896, Jul 17, 2020, 1:51 AM

        Thanks for that... I had seen the DNS hostname boxes, but must've missed the text below indicating that they're related to DoT. Something might want to be mentioned on the DNS Resolver page at the SSL/TLS checkbox too, that for best security the hostnames for the servers should be entered on System > General.
