Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    pfSense Unbound DoT - additional setting needed?

    Scheduled Pinned Locked Moved
    DHCP and DNS
    unbound dns resolver tls config
    2
    3
    955
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • MikeV7896M
      MikeV7896
      last edited by MikeV7896

      So... I came across this blog post on another site from 2018 regarding Unbound forwarding and how many articles about setting up DoT and Unbound are missing one thing: Certificate validity checks. What does this mean? It means that anyone could still intercept your DoT request and replace it with a response of their own, even with just a self-signed certificate, and Unbound would be none the wiser.

      Here's the article: https://www.ctrl.blog/entry/unbound-tls-forwarding.html

      Apparently, there are two pieces needed to completely secure Unbound DoT:

      1. Root CA Bundle (located in /etc/ssl/cert.pem)
      2. An additional piece for each forwarder line indicating the TLS domain that the server will be presenting

      pfSense is already configured with #1. But #2 is the piece that is missing. Since pfSense just takes the DNS server IP addresses from System > General, it doesn't have any info regarding the domain that should be getting returned in the TLS certificate, thus not being able to fully validate that the request is coming from the server it thinks it is.

      From the Unbound Config man page (forward-addr):

      If you leave out the '#' and auth name from the forward-addr,
      any name is accepted. The cert must also match a CA from the
      tls-cert-bundle.

      I'll be happy to open a feature request for this (if something similar isn't already open), adding the ability to specify DNS forwarders on the DNS Resolver settings page, including the domain name. Maybe the System > General servers could be automatically imported, but don't allow saving until the domain names are added if the "Use SSL/TLS for outgoing queries..." option is checked? But this seems like a pretty big piece missing to ensure that DoT is fully secured here.

      The S in IOT stands for Security

      1 Reply Last reply Reply Quote 0
      • jimpJ
        jimp Rebel Alliance Developer Netgate
        last edited by

        System > General also includes a box to define the hostname for checking the cert validity. If you don't see that, you must be on an outdated version of pfSense.

        ae326f84-d66e-4c2e-ae47-7de954098540-image.png

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        1 Reply Last reply Reply Quote 2
        • MikeV7896M
          MikeV7896
          last edited by

          Thanks for that... I had seen the DNS hostname boxes, but must've missed the text below indicating that they're related to DoT. Something might want to be mentioned on the DNS Resolver page at the SSL/TLS checkbox too, that for best security the hostnames for the servers should be entered on System > General.

          The S in IOT stands for Security

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.