DoH Not working on pfSense 2.4.5
-
This post is deleted! -
For starters 853 is not doh, its dot.. If you can not talk to 9.9.9.9 over 853 then no dot will not work.
https://www.quad9.net/faq/
Does Quad9 support DNS over TLS?We do support DNS over TLS on port 853 (the standard) using an auth name of dns.quad9.net.
you have quad9 as the hostname - that is not correct, its the above dns.quad9.net per their faq.
Your wan rules have nothing to do with it.
And to be honest your floating rule has nothing to do with it either - unless your wanting clients to directly talk to quad9 on 853?
Do want clients to talk to unbound with dot as well? You have it setup to use your webgui cert? do you clients trust that cert?
You could use the tool kdig to test if dns over dot works..
user@NewUC:~$ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net www.google.com ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(CHACHA20-POLY1305) ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 62981 ;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1 ;; EDNS PSEUDOSECTION: ;; Version: 0; flags: ; UDP size: 1232 B; ext-rcode: NOERROR ;; QUESTION SECTION: ;; www.google.com. IN A ;; ANSWER SECTION: www.google.com. 64 IN A 172.217.9.36 ;; Received 59 B ;; Time 2020-11-09 17:33:53 CST ;; From 9.9.9.9@853(TCP) in 12.3 ms
If you want to test dot from a windows machine
https://github.com/ameshkov/dnslookupC:\tools>dnslookup www.google.com tls://dns.quad9.net 9.9.9.9 dnslookup v1.4.4 dnslookup result: ;; opcode: QUERY, status: NOERROR, id: 34052 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;www.google.com. IN A ;; ANSWER SECTION: www.google.com. 262 IN A 172.217.8.196 C:\tools>
I have to call out 9.9.9.9 in my tests because I locally block dot and doh names from resolving ie dns.quad9.net will not normally resolve on my network. But you can see above how easy to validate I can talk to them (had to turn off my block rules on firewall first)
-
Yes, DoT, Sorry, I had a typo. You made a lot of great points.
I was just trying to get DoT working and you nailed my mistake in hostname. I'll do some further research on the topics provided.
Thanks again for the quick reply and the very in-depth ways to check. Knew about dig but not "kdig".
-
Glad it was helpful.. And hopefully the next guy that finds this might also find useful info.
I'm a huge dig user, and really have zero use for doh or dot.. I block them specifically on my network.. I resolve - have no desire to hand all my dns to some company.. Will just resolve thank you very much. But there are useful tools to test with.
But no reason can not help others use - even if I think a horrible idea.. I wouldn't mind it too much if was fully opt in.. But these browsers and apps doing doh in the background, without fully and complete sign off from the user specifically to do it - is just horrible horrible direction.. Understanding how it works, how to validate it works - makes it easier to make sure its not viable on my network.. Its wrong - and just another way for these companies to monetize data, sorry but it has zero to do with user privacy or "security"
dot is better, because its easier to block apps and devices from using it.. But sneaking dns queries inside https normal 443 is not direction should be going..