pfSense 2.5.2 - New Fresh Guaranteed DNS OVER TLS
-
Dear Community,
First, you all know the drill by now - " The Intro " - as a peace loving man and in light of the turbulent times we all must endure - here we go without further ado - Kool and The Gang / https://www.youtube.com/watch?v=JgxWC3iZh7A and the lyrics if you care to sing along - https://genius.com/Kool-and-the-gang-love-and-understanding-lyrics and one of my favorites - The Chambers Brothers - https://www.youtube.com/watch?v=BvCH-6kOAGs - lyrics here : https://genius.com/The-chambers-brothers-love-peace-and-happiness-lyrics
This is a new updated guide designed to assist you in installing DNS Privacy DNS OVER TLS on pfSense 2.5.2 . Please disregard and do not use any guides and / or tutorials which predate this one. The setup features getdns and Stubby forwarded to and integrated with Unbound. You may refer to my earlier guide / tutorial here for additional information regarding the benefits of DNS Privacy DNS OVER TLS - see link here - https://bit.ly/3p0AGwXOK - Here we go - let's get down to the business at hand.
The first thing we must do is install all the necessary packages for this to work properly. Now you need to know that when you try to view the packages on the FreeBSD servers by way of their url - for example , https://pkg.freebsd.org/FreeBSD:12:amd64/quarterly/All/ - you will get the 403 Forbidden message. There is a remedy / workaround that will allow you to check out exactly what are the most recent package versions for you to install. Go to https://pkgs.org/ - once there - you will see a search box in the upper right hand corner. Just enter the package you wish to find there - then go down to FreeBSD 12 ( the distributions are listed alphabetically ) - next click on FreeBSD amd64 ( the distro pfSense 2.5.2 is based on ) - finally, go down to the Download section and copy your download url found next to the Binary Package section.
1 - There are four dependency packages required before actually installing the getdns package. Two are available in the pfSense package repositories and two from the FreeBSD repository. Lastly the getdns package itself is also in the FreeBSD repository.
So to begin, enter these commands below in this order :
A # pkg install libuv
B # pkg install libyaml
( both of these will install from the native pfSense 2.5.2 box ) .
The following packages must be installed from FreeBSD.
C # pkg add https://pkg.freebsd.org/FreeBSD:12:amd64/quarterly/All/libev-4.33,1.txz
D # pkg add https://pkg.freebsd.org/FreeBSD:12:amd64/quarterly/All/libidn-1.35.txz
Now - here is where this guide diverges from its predecessors. There is a new specific iteration of Unbound which pfSense 2.5.2 has installed.
The package is called unbound112-1.12.0_1 . Now if you attempt to add the getdns-1.5.2_4.txz package via the pkg add url method - see below :
( # pkg add https://pkg.freebsd.org/FreeBSD:12:amd64/quarterly/All/getdns-1.5.2_4.txz ) ### this will not work !
The installation will fail and complain that " missing dependency Unbound " is the reason.
So here is the solution to that dilemma below : enter the following command
E # fetch https://pkg.freebsd.org/FreeBSD:12:amd64/quarterly/All/getdns-1.5.2_4.txz
From there you can enter the command # ls -a / and you will see that the getdns-1.5.2_4.txz package is now in your root directory. Next just enter the command
F # pkg install getdns-1.5.2_4.txz
Follow the prompts, answering " yes " to any and all.
By the way, once this package is successfully installed it must remain in your root
directory; otherwise DNS OVER TLS will stop working if you remove it for any reason.
Now you may proceed in the usual fashion.
2 - Now to put all of this together. The stubby.in file is located here - /usr/local/etc/rc.d/stubby by default.
First though, Stubby needs the Unbound root.key - run this command before getting started:
# su -m unbound -c /usr/local/sbin/unbound-anchor
Then - A - Issue this command :
# mv /usr/local/etc/rc.d/stubby /usr/local/etc/rc.d/stubby.sh
Make it executable - I run two commands - it works for me:
# chmod 755 /usr/local/etc/rc.d/stubby.sh
B - Yes, you must enable the Stubby daemon in the file - open the file by :
# nano /usr/local/etc/rc.d/stubby.sh
Go to line 27 - : ${stubby_enable="NO"} - and change the setting to : ${stubby_enable="YES"} -
that is all you have to do to this file. It comes pre-configured. Save and exit.
3 - Now you must configure Stubby to resolve DNS OVER TLS -
A - # nano /usr/local/etc/stubby/stubby.yml
################################################################################
######################## STUBBY YAML CONFIG FILE ###############################
################################################################################
# This is a yaml version of the stubby configuration file (it replaces the
# json based stubby.conf file used in earlier versions of getdns/stubby).
#
# For more information see
# https://dnsprivacy.org/wiki/display/DP/Configuring+Stubby
#
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private : 1
idle_timeout: 9000
listen_addresses:
  - 127.0.0.1@8053
  - 0::1@8053
tls_connection_retries: 5
tls_backoff_time: 900
timeout: 2000
round_robin_upstreams: 1
tls_ca_file: "/usr/local/share/certs/ca-root-nss.crt"
dnssec_trust_anchors: "/usr/local/etc/unbound/root.key" # add the right path
upstream_recursive_servers:
# Each address is its own list item, so tls_auth_name / tls_port / tls_pubkey_pinset
# are given for both the IPv4 and the IPv6 address of a dual-stack server. An item
# carrying neither a tls_auth_name nor a pinset has nothing to authenticate against
# under GETDNS_AUTHENTICATION_REQUIRED.
### IPV4 Servers ###
### DNS Privacy DOT Test Servers ###
## 1 - The getdnsapi.net DNS TLS Server A+ ( NLD )
  - address_data: 185.49.141.37
    tls_auth_name: "getdnsapi.net"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=
  - address_data: 2a04:b900:0:100::38
    tls_auth_name: "getdnsapi.net"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q=
## 2 - The Surfnet/Sinodun DNS TLS Servers #3 A+ ( NLD )
  - address_data: 145.100.185.18
    tls_auth_name: "dnsovertls3.sinodun.com"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 5SpFz7JEPzF71hditH1v2dBhSErPUMcLPJx1uk2svT8=
  - address_data: 2001:610:1:40ba:145:100:185:18
    tls_auth_name: "dnsovertls3.sinodun.com"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 5SpFz7JEPzF71hditH1v2dBhSErPUMcLPJx1uk2svT8=
## xx - The Surfnet/Sinodun DNS TLS Server A ( NLD )
  - address_data: 145.100.185.15
    tls_auth_name: "dnsovertls.sinodun.com"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
  - address_data: 2001:610:1:40ba:145:100:185:15
    tls_auth_name: "dnsovertls.sinodun.com"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 62lKu9HsDVbyiPenApnc4sfmSYTHOVfFgL3pyB+cBL4=
## xx - The Surfnet/Sinodun DNS TLS Server #1 A ( NLD )
  - address_data: 145.100.185.16
    tls_auth_name: "dnsovertls1.sinodun.com"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=
  - address_data: 2001:610:1:40ba:145:100:185:16
    tls_auth_name: "dnsovertls1.sinodun.com"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: cE2ecALeE5B+urJhDrJlVFmf38cJLAvqekONvjvpqUA=
## 3 - The dns.cmrg.net DNS TLS Server A+ ( CAN )
  - address_data: 199.58.81.218
    tls_auth_name: "dns.cmrg.net"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo=
  - address_data: 2001:470:1c:76d::53
    tls_auth_name: "dns.cmrg.net"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: 3IOHSS48KOc/zlkKGtI46a9TY9PPKDVGhE3W2ZS4JZo=
## 4 - The BlahDNS Japan DNS TLS Server A+ ( JPN )
  - address_data: 139.162.112.47
    tls_auth_name: "dot-jp.blahdns.com"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: /llFOsnvj7GcXasKrojhZl6nRnnn4D8sRuDUKEdiZzM=
  - address_data: 2400:8902::f03c:92ff:fe27:344b
    tls_auth_name: "dot-jp.blahdns.com"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: /llFOsnvj7GcXasKrojhZl6nRnnn4D8sRuDUKEdiZzM=
## xx - The BlahDNS German DNS TLS Server A+ ( USA Hosted In DEU )
  - address_data: 78.46.244.143
    tls_auth_name: "dot-de.blahdns.com"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: c6xmf1GsYo1IFyxc+CWfjYo+xpSV9i98H7InJTDylsU=
  - address_data: 2a01:4f8:c17:ec67::1
    tls_auth_name: "dot-de.blahdns.com"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: c6xmf1GsYo1IFyxc+CWfjYo+xpSV9i98H7InJTDylsU=
## xx - The BlahDNS Finland DNS TLS Server A+ ( FIN )
  - address_data: 95.216.212.177
    tls_auth_name: "dot-fi.blahdns.com"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: EVL610kmcSvN01nzJkkzl94IHiIVvW0PovbB5En2QfU=
  - address_data: 2a01:4f9:c010:43ce::1
    tls_auth_name: "dot-fi.blahdns.com"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: EVL610kmcSvN01nzJkkzl94IHiIVvW0PovbB5En2QfU=
## xx - The BlahDNS Singapore DNS TLS Server A+ ( SGP )
  - address_data: 192.53.175.149
    tls_auth_name: "dot-sg.blahdns.com"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: B+aX4NBLfDsKlOWf8RM6rjL8yOCF9sZlHQnarDNrrWM=
  - address_data: 2400:8901::f03c:92ff:fe27:870a
    tls_auth_name: "dot-sg.blahdns.com"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: B+aX4NBLfDsKlOWf8RM6rjL8yOCF9sZlHQnarDNrrWM=
## xx - The BlahDNS Switzerland DNS TLS Server A+ ( CHE )
  - address_data: 45.91.92.121
    tls_auth_name: "dot-ch.blahdns.com"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: cxti1XR6uW483xAioP3d1ZaoGSy+obY6WaE4fW1A6Nk=
  - address_data: 2a05:9406::175
    tls_auth_name: "dot-ch.blahdns.com"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: cxti1XR6uW483xAioP3d1ZaoGSy+obY6WaE4fW1A6Nk=
## 5 - The dns.neutopia.org DNS TLS Server A+ ( FRA )
  - address_data: 89.234.186.112
    tls_auth_name: "dns.neutopia.org"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: wTeXHM8aczvhRSi0cv2qOXkXInoDU+2C+M8MpRyT3OI=
## 6 - The Foundation for Applied Privacy DNS TLS Server #1 A+ ( AUT )
  - address_data: 146.255.56.98
    tls_auth_name: "dot1.applied-privacy.net"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: xhQVPE+X85b9LkORuEhxfsxE1X2EbOm8v5ytxCqg5BI=
  - address_data: 2a02:1b8:10:234::2
    tls_auth_name: "dot1.applied-privacy.net"
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: xhQVPE+X85b9LkORuEhxfsxE1X2EbOm8v5ytxCqg5BI=
## 7 - The Secure DNS Project by PumpleX DNS TLS Server #1 A+ ( GBR )
  - address_data: 51.38.83.141
    tls_auth_name: "dns.oszx.co"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: Am37BK5eBKSafYNJupWsoh5pokR3wwJ5zs7xvniF6XE=
## 8 - The dismail.de DNS TLS Server #1 A+ ( DEU )
  - address_data: 80.241.218.68
    tls_port: 853
    tls_auth_name: "fdns1.dismail.de"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: MMi3E2HZr5A5GL+badqe3tzEPCB00+OmApZqJakbqUU=
## xx - The dismail.de DNS TLS Server #2 A+ ( USA )
  - address_data: 159.69.114.157
    tls_port: 853
    tls_auth_name: "fdns2.dismail.de"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: yJYDim2Wb6tbxUB3yA5ElU/FsRZZhyMXye8sXhKEd1w=
## 9 - The Lorraine Data Network DNS TLS Server A+ ( FRA )
  - address_data: 80.67.188.188
    tls_port: 443
    tls_pubkey_pinset:
      - digest: "sha256"
        value: WaG0kHUS5N/ny0labz85HZg+v+f0b/UQ73IZjFep0nM=
## This certificate is currently expired which
## does not pose any concerns in SPKI mode
## (in practice with Stubby)
## Source : https://ldn-fai.net/serveur-dns-recursif-ouvert/
## 10 - The ibksturm.synology.me DNS TLS Server A+ ( CHE )
  - address_data: 213.196.191.96
    tls_auth_name: "ibksturm.synology.me"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: yrMslOFXpWeLoNw0YgQk/pA5vl2mqXfBOASYLLeqDxc=
## 11 - The dns.flatuslifir.is DNS TLS Server A+ ( ISL )
  - address_data: 46.239.223.80
    tls_auth_name: "dns.flatuslifir.is"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: b9sJFKc+wycfm4FHB9ddNopdeKceru+sZk0w5nz4xfQ=
### Publicly Available DOT Test Servers ###
## 12 - The FEROZ SALAM DNS TLS Server A+ ( GBR )
  - address_data: 46.101.66.244
    tls_auth_name: "doh.li"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: ugm6mY2NNKi0I/Q+pofAgx0c31tbcW6xYAImZXr5Oqo=
## 13 - The Andrews & Arnold DNS TLS Server #1 A+ ( GBR )
  - address_data: 217.169.20.23
    tls_auth_name: "dns.aa.net.uk"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: sS2Atff8wMigRVTxmS36FbMaXiCWsxLgD3AOtTA9eeU=
## xx - The Andrews & Arnold DNS TLS Server #2 A+ ( GBR )
  - address_data: 217.169.20.22
    tls_auth_name: "dns.aa.net.uk"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: /jchI7afFvSaVm4DCTksJcPHyK7uvbcwNUtTNNV4Bek=
## 14 - The dns.seby.io - Vultr DNS TLS Server A+ ( AUS )
  - address_data: 45.76.113.31
    tls_auth_name: "dot.seby.io"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: H13Su1659zEn0ZIblEShwjZO+M5gxKK2wXpVKQHgibM=
## xx - The dns.seby.io - OVH DNS TLS Server A+ ( AUS )
  - address_data: 139.99.222.72
    tls_auth_name: "dot.seby.io"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: /3AxvvuWCQmYQ4/mqHJzPL1rPC7KxaahVPmUkoSVR5A=
## 15 - The Digitale Gesellschaft DNS TLS Server #1 A+ ( CHE )
  - address_data: 185.95.218.43
    tls_auth_name: "dns.digitale-gesellschaft.ch"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: sAH7JR5A8WA+hs1ZGXPS/uq3Y1wufBi2wQ8Crk+oR2Q=
  - address_data: 2a05:fc84::43
    tls_auth_name: "dns.digitale-gesellschaft.ch"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: sAH7JR5A8WA+hs1ZGXPS/uq3Y1wufBi2wQ8Crk+oR2Q=
## xx - The Digitale Gesellschaft DNS TLS Server #2 A+ ( CHE )
  - address_data: 185.95.218.42
    tls_auth_name: "dns.digitale-gesellschaft.ch"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: Fpgt86sGjlL4sbgNmd1WX0BYEIEJ7yQk9rp+uQKxI+w=
  - address_data: 2a05:fc84::42
    tls_auth_name: "dns.digitale-gesellschaft.ch"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: Fpgt86sGjlL4sbgNmd1WX0BYEIEJ7yQk9rp+uQKxI+w=
## 16 - The Antoine Aflalo DNS TLS Server #1 A+ ( USA )
  - address_data: 168.235.81.167
    tls_auth_name: "dns-nyc.aaflalo.me"
    tls_port: 853
    tls_pubkey_pinset:
      - digest: "sha256"
        value: Dn58VD18MLkmmG9wvzvSs30Tu1Rd65igDLpp1odYaAc=
# Set the acceptable ciphers for DNS over TLS. With OpenSSL 1.1.1 this list is
# for TLS1.2 and older only. Ciphers for TLS1.3 should be set with the
# tls_ciphersuites option. This option can also be given per upstream.
tls_cipher_list: "EECDH+AESGCM:EECDH+CHACHA20"
# Set the acceptable cipher for DNS over TLS1.3. OpenSSL >= 1.1.1 is required
# for this option. This option can also be given per upstream.
tls_ciphersuites: "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
# Set the minimum acceptable TLS version. Works with OpenSSL >= 1.1.1 only.
# This option can also be given per upstream.
tls_min_version: GETDNS_TLS1_2
# Set the maximum acceptable TLS version. Works with OpenSSL >= 1.1.1 only.
# This option can also be given per upstream.
tls_max_version: GETDNS_TLS1_3
When I get some time - next day or two - I will post a separate Forum entry which lists
many more DNS OVER TLS servers that are publicly available. However, these are more than
enough to get you started.
4 - In order to have pfSense 2.5.2 use the default start up script ( /usr/local/etc/rc.d/stubby.sh )
at boot time it helps to create a boot time start up script for it in /etc/rc.conf.d/.
Not to prolong this - do the following :
# touch /etc/rc.conf.d/stubby - create the needed new file
# nano /etc/rc.conf.d/stubby - in the new file enter the following two lines:
stubby_enable="YES"
stubby_bootup_run="/usr/local/etc/rc.d/stubby.sh"
Save and exit / then make the file executable - once again - works for me :
# chmod 755 /etc/rc.conf.d/stubby
5- Now you must configure your Unbound DNS Server to use Stubby for DNS Over TLS.
Go to Services > DNS RESOLVER > General Settings > Display Custom Options
In the Custom options box - enter the following below :
server:
  do-not-query-localhost: no
forward-zone:
  name: "."   # Allow all DNS queries
  forward-addr: 127.0.0.1@8053
  forward-addr: 0::1@8053
Save and Apply
6 - Next - Under System > General Setup > DNS Server Settings
A - Set the first DNS Server to
127.0.0.1
add no other DNS Servers here
B - DNS Server Override - make sure this is unchecked
C - DNS Resolution Behavior
Use local DNS (127.0.0.1), fall back to remote DNS SERVERS (Default)
Save and Apply
Reboot your router or run command # /usr/local/etc/rc.d/stubby.sh restart
You are all set up now. You are running DNS OVER TLS with GETDNS plus STUBBY
( a fully featured TLS forwarder ) along with an Unbound DNS Caching Server.
-
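The tls_pubkey_pinset values in the stubby.yml above are SPKI pins: the base64 SHA-256 of the upstream's DER SubjectPublicKeyInfo, not of the certificate. That is why the expired Lorraine Data Network certificate is harmless in pin mode as long as the server keeps the same key. The script below is an added example, not code from this post or from getdns/Stubby: it walks a DER certificate to its SubjectPublicKeyInfo, computes the pin the way Stubby compares it, and shows that a renewal with the same key keeps the pin while the certificate fingerprint changes. Both certificates are constructed inside the script (unsigned, placeholder key bytes, hypothetical name dot.example.net and documentation address 192.0.2.53) so it runs offline.

```python
"""SPKI pin (RFC 7469 style, as used by Stubby's tls_pubkey_pinset) from a DER
certificate, with a minimal DER walker instead of a third-party ASN.1 library.

Added example; the two certificates below are constructed here and are not
real server certificates. Their signatures are zero-filled placeholders and
the public key bytes are not a real P-256 point: neither matters for the
pin, which hashes the SubjectPublicKeyInfo structure as encoded.
"""
import base64
import hashlib

# --- minimal DER encode / decode -------------------------------------------
def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a definite length (up to 65535 bytes)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def der_body(tlv: bytes) -> bytes:
    """Strip the tag and length octets from a raw TLV."""
    first = tlv[1]
    header = 2 + ((first & 0x7F) if first & 0x80 else 0)
    return tlv[header:]

def der_children(body: bytes) -> list:
    """Split the body of a constructed value into its raw child TLVs."""
    out, pos = [], 0
    while pos < len(body):
        start = pos
        pos += 1                       # tag octet
        first = body[pos]
        pos += 1
        if first & 0x80:               # long-form length
            nbytes = first & 0x7F
            length = int.from_bytes(body[pos:pos + nbytes], "big")
            pos += nbytes
        else:
            length = first
        pos += length
        out.append(body[start:pos])
    return out

# --- constructed certificates -----------------------------------------------
OID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")    # 1.2.840.10045.2.1
OID_PRIME256V1 = bytes.fromhex("2a8648ce3d030107")     # 1.2.840.10045.3.1.7
OID_ECDSA_SHA256 = bytes.fromhex("2a8648ce3d040302")   # 1.2.840.10045.4.3.2
OID_COMMON_NAME = bytes.fromhex("550403")              # 2.5.4.3
FAKE_POINT = b"\x04" + bytes(range(1, 65))             # placeholder, not a curve point

# SubjectPublicKeyInfo ::= SEQUENCE { algorithm, subjectPublicKey BIT STRING }
SPKI = der(0x30, der(0x30, der(0x06, OID_EC_PUBLIC_KEY) + der(0x06, OID_PRIME256V1))
           + der(0x03, b"\x00" + FAKE_POINT))

def build_cert(serial: int, not_before: bytes, not_after: bytes, spki: bytes) -> bytes:
    """Constructed, unsigned X.509 v3 certificate around a given SPKI."""
    name = der(0x30, der(0x31, der(0x30, der(0x06, OID_COMMON_NAME)
                                        + der(0x0C, b"dot.example.net"))))
    sig_alg = der(0x30, der(0x06, OID_ECDSA_SHA256))
    validity = der(0x30, der(0x17, not_before) + der(0x17, not_after))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))            # version v3
               + der(0x02, serial.to_bytes(2, "big"))
               + sig_alg + name + validity + name + spki)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" + b"\x00" * 64))

CERT_2021 = build_cert(4097, b"210101000000Z", b"220101000000Z", SPKI)
CERT_2022 = build_cert(4098, b"220101000000Z", b"230101000000Z", SPKI)  # renewal, same key

# --- the pin ----------------------------------------------------------------
def extract_spki(cert_der: bytes) -> bytes:
    """Return the raw SubjectPublicKeyInfo TLV from a DER certificate."""
    tbs = der_children(der_body(cert_der))[0]
    fields = der_children(der_body(tbs))
    # TBSCertificate: [0] version (optional), serial, sigAlg, issuer, validity, subject, SPKI
    return fields[6] if fields[0][0] == 0xA0 else fields[5]

def pin_from_spki(spki_der: bytes) -> str:
    """base64(SHA-256(DER SubjectPublicKeyInfo)): the tls_pubkey_pinset value."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def spki_pin(cert_der: bytes) -> str:
    return pin_from_spki(extract_spki(cert_der))

def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the whole certificate; changes on every renewal."""
    return hashlib.sha256(cert_der).hexdigest()

def pinset_yaml(address: str, auth_name: str, pin: str, port: int = 853) -> str:
    """Render one upstream_recursive_servers item in stubby.yml layout."""
    return (f"  - address_data: {address}\n"
            f"    tls_auth_name: \"{auth_name}\"\n"
            f"    tls_port: {port}\n"
            f"    tls_pubkey_pinset:\n"
            f"      - digest: \"sha256\"\n"
            f"        value: {pin}\n")

if __name__ == "__main__":
    for label, cert in (("2021 cert", CERT_2021), ("2022 renewal", CERT_2022)):
        print(f"{label}: fingerprint {cert_fingerprint(cert)[:16]}...  pin {spki_pin(cert)}")
    print(pinset_yaml("192.0.2.53", "dot.example.net", spki_pin(CERT_2022)))
```

Against a live upstream the same hash is one openssl pipeline: `openssl s_client -connect 185.49.141.37:853 -servername getdnsapi.net </dev/null 2>/dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64`. Compare what it prints with the value already in the config before trusting either: a pin computed from a connection you have not otherwise authenticated only proves the server is consistent with itself, not that it is the operator you meant.
-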
Why??? If someone wants to use dot they can just set that up in like 10 seconds via the gui in pfsense..
All of this for something that can be done in a couple of clicks?
If you want "stubby" to be an option in pfsense - then where is the package? That is what you should be working on vs huge amounts of configs that go completely against the whole point of pfsense.
-
@johnpoz
Hello and I hope that you are well. As to answer your question of Why??? -
there is more than one method to achieve DNS OVER TLS as you well know.
The method I detail above is the one I prefer because of see here :
DNS Privacy Project > DNS Privacy Clients
Here is a summation of what I achieve with this setup -
Local forwarders
Stubby Recommended: See the DNS Privacy Daemon - Stubby web page for how to use Stubby as a local DNS Privacy stub resolver on your desktop or laptop!
What is Stubby?
ANSWER: Stubby runs as a daemon on the local machine sending DNS queries to resolvers over
encrypted TLS connections, providing increased privacy for the user. Passive observers on the
network can therefore no longer see the DNS queries made by the client, which are normally sent
in clear text on the wire using UDP. DNS-over-TLS was recently standardised by the IETF in RFC7858.
The DNS server the client connects to can also be authenticated if the correct information is configured
in Stubby - this prevents active attacks where a client might be directed to a server controlled by an attacker.
What is the difference between using Stubby and using Unbound as a local forwarding resolver?
ANSWER: Unbound can be configured as a local forwarder using DNS-over-TLS to forward queries.
However at the moment Unbound does not have all the TCP/TLS features that Stubby has; for example,
it cannot support 'Strict' mode, it cannot pad queries to hide query size and it opens a separate
connection for every DNS query (Stubby will re-use connections). However, Unbound is a mature and
stable daemon and many people already use it as a local resolver. While there were some early issues
the last few releases of Stubby have focussed on stability and security and have significantly improved
the usability of Stubby. We also have plans to add a small cache to stubby! Note that some users choose
to use the two together, unbound for caching and stubby for upstream TLS. -
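The Strict-mode properties quoted above (authentication required, query padding, TLS as the only transport) are exactly the settings that degrade silently when one line of stubby.yml is off, and Stubby will not tell you at startup. The audit below is an added example, not code from this thread or from the getdns/Stubby project. It checks an already-parsed configuration dict with the same keys as stubby.yml; the two sample configurations are constructed here (the strict one mirrors the post's global settings with the getdnsapi.net upstream and pin from the post, the weak one uses documentation addresses 192.0.2.53 and 198.51.100.53 and the hypothetical name dot.example.net) so the script runs offline. Reading a real stubby.yml goes through PyYAML, which is not in the standard library.

```python
"""Audit a parsed Stubby (getdns) configuration for the Strict DNS-over-TLS
profile: authentication required, TLS-only transport, TLS >= 1.2, query
padding, loopback-only listeners, and an auth name or pin on every upstream.

Added example, not part of the getdns/Stubby project. The sample configs are
constructed; the strict one copies the post's settings, the weak one uses
RFC 5737 documentation addresses and a hypothetical name.
"""
import base64
import binascii
import ipaddress

STRICT_AUTH = "GETDNS_AUTHENTICATION_REQUIRED"
ACCEPTABLE_MIN_TLS = ("GETDNS_TLS1_2", "GETDNS_TLS1_3")

def load_stubby_yml(path: str) -> dict:
    """Parse stubby.yml from disk; needs the third-party PyYAML module."""
    import yaml  # not in the standard library, imported lazily on purpose
    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh)

def _is_loopback(listen: str) -> bool:
    """listen_addresses entries look like '127.0.0.1@8053' or '0::1@8053'."""
    host = listen.rsplit("@", 1)[0]
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def _valid_pin(value) -> bool:
    """A sha256 SPKI pin is base64 of exactly 32 bytes."""
    if not isinstance(value, str):
        return False
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False

def audit_stubby(cfg: dict) -> list:
    """Return human-readable findings; an empty list means the profile holds."""
    findings = []
    if cfg.get("tls_authentication") != STRICT_AUTH:
        findings.append("tls_authentication is not REQUIRED: Opportunistic mode "
                        "keeps using upstreams it could not authenticate")
    if cfg.get("dns_transport_list") != ["GETDNS_TRANSPORT_TLS"]:
        findings.append("dns_transport_list permits a transport other than TLS "
                        "(cleartext fallback)")
    if cfg.get("tls_min_version") not in ACCEPTABLE_MIN_TLS:
        findings.append("tls_min_version is not pinned to GETDNS_TLS1_2 or higher")
    if not cfg.get("tls_query_padding_blocksize"):
        findings.append("tls_query_padding_blocksize unset: query sizes leak "
                        "through TLS record lengths")
    for addr in cfg.get("listen_addresses", []):
        if not _is_loopback(str(addr)):
            findings.append(f"listen address {addr} is not loopback; Stubby would "
                            "serve the network directly instead of Unbound")
    for up in cfg.get("upstream_recursive_servers", []):
        addr = up.get("address_data", "<no address>")
        pins = up.get("tls_pubkey_pinset") or []
        if not up.get("tls_auth_name") and not pins:
            findings.append(f"upstream {addr}: neither tls_auth_name nor "
                            "tls_pubkey_pinset, so it cannot be authenticated")
        for pin in pins:
            if pin.get("digest") != "sha256" or not _valid_pin(pin.get("value")):
                findings.append(f"upstream {addr}: malformed pin entry {pin}")
    return findings

# Constructed: the post's global settings with its first upstream, both addresses.
GETDNSAPI_PIN = "foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9Q="
STRICT_CFG = {
    "resolution_type": "GETDNS_RESOLUTION_STUB",
    "dns_transport_list": ["GETDNS_TRANSPORT_TLS"],
    "tls_authentication": "GETDNS_AUTHENTICATION_REQUIRED",
    "tls_query_padding_blocksize": 128,
    "tls_min_version": "GETDNS_TLS1_2",
    "listen_addresses": ["127.0.0.1@8053", "0::1@8053"],
    "upstream_recursive_servers": [
        {"address_data": a, "tls_auth_name": "getdnsapi.net", "tls_port": 853,
         "tls_pubkey_pinset": [{"digest": "sha256", "value": GETDNSAPI_PIN}]}
        for a in ("185.49.141.37", "2a04:b900:0:100::38")
    ],
}

# Constructed weak config: every check above has one trigger.
WEAK_CFG = {
    "dns_transport_list": ["GETDNS_TRANSPORT_TLS", "GETDNS_TRANSPORT_TCP"],
    "tls_authentication": "GETDNS_AUTHENTICATION_NONE",
    "tls_query_padding_blocksize": 0,
    "listen_addresses": ["0.0.0.0@53"],
    "upstream_recursive_servers": [
        {"address_data": "192.0.2.53"},
        {"address_data": "198.51.100.53", "tls_auth_name": "dot.example.net",
         "tls_pubkey_pinset": [{"digest": "sha256", "value": "not-a-valid-pin"}]},
    ],
}

if __name__ == "__main__":
    import sys
    cfg = load_stubby_yml(sys.argv[1]) if len(sys.argv) > 1 else WEAK_CFG
    for line in audit_stubby(cfg) or ["no findings: Strict-mode profile holds"]:
        print("-", line)
```

Run it as `python3 audit_stubby.py /usr/local/etc/stubby/stubby.yml` on the pfSense box once PyYAML is present, or with no argument to see the weak sample's findings. The upstream check is the one that bites in practice: a dual-stack server written as two `- address_data:` items with the auth fields only under the second one leaves the first item with nothing to authenticate against.
-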
@ubernupe Again - what you're doing is not the proper way to add something to pfsense.. More than likely any and all of your "changes" files, configs would just be overwritten via an update to pfsense.
If you like stubby more than unbound - that is more than fine.. But adding it in this manner is not a good way forward.
A better "solution" if goal is using stubby vs unbound... Or even in conjunction with unbound. It would prob be better to run your stubby setup on something else in your network, a pi, a vm, a docker, etc.. other than messing with anything on pfsense. This way it has zero risk of breaking anything in pfsense, and updates to pfsense would not overwrite any changes made to use it, etc.
I don't know how long you have been using pfsense, but unbound used to be just a package you added and not part of the default install. Bind is also another option for dns on pfsense.. So I don't see why something like stubby could not be added as a package if there is enough "want" for it.. Not a fan of such complex changes to pfsense outside of the gui, etc. Your efforts might be better spent on getting stubby added as a package to pfsense.. This would allow for more people to leverage it, and also have some vetting from the developers that the package and use of it would not conflict with pfsense functionality, etc.
-
@johnpoz
Thanks for your kind and thoughtful reply - I truly appreciate your sentiments and insights. How would I go about getting stubby added as a package on pfSense ? With all due respect to you and pfSense ( and with no intent of throwing shade or trolling ) OPNsense does currently include stubby as a package and has done so for quite some time. Moreover - it is maintained by The FreeBSD Project as both a package and in the ports collection. I only mention this because stubby and getdns are pretty much fully vetted and have been so for quite some time - albeit the current maintainer has not updated the package going back for more than I or many would like ideally.
Anyway - I would like to know what you would think about adding stubby and getdns to pfSense. Once again - thanks for your time, advice and attention to my efforts to bring DNS Privacy to pfSense.
Peace and Stay Safe
-
@ubernupe here is something to get you started
https://docs.netgate.com/pfsense/en/latest/development/develop-packages.html
You might want to reach out to a current package maintainer - @bmeeks and @BBcan177 come to mind as 2 major players for packages for pfsense.. Oh and @dennypage those are 3 names that pop into my head when it comes to packages and pfsense.. If you ask them nicely they might be willing to give you some pointers on getting started..
-
@johnpoz
Thanks my Brother - I will be on my best behavior - and use my best polite mannerable demeanor.
God Bless You and Yours - and Stay Safe