Problem with DNS over TLS
-
The WAN port on the dashboard is still online (green).
That means you don't lose internet access; it probably means that your unbound can no longer resolve any query.
"localhost: do you mean changing the IP in the LAN rules (2nd line) to 'localhost'?"
No, I meant in the DNS Resolver tab, that is Services > DNS Resolver > Outgoing Network Interfaces > Remove WAN and add localhost.
"Unchecking DHCP doesn't help."
Doesn't help resolving your issue but it DOES help your pfSense and thus your DNS resolver. It was a recommendation, take it or leave it.
Cheers
-
In General Setup I have 2 DNS servers:
1.1.1.1 cloudfare-dns.com
1.0.0.1 cloudfare-dns.com
-
Is this not strange: I can reply on this forum but I can't browse the net?
-
@pietsnot56
The forum IP might still exist in your DNS cache.
-
I suggest that you go to Netgate's YouTube page. There you will find a video titled "Local DNS with pfSense 2.4". At about 36 minutes in there is a DNS over TLS overview. This information is still relevant today and gives you a good foundation.
-
@pietsnot56
Configuring pfSense to use DoT on upstream requests is not really a big deal.You have to ensure to state host names next to the DNS server IPs in System > General. The host names must match that ones the servers SSL certificate, otherwise the requests fail.
And you have to check these two boxes in the Resolvers general settings:
-
I will look at the video.
Probably there is something wrong with the certificates.
That's the next thing to investigate.
Anyway, thanks a lot from Belgium.
-
@pietsnot56 clients don't normally do dot, dot is normally for a NS to forward to some other NS.. Clients normally want to use doh.. They are completely different things.
If you want your clients to use dot to pfsense, then yeah you would need to create a cert and use that cert and your clients would need to trust it, and they would need to know and use the fqdn you set up in the cert, or the IP in the san, etc. Using either dot or doh inside your network is a bit over the top to be honest. Is your local network hostile? Is someone able to sniff your dns traffic on your local network that is not you?
If you want to use dot for unbound to forward to say cloudflare that is clickly clickly to setup..
What exactly are you trying to accomplish? Your clients would talk to unbound locally via normal dns, and then unbound would use dot to talk to cloudflare dot servers?
-
Hi,
My problem seems to be resolved:
I saw in the YouTube video these custom settings:
forward-zone:
name:"."
forward-ssl-upstream: yes
forward-addr: 1.1.1.1@853
forward-addr: 1.0.0.1@853
By adding this in the service I got this result with 1.1.1.1/help:
Debug Information
Connected to 1.1.1.1 Yes
Using DNS over HTTPS (DoH) No
Using DNS over TLS (DoT) Yes
Using DNS over WARP No
AS Name Cloudflare
AS Number 13335
Cloudflare Data Center BRU
Connectivity to Resolver IP Addresses
1.1.1.1 Yes
1.0.0.1 Yes
2606:4700:4700::1111 No
2606:4700:4700::1001 No
Browsing on the internet is ok now!
Thanks for your assistance.
-
@pietsnot56 said in Problem with DNS over TLS:
I saw in the YouTube video these custom settings:
forward-zone:
name:"."
forward-ssl-upstream: yes
forward-addr: 1.1.1.1@853
forward-addr: 1.0.0.1@853
That is old - you no longer need to do that, you just need to click the little button that says forward using tls, and put those in your dns via general.
https://docs.netgate.com/pfsense/en/latest/recipes/dns-over-tls.html#configuring-dns-over-tls
-
Hi johnpoz,
I did the test again without the custom settings and I got the same problems again.
My settings are identical to those in
https://docs.netgate.com/pfsense/en/latest/recipes/dns-over-tls.html#configuring-dns-over-tls
Could there be something else wrong?
-
@pietsnot56 not sure what you could be doing.. Click Click and using dot to 1.1.1.1
Even did a sniff on wan to validate talking to them over 853
And can see in the resolver status, it's only talking to them.
edit: now back to normal resolving - not a fan of dot.
-
I have similar results in Status / DNS Resolver with my settings.
Those are absolutely identical to your setup.
Same for "1.1.1.1/help":
Debug Information
Connected to 1.1.1.1 Yes
Using DNS over HTTPS (DoH) No
Using DNS over TLS (DoT) Yes
Using DNS over WARP No
AS Name Cloudflare
AS Number 13335
Cloudflare Data Center BRU
Connectivity to Resolver IP Addresses
1.1.1.1 Yes
1.0.0.1 Yes
2606:4700:4700::1111 No
2606:4700:4700::1001 No
Could there be a wrong firewall rule that makes the custom settings necessary?
-
johnpoz, LAYER 8 Global Moderator, Jan 20, 2023, 10:26 PM (last edited by johnpoz Jan 20, 2023, 10:27 PM)
@pietsnot56 said in Problem with DNS over TLS:
Could there be a wrong firewall rule that makes the custom settings necessary?
Sure wouldn't think so.. Any firewall rules would apply whether using custom or not.. Are you not hitting save somewhere?
You need to set the dns in general before you set unbound to forward and dot mode.
-
The DNS settings in the "General Setup" are ok.
I have tested several times with and without the custom settings. Only "with" allows me to browse the internet.
As far as I can see all the rest seems to be working correctly: lookup, 1.1.1.1/help, etc.
I don't understand why your settings don't work on my firewall. ???
-
@pietsnot56 the gui settings do what you're doing in custom..
So I again set this back with a simple click.. And then look in my unbound.conf
cat /var/unbound/unbound.conf
And you will see this
# Forwarding
forward-zone:
name: "."
forward-tls-upstream: yes
forward-addr: 1.1.1.1@853#cloudflare-dns.com
forward-addr: 1.0.0.1@853#cloudflare-dns.com
then I undo the check marks and it is gone.
While what you're doing is doing the same thing really - it makes no sense that you would have to use the custom options to get those settings into your unbound.conf file.
You really should be setting the name, or you're not actually going to verify you're talking to cloudflare.. Are you not doing that with custom?
-
Hi,
Version 2.6.0-RELEASE (amd64)
built on Mon Jan 31 19:57:53 UTC 2022
FreeBSD 12.3-STABLE
The system is on the latest version.
Version information updated at Sat Jan 21 14:35:40 -01 2023
DNS Server Settings in General Setup
DNS Servers
1.1.1.1 cloudfare-dns.com
1.0.0.1 cloudfare-dns.com
.......
DNS Resolution Behavior: Use local DNS (127.0.0.1), ignore remote DNS Servers
A) Config file
1 ) this is what I have with the "custom settings on" in the config file.
# Domain overrides
include: /var/unbound/domainoverrides.conf
# Forwarding
forward-zone:
name: "."
forward-tls-upstream: yes
forward-addr: 1.1.1.1@853#cloudfare-dns.com
forward-addr: 1.0.0.1@853#cloudfare-dns.com
# Unbound custom options
server:
private-domain:"plex.direct"
forward-zone:
name:"."
forward-ssl-upstream: yes
forward-addr: 1.1.1.1@853
forward-addr: 1.0.0.1@853
server:include: /var/unbound/pfb_dnsbl.*conf
2 ) by erasing the custom settings:
# Domain overrides
include: /var/unbound/domainoverrides.conf
# Forwarding
forward-zone:
name: "."
forward-tls-upstream: yes
forward-addr: 1.1.1.1@853#cloudfare-dns.com
forward-addr: 1.0.0.1@853#cloudfare-dns.com
# Unbound custom options
server:
private-domain:"plex.direct"
server:include: /var/unbound/pfb_dnsbl.*conf
3 ) by unchecking "use SSL/TLS for outgoing...":
# Domain overrides
include: /var/unbound/domainoverrides.conf
# Forwarding
forward-zone:
name: "."
forward-addr: 1.1.1.1
forward-addr: 1.0.0.1
B) error file with "Use SSL/TLS for outgoing DNS Queries to Forwarding Servers" checked on and without custom settings.
IP6 ????
Can this help you to explain?
##########################
# Unbound Configuration
##########################
# Server configuration
server:
chroot: /var/unbound
username: "unbound"
directory: "/var/unbound"
pidfile: "/var/run/unbound.pid"
use-syslog: yes
port: 53
verbosity: 1
hide-identity: yes
hide-version: yes
harden-glue: yes
do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes
do-daemonize: yes
module-config: "iterator"
unwanted-reply-threshold: 0
num-queries-per-thread: 4096
jostle-timeout: 200
infra-host-ttl: 900
infra-cache-numhosts: 10000
outgoing-num-tcp: 10
incoming-num-tcp: 10
edns-buffer-size: 512
cache-max-ttl: 86400
cache-min-ttl: 0
harden-dnssec-stripped: yes
msg-cache-size: 4m
rrset-cache-size: 8m
num-threads: 4
msg-cache-slabs: 4
rrset-cache-slabs: 4
infra-cache-slabs: 4
key-cache-slabs: 4
outgoing-range: 4096
#so-rcvbuf: 4m
prefetch: no
prefetch-key: no
use-caps-for-id: no
serve-expired: no
aggressive-nsec: no
# Statistics
# Unbound Statistics
statistics-interval: 0
extended-statistics: yes
statistics-cumulative: yes
# TLS Configuration
tls-cert-bundle: "/etc/ssl/cert.pem"
tls-port: 853
tls-service-pem: "/var/unbound/sslcert.crt"
tls-service-key: "/var/unbound/sslcert.key"
# Interface IP(s) to bind to
interface-automatic: no
interface: 0.0.0.0
interface: 0.0.0.0@853
interface: ::0
interface: ::0@853
# Outgoing interfaces to be used
outgoing-interface: 178.116.127.35
# DNS Rebinding
# For DNS Rebinding prevention
private-address: 127.0.0.0/8
private-address: 10.0.0.0/8
private-address: ::ffff:a00:0/104
private-address: 172.16.0.0/12
private-address: ::ffff:ac10:0/108
private-address: 169.254.0.0/16
private-address: ::ffff:a9fe:0/112
private-address: 192.168.0.0/16
private-address: ::ffff:c0a8:0/112
private-address: fd00::/8
private-address: fe80::/10
# Set private domains in case authoritative name server returns a Private IP address
# Access lists
include: /var/unbound/access_lists.conf
# Static host entries
include: /var/unbound/host_entries.conf
# dhcp lease entries
include: /var/unbound/dhcpleases_entries.conf
# Domain overrides
include: /var/unbound/domainoverrides.conf
# Forwarding
forward-zone:
name: "."
forward-tls-upstream: yes
forward-addr: 1.1.1.1@853#cloudflare-dns.com
forward-addr: 1.0.0.1@853#cloudflare-dns.com
forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
# Unbound custom options
server:include: /var/unbound/pfb_dnsbl.*conf
server:
private-domain: "plex.direct"
# Remote Control Config
include: /var/unbound/remotecontrol.conf
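An added example, not code from the thread or from pfSense, that checks the forwarding part of an unbound.conf for the issues discussed above: a forward-addr without an authentication name (johnpoz's point that the upstream certificate is then not verified), an authentication name that differs from the one the working config in this thread uses for Cloudflare (the configs here spell it both cloudflare-dns.com and cloudfare-dns.com), the older forward-ssl-upstream spelling, and a forward-zone defined twice because custom options duplicate the GUI-generated stanza. The EXPECTED_AUTH table is an assumption limited to the Cloudflare addresses seen in the thread, and SAMPLE_CONF is a constructed input.

```python
from collections import Counter
# Auth name the thread's working config uses for Cloudflare; assumed here to be the only known upstreams.
EXPECTED_AUTH = dict.fromkeys(["1.1.1.1", "1.0.0.1", "2606:4700:4700::1111", "2606:4700:4700::1001"], "cloudflare-dns.com")
CLAUSES = {"server", "stub-zone", "auth-zone", "view", "remote-control"}  # clause keywords that end a stanza

def lint_forwarding(conf_text):
    """Parse the forward-zone stanzas of unbound.conf text; return (code, message) findings."""
    zones, zone, findings = [], None, []
    for line in (l.strip() for l in conf_text.splitlines()):
        if not line or line[0] == "#":
            continue                                    # blank or comment line
        key, _, val = (s.strip() for s in line.partition(":"))
        if key == "forward-zone":
            zone = {"name": None, "tls": False, "legacy": False, "addrs": []}
            zones.append(zone)
        elif key in CLAUSES:
            zone = None                                 # back at server: level
        elif zone is not None and key == "name":
            zone["name"] = val.strip('"')
        elif zone is not None and key in ("forward-tls-upstream", "forward-ssl-upstream"):
            zone["tls"], zone["legacy"] = val == "yes", key == "forward-ssl-upstream"
        elif zone is not None and key == "forward-addr":
            zone["addrs"].append(val)
    for z in zones:
        tag = f'forward-zone "{z["name"]}"'
        if z["legacy"]:
            findings.append(("legacy-option", f"{tag}: forward-ssl-upstream is the old alias of forward-tls-upstream"))
        for addr in z["addrs"]:
            target, _, auth = addr.partition("#")       # 1.1.1.1@853#cloudflare-dns.com -> target, auth name
            ip, auth = target.split("@")[0].strip(), auth.strip()
            if z["tls"] and not auth:
                findings.append(("no-auth-name", f"{tag}: {addr} has no #authname, so the upstream certificate is never verified"))
            elif auth and auth != EXPECTED_AUTH.get(ip, auth):
                findings.append(("auth-mismatch", f"{tag}: {addr} names {auth!r}, but the certificate is for {EXPECTED_AUTH[ip]!r}"))
    for name, n in Counter(z["name"] for z in zones).items():
        if n > 1:
            findings.append(("duplicate-zone", f'forward-zone "{name}" is defined {n} times (GUI forwarding plus custom options?)'))
    return findings

# Constructed sample: the GUI-generated stanza (with the thread's misspelt auth name), then the custom-options stanza.
SAMPLE_CONF = """\
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudfare-dns.com
server:
forward-zone:
    name: "."
    forward-ssl-upstream: yes
    forward-addr: 1.1.1.1@853
"""
```

Running `lint_forwarding(SAMPLE_CONF)` on the sample yields four findings, one of each code; a GUI-only stanza with the correct authentication names yields none.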
-
@pietsnot56 said in Problem with DNS over TLS:
IP6 ????
Where are you putting in IPv6? I do see it in your output you posted.
And looks like you have stuff in there twice:
forward-zone:
name: "."
forward-tls-upstream: yes
forward-addr: 1.1.1.1@853#cloudfare-dns.com
forward-addr: 1.0.0.1@853#cloudfare-dns.com
# Unbound custom options
server:
private-domain:"plex.direct"
server:include: /var/unbound/pfb_dnsbl.*conf
3 ) by unchecking "use SSL/TLS for outgoing..."
# Domain overrides
include: /var/unbound/domainoverrides.conf
# Forwarding
forward-zone:
name: "."
forward-addr: 1.1.1.1
forward-addr: 1.0.0.1
One would be with tls, the other would not be.. You got something messed up, that is for sure..
Your info might be easier to read if you used the code option for text so it is in a specific box vs just long running text..
-
@johnpoz said in Problem with DNS over TLS:
code option for text
"code option for text"
How or where can you choose this option?
-