Netgate Discussion Forum
Problem with DNS over TLS

Category: DHCP and DNS
28 Posts, 5 Posters, 3.3k Views

johnpoz LAYER 8 Global Moderator @pietsnot56
Jan 20, 2023, 9:49 PM (last edited by johnpoz Jan 20, 2023, 9:52 PM)

    @pietsnot56 not sure what you could be doing.. Click Click and using dot to 1.1.1.1

    [image: test.jpg]

    Even did a sniff on wan to validate talking to them over 853

    And can see in the resolver status, its only talking to them.

    [image: resolverstatus.jpg]

    edit: now back to normal resolving - not a fan of dot.

    An intelligent man is sometimes forced to be drunk to spend time with his fools
    If you get confused: Listen to the Music Play
    Please don't Chat/PM me for help, unless mod related
    SG-4860 24.11 | Lab VMs 2.8, 24.11

    pietsnot56
    Jan 20, 2023, 10:12 PM

      I have similar results in status/ dns resolver with my settings.

      Those are absolutely identical to your setup.

      idem for "1.1.1.1/help"

      ```
      Debug Information
      Connected to 1.1.1.1                    Yes
      Using DNS over HTTPS (DoH)              No
      Using DNS over TLS (DoT)                Yes
      Using DNS over WARP                     No
      AS Name                                 Cloudflare
      AS Number                               13335
      Cloudflare Data Center                  BRU
      Connectivity to Resolver IP Addresses
      1.1.1.1                                 Yes
      1.0.0.1                                 Yes
      2606:4700:4700::1111                    No
      2606:4700:4700::1001                    No
      ```

      Could there be a wrong firewall rule that makes the custom settings necessary?

      johnpoz LAYER 8 Global Moderator @pietsnot56
      Jan 20, 2023, 10:26 PM (last edited by johnpoz Jan 20, 2023, 10:27 PM)

        @pietsnot56 said in Problem with DNS over TLS:

        > Could there be a wrong firewall rule that makes the custom settings necessary?

        Sure wouldn't think so.. Any firewall rules would apply if using custom or not.. Are you not hitting save somewhere?

        You need to set the dns in general, before you set the unbound to forward and dot mode.

        pietsnot56
        Jan 21, 2023, 12:31 PM

          The DNS settings in the "general setup" are ok.
          I have tested several times with and without the custom settings. Only "with" allows me to browse the internet.
          As far as I can see all the rest seems to be working correctly: lookup, 1.1.1.1/help, etc.
          I don't understand why your settings don't work on my firewall. ???

          johnpoz LAYER 8 Global Moderator @pietsnot56
          Jan 21, 2023, 1:20 PM (last edited by johnpoz Jan 21, 2023, 1:22 PM)

            @pietsnot56 the GUI settings do what you're doing in custom..

            So I again set this back with a simple click.. And then look in my unbound.conf

            cat /var/unbound/unbound.conf

            And you will see this

            # Forwarding
            forward-zone:
                    name: "."
                    forward-tls-upstream: yes
                    forward-addr: 1.1.1.1@853#cloudflare-dns.com
                    forward-addr: 1.0.0.1@853#cloudflare-dns.com
            

            then I undo the check marks and it is gone.

            while what you're doing is doing the same thing really - it makes no sense that you would have to use the custom options to get those settings into your unbound.conf file

            You really should be setting the name, or you're not actually going to verify you're talking to Cloudflare.. Are you not doing that with custom?

              pietsnot56
              Jan 21, 2023, 4:08 PM

              Hi,

              Version 2.6.0-RELEASE (amd64)
              built on Mon Jan 31 19:57:53 UTC 2022
              FreeBSD 12.3-STABLE

              The system is on the latest version.
              Version information updated at Sat Jan 21 14:35:40 -01 2023

              DNS Server Settings in General setup
              DNS Servers

              1.1.1.1
              cloudfare-dns.com
              1.0.0.1
              cloudfare-dns.com
              .......
              DNS Resolution Behavior

              Use local DNS (127.0.0.1), ignore remote DNS Servers

              A) Config file

              1 ) this is what I have with the "custom settings on" in the config file:

              ```
              # Domain overrides
              include: /var/unbound/domainoverrides.conf
              # Forwarding
              forward-zone:
              name: "."
              forward-tls-upstream: yes
              forward-addr: 1.1.1.1@853#cloudfare-dns.com
              forward-addr: 1.0.0.1@853#cloudfare-dns.com
              # Unbound custom options
              server:
              private-domain:"plex.direct"
              forward-zone:
              name:"."
              forward-ssl-upstream: yes
              forward-addr: 1.1.1.1@853
              forward-addr: 1.0.0.1@853
              server:include: /var/unbound/pfb_dnsbl.*conf
              ```

              2 ) by erasing the custom settings:

              ```
              # Domain overrides
              include: /var/unbound/domainoverrides.conf
              # Forwarding
              forward-zone:
              name: "."
              forward-tls-upstream: yes
              forward-addr: 1.1.1.1@853#cloudfare-dns.com
              forward-addr: 1.0.0.1@853#cloudfare-dns.com
              # Unbound custom options
              server:
              private-domain:"plex.direct"
              server:include: /var/unbound/pfb_dnsbl.*conf
              ```

              3 ) by unchecking "use SSL/TLS for outgoing...":

              ```
              # Domain overrides
              include: /var/unbound/domainoverrides.conf
              # Forwarding
              forward-zone:
              name: "."
              forward-addr: 1.1.1.1
              forward-addr: 1.0.0.1
              ```

              B) error file with "Use SSL/TLS for outgoing DNS Queries to Forwarding Servers" checked on and without custom settings.
              IP6 ????

              Can this help you to explain?

              ```
              ##########################
              # Unbound Configuration
              ##########################

              ##
              # Server configuration
              ##
              server:

              chroot: /var/unbound
              username: "unbound"
              directory: "/var/unbound"
              pidfile: "/var/run/unbound.pid"
              use-syslog: yes
              port: 53
              verbosity: 1
              hide-identity: yes
              hide-version: yes
              harden-glue: yes
              do-ip4: yes
              do-ip6: yes
              do-udp: yes
              do-tcp: yes
              do-daemonize: yes
              module-config: "iterator"
              unwanted-reply-threshold: 0
              num-queries-per-thread: 4096
              jostle-timeout: 200
              infra-host-ttl: 900
              infra-cache-numhosts: 10000
              outgoing-num-tcp: 10
              incoming-num-tcp: 10
              edns-buffer-size: 512
              cache-max-ttl: 86400
              cache-min-ttl: 0
              harden-dnssec-stripped: yes
              msg-cache-size: 4m
              rrset-cache-size: 8m

              num-threads: 4
              msg-cache-slabs: 4
              rrset-cache-slabs: 4
              infra-cache-slabs: 4
              key-cache-slabs: 4
              outgoing-range: 4096
              #so-rcvbuf: 4m

              prefetch: no
              prefetch-key: no
              use-caps-for-id: no
              serve-expired: no
              aggressive-nsec: no
              # Statistics
              # Unbound Statistics
              statistics-interval: 0
              extended-statistics: yes
              statistics-cumulative: yes

              # TLS Configuration
              tls-cert-bundle: "/etc/ssl/cert.pem"
              tls-port: 853
              tls-service-pem: "/var/unbound/sslcert.crt"
              tls-service-key: "/var/unbound/sslcert.key"

              # Interface IP(s) to bind to
              interface-automatic: no
              interface: 0.0.0.0
              interface: 0.0.0.0@853
              interface: ::0
              interface: ::0@853

              # Outgoing interfaces to be used
              outgoing-interface: 178.116.127.35

              # DNS Rebinding
              # For DNS Rebinding prevention
              private-address: 127.0.0.0/8
              private-address: 10.0.0.0/8
              private-address: ::ffff:a00:0/104
              private-address: 172.16.0.0/12
              private-address: ::ffff:ac10:0/108
              private-address: 169.254.0.0/16
              private-address: ::ffff:a9fe:0/112
              private-address: 192.168.0.0/16
              private-address: ::ffff:c0a8:0/112
              private-address: fd00::/8
              private-address: fe80::/10
              # Set private domains in case authoritative name server returns a Private IP address

              # Access lists
              include: /var/unbound/access_lists.conf

              # Static host entries
              include: /var/unbound/host_entries.conf

              # dhcp lease entries
              include: /var/unbound/dhcpleases_entries.conf

              # Domain overrides
              include: /var/unbound/domainoverrides.conf
              # Forwarding
              forward-zone:
                  name: "."
                  forward-tls-upstream: yes
                  forward-addr: 1.1.1.1@853#cloudflare-dns.com
                  forward-addr: 1.0.0.1@853#cloudflare-dns.com
                  forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
                  forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com

              # Unbound custom options
              server:include: /var/unbound/pfb_dnsbl.*conf
              server:
              private-domain: "plex.direct"

              ###
              # Remote Control Config
              ###
              include: /var/unbound/remotecontrol.conf
              ```

                johnpoz LAYER 8 Global Moderator @pietsnot56
                Jan 21, 2023, 4:59 PM (last edited by johnpoz Jan 21, 2023, 5:00 PM)

                @pietsnot56 said in Problem with DNS over TLS:

                > IP6 ????

                Where are you putting in IPv6? I do see it in your output you posted.

                And looks like you have stuff in there twice

                forward-zone:
                name: "."
                forward-tls-upstream: yes
                forward-addr: 1.1.1.1@853#cloudfare-dns.com
                forward-addr: 1.0.0.1@853#cloudfare-dns.com
                Unbound custom options
                
                server:
                private-domain:"plex.direct"
                server:include: /var/unbound/pfb_dnsbl.*conf
                
                3 ) by unchecking "use SSL/TLS for outgoing..."
                Domain overrides
                
                include: /var/unbound/domainoverrides.conf
                Forwarding
                
                forward-zone:
                name: "."
                forward-addr: 1.1.1.1
                forward-addr: 1.0.0.1
                

                One would be with tls the other would not be.. You got something messed up that is for sure..

                Your info might be easier to read if you used the code option for text so it in specific box vs just long running text..

                  pietsnot56
                  Jan 21, 2023, 5:08 PM

                  @johnpoz said in Problem with DNS over TLS:

                  > code option for text

                  "code option for text"
                  how or where can you choose this option?

                    johnpoz LAYER 8 Global Moderator @pietsnot56
                    Jan 21, 2023, 5:20 PM

                    @pietsnot56

                    [image: text.jpg]

                      pietsnot56
                      Jan 21, 2023, 5:36 PM

                      that's with custom settings on, config file:

                      ##########################
                      # Unbound Configuration
                      ##########################
                      
                      ##
                      # Server configuration
                      ##
                      server:
                      
                      chroot: /var/unbound
                      username: "unbound"
                      directory: "/var/unbound"
                      pidfile: "/var/run/unbound.pid"
                      use-syslog: yes
                      port: 53
                      verbosity: 1
                      hide-identity: yes
                      hide-version: yes
                      harden-glue: yes
                      do-ip4: yes
                      do-ip6: yes
                      do-udp: yes
                      do-tcp: yes
                      do-daemonize: yes
                      module-config: "iterator"
                      unwanted-reply-threshold: 0
                      num-queries-per-thread: 4096
                      jostle-timeout: 200
                      infra-host-ttl: 900
                      infra-cache-numhosts: 10000
                      outgoing-num-tcp: 10
                      incoming-num-tcp: 10
                      edns-buffer-size: 512
                      cache-max-ttl: 86400
                      cache-min-ttl: 0
                      harden-dnssec-stripped: yes
                      msg-cache-size: 4m
                      rrset-cache-size: 8m
                      
                      num-threads: 4
                      msg-cache-slabs: 4
                      rrset-cache-slabs: 4
                      infra-cache-slabs: 4
                      key-cache-slabs: 4
                      outgoing-range: 4096
                      #so-rcvbuf: 4m
                      
                      prefetch: no
                      prefetch-key: no
                      use-caps-for-id: no
                      serve-expired: no
                      aggressive-nsec: no
                      # Statistics
                      # Unbound Statistics
                      statistics-interval: 0
                      extended-statistics: yes
                      statistics-cumulative: yes
                      
                      # TLS Configuration
                      tls-cert-bundle: "/etc/ssl/cert.pem"
                      
                      # Interface IP(s) to bind to
                      interface-automatic: yes
                      interface: 0.0.0.0
                      interface: ::0
                      
                      # Outgoing interfaces to be used
                      outgoing-interface: 178.116.127.35
                      
                      # DNS Rebinding
                      # For DNS Rebinding prevention
                      private-address: 127.0.0.0/8
                      private-address: 10.0.0.0/8
                      private-address: ::ffff:a00:0/104
                      private-address: 172.16.0.0/12
                      private-address: ::ffff:ac10:0/108
                      private-address: 169.254.0.0/16
                      private-address: ::ffff:a9fe:0/112
                      private-address: 192.168.0.0/16
                      private-address: ::ffff:c0a8:0/112
                      private-address: fd00::/8
                      private-address: fe80::/10
                      # Set private domains in case authoritative name server returns a Private IP address
                      
                      
                      
                      # Access lists
                      include: /var/unbound/access_lists.conf
                      
                      # Static host entries
                      include: /var/unbound/host_entries.conf
                      
                      # dhcp lease entries
                      include: /var/unbound/dhcpleases_entries.conf
                      
                      
                      
                      # Domain overrides
                      include: /var/unbound/domainoverrides.conf
                      # Forwarding
                      forward-zone:
                      	name: "."
                      	forward-tls-upstream: yes
                      	forward-addr: 1.1.1.1@853#cloudfare-dns.com
                      	forward-addr: 1.0.0.1@853#cloudfare-dns.com
                      
                      
                      # Unbound custom options
                      server:
                      private-domain:"plex.direct"
                      forward-zone:
                      name:"."
                      forward-ssl-upstream: yes
                      forward-addr: 1.1.1.1@853
                      forward-addr: 1.0.0.1@853
                      server:include: /var/unbound/pfb_dnsbl.*conf
                      
                      
                      ###
                      # Remote Control Config
                      ###
                      include: /var/unbound/remotecontrol.conf
                      

                      idem error file:

                      ##########################
                      # Unbound Configuration
                      ##########################
                      
                      ##
                      # Server configuration
                      ##
                      server:
                      
                      chroot: /var/unbound
                      username: "unbound"
                      directory: "/var/unbound"
                      pidfile: "/var/run/unbound.pid"
                      use-syslog: yes
                      port: 53
                      verbosity: 1
                      hide-identity: yes
                      hide-version: yes
                      harden-glue: yes
                      do-ip4: yes
                      do-ip6: yes
                      do-udp: yes
                      do-tcp: yes
                      do-daemonize: yes
                      module-config: "iterator"
                      unwanted-reply-threshold: 0
                      num-queries-per-thread: 4096
                      jostle-timeout: 200
                      infra-host-ttl: 900
                      infra-cache-numhosts: 10000
                      outgoing-num-tcp: 10
                      incoming-num-tcp: 10
                      edns-buffer-size: 512
                      cache-max-ttl: 86400
                      cache-min-ttl: 0
                      harden-dnssec-stripped: yes
                      msg-cache-size: 4m
                      rrset-cache-size: 8m
                      
                      num-threads: 4
                      msg-cache-slabs: 4
                      rrset-cache-slabs: 4
                      infra-cache-slabs: 4
                      key-cache-slabs: 4
                      outgoing-range: 4096
                      #so-rcvbuf: 4m
                      
                      prefetch: no
                      prefetch-key: no
                      use-caps-for-id: no
                      serve-expired: no
                      aggressive-nsec: no
                      # Statistics
                      # Unbound Statistics
                      statistics-interval: 0
                      extended-statistics: yes
                      statistics-cumulative: yes
                      
                      # TLS Configuration
                      tls-cert-bundle: "/etc/ssl/cert.pem"
                      tls-port: 853
                      tls-service-pem: "/var/unbound/sslcert.crt"
                      tls-service-key: "/var/unbound/sslcert.key"
                      
                      # Interface IP(s) to bind to
                      interface-automatic: no
                      interface: 0.0.0.0
                      interface: 0.0.0.0@853
                      interface: ::0
                      interface: ::0@853
                      
                      # Outgoing interfaces to be used
                      outgoing-interface: 178.116.127.35
                      
                      # DNS Rebinding
                      # For DNS Rebinding prevention
                      private-address: 127.0.0.0/8
                      private-address: 10.0.0.0/8
                      private-address: ::ffff:a00:0/104
                      private-address: 172.16.0.0/12
                      private-address: ::ffff:ac10:0/108
                      private-address: 169.254.0.0/16
                      private-address: ::ffff:a9fe:0/112
                      private-address: 192.168.0.0/16
                      private-address: ::ffff:c0a8:0/112
                      private-address: fd00::/8
                      private-address: fe80::/10
                      # Set private domains in case authoritative name server returns a Private IP address
                      
                      
                      
                      # Access lists
                      include: /var/unbound/access_lists.conf
                      
                      # Static host entries
                      include: /var/unbound/host_entries.conf
                      
                      # dhcp lease entries
                      include: /var/unbound/dhcpleases_entries.conf
                      
                      
                      
                      # Domain overrides
                      include: /var/unbound/domainoverrides.conf
                      # Forwarding
                      forward-zone:
                      	name: "."
                      	forward-tls-upstream: yes
                      	forward-addr: 1.1.1.1@853#cloudflare-dns.com
                      	forward-addr: 1.0.0.1@853#cloudflare-dns.com
                      	forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
                      	forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
                      
                      
                      # Unbound custom options
                      server:include: /var/unbound/pfb_dnsbl.*conf
                      server:
                      private-domain: "plex.direct"
                      
                      
                      ###
                      # Remote Control Config
                      ###
                      include: /var/unbound/remotecontrol.conf
                      
                      sometimes
                      forward-addr: 1.1.1.1@853#cloudfare-dns.com
                      with #cloudfare-dns.com at the end

                      and in the custom settings:
                      forward-addr: 1.1.1.1@853
                      without #cloudfare-dns.com.

                      can this help us to find the reason?

                        pietsnot56
                        Jan 23, 2023, 8:30 AM

                        Thanks everybody,
                        I found my error: a typo in the DNS name!
                        This case can be closed.

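The two mistakes this thread turns on are an `@853#authname` that does not match the resolver's certificate name (the final post's typo) and a second forward-zone for "." pasted into custom options without any `#authname` at all, so Unbound never verifies who it is talking to. The following linter is an added example, not pfSense or Unbound code: it parses the forward-zone stanzas of an unbound.conf, flags a duplicated root forward-zone, flags TLS forwarders with no auth name, and compares an unknown auth name against an assumed allowlist (`EXPECTED_AUTHNAMES`, which you would adjust to your own upstreams) to spot near-miss spellings. The sample config is constructed from the stanzas pasted above.

```python
import re
from difflib import SequenceMatcher

# Constructed sample modelled on the thread's pasted config: the GUI-generated
# block (with the misspelled authname) plus a second block from custom options.
SAMPLE_CONF = """\
server:
    tls-cert-bundle: "/etc/ssl/cert.pem"
# Forwarding
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudfare-dns.com
    forward-addr: 1.0.0.1@853#cloudfare-dns.com
# Unbound custom options
server:
private-domain:"plex.direct"
forward-zone:
name:"."
forward-ssl-upstream: yes
forward-addr: 1.1.1.1@853
forward-addr: 1.0.0.1@853
"""

# Assumed allowlist of names the upstream resolvers present in their certificates.
EXPECTED_AUTHNAMES = {"cloudflare-dns.com", "dns.quad9.net", "dns.google"}

# forward-addr syntax: IP, optional @port, optional #authname (the TLS auth name)
ADDR_RE = re.compile(r"^(?P<ip>[^@#\s]+)(?:@(?P<port>\d+))?(?:#(?P<auth>\S+))?$")
TOP_LEVEL = {"server", "remote-control", "stub-zone", "auth-zone", "view", "rpz"}


def parse_forward_zones(text):
    """Return one dict per forward-zone stanza, in file order."""
    zones, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank or comment line
            continue
        key, _, value = line.partition(":")     # 'name:"."' and 'name: "."' both parse
        key, value = key.strip(), value.strip().strip('"')
        if key == "forward-zone":
            current = {"name": None, "tls": False, "addrs": []}
            zones.append(current)
        elif key in TOP_LEVEL:                  # a new clause ends the stanza
            current = None
        elif current is None:
            continue
        elif key == "name":
            current["name"] = value
        elif key in ("forward-tls-upstream", "forward-ssl-upstream"):  # ssl is the old alias
            current["tls"] = value.lower() == "yes"
        elif key == "forward-addr":
            m = ADDR_RE.match(value)
            if m:
                current["addrs"].append((m["ip"], m["port"], m["auth"]))
    return zones


def lint(text):
    """Return human-readable findings; an empty list means the forwarders look sane."""
    zones = parse_forward_zones(text)
    findings = []
    roots = [z for z in zones if z["name"] == "."]
    if len(roots) > 1:
        findings.append(f"forward-zone for '.' declared {len(roots)} times; the stanzas conflict")
    for i, z in enumerate(zones, 1):
        tag = f"forward-zone #{i} ({z['name']})"
        if not z["tls"]:
            continue
        for ip, port, auth in z["addrs"]:
            if auth is None:
                findings.append(f"{tag}: {ip} has no #authname, the certificate is not verified")
            elif auth not in EXPECTED_AUTHNAMES:
                close = max(EXPECTED_AUTHNAMES, key=lambda n: SequenceMatcher(None, auth, n).ratio())
                hint = f" (did you mean {close}?)" if SequenceMatcher(None, auth, close).ratio() > 0.8 else ""
                findings.append(f"{tag}: {ip} authname {auth} is not a known resolver name{hint}")
    return findings
```

Run `lint(open("/var/unbound/unbound.conf").read())` on a pfSense box to check the generated file; on the sample it reports the duplicated root zone, the two unverified custom forwarders, and the `cloudfare` misspelling with the intended name as a hint.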
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.