
Topic: DNS over TLS forwarding howto


Offline PertFlavus

  • Jr. Member
  • Posts: 43
  • Karma: +0/-0
DNS over TLS forwarding howto
« on: October 26, 2017, 11:26:31 pm »
Hey all,

I was curious about dns over tls, so I figured I'd try it out.

To get it to work with pfsense using DNS Resolver I made the following changes:
1) disable forwarding mode
2) Add these custom options:
Code: [Select]
server:
  # send upstream queries over TLS instead of plain port 53
  ssl-upstream: yes
  # TLS needs TCP; this is already the default, stated here so it cannot be off
  do-tcp: yes
forward-zone:
  name: "."
  forward-addr: {ipv4address}@853
  forward-addr: {ipv6address}@853

You can find servers to try out here:
https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers

You can also roll your own as I did, which they also provide guides for.

If you have ideas of a better way to do this let me know! cheers!
« Last Edit: November 01, 2017, 01:51:27 pm by PertFlavus »
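What the Unbound forwarder in the post above is doing on the wire, as an added example that is not from the thread: a small DNS-over-TLS client in Python. It builds a wire-format query, frames it with the 2-byte length prefix DNS uses over TCP, sends it over TLS to port 853 and parses the answer. Two things the posted config does not give you are built in. It verifies the forwarder's certificate against a name you supply (the Unbound releases pfSense shipped at the time could encrypt the upstream channel with ssl-upstream but had no option to verify the forwarder's certificate; tls-cert-bundle and the @853#hostname forwarder syntax arrived in later 1.7.x releases), and it moves on to the next forwarder when one is unreachable. The forwarder addresses and certificate name in the block are placeholders, and the sample response bytes are constructed for offline testing.

```python
"""Minimal DNS-over-TLS (RFC 7858) client: what the Unbound box does when it
forwards to {address}@853.  Added example, not code from the thread."""
import socket
import ssl
import struct
from typing import List, Tuple

QTYPE_A, QTYPE_AAAA = 1, 28
DOT_PORT = 853


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0x1234) -> bytes:
    """Header (id, flags=RD, qdcount=1) followed by one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def frame_tcp(msg: bytes) -> bytes:
    """DNS over TCP, and therefore over TLS, prefixes every message with its 2-byte length."""
    return struct.pack("!H", len(msg)) + msg


def read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; returns (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(msg: bytes) -> dict:
    """Pull id, rcode, TC bit and the answer RRs out of a response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                           # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            value = socket.inet_ntop(socket.AF_INET, rdata)
        elif rtype == QTYPE_AAAA and rdlen == 16:
            value = socket.inet_ntop(socket.AF_INET6, rdata)
        else:
            value = rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"id": txid, "rcode": flags & 0x0F, "tc": bool(flags & 0x0200), "answers": answers}


def recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("forwarder closed the connection mid-message")
        buf += chunk
    return buf


def query_dot(name: str, forwarders: List[Tuple[str, str]], qtype: int = QTYPE_A,
              timeout: float = 5.0) -> dict:
    """Ask the forwarders in order over TLS on 853 and return the first parsed answer.
    Each forwarder is (ip, name_on_certificate).  The certificate is verified against
    the system CA store and that name, so a hijacked port 853 fails closed instead of
    silently serving answers.  An unreachable forwarder is skipped."""
    ctx = ssl.create_default_context()
    query = build_query(name, qtype)
    last_err = None
    for ip, auth_name in forwarders:
        try:
            with socket.create_connection((ip, DOT_PORT), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
                    tls.sendall(frame_tcp(query))
                    (length,) = struct.unpack("!H", recv_exact(tls, 2))
                    resp = parse_response(recv_exact(tls, length))
                    if resp["id"] != struct.unpack("!H", query[:2])[0]:
                        raise ValueError("transaction id mismatch")
                    return resp
        except (OSError, ValueError) as err:      # ssl.SSLError and timeouts are OSErrors
            last_err = err
    raise RuntimeError(f"no DoT forwarder answered: {last_err}")


# Constructed response for "www.example.com A" to exercise the parser offline:
# id=0x1234 flags=0x8180 qd=1 an=1, the question, then one A RR whose owner
# name is a compression pointer (0xC00C) back to the question name.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\x5d\xb8\xd8\x22"
)

if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE))
    # Placeholders (TEST-NET addresses, made-up certificate name): put your own
    # DoT resolver's IP and the hostname on its certificate here.
    forwarders = [("203.0.113.10", "dot.example.net"), ("198.51.100.10", "dot.example.net")]
    try:
        print(query_dot("forum.pfsense.org", forwarders))
    except RuntimeError as err:
        print(err)
```

The transaction-id check and the certificate verification are the two places this differs from "just encrypt it": the first catches a stray answer on a reused connection, the second is what makes the TLS hop authenticate the forwarder rather than merely hide the traffic from the ISP.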

Offline chrcoluk

  • Sr. Member
  • Posts: 387
  • Karma: +20/-50
Re: DNS over TLS forwarding howto
« Reply #1 on: October 27, 2017, 12:21:43 am »
this is still on my todo list for my network :) currently using dnscrypt but I expect doing it natively in unbound will be faster.

Thanks for your information. :)
pfSense 2.4
Qotom Q355G4 or Braswell N3150 with Jetway mini pcie 2x intel i350 lan - 4 gig Kingston 1333 C11 DDR3L
 - 60 gig kingston ssdnow ssd - ISP Sky UK

Offline johnpoz

  • Hero Member
  • Posts: 14441
  • Karma: +1337/-200
  • Not a pfSense employee, they cannot fire me...
Re: DNS over TLS forwarding howto
« Reply #2 on: October 27, 2017, 04:08:34 am »
So let me get this right... So you're concerned with your privacy, so you're going to forward all your dns queries to some random dns server on the public net because it was on a list in some wiki article?  But you're more secure because your isp can not see your queries?  Ok yeah see how that makes a lot of sense <rolleyes>

This might be a valid idea if every NS on the planet supported tls, and then you could actually resolve via tls.. Talk about extra overhead for something that is supposed to be QUICK! and small - that's why it's udp..

If you're worried about someone watching and logging all your dns queries - forwarding for sure is not what you should be doing, because you're just handing them every single thing you want to look up.. So why would you not just resolve? Like unbound does out of the box on pfsense.  Now the root servers would know when you look up something for a specific tld, but you wouldn't go ask them again for anything until you looked up something with a new tld, or the ttl expired for the gTLD servers that own that tld.. The gTLD servers for your TLD would know what you're looking for but like root they are run by multiple different orgs.. All over the planet.. And then they only get part of what you look for, just the stuff in a specific TLD.. And then only the first query for something in a domain, since once you have that cached you don't go ask them again for records that fall under that specific domain, etc.

Its nice of you to post how to do it.. But I just don't get why anyone would want to..
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.3.4_p1 (work)
1x SG-4860 2.4.2-RELEASE (home)

Offline V3lcr0

  • Full Member
  • Posts: 187
  • Karma: +7/-0
Re: DNS over TLS forwarding howto
« Reply #3 on: October 27, 2017, 10:34:30 am »
I too have privacy concerns and struggled with trusting OpenDNS vs using the resolver, and opted to use the resolver and have my DNS requests go thru my VPN only.

I went to Services -> DNS Resolver -> General Settings tab -> Outgoing Network Interfaces -> Selected only my VPN interface (vs WAN and VPN Interface).

Wouldn't this encrypt my DNS traffic? How is using DNScrypt or TLS any better?

Thanks for posting PertFlavus...good discussion!

Offline johnpoz

  • Hero Member
  • Posts: 14441
  • Karma: +1337/-200
  • Not a pfSense employee, they cannot fire me...
Re: DNS over TLS forwarding howto
« Reply #4 on: October 27, 2017, 10:54:30 am »
Sending your dns through your vpn would hide it from your ISP, it would prevent your isp from trying to do dns interception.  But once the query leaves your vpn endpoint it would be in the clear still.  Your vpn provider could be logging all the dns if they so desired..

When you use a vpn, you're trusting them not to be logging or looking at your traffic because..

dnscrypt just encrypts and validates that you're asking the forwarder you're linking to.. Still run into the problem that you are giving them all of your dns queries, and have to trust them that they are giving you good data, etc. All that does, just like the tls thing, is hide it from your isp.. And again could prevent dns interception that your isp would be doing.

I really do not get all this concern over dns leaks or god forbid my isp sees that I looked up www.domain.tld

So do you not have a smart phone - because shoot your provider and really anyone else with access using that phone knows exactly where you are 24/7

Do you not use CC?  They know exactly what and where and when you bought a box of condoms and what beer you like, etc.

Do you wear a mask when you go outside, since the cameras that are everywhere could be doing facial recognition on you.  Do you not use automatic tolling, because the toll company knows exactly when you pass every toll booth.. For that matter they can track you in your car as you drive around the city via your license plate and all the speed cameras

There is the impression of privacy, then there is the reality of it all..  I personally don't really give two shits that my ISP knows that I went to forum.pfsense.org etc..  But that is just me..  What I would be more worried about is that the place I get sent to for forum.pfsense.org is actually that - per the domain owners signing their records via dnssec and directly asking the listed authoritative NS..   Which brings up a valid point: pfsense.org should be using dnssec, which it is not.

Should prob bring that up to them.. Since they provide unbound using dnssec as their default deployment, it would be nice if their own domains were dnssec ;)  Same goes for netgate.com, which I see is also missing its AAAA glue.

Offline BBcan177

  • Hero Member
  • Posts: 2554
  • Karma: +797/-5
Re: DNS over TLS forwarding howto
« Reply #5 on: October 27, 2017, 11:35:12 am »
Can also add "qname-minimisation | -strict" to reduce what gets sent during the resolving process... Should probably be an option in the pfSense Unbound GUI...

https://www.unbound.net/documentation/unbound.conf.html
https://ripe72.ripe.net/archives/video/219/

Quote
       qname-minimisation: <yes or no>
              Send minimum  amount  of  information  to  upstream  servers  to
              enhance privacy.  Only sent minimum required labels of the QNAME
              and set QTYPE to NS when possible. Best  effort  approach;  full
              QNAME and original QTYPE will be sent when upstream replies with
              a RCODE other than NOERROR, except when receiving NXDOMAIN  from
              a DNSSEC signed zone. Default is off.

       qname-minimisation-strict: <yes or no>
              QNAME  minimisation  in strict mode. Do not fall-back to sending
              full QNAME to potentially broken nameservers. A lot  of  domains
              will  not be resolvable when this option in enabled. Only use if
              you know what you are doing.  This option only has  effect  when
              qname-minimisation is enabled. Default is off.
"Experience is something you don't get until just after you need it."

 | http://pfblockerng.com | Twitter @BBcan177  | #pfBlockerNG |
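A model of what the qname-minimisation option above changes, as an added example (not from the thread; the namespace in it is constructed, not real DNS data). It walks the delegation chain for a name twice, once the classic way and once sending only the labels needed for each step with QTYPE NS, and records which zone's servers got to see which names. It also models the "potentially broken nameserver" fallback the man page text describes: a toy zone that refuses minimised probes, resolved with and without the strict option.

```python
"""Toy model of what each upstream server sees with and without Unbound's
qname-minimisation (RFC 7816).  Added example; ZONE_CUTS and BROKEN_ZONES
are a constructed namespace, not real DNS data."""
from typing import Dict, List, Set, Tuple

NS, A = 2, 1
NOERROR, SERVFAIL, REFUSED = 0, 2, 5

# Delegations that exist in this toy internet (a real resolver learns these
# from referrals as it goes; here they are simply given).
ZONE_CUTS = {".", "org.", "pfsense.org.", "example.", "broken.example."}
# Zones whose authoritative server mishandles minimised probes: it answers
# REFUSED to NS queries for anything below its apex.
BROKEN_ZONES = {"broken.example."}

Query = Tuple[str, str, int]   # (zone asked, qname sent, qtype sent)


def _fqdn(name: str) -> str:
    return name.rstrip(".").lower() + "."


def closest_enclosing_zone(name: str) -> str:
    """The zone a resolver asks about `name`: the nearest zone cut strictly above it."""
    labels = _fqdn(name).rstrip(".").split(".")
    for i in range(1, len(labels) + 1):
        candidate = ".".join(labels[i:]) + "." if i < len(labels) else "."
        if candidate in ZONE_CUTS:
            return candidate
    return "."


def cuts_on_path(qname: str) -> List[str]:
    """Zone cuts from the root down to the zone that holds qname."""
    labels = _fqdn(qname).rstrip(".").split(".")
    path = ["."]
    for i in range(len(labels) - 1, -1, -1):
        candidate = ".".join(labels[i:]) + "."
        if candidate in ZONE_CUTS:
            path.append(candidate)
    return path


def toy_rcode(zone: str, qname: str, qtype: int) -> int:
    """RCODE the toy authoritative server for `zone` returns to a query."""
    if zone in BROKEN_ZONES and qtype == NS and qname != zone:
        return REFUSED
    return NOERROR


def iterate(qname: str, qtype: int, minimise: bool, strict: bool = False) -> Tuple[int, List[Query]]:
    """Resolve qname/qtype from an empty cache; return (final rcode, queries sent)."""
    qname = _fqdn(qname)
    if not minimise:
        # Classic iteration: root, TLD and every zone on the path see the full name and type.
        return NOERROR, [(zone, qname, qtype) for zone in cuts_on_path(qname)]
    labels = qname.rstrip(".").split(".")
    sent: List[Query] = []
    for i in range(len(labels) - 1, -1, -1):
        prefix = ".".join(labels[i:]) + "."
        zone = closest_enclosing_zone(prefix)
        probe_type = qtype if prefix == qname else NS   # NS until the final name
        sent.append((zone, prefix, probe_type))
        if toy_rcode(zone, prefix, probe_type) == NOERROR:
            continue
        if strict:
            return SERVFAIL, sent             # qname-minimisation-strict: no fallback
        sent.append((zone, qname, qtype))     # best effort: retry with full QNAME and QTYPE
        return NOERROR, sent
    return NOERROR, sent


def seen_by(queries: List[Query]) -> Dict[str, Set[str]]:
    """Which names each zone's operator got to see during the resolution."""
    out: Dict[str, Set[str]] = {}
    for zone, name, _ in queries:
        out.setdefault(zone, set()).add(name)
    return out


if __name__ == "__main__":
    for minimise in (False, True):
        rc, qs = iterate("www.forum.pfsense.org", A, minimise)
        print(f"minimise={minimise} rcode={rc}")
        for q in qs:
            print("   ", q)
    print("broken zone, best effort:", iterate("a.b.broken.example", A, True, strict=False))
    print("broken zone, strict:     ", iterate("a.b.broken.example", A, True, strict=True))
```

Without minimisation the root and the org servers both receive the full name and type; with it the root sees only "org." and the org servers only "pfsense.org.", which is the privacy gain. The broken-zone run shows the cost of the strict option: the best-effort mode recovers by resending the full name to the same server, the strict mode returns SERVFAIL, which is the man page's "a lot of domains will not be resolvable".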

Offline PertFlavus

  • Jr. Member
  • Posts: 43
  • Karma: +0/-0
Re: DNS over TLS forwarding howto
« Reply #6 on: October 27, 2017, 05:29:32 pm »
Quote from: johnpoz on October 27, 2017, 10:54:30 am (Reply #4 above)

To be clear, I did it because I could. It was fun. I also was able to host my own dns server, which wouldn't normally be possible, as it uses a different port/tcp. My VPS provider isn't as incentivised to scrape my traffic for ad revenue like google or my ISP are. Encrypting DNS by itself does nothing to keep your internet use private though, because https sends the hostname in plain text in the SNI extension. That might change with TLS 1.3.

Baby steps John, baby steps. Google's going to get their info one way or another anyhow. (And probably through DNS over TLS! https://www.xda-developers.com/android-dns-over-tls-website-privacy/ ) *glares at Android phone*

I've considered just sending my internet connection through my VPS using OpenVPN but I don't think its performance is up to snuff. I also turned off dns over tls for now because of the above points. I just figured I'd share how to do it to show it's possible, and without an FR for support.
« Last Edit: October 27, 2017, 06:02:10 pm by PertFlavus »

Offline johnpoz

  • Hero Member
  • Posts: 14441
  • Karma: +1337/-200
  • Not a pfSense employee, they cannot fire me...
Re: DNS over TLS forwarding howto
« Reply #7 on: October 28, 2017, 03:27:11 am »
I see this use case scenario as prob not all that bad..

I run a vps somewhere.  On this vps out in the cloud I run a resolver..  I use dns over tls to talk to this resolver via forwarding from my location..

This hides your dns traffic from your isp.. This also hides your IP from the roots, and the authoritative servers even.

This allows you to use a resolver that you trust - you're freaking running it ;)  Hides your dns traffic from your isp..  And prevents any so called dns leaks...

Offline PertFlavus

  • Jr. Member
  • Posts: 43
  • Karma: +0/-0
Re: DNS over TLS forwarding howto
« Reply #8 on: October 28, 2017, 04:06:55 am »
It's not bad so far, but you'll need more than one. Linode has $5 nodes, so if you get two in different data centers you're good to go.

Latency on lookup is noticeable. Quarter secondish.  My servers don't support tcp fast open and they're uncached queries, so I couldn't tell you which is causing the delay.

I can post my unbound server configs if you want to give it a try.

@BBcan177
qname-minimization appears to work fine, so I've updated the config. Thank you. =)
« Last Edit: October 28, 2017, 04:12:02 am by PertFlavus »

Offline johnpoz

  • Hero Member
  • Posts: 14441
  • Karma: +1337/-200
  • Not a pfSense employee, they cannot fire me...
Re: DNS over TLS forwarding howto
« Reply #9 on: October 28, 2017, 04:22:30 am »
"I can post my unbound server configs if you want to give it a try."

Thanks.. But have no real desire to try this at all.. Like I said I don't really care that my isp or roots can see that I go to forum.pfsense.org ;)

Its nice of you to share your info with the shinyhats out there.. But to me this is just a waste of time.. You mean it slows down my dns.. Well sure sign me up! ;) lets give that a run hehehehehe

But why do you need two vps nodes?  As long as the node is up, you sure don't need 2 of them.

Now what bcan posted about qname-minimisation, this is a good way to help out the shinyhat wearers and not add complexity and layers and latency to your dns I would think..  I might play with that a bit to see if I have any issues resolving stuff I go to..

Offline PertFlavus

  • Jr. Member
  • Posts: 43
  • Karma: +0/-0
Re: DNS over TLS forwarding howto
« Reply #10 on: October 28, 2017, 05:04:04 am »
Quote from: johnpoz on October 28, 2017, 04:22:30 am
Why do you need two vps nodes?  As long as the node is up, you sure don't need 2 of them.

Because, at some point, it won't be, and there's not a damned thing you can do about that. It's another con to the waste of time.

In the above config your internet will totally stop working if the dns server you forward to is inaccessible because, say, your vps provider gets ddos'd ;)


Offline johnpoz

  • Hero Member
  • Posts: 14441
  • Karma: +1337/-200
  • Not a pfSense employee, they cannot fire me...
Re: DNS over TLS forwarding howto
« Reply #11 on: October 28, 2017, 05:18:55 am »
My internet could also go down, I could lose power.. There could be a zombie Apocalypse as well ;)

As to the damn thing I could do about it, sure, if that vps goes down I just resolve normally... No reason to pay for an extra vps because I would be worried that my vps provider gets hit with a ddos ;) hehehe

I use 3 different hosts for vpses - none of them have gone down because of ddos ;) that I can recall.  They have had maint, sure..  But to be honest pretty freaking impressed with the uptime.. Especially the main one I use where I have 4 different vps in 3 different data centers, etc.

But sure yes failover planning and redundancy is part of any system that needs to be taken into account sure.

Offline chrcoluk

  • Sr. Member
  • Posts: 387
  • Karma: +20/-50
Re: DNS over TLS forwarding howto
« Reply #12 on: October 28, 2017, 10:48:03 pm »
John personally I run my own dnscrypt endpoint, and I would do the same if I switched to unbound TLS.

In some parts of the world (UK especially) ISPs actually intercept and filter DNS queries (yes this would also catch queries using pfsense as the resolver as it's outbound port 53 to query authoritative servers) so there is net value to carrying out DNS privacy.  So I think in that case even using a 3rd party server would be worthwhile.

Offline johnpoz

  • Hero Member
  • Posts: 14441
  • Karma: +1337/-200
  • Not a pfSense employee, they cannot fire me...
Re: DNS over TLS forwarding howto
« Reply #13 on: October 29, 2017, 03:39:05 am »
If your isp is doing dns interception and doing any sort of injection or filtering to stop you from looking up something then by all means this makes sense..  Be it dnscrypt/tls tunnel - vpn, etc.  To get your data past such a network.

My guess is they are attempting to block p2p sites, etc.  But doesn't matter what they are blocking - blocking whatever it is, to me, is in violation of what they are supposed to be doing, which is just providing you a net connection.  If you want to look up p0rn, p2p, whatever - and it's out there.. They shouldn't be messing with your ability to look up the IP, that is for sure.

But if all they are doing is logging it.. Then I don't give 2 shits..  If they want to sell it to someone that I seem to like xyz I really don't care.   But they better not mess with what is to be returned from the authoritative server.. If they were doing such a thing I would be on a different isp..

Offline PertFlavus

  • Jr. Member
  • Posts: 43
  • Karma: +0/-0
Re: DNS over TLS forwarding howto
« Reply #14 on: October 29, 2017, 10:56:10 am »
Quote from: chrcoluk on October 28, 2017, 10:48:03 pm
John personally I run my own dnscrypt endpoint, and I would do the same if I switched to unbound TLS.

In some parts of the world (UK especially) ISPs actually intercept and filter DNS queries (yes this would also catch queries using pfsense as the resolver as it's outbound port 53 to query authoritative servers) so there is net value to carrying out DNS privacy.  So I think in that case even using a 3rd party server would be worthwhile.

Damn.. that's terrible.. but why do they stop at dns when they could also filter http/https? I don't suppose you know a good source that describes this? I'd be interested in learning about it. I'm really hoping tls 1.3 includes a way to encrypt sni.
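PertFlavus's point that HTTPS still hands the hostname to anyone on path, as an added example that is not from the thread: the block drives a real OpenSSL client handshake into memory buffers with Python's ssl module, captures the exact ClientHello bytes that would go out on the wire, and pulls the server_name extension out of them the way an ISP's DPI box can. No network connection is made, and the hostname is only an example value.

```python
"""Show the plaintext server_name (SNI) an on-path observer can read out of a
TLS ClientHello.  Added example; the hostname passed in is just a sample."""
import ssl
import struct
from typing import Optional

HANDSHAKE, CLIENT_HELLO, EXT_SERVER_NAME = 22, 1, 0


def capture_client_hello(server_name: str) -> bytes:
    """Run a real OpenSSL client handshake against memory BIOs instead of a
    socket and return the ClientHello record exactly as it would hit the wire."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    client = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        client.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the ClientHello is written out, the client now waits for the server
    return outgoing.read()


def extract_sni(record: bytes) -> Optional[str]:
    """Walk the unencrypted ClientHello and return the host_name entry of the
    server_name extension, or None if there is none."""
    if len(record) < 5:
        return None
    ctype, _version, length = struct.unpack("!BHH", record[:5])
    body = record[5:5 + length]
    if ctype != HANDSHAKE or not body or body[0] != CLIENT_HELLO:
        return None
    off = 4 + 2 + 32                                          # handshake header, legacy_version, random
    off += 1 + body[off]                                      # session_id
    off += 2 + struct.unpack("!H", body[off:off + 2])[0]      # cipher_suites
    off += 1 + body[off]                                      # compression_methods
    if off + 2 > len(body):
        return None                                           # no extensions at all
    ext_end = off + 2 + struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    while off + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", body[off:off + 4])
        off += 4
        if etype == EXT_SERVER_NAME:
            p, end = off + 2, off + elen                      # skip ServerNameList length
            while p + 3 <= end:
                ntype, nlen = body[p], struct.unpack("!H", body[p + 1:p + 3])[0]
                p += 3
                if ntype == 0:                                # host_name
                    return body[p:p + nlen].decode("ascii")
                p += nlen
        off += elen
    return None


if __name__ == "__main__":
    hello = capture_client_hello("forum.pfsense.org")
    print(f"ClientHello is {len(hello)} bytes; SNI visible in the clear: {extract_sni(hello)!r}")
```

TLS 1.3 (RFC 8446) did not end up encrypting SNI: the ClientHello, extensions included, still goes out in the clear, and hiding the name is the job of the separate Encrypted Client Hello work. So the extractor above returns the name whichever TLS version the client would go on to negotiate, and encrypted DNS on its own only removes one of the two places the hostname shows up.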