
Topic: DNS over TLS for internal hosts HOWTO


PertFlavus
DNS over TLS for internal hosts HOWTO
« on: November 05, 2017, 07:07:21 pm »
Hey,

Below are some custom options I used to provide DNS over TLS to internal hosts. This is still new, very much not feature complete, and I do not recommend doing this. HOWEVER! It's fun, so if you want to play with it here you go. Normal DNS continues to function.

The only use I can see for this would be providing encrypted DNS lookups over an open Wi-Fi AP, assuming clients like Android support it. It seems like this is compatible with using ssl-upstream as well.

There may also be additional steps required in the future to authenticate the certificate, using SPKI or otherwise.

Code:
# pfSense itself still resolves upstream over plain UDP/TCP, so use what privacy is available there
qname-minimisation: yes

# interface-automatic prevents binding to port 853, so turn it off
interface-automatic: no

# The defaults (all interfaces). Restrict these to the LAN address if you prefer
interface: 0.0.0.0@853
interface: ::0@853

ssl-port: 853

# The default certificate pfSense writes for the web configurator. It is only present
# when the webConfigurator is set to HTTPS
ssl-service-pem: "/var/etc/cert.crt"
ssl-service-key: "/var/etc/cert.key"


To use this on a FreeBSD client, create the following file:
/etc/unbound/conf.d/dns-over-tls.conf
Code:
server:
        ssl-upstream: yes
        do-tcp: yes

# forward-zone is its own top-level clause, not a server: option
forward-zone:
        name: "."
        forward-addr: 192.168.1.1@853   # pfSense server IP

More info on DNS over TLS here:
https://dnsprivacy.org/wiki/
« Last Edit: November 06, 2017, 01:57:42 am by PertFlavus »
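The wire-level exchange the two configs above set up, as an added example that is not part of the original post or of pfSense/Unbound: a minimal DNS-over-TLS client in Python that shows the only thing RFC 7858 changes relative to plain DNS, namely that each DNS message travels inside a TLS session with a two-byte length prefix, exactly like DNS over TCP. The resolver address, port and the `cafile` argument are placeholders for your own setup; the response parsed in the test is constructed, not captured.

```python
"""Minimal DNS-over-TLS (RFC 7858) client. Added example, not code from the
forum post. Assumes a resolver such as the pfSense Unbound above on port 853;
server address and cafile are placeholders to be replaced by the reader."""
import socket
import ssl
import struct


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build an RFC 1035 query message (RD set, one question, class IN)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(part)]) + part.encode("ascii")
        for part in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)


def frame(message: bytes) -> bytes:
    """Prefix a DNS message with its 2-byte big-endian length (RFC 7858 3.3)."""
    return struct.pack(">H", len(message)) + message


def _read_name(data: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    parts, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer into the message
            pointer = struct.unpack(">H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        offset += 1
        parts.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(parts), end


def parse_a_records(message: bytes, expected_txid: int):
    """Return the IPv4 addresses in the answer section; raise on a bad reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", message[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0x000F}")
    offset = 12
    for _ in range(qd):
        _, offset = _read_name(message, offset)
        offset += 4  # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, offset = _read_name(message, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", message[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(message[offset:offset + 4]))
        offset += rdlen
    return addrs


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def query_dot(qname: str, server: str, port: int = 853, cafile=None, timeout=5.0):
    """Send one A query over TLS and return the addresses.

    cafile is the CA (or the self-signed pfSense certificate itself) to trust.
    Without it the system trust store is used, so a self-signed resolver cert
    is rejected; that is the correct default, and the cert also needs the
    server address as a SAN for the hostname check to pass."""
    ctx = ssl.create_default_context(cafile=cafile)
    txid = 0x4242
    with socket.create_connection((server, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server) as tls:
            tls.sendall(frame(build_query(qname, txid=txid)))
            (length,) = struct.unpack(">H", _recv_exact(tls, 2))
            return parse_a_records(_recv_exact(tls, length), txid)


if __name__ == "__main__":
    # Placeholder address: the pfSense LAN IP from the post.
    print(query_dot("example.com", "192.168.1.1", cafile="/path/to/pfsense-cert.pem"))
```

To check the listener without any code, `openssl s_client -connect 192.168.1.1:853` should show the pfSense web configurator certificate, and `kdig @192.168.1.1 +tls example.com` (from Knot DNS) performs the same query this client does.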

PertFlavus
Re: DNS over TLS for internal hosts HOWTO
« Reply #1 on: November 14, 2017, 07:22:16 am »
It looks like on reboot the cert is not written to the disk fast enough for the DNS Resolver, so unbound fails to start.

Heads up on that.