
Topic: DNS over TLS for internal hosts HOWTO


PertFlavus
DNS over TLS for internal hosts HOWTO
« on: November 05, 2017, 07:07:21 pm »
Hey,

Below are some custom options I used to provide DNS over TLS to internal hosts. This is still new, very much not feature complete, and I do not recommend doing this. HOWEVER! It's fun, so if you want to play with it here you go. Normal DNS continues to function.

The only use I can see for this would be providing encrypted DNS lookups over an open wifi AP, assuming clients like Android support it. It seems like this is compatible with using ssl-upstream as well.

There may also be additional steps required in the future to authenticate the certificate, using spki or otherwise.

Code:
#since your pfsense will be doing the resolving over unencrypted connections, use what privacy is available..
qname-minimisation: yes

#This prevents us from binding to 853, so turning off
interface-automatic: no

#These are the default All interfaces. You may wish to customize the interface
interface: 0.0.0.0@853
interface: ::0@853

ssl-port: 853

#This is the default cert used by pfsense. In order for it to be present you must have the web configurator set up for https
ssl-service-pem: "/var/etc/cert.crt"
ssl-service-key: "/var/etc/cert.key"


To use this on a FreeBSD client, create the following file:
/etc/unbound/conf.d/dns-over-tls.conf
Code:
server:
        ssl-upstream: yes
        do-tcp: yes

forward-zone:
        name: "."
        forward-addr: 192.168.1.1@853 #pfsense server ip

More info on DNS over TLS here:
https://dnsprivacy.org/wiki/
« Last Edit: November 06, 2017, 01:57:42 am by PertFlavus »

PertFlavus
Re: DNS over TLS for internal hosts HOWTO
« Reply #1 on: November 14, 2017, 07:22:16 am »
It looks like on reboot the cert is not written to the disk fast enough for the DNS Resolver, so unbound fails to start.

Heads up on that.

juruteknik
Re: DNS over TLS for internal hosts HOWTO
« Reply #2 on: April 02, 2018, 12:37:42 am »
I've followed all this and the result of dig is still on port 53:

Code:
dig google.com

; <<>> DiG 9.11.2-P1 <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53396
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 9

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             29      IN      A       216.58.196.14

;; AUTHORITY SECTION:
google.com.             38383   IN      NS      ns2.google.com.
google.com.             38383   IN      NS      ns3.google.com.
google.com.             38383   IN      NS      ns1.google.com.
google.com.             38383   IN      NS      ns4.google.com.

;; ADDITIONAL SECTION:
ns2.google.com.         40481   IN      A       216.239.34.10
ns2.google.com.         239457  IN      AAAA    2001:4860:4802:34::a
ns3.google.com.         62066   IN      A       216.239.36.10
ns3.google.com.         241432  IN      AAAA    2001:4860:4802:36::a
ns4.google.com.         48518   IN      A       216.239.38.10
ns4.google.com.         239690  IN      AAAA    2001:4860:4802:38::a
ns1.google.com.         62057   IN      A       216.239.32.10
ns1.google.com.         240075  IN      AAAA    2001:4860:4802:32::a

;; Query time: 76 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Mon Apr 02 13:36:49 +08 2018
;; MSG SIZE  rcvd: 303

Any further explanation of how to make it use 853?

PertFlavus
Re: DNS over TLS for internal hosts HOWTO
« Reply #3 on: April 05, 2018, 11:02:58 pm »
Your DNS server should be listening on internal TCP port 853, but you'll need a client which can use it.

At the moment, that's probably Stubby.
https://getdnsapi.net/blog/dns-privacy-daemon-stubby/

I didn't mess with this beyond just lab testing. One pfSense box configured to forward to another, which is set up to accept DNS over TLS. This is definitely not a default for a normal PC to use for DNS. I would not recommend doing this until it's fully supported either, as if your cert isn't there when unbound starts, you won't have DNS resolution.
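For checking the listener from the first post, and for the dig question above (dig's output only shows what the client's configured resolver does on port 53), the following is an added example, not code from the original posts or from pfSense: a minimal RFC 7858 client that sends one query inside a TLS session to port 853 and parses the A records out of the response. The server address and name are assumed placeholders; certificate verification is off by default to match the post's self-signed pfSense cert, and should be turned on once that cert is trusted.

```python
# Added example (not the post's code): minimal RFC 7858 DNS-over-TLS client.
import socket
import ssl
import struct

def build_query(name, qtype=1, txid=0x1234):
    # Header: id, flags (RD set), QDCOUNT=1; then QNAME as length-prefixed labels.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")]
    return header + b"".join(labels) + b"\x00" + struct.pack("!HH", qtype, 1)

def skip_name(msg, pos):
    # Advance past a (possibly compressed) domain name; return the new offset.
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return pos + 2
        if length == 0:
            return pos + 1
        pos += 1 + length

def parse_a_records(msg, txid=0x1234):
    # Return the IPv4 addresses in the answer section of a DNS response.
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    pos = 12
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4   # also skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        pos = skip_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[pos:pos + 4]))
        pos += rdlen
    return addrs

def query_dot(server, name, port=853, verify=False):
    ctx = ssl.create_default_context()
    if not verify:   # the post's setup uses pfSense's self-signed GUI cert; pass True once trusted
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    q = build_query(name)
    with socket.create_connection((server, port), timeout=5) as raw, \
         ctx.wrap_socket(raw, server_hostname=server) as tls:
        tls.sendall(struct.pack("!H", len(q)) + q)   # 2-byte length prefix, as over TCP
        f = tls.makefile("rb")
        (rlen,) = struct.unpack("!H", f.read(2))
        return parse_a_records(f.read(rlen))
```

Run it as `query_dot("192.168.1.1", "example.com")` against the pfSense address from the post; a TLS handshake failure or timeout means the 853 listener is not up, while a parsed address confirms the TLS path works independently of the client's normal port 53 resolver.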

jimp (Administrator)
Re: DNS over TLS for internal hosts HOWTO
« Reply #4 on: April 06, 2018, 01:17:58 pm »
I added GUI controls for this to 2.4.4: https://redmine.pfsense.org/issues/8030
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

PertFlavus
Re: DNS over TLS for internal hosts HOWTO
« Reply #5 on: April 11, 2018, 10:18:57 am »
So far it works great, thanks jimp!

PertFlavus
Re: DNS over TLS for internal hosts HOWTO
« Reply #6 on: April 14, 2018, 12:35:03 pm »
A bit of news: it is confirmed that Android P will have built-in support for DNS over TLS and automatically use it by default.

https://android-developers.googleblog.com/2018/04/dns-over-tls-support-in-android-p.html
DNS over TLS support in Android P Developer Preview

jimp (Administrator)
Re: DNS over TLS for internal hosts HOWTO
« Reply #7 on: April 16, 2018, 07:48:21 am »
> A bit of news: it is confirmed that Android P will have built-in support for DNS over TLS and automatically use it by default.
>
> https://android-developers.googleblog.com/2018/04/dns-over-tls-support-in-android-p.html
> DNS over TLS support in Android P Developer Preview

Nice! Now if only Google's public DNS servers would support DNS over TLS.