Wiki

User Tools

Site Tools

Trace: two-pass
pfsense:unbound:secure_dns_over_tls

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision		Previous revision
pfsense:unbound:secure_dns_over_tls [2020/05/13 18:46] – created peterpfsense:unbound:secure_dns_over_tls [2020/05/13 19:04] (current) – removed peter
Line 1: Line 1:
-====== PFSense - Unbound - Secure DNS over TLS ====== 
- 
-Secure DNS required TLS with certificate domain validation. 
- 
-Without TLS certificate domain validation your DNS can still be intercepted, monitored, or manipulated by a man-in-the-middle attacker with nothing more than a self-signed certificate. 
- 
-Here is how you set it up more securely. 
- 
-Here is a minimal example configuration for Unbound, /etc/unbound/unbound.conf, that uses both Quad9 and Cloudflare Resolver as the forwarding resolvers and validates their TLS certificates against the expected domain names for each service: 
- 
-<code> 
-server: 
-  tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem 
- 
-forward-zone: 
-  name: "." 
-  forward-tls-upstream: yes 
-  # Quad9. 
-  forward-addr: 2620:fe::fe@853#dns.quad9.net 
-  forward-addr: 9.9.9.9@853#dns.quad9.net 
-  forward-addr: 2620:fe::9@853#dns.quad9.net 
-  forward-addr: 149.112.112.112@853#dns.quad9.net 
-  # Cloudflare DNS. 
-  forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com 
-  forward-addr: 1.1.1.1@853#cloudflare-dns.com 
-  forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com 
-  forward-addr: 1.0.0.1@853#cloudflare-dns.com 
-</code> 
- 
-<WRAP alert> 
-**IMPORTANT:**  The names after the **#** signs are NOT comments.  They are really important. 
-</WRAP> 
- 
- 
- 
-The **tls-cert-bundle** option points to the local system’s root certificate authority bundle; including all the trusted root certificates of the operating system.  You’ll get this bundle by installing the **ca-certificates** package in most Linux distributions. 
- 
-The default location of the root certificate bundle is **/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem** on Fedora, and **/etc/ssl/certs/ca-certificates.crt** on Debian/Ubuntu.  Refer to the documentation of your distribution if you can’t locate their root certificate bundle. 
- 
-If you haven’t setup the tls-cert-bundle option correctly, you may end up with certificate validation errors (below) and Unbound refusing to connect to the remove resolver: 
- 
-<code> 
-notice: ssl handshake failed 9.9.9.9 port 853 
-error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed 
-</code> 
- 
  
pfsense/unbound/secure_dns_over_tls.1589395582.txt.gz · Last modified: 2020/07/15 09:30 (external edit)
Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki