pfsense:unbound:secure_dns_over_tls
Differences
pfsense:unbound:secure_dns_over_tls [2020/05/13 18:55] – peter | pfsense:unbound:secure_dns_over_tls [2020/05/13 19:04] (current) – removed peter | ||
Line 1: | Line 1: | ||
- | ====== PFSense - Unbound - Secure DNS over TLS ====== | ||
- | |||
- | Secure DNS required TLS with certificate domain validation. | ||
- | |||
- | Without TLS certificate domain validation your DNS can still be intercepted, | ||
- | |||
- | Here is how you set it up more securely. | ||
- | |||
- | Here is a minimal example configuration for Unbound, / | ||
- | |||
- | < | ||
- | server: | ||
- | tls-cert-bundle: | ||
- | |||
- | forward-zone: | ||
- | name: " | ||
- | forward-tls-upstream: | ||
- | # Quad9. | ||
- | forward-addr: | ||
- | forward-addr: | ||
- | forward-addr: | ||
- | forward-addr: | ||
- | # Cloudflare DNS. | ||
- | forward-addr: | ||
- | forward-addr: | ||
- | forward-addr: | ||
- | forward-addr: | ||
- | </ | ||
- | |||
- | <WRAP alert> | ||
- | **IMPORTANT: | ||
- | |||
- | The domain names to validate the certificates against may appear as comments behind the forward-addr configuration lines at first glance. | ||
- | |||
- | The syntax for forward-addr is IP address of the resolver an @ sign and then the resolver’s port number followed by a # sign and then the expected TLS domain name to validate the certificate the resolver will present. | ||
- | |||
- | It’s important that you get these domain names right or otherwise you’ll end up with the same error messages as shown above. | ||
- | |||
- | Unfortunately, | ||
- | </ | ||
- | |||
- | |||
- | |||
- | <WRAP info> | ||
- | **NOTE:** The **tls-cert-bundle** option points to the local system’s root certificate authority bundle; including all the trusted root certificates of the operating system. | ||
- | |||
- | The default location of the root certificate bundle is **/ | ||
- | |||
- | If you haven’t setup the tls-cert-bundle option correctly, you may end up with certificate validation errors (below) and Unbound refusing to connect to the remove resolver: | ||
- | |||
- | < | ||
- | notice: ssl handshake failed 9.9.9.9 port 853 | ||
- | error: ssl handshake failed crypto error: | ||
- | </ | ||
- | |||
- | </ | ||
- | |||
- | |||
- | <WRAP info> | ||
- | **NOTE: | ||
- | |||
- | This ensures you’re not sending all your DNS traffic to one provider; making it more difficult for any one provider to build a complete profile on your online activities and behavior. | ||
- | |||
- | You can configure as many DNS forwarders as you want with Unbound and it will spread your forwarding requests out among each of them automatically. | ||
- | |||
- | </ | ||
- | |||
- | ---- | ||
- | |||
- | ===== Check Logs ===== | ||
- | |||
- | You should keep an eye on your logs and watch out for any certificate errors. | ||
- | |||
- | It may be an indication that someone is trying to intercept, monitor, or modify your DNS requests. | ||
- | |||
- | You can add an additional layer of protection against this by enabling DNSSEC validation. | ||
- | |||
- | Both IPv4 and IPv6 addresses in the above configuration example. | ||
- | |||
- | Unbound will figure out which protocol is available and which is faster on its own. | ||
- | |||
- | You can get better reliability from your DNS server by configuring more routes and more options to cover for outages or routing disruptions. | ||
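Review bot: this revision deletes the whole page (right-hand side is empty, header says "removed") with no note on where the guidance went; the removed text carried two details worth keeping somewhere, the `forward-addr` syntax "IP address of the resolver an @ sign and then the resolver's port number followed by a # sign and then the expected TLS domain name" and the `tls-cert-bundle` pitfall with its `notice: ssl handshake failed 9.9.9.9 port 853` / `error: ssl handshake failed crypto error:` log lines, so either leave a stub pointing at the replacement page or fold those two items into the page that supersedes this one. Note also that in this diff view the `tls-cert-bundle:`, `name:` and `forward-addr:` values are not shown, so a reader cannot confirm from the record that each upstream had its `#` TLS name set, which is exactly the check the removed WRAP alert block told readers to make.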
pfsense/unbound/secure_dns_over_tls.1589396144.txt.gz · Last modified: 2020/07/15 09:30 (external edit)