DNSSEC, DoT and DNSBL on OPNSense

Miha Kralj: Software Engineering Nerd
Published in The Startup
5 min read · Apr 7, 2020


You think that your home internet is up to date with modern networking standards? Go to internet.nl (sponsored by Dutch Internet Standards) and run their connectivity test.

The Dutch test runs two checks that everyone should pass in 2020: IPv6 connectivity and the use of secure, tamper-proof DNS. My bet is that you will fail both. If you passed one, you are in a tiny minority. If you passed both, you have my deepest admiration — I needed almost 4 weeks of network tinkering to finally pass that bar and get a 100% score.

Below is a guide that will help you fix one of the two problems above: it will help you set up a modern DNS service on an OPNSense router.

DNSSEC, DoT and DNSBL with Unbound

The DNS standard was designed when the internet was still a cuddly, trusted, happy network and nobody anticipated the weaponized attack vectors of today. DNSSEC is a security extension that protects your network from believing forged or false DNS records — an attack also known as DNS cache poisoning. DNSSEC assures the integrity and authenticity of the records returned for your queries.

The DNS standard also doesn’t encrypt queries or responses, so anyone on the path can collect information on which domains you visit and how often. Nobody needed to hide that 30 years ago. DNS over TLS (DoT) is a security protocol for DNS that encrypts queries and responses between your resolver and its upstream DNS service, just as HTTPS does for browsing.

You don’t want to resolve every DNS query — especially queries for ads, spam, malicious sites and other garbage out on the internet. A DNS blackhole list (DNSBL) prevents the resolution of unwanted domains, so less trash enters your home network. DNSBLs are mostly used today to block domains that serve ads, but they were originally designed to block spam, phishing and other active threats.

The OPNSense firewall uses Unbound DNS by NLnet Labs as its standard DNS service, installed and enabled by default.

Unbound DNS is a full DNS resolver that can talk directly to the DNS root servers on the internet. Compared to the typical DNS forwarders found in consumer routers, Unbound is a validating, recursive, caching resolver.

You can find Unbound DNS under Services — Unbound DNS in the OPNSense GUI.

Turning DNSSEC on is trivially simple with Unbound DNS:

  • Enable Unbound DNS (if it is not already enabled by default)
  • Enable DNSSEC on the General settings page:

Enabling DNS over TLS is a bit more complex, because the OPNSense GUI doesn’t have the DoT feature integrated into the interface yet. But the underlying Unbound DNS service that runs on OPNSense does have DoT built in, so all we need to do is supply unbound.conf with the right DoT parameters.

DNS over TLS typically uses port 853 and is not offered by every DNS service out there. I personally like the Quad9 and Cloudflare DNS services, but if you have your own preferred DNS provider (for example Google’s DoT service), you should be able to adapt the settings below easily.

This is what my Custom options look like:

server:
forward-zone:
    name: "."
    forward-ssl-upstream: yes
    forward-addr: 9.9.9.9@853              # Quad9 IPv4
    forward-addr: 149.112.112.112@853      # Quad9 IPv4
    forward-addr: 2620:fe::fe@853          # Quad9 IPv6
    forward-addr: 1.1.1.1@853              # Cloudflare IPv4
    forward-addr: 1.0.0.1@853              # Cloudflare IPv4
    forward-addr: 2606:4700:4700::1111@853 # Cloudflare IPv6
    forward-addr: 2606:4700:4700::1001@853 # Cloudflare IPv6

This is how the Custom options field looks in the OPNSense GUI:
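To show what DoT actually does on the wire, here is a small DNS-over-TLS client, added as an example; it is not code from the original post, from Unbound or from OPNSense. It builds a DNS query by hand, frames it with the two-byte length prefix that DoT shares with DNS over TCP (RFC 7858), sends it to Quad9 on port 853 inside a TLS session that verifies the server certificate against the hostname dns.quad9.net, and parses the answer, including the DNSSEC "AD" (authenticated data) flag a validating upstream sets. The server address, the hostname and the example.com lookup are my choices, not from the article. One caveat on the Custom options above: Unbound only verifies the forwarder's certificate if you append its TLS hostname after a # on the forward-addr line (for example 9.9.9.9@853#dns.quad9.net) and set tls-cert-bundle in the server: section; without those, the channel is encrypted but the upstream is not authenticated.

```python
"""Minimal DNS-over-TLS (RFC 7858) lookup with a hand-rolled wire format.
Added example, not code from the original post or from Unbound/OPNSense."""
import socket
import ssl
import struct

A_RECORD = 1
IN_CLASS = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as length-prefixed labels plus the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = A_RECORD, txid: int = 0x1234) -> bytes:
    """Standard query header (RD=1, one question) followed by the question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, IN_CLASS)


def frame(msg: bytes) -> bytes:
    """DoT reuses DNS-over-TCP framing: a two-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(msg: bytes, expect_id: int = 0x1234):
    """Return (rcode, ad_flag, [A addresses]); ad_flag is the DNSSEC
    'authenticated data' bit that a validating resolver sets."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expect_id:
        raise ValueError("transaction ID mismatch")
    rcode, ad = flags & 0x0F, bool(flags & 0x0020)
    off = 12
    for _ in range(qd):                           # skip the echoed question
        _, off = read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == A_RECORD and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return rcode, ad, addrs


def recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes from a stream socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("upstream closed the TLS stream early")
        buf += chunk
    return buf


def resolve_over_tls(name: str, server_ip: str, server_name: str, port: int = 853):
    """One A lookup over TLS. create_default_context() verifies the server
    certificate against the system trust store and checks server_name
    against it, the equivalent of Unbound's '#hostname' suffix."""
    ctx = ssl.create_default_context()
    with socket.create_connection((server_ip, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(frame(build_query(name)))
            length = struct.unpack("!H", recv_exact(tls, 2))[0]
            return parse_response(recv_exact(tls, length))


if __name__ == "__main__":
    # Quad9's DoT endpoint; dns.quad9.net is the name on its certificate (my assumption, not from the post).
    print(resolve_over_tls("example.com", "9.9.9.9", "dns.quad9.net"))
```

Run it from a host with internet access and you get a tuple of (rcode, ad, addresses); rcode 0 with ad True means the upstream validated the answer with DNSSEC. Swapping server_name for a name that is not on the certificate makes the TLS handshake fail, which is exactly the protection the forward-addr hostname suffix buys you in Unbound.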

To enable DNSBL on OPNSense, we need a plugin that extends Unbound DNS with the DNSBL feature. The plugin is called os-unbound-plus-devel and is available (as the name suggests) only on the development release type of OPNSense.

If you are not on the development release yet, switch to it first under System — Firmware — Settings:

Then refresh the list of plugins and install os-unbound-plus-devel:

With this plugin installed, a new entry, “Blacklist”, appears under the Unbound DNS branch. All you need to do is enable it and decide which source to use for the domain blacklist.

I personally don’t use any of the built-in ones — I use the ultimate list from the energized.pro collection:

https://block.energized.pro/ultimate/formats/domains.txt
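The Blacklist plugin turns a list like this into Unbound local-zone entries, which is how Unbound blackholes a domain. Here is an added example of that conversion (my code, not the plugin's and not from the energized.pro project): it accepts plain one-domain-per-line input and hosts-file style lines, drops comments and malformed names, deduplicates, removes subdomains already covered by a blocked parent (an always_nxdomain zone covers its whole subtree), honours an allowlist, and can answer whether a given query name would be blackholed. The sample list is constructed.

```python
"""Convert a DNSBL domain list into Unbound local-zone stanzas.
Added example; not the os-unbound-plus-devel plugin's own code."""
import re
from typing import Iterable, List

# one DNS label: 1-63 chars of letters, digits or hyphen, not starting or ending with a hyphen
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
HOSTS_SINKS = {"0.0.0.0", "127.0.0.1", "::", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# constructed sample in the plain domains.txt format, with a few odd lines mixed in
SAMPLE = """\
# constructed sample list
ads.example
tracker.example
sub.ads.example
0.0.0.0 telemetry.example   # hosts-file style line
bad_label.example
localhost
Ads.Example.
"""


def normalize(entry: str):
    """Return a lowercase name without trailing dot for one list line, or None to skip it."""
    line = entry.split("#", 1)[0].strip()        # strip comments and whitespace
    if not line:
        return None
    parts = line.split()
    if len(parts) >= 2 and parts[0] in HOSTS_SINKS:
        line = parts[1]                          # "0.0.0.0 name" -> name
    elif len(parts) != 1:
        return None
    name = line.lower().rstrip(".")
    if name in LOCAL_NAMES:
        return None
    labels = name.split(".")
    if len(labels) < 2 or not all(LABEL.match(label) for label in labels):
        return None
    return name


def parent_blocked(name: str, blocked: set) -> bool:
    """True if any proper parent domain of name is already in blocked."""
    labels = name.split(".")
    return any(".".join(labels[i:]) in blocked for i in range(1, len(labels)))


def compact(names: Iterable[str]) -> List[str]:
    """Deduplicate and drop names whose parent is blocked; parents are
    visited first because the set is ordered by label count."""
    blocked: set = set()
    for name in sorted(set(names), key=lambda n: n.count(".")):
        if not parent_blocked(name, blocked):
            blocked.add(name)
    return sorted(blocked)


def blocked_names(text: str, allow: Iterable[str] = ()) -> List[str]:
    """Parse a list file into the final, allowlist-filtered set of zones."""
    allow = {a.lower().rstrip(".") for a in allow}
    names = (normalize(line) for line in text.splitlines())
    return [n for n in compact(n for n in names if n) if n not in allow]


def to_unbound(blocked: Iterable[str]) -> str:
    """Emit one always_nxdomain zone per name: Unbound answers NXDOMAIN for
    the zone and everything below it."""
    return "".join(f'local-zone: "{name}." always_nxdomain\n' for name in blocked)


def is_blocked(qname: str, blocked: set) -> bool:
    """Would this zone set make Unbound return NXDOMAIN for qname?"""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


if __name__ == "__main__":
    zones = blocked_names(SAMPLE, allow={"tracker.example"})
    print(to_unbound(zones), end="")
    print("deep.sub.ads.example blocked:", is_blocked("deep.sub.ads.example.", set(zones)))
```

Feeding the real domains.txt through blocked_names gives you the same kind of zone list the plugin loads; the allowlist parameter is where you put the domains an aggressive list breaks for you, and is_blocked is a quick way to answer "why does this site not load" without digging through the query log.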

Now, in order to see queries in the Unbound DNS log, enable query logging at the bottom of the Unbound DNS — Advanced page (click Save and then restart the Unbound service):

With all of that set and active, you should get:

  • DNSSEC-validated, tamper-proof resolution of your DNS queries
  • A DNS over TLS encrypted channel to your upstream resolver for sending queries and receiving answers
  • A DNS blacklist that filters out resolution of unwanted domains

Happy secure surfing!
