DNSSEC, DoT and DNSBL on OPNSense

Miha Kralj
Apr 7, 2020 · 5 min read

You think that your home internet is up to date with modern networking standards? Go to the site internet.nl (sponsored by Dutch Internet Standards) and run their connectivity test.


The Dutch test of the modern internet runs two tests that everyone should pass in 2020: your IPv6 connectivity and your use of secure, tamper-proof DNS. My bet is that you will fail both tests. If you passed one, you are in a tiny minority. If you passed both, you have my deepest admiration — I needed almost 4 weeks of network tinkering to finally pass that bar and get a 100% score.

Below is a guide that will help you fix one of the two problems above: it will help you set up a modern DNS service on an OPNSense router.

DNSSEC, DoT and DNSBL with Unbound

The DNS standard was built when the internet was still a cuddly, trusted, happy network and nobody anticipated the weaponized attack vectors of today. DNSSEC is a security extension that protects your network from believing forged or false DNS records — an attack also known as DNS cache poisoning. DNSSEC assures the integrity of the records that are returned for your queries.

The DNS standard also doesn’t encrypt your queries or responses, allowing anyone on the path to collect information on what domains you visit and how often. Nobody needed to hide that 30 years ago. DNS over TLS (DoT) is a security protocol for DNS that encrypts your queries and responses, just as HTTPS does for web browsing.

You don’t want to resolve all DNS queries — especially queries for ads, spam, malicious sites and other garbage that is out on the internet. A DNS Blackhole List (DNSBL) prevents the resolution of unwanted domains, letting less trash into your home. DNSBL is mostly used to block domains that serve ads, but it was originally designed to block spam, phishing, and other active threats.


The OPNSense firewall uses Unbound DNS by NLnet Labs as its standard DNS service, installed and enabled by default.

Unbound DNS is a full DNS resolver that can talk directly to DNS root servers on the internet. Compared to typical DNS forwarders found in regular routers, Unbound DNS offers validating, recursive, caching DNS capabilities.

You can find Unbound DNS under Services — Unbound DNS in OPNSense GUI.

Turning DNSSEC on is trivially simple with Unbound DNS:

  • Enable the Unbound DNS (if it is not enabled by default)
  • Enable DNSSEC on the General settings page.

Enabling DNS over TLS is a bit more complex because the OPNSense GUI doesn’t have the DoT feature integrated into the interface yet. But the underlying Unbound DNS service that runs on OPNSense does have DoT built in, so all we need to do is supply unbound.conf with the right DoT parameters.

DNS over TLS typically uses port 853 and is not offered by every DNS service out there. I personally like the Quad9 and Cloudflare DNS services, but if you have your own preferred DNS provider (for example, Google DoT), you can easily adapt the settings below.

This is what my Custom options look like:

server:

forward-zone:
    name: "."                   # forward every query (the root zone)
    forward-ssl-upstream: yes   # use TLS to the forwarders below
    forward-addr: 9.9.9.9@853 #Quad9 ip4
    forward-addr: 149.112.112.112@853 #Quad9 ip4
    forward-addr: 2620:fe::fe@853 #Quad9 ip6
    forward-addr: 1.1.1.1@853 #Cloudflare ip4
    forward-addr: 1.0.0.1@853 #Cloudflare ip4
    forward-addr: 2606:4700:4700::1111@853 #Cloudflare ip6
    forward-addr: 2606:4700:4700::1001@853 #Cloudflare ip6

This is how the Custom options field looks in the OPNSense GUI:

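Added example (not code from the post, from OPNSense or from Unbound): a small Python linter for a Custom options block like the one above. It parses Unbound's key: value syntax and flags what silently weakens DoT: a forwarder without port 853, and a TLS forward-zone with no tls-cert-bundle in server: or no #authname on the address, without which Unbound does not authenticate the upstream certificate. It assumes a recent Unbound (the addr@port#name auth-name syntax); the sample block is constructed from the article's settings plus one deliberately bad line.

```python
import re

# Constructed sample: the article's Custom options, plus one deliberately bad line.
SAMPLE = """server:
forward-zone:
name: "."
forward-ssl-upstream: yes
forward-addr: 9.9.9.9@853 #Quad9 ip4
forward-addr: 2620:fe::fe@853 #Quad9 ip6
forward-addr: 1.1.1.1 #Cloudflare ip4, port left off by mistake
"""

TLS_KEYS = ("forward-ssl-upstream", "forward-tls-upstream")
BUNDLE_KEYS = ("tls-cert-bundle", "tls-system-cert")

def parse(text):
    """Return (clause, key, value) triples from Unbound's 'key: value' syntax."""
    clause, out = None, []
    for raw in text.splitlines():
        # '#' at line start or after whitespace is a comment; '#' glued to an address
        # (9.9.9.9@853#dns.quad9.net) is the TLS auth name and must survive.
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line:
            continue
        key, _, value = line.partition(":")   # first colon only, so IPv6 values stay intact
        key, value = key.strip(), value.strip()
        if value == "":                        # 'server:' / 'forward-zone:' open a clause
            clause = key
        else:
            out.append((clause, key, value))
    return out

def lint(text):
    """Return findings for the DoT forwarding setup; an empty list means it looks sound."""
    entries = parse(text)
    findings = []
    tls_zone = any(c == "forward-zone" and k in TLS_KEYS and v == "yes" for c, k, v in entries)
    has_bundle = any(c == "server" and k in BUNDLE_KEYS for c, k, _ in entries)
    if tls_zone and not has_bundle:
        findings.append("server: has no tls-cert-bundle, so upstream certificates cannot be verified")
    for c, k, v in entries:
        if not (tls_zone and c == "forward-zone" and k == "forward-addr"):
            continue
        addr, _, authname = v.partition("#")
        if not addr.endswith("@853"):
            findings.append(f"{addr}: TLS forwarder without @853 (the DoT port)")
        if not authname:
            findings.append(f"{addr}: no #authname, certificate is not checked against a hostname")
    return findings
```

Running lint(SAMPLE) reports the missing bundle, the missing port on 1.1.1.1 and the missing auth name on every forwarder.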

To enable DNSBL on OPNSense, we need to grab a plugin that will extend Unbound DNS with the DNSBL feature. The plugin is called os-unbound-plus-devel and is available (as the name suggests) only for the development release type of OPNSense.

If you are not on the Dev release yet, switch to it first by going to System — Firmware — Settings.

Then refresh the list of plugins and install os-unbound-plus-devel.

With this plugin installed, a new entry “Blacklist” will appear under the Unbound DNS branch. All you need to do is enable it and decide which source to use for the domain blacklists.

I personally don’t use any of the built-in ones — I use the ultimate list from the energized.pro collection:

https://block.energized.pro/ultimate/formats/domains.txt
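Added example (not from the post and not the plugin's own code, whose internals the post does not show): a Python converter that turns a DNSBL list in the one-domain-per-line format of the domains.txt file above (hosts-file style "0.0.0.0 domain" lines are accepted too) into Unbound local-zone entries, which is one way to make a resolver answer NXDOMAIN for blocked domains. The sample list is constructed.

```python
import re

# Constructed sample list: plain domains, a hosts-file style line, a malformed
# line, a mixed-case name with a trailing dot, and a subdomain of a blocked name.
SAMPLE_LIST = """# constructed sample blocklist
ads.example
tracker.ads.example
0.0.0.0 telemetry.example
bad domain.example
Another.Example.
"""

LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")   # one valid hostname label

def normalize(line):
    """Return a lower-case domain from one list line, or None if it is not a valid one."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    parts = line.split()
    if len(parts) == 2 and parts[0] in ("0.0.0.0", "127.0.0.1"):   # hosts-file format
        line = parts[1]
    elif len(parts) != 1:
        return None
    name = line.lower().rstrip(".")
    if not name or not all(LABEL.match(label) for label in name.split(".")):
        return None
    return name

def blocked_domains(text):
    """Deduplicate and drop names already covered by a shorter blocked parent zone."""
    names = sorted({n for n in map(normalize, text.splitlines()) if n}, key=len)
    kept = []
    for n in names:
        if not any(n.endswith("." + parent) for parent in kept):
            kept.append(n)
    return sorted(kept)

def to_unbound(text):
    """Emit local-zone lines; always_nxdomain answers NXDOMAIN for the zone and everything below it."""
    return [f'local-zone: "{d}" always_nxdomain' for d in blocked_domains(text)]
```

The malformed line is dropped and tracker.ads.example is omitted because the ads.example zone already covers it.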

Now, in order to see queries in the Unbound DNS log, we need to enable query logging at the bottom of the Unbound DNS — Advanced page (click Save and then restart the Unbound service).

With all of that set and active, you should get:

  • DNSSEC tamper-proof resolution of your DNS queries
  • DNS over TLS encrypted channel to request and receive DNS entries
  • DNS Blacklist to filter out all unwanted domain resolution

Happy secure surfing!

The Startup

Medium's largest active publication, followed by +756K people. Follow to join our community.


Miha Kralj

Written by

A cloud computing nerd, an expert in IT paleontology, purveyor of all geeky things. A very “ethical” advisor who is the first in line for any free food or swag.
