DNS over DoT with Unbound/OPNSense

I am using opnsense 21.7.7 with Unbound as the resolver.

Set up 1.1.1.1/853/Cloudflare-dns and 1.0.0.1/853/Cloudflare-dns

DNSSEC is enabled.

1.1.1.1/help shows “NO” down the board; however, it shows I am connected to resolver 1.1.1.1/1.0.0.1.

https://1.1.1.1/help#eyJpc0NmIjoiTm8iLCJpc0RvdCI6Ik5vIiwiaXNEb2giOiJObyIsInJlc29sdmVySXAtMS4xLjEuMSI6IlllcyIsInJlc29sdmVySXAtMS4wLjAuMSI6IlllcyIsInJlc29sdmVySXAtMjYwNjo0NzAwOjQ3MDA6OjExMTEiOiJObyIsInJlc29sdmVySXAtMjYwNjo0NzAwOjQ3MDA6OjEwMDEiOiJObyIsImRhdGFjZW50ZXJMb2NhdGlvbiI6IkFUTCIsImlzV2FycCI6Ik5vIiwiaXNwTmFtZSI6IkNsb3VkZmxhcmUiLCJpc3BBc24iOiIxMzMzNSJ9v

Unbound Logs

```
2021-12-25T13:37:03  unbound[631]  [631:0] info: Verified that unsigned response is INSECURE
2021-12-25T13:37:03  unbound[631]  [631:0] info: NSEC3s for the referral proved no DS.
2021-12-25T13:37:03  unbound[631]  [631:0] info: resolving a2z.com. DS IN
2021-12-25T13:37:03  unbound[631]  [631:0] info: Verified that unsigned response is INSECURE
2021-12-25T13:37:03  unbound[631]  [631:0] info: NSEC3s for the referral proved no DS.
2021-12-25T13:37:03  unbound[631]  [631:0] info: resolving aiv-delivery.net. DS IN
2021-12-25T13:37:03  unbound[631]  [631:0] info: query response was ANSWER
2021-12-25T13:37:03  unbound[631]  [631:0] info: reply from <.> 1.0.0.1#853
2021-12-25T13:37:03  unbound[631]  [631:0] info: response for api.us-east-1.aiv-delivery.net. A IN
2021-12-25T13:37:03  unbound[631]  [631:0] info: resolving api.us-east-1.aiv-delivery.net. A IN
2021-12-25T13:37:03  unbound[631]  [631:0] info: query response was CNAME
2021-12-25T13:37:03  unbound[631]  [631:0] info: reply from <.> 1.1.1.1#853
2021-12-25T13:37:03  unbound[631]  [631:0] info: response for api.us-east-1.aiv-delivery.net. A IN
2021-12-25T13:37:03  unbound[631]  [631:0] info: resolving api.us-east-1.aiv-delivery.net. A IN
2021-12-25T13:37:03  unbound[631]  [631:0] info: query response was CNAME
2021-12-25T13:37:03  unbound[631]  [631:0] info: reply from <.> 1.1.1.1#853
2021-12-25T13:37:03  unbound[631]  [631:0] info: response for api.us-east-1.aiv-delivery.net. A IN
2021-12-25T13:37:03  unbound[631]  [631:0] info: resolving api.us-east-1.aiv-delivery.net. A IN
2021-12-25T13:37:03  unbound[631]  [631:0] info: resolving api.us-east-1.aiv-delivery.net. A IN
2021-12-25T13:36:58  unbound[631]  [631:2] info: validation success community.cloudflare.com. A IN
2021-12-25T13:36:58  unbound[631]  [631:2] info: validate(positive): sec_status_secure
2021-12-25T13:36:58  unbound[631]  [631:2] info: validated DNSKEY community.cloudflare.com. DNSKEY IN
2021-12-25T13:36:58  unbound[631]  [631:2] info: resolving community.cloudflare.com. DNSKEY IN
2021-12-25T13:36:58  unbound[631]  [631:2] info: validated DS community.cloudflare.com. DS IN
2021-12-25T13:36:58  unbound[631]  [631:2] info: query response was ANSWER
2021-12-25T13:36:58  unbound[631]  [631:2] info: reply from <.> 1.1.1.1#853
2021-12-25T13:36:58  unbound[631]  [631:2] info: response for community.cloudflare.com. DS IN
2021-12-25T13:36:58  unbound[631]  [631:2] info: resolving community.cloudflare.com. DS IN
2021-12-25T13:36:58  unbound[631]  [631:2] info: validated DNSKEY cloudflare.com. DNSKEY IN
2021-12-25T13:36:58  unbound[631]  [631:2] info: resolving cloudflare.com. DNSKEY IN
2021-12-25T13:36:58  unbound[631]  [631:2] info: validated DS cloudflare.com. DS IN
2021-12-25T13:36:58  unbound[631]  [631:2] info: query response was ANSWER
2021-12-25T13:36:58  unbound[631]  [631:2] info: reply from <.> 1.1.1.1#853
2021-12-25T13:36:58  unbound[631]  [631:2] info: response for community.cloudflare.com. A IN
2021-12-25T13:36:58  unbound[631]  [631:2] info: resolving community.cloudflare.com. A IN
2021-12-25T13:36:57  unbound[631]  [631:4] info: validate(positive): sec_status_secure
2021-12-25T13:36:57  unbound[631]  [631:4] info: resolving e8d0e6ea-98e0-45fe-bb32-aab80299e237.map.help.every1dns.net. AAAA IN
2021-12-25T13:36:57  unbound[631]  [631:4] info: resolving e8d0e6ea-98e0-45fe-bb32-aab80299e237.map.help.every1dns.net. AAAA IN
2021-12-25T13:36:57  unbound[631]  [631:4] info: validate(positive): sec_status_secure
2021-12-25T13:36:57  unbound[631]  [631:4] info: resolving e8d0e6ea-98e0-45fe-bb32-aab80299e237.map.help.every1dns.net. A IN
2021-12-25T13:36:57  unbound[631]  [631:4] info: resolving e8d0e6ea-98e0-45fe-bb32-aab80299e237.map.help.every1dns.net. A IN
2021-12-25T13:36:57  unbound[631]  [631:6] info: validate(positive): sec_status_secure
2021-12-25T13:36:57  unbound[631]  [631:6] info: resolving e8d0e6ea-98e0-45fe-bb32-aab80299e237.map.help.every1dns.net. AAAA IN
2021-12-25T13:36:57  unbound[631]  [631:6] info: query response was CNAME
2021-12-25T13:36:57  unbound[631]  [631:6] info: reply from <.> 1.0.0.1#853
2021-12-25T13:36:57  unbound[631]  [631:6] info: response for e8d0e6ea-98e0-45fe-bb32-aab80299e237.map.help.every1dns.net. AAAA IN
2021-12-25T13:36:57  unbound[631]  [631:6] info: validate(positive): sec_status_secure
2021-12-25T13:36:57  unbound[631]  [631:6] info: resolving e8d0e6ea-98e0-45fe-bb32-aab80299e237.map.help.every1dns.net. A IN
2021-12-25T13:36:57  unbound[631]  [631:6] info: query response was CNAME
2021-12-25T13:36:57  unbound[631]  [631:6] info: reply from <.> 1.1.1.1#853
2021-12-25T13:36:57  unbound[631]  [631:6] info: response for e8d0e6ea-98e0-45fe-bb32-aab80299e237.map.help.every1dns.net. A IN
2021-12-25T13:36:56  unbound[631]  [631:6] info: resolving e8d0e6ea-98e0-45fe-bb32-aab80299e237.map.help.every1dns.net. AAAA IN
2021-12-25T13:36:56  unbound[631]  [631:6] info: resolving e8d0e6ea-98e0-45fe-bb32-aab80299e237.map.help.every1dns.net. A IN
2021-12-25T13:36:56  unbound[631]  [631:7] info: validation success e8d0e6ea-98e0-45fe-bb32-aab80299e237.is-doh.help.every1dns.net. AAAA IN
2021-12-25T13:36:56  unbound[631]  [631:7] info: validate(nodata): sec_status_secure
2021-12-25T13:36:56  unbound[631]  [631:7] info: query response was nodata ANSWER
2021-12-25T13:36:56  unbound[631]  [631:7] info: reply from <.> 1.1.1.1#853
2021-12-25T13:36:56  unbound[631]  [631:7] info: response for e8d0e6ea-98e0-45fe-bb32-aab80299e237.is-doh.help.every1dns.net. AAAA IN
2021-12-25T13:36:56  unbound[631]  [631:7] info: resolving e8d0e6ea-98e0-45fe-bb32-aab80299e237.is-doh.help.every1dns.net. AAAA IN
2021-12-25T13:36:56  unbound[631]  [631:5] info: validation success e8d0e6ea-98e0-45fe-bb32-aab80299e237.is-doh.help.every1dns.net.localdomain. AAAA IN
2021-12-25T13:36:56  unbound[631]  [631:5] info: validate(nxdomain): sec_status_secure
2021-12-25T13:36:56  unbound[631]  [631:5] info: query response was NXDOMAIN ANSWER
2021-12-25T13:36:56  unbound[631]  [631:5] info: reply from <.> 1.1.1.1#853
2021-12-25T13:36:56  unbound[631]  [631:5] info: response for e8d0e6ea-98e0-45fe-bb32-aab80299e237.is-doh.help.every1dns.net.localdomain. AAAA IN
2021-12-25T13:36:56  unbound[631]  [631:5] info: validation success e8d0e6ea-98e0-45fe-bb32-aab80299e237.is-doh.help.every1dns.net.localdomain. A IN
2021-12-25T13:36:56  unbound[631]  [631:5] info: validate(nxdomain): sec_status_secure
2021-12-25T13:36:56  unbound[631]  [631:5] info: query response was NXDOMAIN ANSWER
2021-12-25T13:36:56  unbound[631]  [631:5] info: reply from <.> 1.1.1.1#853
2021-12-25T13:36:56  unbound[631]  [631:5] info: response for e8d0e6ea-98e0-45fe-bb32-aab80299e237.is-doh.help.every1dns.net.localdomain. A IN
2021-12-25T13:36:56  unbound[631]  [631:5] info: resolving e8d0e6ea-98e0-45fe-bb32-aab80299e237.is-doh.help.every1dns.net.localdomain. AAAA IN
2021-12-25T13:36:56  unbound[631]  [631:5] info: resolving e8d0e6ea-98e0-45fe-bb32-aab80299e237.is-doh.help.every1dns.net.localdomain. A IN
2021-12-25T13:36:56  unbound[631]  [631:0] info: validation success e8d0e6ea-98e0-45fe-bb32-aab80299e237.is-doh.help.every1dns.net. A IN
2021-12-25T13:36:56  unbound[631]  [631:0] info: validate(nodata): sec_status_secure
2021-12-25T13:36:56  unbound[631]  [631:0] info: query response was nodata ANSWER
2021-12-25T13:36:56  unbound[631]  [631:0] info: reply from <.> 1.1.1.1#853
2021-12-25T13:36:56  unbound[631]  [631:0] info: response for e8d0e6ea-98e0-45fe-bb32-aab80299e237.is-doh.help.every1dns.net. A IN
2021-12-25T13:36:56  unbound[631]  [631:0] info: validation success e8d0e6ea-98e0-45fe-bb32-aab80299e237.is-doh.help.every1dns.net. AAAA IN
2021-12-25T13:36:56  unbound[631]  [631:0] info: validate(nodata): sec_status_secure
2021-12-25T13:36:56  unbound[631]  [631:0] info: query response was nodata ANSWER
2021-12-25T13:36:56  unbound[631]  [631:0] info: reply from <.> 1.1.1.1#853
2021-12-25T13:36:56  unbound[631]  [631:0] info: response for e8d0e6ea-98e0-45fe-bb32-aab80299e237.is-doh.help.every1dns.net. AAAA IN
2021-12-25T13:36:56  unbound[631]  [631:0] info: resolving e8d0e6ea-98e0-45fe-bb32-aab80299e237.is-doh.help.every1dns.net. AAAA IN
2021-12-25T13:36:56  unbound[631]  [631:0] info: resolving e8d0e6ea-98e0-45fe-bb32-aab80299e237.is-doh.help.every1dns.net. A IN
2021-12-25T13:36:56  unbound[631]  [631:4] info: validation success e8d0e6ea-98e0-45fe-bb32-aab80299e237.is-dot.help.every1dns.net.localdomain. AAAA IN
2021-12-25T13:36:56  unbound[631]  [631:4] info: validate(nxdomain): sec_status_secure
2021-12-25T13:36:56  unbound[631]  [631:4] info: query response was NXDOMAIN ANSWER
2021-12-25T13:36:56  unbound[631]  [631:4] info: reply from <.> 1.0.0.1#853
2021-12-25T13:36:56  unbound[631]  [631:4] info: response for e8d0e6ea-98e0-45fe-bb32-aab80299e237.is-dot.help.every1dns.net.localdomain. AAAA IN
2021-12-25T13:36:56  unbound[631]  [631:4] info: validation success e8d0e6ea-98e0-45fe-bb32-aab80299e237.is-dot.help.every1dns.net.localdomain. A IN
2021-12-25T13:36:56  unbound[631]  [631:4] info: validate(nxdomain): sec_status_secure
2021-12-25T13:36:56  unbound[631]  [631:4] info: query response was NXDOMAIN ANSWER
2021-12-25T13:36:56  unbound[631]  [631:4] info: reply from <.> 1.1.1.1#853
2021-12-25T13:36:56  unbound[631]  [631:4] info: response for e8d0e6ea-98e0-45fe-bb32-aab80299e237.is-dot.help.every1dns.net.localdomain. A IN
2021-12-25T13:36:56  unbound[631]  [631:4] info: resolving e8d0e6ea-98e0-45fe-bb32-aab80299e237.is-dot.help.every1dns.net.localdomain. AAAA IN
2021-12-25T13:36:56  unbound[631]  [631:4] info: resolving e8d0e6ea-98e0-45fe-bb32-aab80299e237.is-dot.help.every1dns.net.localdomain. A IN
2021-12-25T13:36:56  unbound[631]  [631:3] info: resolving e8d0e6ea-98e0-45fe-bb32-aab80299e237.is-dot.help.every1dns.net. AAAA IN
2021-12-25T13:36:56  unbound[631]  [631:3] info: query response was CNAME
2021-12-25T13:36:56  unbound[631]  [631:3] info: reply from <.> 1.1.1.1#853
2021-12-25T13:36:56  unbound[631]  [631:3] info: response for e8d0e6ea-98e0-45fe-bb32-aab80299e237.is-dot.help.every1dns.net. AAAA IN
2021-12-25T13:36:56  unbound[631]  [631:3] info: resolving e8d0e6ea-98e0-45fe-bb32-aab80299e237.is-dot.help.every1dns.net. A IN
2021-12-25T13:36:56  unbound[631]  [631:3] info: query response was CNAME
2021-12-25T13:36:56  unbound[631]  [631:3] info: reply from <.> 1.0.0.1#853
2021-12-25T13:36:56  unbound[631]  [631:3] info: response for e8d0e6ea-98e0-45fe-bb32-aab80299e237.is-dot.help.every1dns.net. A IN
2021-12-25T13:36:56  unbound[631]  [631:3] info: resolving e8d0e6ea-98e0-45fe-bb32-aab80299e237.is-dot.help.every1dns.net. AAAA IN
2021-12-25T13:36:56  unbound[631]  [631:3] info: resolving e8d0e6ea-98e0-45fe-bb32-aab80299e237.is-dot.help.every1dns.net. A IN
2021-12-25T13:36:56  unbound[631]  [631:2] info: validation success e8d0e6ea-98e0-45fe-bb32-aab80299e237.is-cf.help.every1dns.net.localdomain. AAAA IN
2021-12-25T13:36:56  unbound[631]  [631:2] info: validate(nxdomain): sec_status_secure
2021-12-25T13:36:56  unbound[631]  [631:2] info: query response was NXDOMAIN ANSWER
2021-12-25T13:36:56  unbound[631]  [631:2] info: reply from <.> 1.0.0.1#853
2021-12-25T13:36:56  unbound[631]  [631:2] info: response for e8d0e6ea-98e0-45fe-bb32-aab80299e237.is-cf.help.every1dns.net.localdomain. AAAA IN
2021-12-25T13:36:56  unbound[631]  [631:2] info: validation success e8d0e6ea-98e0-45fe-bb32-aab80299e237.is-cf.help.every1dns.net.localdomain. A IN
2021-12-25T13:36:56  unbound[631]  [631:2] info: validate(nxdomain): sec_status_secure
2021-12-25T13:36:56  unbound[631]  [631:2] info: query response was NXDOMAIN ANSWER
2021-12-25T13:36:56  unbound[631]  [631:2] info: reply from <.> 1.1.1.1#853
2021-12-25T13:36:56  unbound[631]  [631:2] info: response for e8d0e6ea-98e0-45fe-bb32-aab80299e237.is-cf.help.every1dns.net.localdomain. A IN
2021-12-25T13:36:56  unbound[631]  [631:2] info: resolving e8d0e6ea-98e0-45fe-bb32-aab80299e237.is-cf.help.every1dns.net.localdomain. AAAA IN
2021-12-25T13:36:56  unbound[631]  [631:2] info: resolving e8d0e6ea-98e0-45fe-bb32-aab80299e237.is-cf.help.every1dns.net.localdomain. A IN
2021-12-25T13:36:56  unbound[631]  [631:4] info: resolving e8d0e6ea-98e0-45fe-bb32-aab80299e237.is-cf.help.every1dns.net. AAAA IN
2021-12-25T13:36:56  unbound[631]  [631:4] info: query response was CNAME
2021-12-25T13:36:56  unbound[631]  [631:4] info: reply from <.> 1.0.0.1#853
2021-12-25T13:36:56  unbound[631]  [631:4] info: response for e8d0e6ea-98e0-45fe-bb32-aab80299e237.is-cf.help.every1dns.net. AAAA IN
2021-12-25T13:36:56  unbound[631]  [631:4] info: resolving e8d0e6ea-98e0-45fe-bb32-aab80299e237.is-cf.help.every1dns.net. A IN
2021-12-25T13:36:56  unbound[631]  [631:4] info: query response was CNAME
2021-12-25T13:36:56  unbound[631]  [631:4] info: reply from <.> 1.1.1.1#853
2021-12-25T13:36:56  unbound[631]  [631:4] info: response for e8d0e6ea-98e0-45fe-bb32-aab80299e237.is-cf.help.every1dns.net. A IN
2021-12-25T13:36:56  unbound[631]  [631:4] info: resolving e8d0e6ea-98e0-45fe-bb32-aab80299e237.is-cf.help.every1dns.net. AAAA IN
2021-12-25T13:36:56  unbound[631]  [631:4] info: resolving e8d0e6ea-98e0-45fe-bb32-aab80299e237.is-cf.help.every1dns.net. A IN
```

Thank you.

Can you query e8d0e6ea-98e0-45fe-bb32-aab80299e237.is-dot.help.every1dns.net. for example directly from your unbound service - what is the response you see there? If you get a non-NXDOMAIN response that tells us everything is working correctly via DoT.

Thank you for the reply.

I saw this post → DNS over TLS can't seem to verify | SmallNetBuilder Forums

I disabled “DNSSEC” and re-ran the test at 1.1.1.1/help and it shows “YES” in the areas expected.

Test link here.

My question is now, does DoT replace DNSSEC?

My understanding is DNSSEC verifies the authenticity of the responding DNS server, while DoT encrypts the traffic to said server. Both are required for the entire process to be secure. Of course, the SNI issue is that an ISP or other network can see the domain you are accessing, but DoT hides the data in between.

So, is this a flaw in the 1.1.1.1/help tester? And can’t it be fixed easily by simply responding to the DNSSEC request for authenticity?

I guess this is “solved” at least, somewhat.

Thanks again.

Had a similar issue. I had to turn off DNSSEC for it to work. Having DNSSEC on was actually choking the system or something for a bit, so I turned it off for that.
Can an admin let us know if running DNSSEC with DoT is even the correct thing to do, or even if it matters?

Thanks!

DNSSEC and DoT (or DoH) address separate issues.

• DNS over TLS and DNS over HTTPS work to address resolver security & privacy over the “last mile” - specifically that queries and answers to/from the resolver can’t be observed or tampered with by the network (your ISP, local WiFi, etc) you’re on.

• DNSSEC authenticates (but does not hide!) answers - allowing your resolver to validate that the answers you receive are signed by the authoritative zone and not tampered with between any upstream resolvers or between a resolver and authoritative server itself.

As for the OP:

• There don’t appear to be any DNSSEC failures in the provided logs, so I’m not sure why DNSSEC is being considered as part of the issue here
• The provided Help link appears broken - it only shows “Checking”, which can happen if you click “Share” and don’t wait for the tests to run.
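The two points above (every reply in the posted log comes from an upstream on port 853, and no validation ends bogus) can be checked mechanically rather than by eye. The script below is an added example, not code from the thread, Cloudflare or OPNsense; its log lines are constructed in the same format as the posted table, and it assumes Unbound's "validation failure <qname qtype qclass>: reason" line for bogus results.

```python
# Added example (not code from the thread): audit Unbound log lines in the
# format of the table posted above. Two checks a defender wants from such logs:
#   1. every upstream reply arrived on port 853 (DoT), none fell back to :53;
#   2. no DNSSEC validation ended bogus (Unbound answers SERVFAIL for those).
import re
from collections import Counter

REPLY_RE = re.compile(r"info: reply from <[^>]*> (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+)$")
STATUS_RE = re.compile(r"info: validate\(\w+\): (?P<status>sec_status_\w+)$")
INSECURE_RE = re.compile(r"info: Verified that unsigned response is INSECURE$")
# Unbound's bogus-result line: "validation failure <qname qtype qclass>: reason from ip"
FAIL_RE = re.compile(r"info: validation failure <(?P<q>[^>]+)>: (?P<reason>.*)$")

# Constructed sample: the first seven lines mirror entries from the posted log;
# the last three are made up to show a plaintext fallback and a bogus answer
# (192.0.2.53 is a documentation address, test.example a placeholder name).
SAMPLE_LOG = """\
2021-12-25T13:36:58 unbound[631] [631:2] info: reply from <.> 1.1.1.1#853
2021-12-25T13:36:58 unbound[631] [631:2] info: validate(positive): sec_status_secure
2021-12-25T13:36:58 unbound[631] [631:2] info: validation success community.cloudflare.com. A IN
2021-12-25T13:36:57 unbound[631] [631:6] info: reply from <.> 1.0.0.1#853
2021-12-25T13:36:56 unbound[631] [631:4] info: validate(nxdomain): sec_status_secure
2021-12-25T13:37:03 unbound[631] [631:0] info: Verified that unsigned response is INSECURE
2021-12-25T13:37:03 unbound[631] [631:0] info: reply from <.> 1.0.0.1#853
2021-12-25T13:37:10 unbound[631] [631:1] info: reply from <.> 192.0.2.53#53
2021-12-25T13:37:10 unbound[631] [631:1] info: validate(positive): sec_status_bogus
2021-12-25T13:37:10 unbound[631] [631:1] info: validation failure <test.example. A IN>: no signatures from 192.0.2.53
"""


def audit(log_text):
    """Return per-upstream reply counts, validation status counts, and the
    two findings worth alerting on: non-853 replies and bogus validations."""
    upstreams, statuses = Counter(), Counter()
    plaintext, bogus = [], []
    for line in log_text.splitlines():
        line = line.strip().rstrip("|")          # tolerate the table's trailing pipes
        if m := REPLY_RE.search(line):
            key = f"{m['ip']}#{m['port']}"
            upstreams[key] += 1
            if m["port"] != "853":               # anything but DoT's port is a fallback
                plaintext.append(key)
        elif m := STATUS_RE.search(line):
            statuses[m["status"]] += 1
        elif INSECURE_RE.search(line):
            statuses["unsigned_insecure"] += 1   # unsigned zone proven by NSEC/NSEC3: fine
        elif m := FAIL_RE.search(line):
            bogus.append((m["q"], m["reason"]))  # the client will have seen SERVFAIL
    return {"upstreams": dict(upstreams), "statuses": dict(statuses),
            "plaintext_replies": plaintext, "bogus": bogus}


def healthy(report):
    """True when all replies came over DoT and nothing validated bogus."""
    return not report["plaintext_replies"] and not report["bogus"]


if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Run it over the posted table pasted into a file and `healthy()` comes back True; the constructed sample deliberately trips both checks.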

I can have DNSSEC turned off or on in opnsense and it still shows DNSSEC as being enabled as far as Cloudflare shows. This could be because CF has DNSSEC enabled within DoT itself?
I test with both, https://www.cloudflare.com/ssl/encrypted-sni/ and https://1.1.1.1/help

(DNSSEC disabled within opnsense shows DoT and DNSSEC to be working on the CF test pages) (DNSSEC enabled shows DNSSEC enabled, but DoT as not)
With DNSSEC enabled, both of these sites take forever to run the test. With it disabled, test results are returned immediately.

I think the issue I was seeing with dns choking was CF in Seattle having a little fit for a while. Seems fine now.

Sorry for any confusion.

Hi! This is a misconfiguration on our side - the DoT test record is in a parent zone that’s signed, but the test record is generated on the fly when you talk to 1.1.1.1 (depending on whether you talk over DoT or not) without signatures, so a validating resolver like Unbound is going to reject the result and show you a false negative. It should belong to a child zone that’s unsigned to show correct results in this case. DNSSEC will always show you “enabled” for Unbound as it’s asking for DNSSEC records, so it’s supported. I put in an internal ticket to fix this, sorry!


Awesome, thanks for the heads up. :+1:

Thanks.

Solved, of course.
