OPNsense is an open-source, FreeBSD-based firewall and routing security software. It can also act as the DNS resolver for all of your desktops and mobile devices. Let us see how to configure the OPNsense DNS resolver to encrypt all DNS queries, protecting them from eavesdropping and improving our privacy and security.
By default, DNS queries are sent in plaintext over UDP or TCP port 53. Your ISP, or an attacker on the path, can monitor them: even if you use HTTPS, the DNS queries and answers still reveal which sites you visit. Hence we need to encrypt our DNS queries to protect ourselves. DNS over TLS (DoT) is a security protocol for encrypting DNS traffic using the Transport Layer Security (TLS) protocol. The main objective is to increase your security and privacy. Some benefits of DNS over TLS:
- Avoids DNS manipulation in transit.
- Protects against man-in-the-middle attacks.
- No more eavesdropping.
OPNsense set up and configure DNS Over TLS (DoT)
OPNsense is a free and open-source firewall and routing engine. It is a fork of the pfSense firewall, and pfSense was itself forked from m0n0wall. All of these are built on the industrial-strength FreeBSD operating system. Let us see how to configure OPNsense with DNS Over TLS (DoT) to increase your privacy and security.
Configuring OPNsense with DNS Over TLS (DoT)
I assume you currently have OPNsense up and running. First, open the firewall web UI. My firewall is running at 192.168.1.1, so open the web browser of your choice and enter the firewall's URL:
Enter your username (root) and password.
Click on Services > Unbound DNS > Miscellaneous:
How to configure DNS-over-TLS on OPNsense
The OPNsense GUI has the DoT feature integrated into the interface. You will see a web GUI option as follows:
Next, type the nameservers to use for DoT. The syntax is pretty straightforward:
[email protected] ## IBM DNS DoT
[email protected] ## Cloudflare DNS DoT
[email protected] ## Google DNS DoT
[email protected] ## Your organization DNS DoT
Now all you have to do is restart the Unbound service. Click on Services > Unbound DNS > General, make sure you tick “Enable DNSSEC Support”, and finally click the reload/restart icon:
How can I verify DNS encryption?
Use ssh to log into your firewall's SSH port from your Windows or macOS/Linux system:
ssh -l root 192.168.1.1
Get a shell and type:
# cat /var/unbound/etc/dot.conf
DoT config added by the GUI:
server:
    tls-cert-bundle: /etc/ssl/cert.pem
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: [email protected]
    forward-addr: [email protected]
    forward-addr: [email protected]
Let us do DNS tcpdump on the OPNsense firewall itself:
# tcpdump -i igb1 '(dst 188.8.131.52 or 184.108.40.206 or 220.127.116.11) and dst port 853'
igb1 is my WAN interface, and we are interested in port 853 on the 18.104.22.168/22.214.171.124/126.96.36.199 DoT-enabled DNS servers. The parentheses matter: in tcpdump's filter language "and" binds tighter than "or", so without them only the last address would be restricted to port 853 and the capture would also show unencrypted traffic to the first two.
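Beyond watching for port 853 with tcpdump, you can check the upstream end to end: connect to the resolver over TLS, verify its certificate and name, and send one real query. The script below is an added example for this article (it is not OPNsense or Unbound code). It implements the DoT wire format from RFC 7858 (a normal DNS message behind a 2-byte length prefix, carried over TLS), and the name check it performs is the one the newer OPNsense UI exposes as "Verify CN". The upstream address and name passed to dot_query() are assumptions to replace with your own provider; SAMPLE_TXID and _sample_response() are constructed test data, not captured traffic.

```python
"""DNS-over-TLS (RFC 7858) check: send one query to a resolver on port 853 and
verify the server certificate, including that its name matches the expected
host name. Added example; not part of OPNsense or Unbound. The upstream IP and
name given to dot_query() are assumptions you replace with your own provider,
and SAMPLE_TXID / _sample_response() are constructed test data."""
import random
import socket
import ssl
import struct


def build_query(name, qtype=1, txid=None):
    """Build a minimal RFC 1035 query for `name` (QCLASS IN, RD=1)."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def frame(msg):
    """DoT reuses DNS-over-TCP framing: a 2-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(msg, expected_txid):
    """Return rcode, the AD (DNSSEC-validated) flag and any A records."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(rdata))
    return {"rcode": flags & 0x000F, "ad": bool(flags & 0x0020), "answers": answers}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def dot_query(server_ip, auth_name, name, port=853, timeout=5.0):
    """Query `name` over TLS. ssl verifies the chain against the system CA
    bundle and, because server_hostname is set, also that the certificate
    carries `auth_name` (the OPNsense "Verify CN" check). A resolver presenting
    a certificate for another name raises ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    query = build_query(name)
    txid = struct.unpack("!H", query[:2])[0]
    with socket.create_connection((server_ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
            tls.sendall(frame(query))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_response(_recv_exact(tls, length), txid)


SAMPLE_TXID = 0x1234


def _sample_response(txid=SAMPLE_TXID):
    """Constructed reply: example.com A 192.0.2.1, flags QR+RD+RA+AD, rcode 0."""
    question = build_query("example.com", txid=txid)[12:]
    header = struct.pack("!HHHHHH", txid, 0x81A0, 1, 1, 0, 0)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("192.0.2.1")
    return header + question + answer


if __name__ == "__main__":
    # Offline demonstration of the parser on the constructed reply.
    print(parse_response(_sample_response(), SAMPLE_TXID))
    # Live check; replace the assumed upstream with your provider's IP and TLS name.
    print(dot_query("1.1.1.1", "cloudflare-dns.com", "example.com"))
```

Run it once against each upstream you configured: a successful reply with "ad": True shows the provider is reachable over TLS, presents a certificate for the expected name, and validates DNSSEC. If the wrong name is given, or the connection is intercepted by something that cannot present a valid certificate for that name, the TLS handshake fails instead of silently falling back, which is exactly the behaviour you want from the firewall's own forwarder.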
Now we have enabled and secured our DNS communication:
- DNS over TLS encrypts all DNS traffic from your LAN (via the firewall's Unbound resolver) to the upstream service provider.
- DNSSEC validates answers to prevent DNS cache poisoning and other tampering attacks.
Head over to the OPNsense documentation to dig deeper into other firewall features, and enjoy your worry-free secure DNS and Internet browsing.
Very clear precise explanation
I would suggest blocking TCP and UDP port 53 as well as 853 except for our firewall IP address to avoid accidental plain text DNS queries.
Clear and useful tutorial.
Very useful to avoid ISP snooping.
They changed UI. Would you mind updating this page?
What Wendy said, UI has been updated. Are you able to update the guide?
The new UI options are “Host”, “Port”, and “Verify CN”. Host and port are obvious. Verify CN you can look up for each DNS provider. Without Verify CN, MITM attacks are still possible. Verify CN is used to confirm the validity of the TLS certificate that’s presented by the remote DNS server.
Cloudflare (188.8.131.52, 184.108.40.206) and Cloudflare with malware blocking (220.127.116.11, 18.104.22.168) use a CN of cloudflare-dns.com
IBM’s Quad9.net (22.214.171.124, etc.) and Quad9 with malware blocking (126.96.36.199, etc.) use a CN of ns.quad9.net