This page is read only. You can view the source, but not change it. Ask your administrator if you think this is wrong. ===== A) DNS without opnSense ===== [[https://www.nlnetlabs.nl/projects/unbound/about/|Unbound]] is a modern DNS server which is capable of resolving and forwarding your requests using DoT and DoH. I will show you how to use Unbound for your home network using DoT for upstream and DoH for downstream. Given that DoH is not common on PCs, the classic good old DNS on port 53 (both UDP and TCP) will also be available. It's very simple to setup on Gentoo (see [[https://wiki.gentoo.org/wiki/Unbound|here]]) and it also support DNSSEC. So, first of all enable DNSCrypt for Unbound by creating the file **/etc/package.use/unbound**: <file - unbound> net-dns/unbound dnscrypt </file> then emerge Unbound: <code bash> emerge unbound </code> I am using the following **/etc/unbound/unbound.conf**: <file - unbound.conf> server: verbosity: 1 num-threads: 2 interface: 10.0.0.1@53 # Listen to home interface interface: 127.0.0.1@53 # and listen to localhost as well interface: 127.0.0.1@4443 # listen for DoH on local only port https-port: 4443 # move defsault DNS over HTTPS port not to clash with NGINX http-notls-downstream: yes so-reuseport: yes cache-min-ttl: 300 cache-max-ttl: 86400 do-ip4: yes do-ip6: yes do-udp: yes do-tcp: yes use-systemd: no do-daemonize: yes # For security reasons, only clients on the home interface can use the DNS service access-control: 10.0.0.0/24 allow access-control: 127.0.0.1/8 allow # and, of course, localhost as well use-syslog: yes hide-identity: yes hide-version: yes harden-short-bufsize: yes harden-large-queries: yes harden-glue: yes harden-dnssec-stripped: yes harden-below-nxdomain: yes harden-referral-path: yes harden-algo-downgrade: yes qname-minimisation: yes qname-minimisation-strict: no aggressive-nsec: yes use-caps-for-id: yes prefetch: yes rrset-roundrobin: yes minimal-responses: yes tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt" # DNS over TLS enabler, see below auto-trust-anchor-file: "root-anchors/root-anchors.txt" # DNSSEC enabler, see below include: /etc/unbound/adservers.conf # This will add Ad blocking include: /etc/unbound/local.conf # This for local names remote-control: # enable the CLI control control-enable: yes forward-zone: # Remove this block if you DO NOT want to forward your requests! name: "." # Use Google DNS as upstream DNS (put here your preferred ones if not Google) forward-tls-upstream: yes forward-addr: 8.8.8.8@853 forward-addr: 8.8.4.4@853 </file> To configure specific _internal_ hosts, you need to define a **local-zone** and a matching **local-data** rows as defined above. You might want to move these information to specific files to include (like the adservers.conf) for easier maintenance if you have lots of internal names. At this point, read the [[networking:basic:adblock|Ads Blocking]] page to create the **/etc/unbound/adservers.conf** file before continuing. You need to populate your **/etc/resolv.conf** with Unbound as the default nameserver: <file - resolv.conf> # My own local DNS resolver (Unbound) nameserver 127.0.0.1 </file> Don't forget to autostart Unbound service: <code bash> rc-update add unbound default /etc/init.d/unbound start </code> __NOTE:__ as far as i managed to understand, DoT is always enabled on the upstream connection only. You do not need DoT within your home network. ==== Local zone ==== The **local.conf** will contain your own home local addresses: <file - local.conf> server: # Add a local resolve for the home server local-zone: "home.mydomain.com." redirect local-data: "home.mydomain.com. A 10.0.0.1" </file> ==== DNSSEC ==== Enabling DNSSEC is a good idea, and it's pretty simple. This will ensure that all your DNS queries will be checked against signed results, to prevent spoofing attempts. First of all you need to ensure your trust anchors is generated once: <code bash> mkdir /etc/unbound/root-anchors chown unbound:unbound /etc/unbound/root-anchors unbound-anchor -a /etc/unbound/root-anchors/root-anchors.txt </code> the root anchors file needs to be writable by Unbound and inside the chroot where unbound runs. The above unbound config file will take care of enabling DNSSEC directly. To test it: <code bash> delv www.kde.org </code> should return a "fully validated" result. Enabling DNSSEC can be tricky, while simple: make sure the trust-anchor.txt file can be written by the unbound user... And in case you are stuck, raise verbosity to 2. ==== DNS over HTTPS ==== The above configuration already enable DoH (DNS over HTTPS) in Unbound. I set it up on port 4443 because port 443 is already taken by the NGINX reverse proxy, of course, so you will need to create a reverse proxy from NGINX to Unbound covering the endpoint **/dns-query**. Drop the following configuration file into your NGINX home server configuration (see [[selfhost:nginx|The Reverse Proxy concept]] for more details): <file - dns.conf> location /dns-query { if ( $request_method !~ ^(GET|POST|HEAD)$ ) { return 501; } proxy_set_header Host $http_host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_redirect off; proxy_buffering off; grpc_pass grpc://127.0.0.1:4443; } </file> Note that the classic __proxy_pass__ cannot be used because it does not support HTTP2 upstream, which is mandatory for Unbound, so you need to use //grpc_pass// and disble HTTPS in Unbound, as it's been done in the above configuration files. More details [[https://serverfault.com/questions/1058252/runing-unbound-doh-behind-nginx|here]]. Restart your NGINX, and your DoH should be operative. Please keep in mind that DoH **only works with domain names** due to how certificates work, IP addresses **won't work**. Just to be clear: this DNS over HTTPS is a huge mess and a great headache. In fact, it's more a shitty way to prevent people to run DNS-based ad-blockers than anything. DoT already provided everything needed, but DoH is actually in the hands of the "big players" that can bypass any home-network security in this way, because HTTPS traffic cannot be filtered.
