Netgate Discussion Forum
    DoT or DoH unbound

    Category: Plus 24.03 Development Snapshots (Retired)
    9 Posts 3 Posters 1.5k Views
    • JonathanLee

      Has anyone played with unbound's new DoH support? That would be a cool GUI addition…

      Make sure to upvote

      • DefenderLLC @JonathanLee

        @JonathanLee said in DoT or DoH unbound:

        Has anyone played with unbounds new DoH support that would be a cool GUI addition…

        DNS over TLS works great already. Why switch to DoH?

        • JonathanLee @DefenderLLC

          @DefenderLLC you're right, DoT is now supported in unbound code 🧑‍💻 Why test it? For something epic to work on :)

          Make sure to upvote

          • DefenderLLC @JonathanLee

            @JonathanLee said in DoT or DoH unbound:

            @DefenderLLC you're right, DoT is now supported in unbound code 🧑‍💻

            DoT support is not new within pfSense by any means. I've been running DoT to Cloudflare within pfSense for several years.

            DNS Resolver custom options:

            server:
            # forward everything (the root zone ".") over TLS to Cloudflare on port 853
            forward-zone:
                name: "."
                forward-ssl-upstream: yes
                forward-addr: 1.1.1.1@853
                forward-addr: 1.0.0.1@853
            
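A check a practitioner would want to run against a custom-options snippet like the one above, as an added example written for this page (it is not code from the thread, from Netgate or from the unbound project). The snippet as posted encrypts the path to 1.1.1.1 but does not authenticate it: without a `tls-cert-bundle` unbound cannot validate the upstream chain, and without a `#authname` on each `forward-addr` no certificate name is checked. The linter below treats the snippet as the whole configuration (on pfSense the GUI may emit `tls-cert-bundle` elsewhere when TLS forwarding is ticked in the GUI, which this check would not see); the hardened snippet, the FreeBSD bundle path `/etc/ssl/cert.pem` and the auth name `cloudflare-dns.com` are this example's assumptions. `forward-ssl-upstream` is the older spelling of `forward-tls-upstream` and is treated as equivalent.

```python
"""Lint a pfSense "DNS Resolver custom options" snippet for DoT authentication.

Added example for this page, not code from the thread, Netgate or unbound. It
checks the two things unbound needs to *authenticate* a DNS-over-TLS forwarder
rather than merely encrypt to it: a CA bundle (tls-cert-bundle) and an auth
name on each forward-addr (the "#hostname" suffix). Both snippets below are
constructed; the bundle path is FreeBSD's default and is an assumption here.
"""
import re


def parse_unbound(text):
    """Return (clause, key, value) triples from unbound.conf-style text.

    A bare "server:" or "forward-zone:" line opens a clause. A '#' starts a
    comment only at a token boundary, so "1.1.1.1@853#cloudflare-dns.com"
    keeps its auth name, matching how unbound's own lexer treats it."""
    entries, clause = [], None
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if sep and not value:          # "server:" / "forward-zone:" with nothing after it
            clause = key
            continue
        entries.append((clause, key, value))
    return entries


def dot_findings(text):
    """List what stops the forwarder from being authenticated. Empty list = clean."""
    entries = parse_unbound(text)
    server = {k: v for c, k, v in entries if c == "server"}
    zone = [(k, v) for c, k, v in entries if c == "forward-zone"]
    problems = []
    tls_on = any(k in ("forward-tls-upstream", "forward-ssl-upstream") and v.lower() == "yes"
                 for k, v in zone)
    if not tls_on:
        problems.append("forward-tls-upstream is not 'yes': forwarded queries leave in cleartext")
    if "tls-cert-bundle" not in server:
        # Without a CA bundle unbound has nothing to validate the upstream chain against
        # (tls-win-cert / tls-system-cert are not considered by this check).
        problems.append("no tls-cert-bundle in server: clause, upstream certificate chain is not validated")
    for k, v in zone:
        if k != "forward-addr":
            continue
        if "#" not in v:
            problems.append(f"forward-addr {v} has no #authname: no certificate name is checked, "
                            "so any TLS server reachable on that IP is accepted")
        if "@" not in v:
            problems.append(f"forward-addr {v} has no explicit @port: public DoT resolvers listen on 853")
    return problems


# Constructed copy of the kind of snippet in the post: encrypted, not authenticated.
WEAK = """\
server:
forward-zone:
    name: "."
    forward-ssl-upstream: yes
    forward-addr: 1.1.1.1@853
    forward-addr: 1.0.0.1@853
"""

# Hardened form (assumed paths/names): CA bundle plus an auth name per address.
HARDENED = """\
server:
    tls-cert-bundle: "/etc/ssl/cert.pem"
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
"""

if __name__ == "__main__":
    for label, snippet in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, dot_findings(snippet) or "ok")
```

With the auth name present, unbound refuses the forwarder if the presented certificate does not chain to the bundle or does not carry that name in its CN/SAN, which is the failure johnpoz shows for the inbound case further down the thread.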
            • JonathanLee @DefenderLLC

              @DefenderLLC I am running DoT with 853, sorry, DoH is what I mean.

              Make sure to upvote

              • johnpoz LAYER 8 Global Moderator @JonathanLee

                @JonathanLee have not played with DoH outbound from unbound; DoT is clicky clicky to set up. But I did get both DoT and DoH for inbound set up internally... So clients can query unbound via DoT or DoH. I have zero use for it, but figured I would see what it takes to set up. Not much other than creating your certs for use that your clients can trust, etc.

                Simple as copy the cert over, and tell unbound to use it via the options box, and tell it to listen on 443 for DoH. Once you set the cert in the options box it will be used for both DoT and DoH, and override what you have set in the GUI for DoT listening.

                [image: doh.jpg]

                Simple test to validate it's working:

                [image: dotdoh.jpg]

                And here is when the cert CN/SAN doesn't validate:

                [image: certfails.jpg]

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

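The client side of the inbound DoH listener johnpoz describes, as an added example written for this page (not code from the thread, from Netgate or from unbound, and it opens no socket): it assembles the RFC 8484 wire-format query a DoH client sends for an A record, the GET form with the padding-stripped base64url `dns=` parameter and the POST form with the `application/dns-message` media type, and decodes a constructed answer of the shape a resolver returns. The resolver name `doh.lab.example` and the `192.0.2.1` answer are made up for the example.

```python
"""Build and decode RFC 8484 DNS-over-HTTPS messages offline.

Added example for this page, not code from the thread, Netgate or unbound.
It does not touch the network: it shows the bytes a DoH client hands to an
https listener and how the answer comes back. The resolver name
doh.lab.example and the 192.0.2.1 answer are constructed for the example.
"""
import base64
import struct

DNS_MIME = "application/dns-message"   # the one media type RFC 8484 requires both sides to support


def encode_name(qname):
    """DNS label encoding: length-prefixed labels terminated by a zero byte."""
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype=1):
    """Wire-format query with RD set. ID is 0 on purpose (RFC 8484 section 4.1):
    a fixed ID keeps identical queries byte-identical so HTTP caches can hit."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)   # QTYPE, QCLASS IN


def doh_get_url(base_url, wire):
    """GET form: base64url without '=' padding in the dns= parameter (RFC 8484 section 6)."""
    return base_url + "?dns=" + base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")


def decode_dns_param(param):
    """Server side of doh_get_url: restore the padding the client stripped."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def doh_post_request(base_url, wire):
    """POST form: the raw message is the body; Content-Type and Accept both
    name application/dns-message, otherwise a server may refuse the request."""
    return {"method": "POST", "url": base_url,
            "headers": {"Content-Type": DNS_MIME, "Accept": DNS_MIME,
                        "Content-Length": str(len(wire))},
            "body": wire}


def read_name(msg, off):
    """Read a possibly compressed name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def parse_response(msg):
    """Return rcode and the answer section as (name, type, ttl, rdata) tuples.
    A records are rendered dotted-quad; other types are left as raw bytes."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                 # skip the echoed question
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"rcode": flags & 0xF, "answers": answers}


# Constructed reply: ID 0, flags QR|RD|RA, one question, one A answer whose
# name is a compression pointer (0xC00C) back to the question at offset 12.
SAMPLE_REPLY = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("www.example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    q = build_query("www.example.com")
    print(doh_get_url("https://doh.lab.example/dns-query", q))
    print(parse_response(SAMPLE_REPLY))
```

On the unbound side the listener behind this is the `https-port` (443 by default), an `interface: <addr>@443` line, the `tls-service-key` / `tls-service-pem` pair johnpoz pastes into the options box, and the endpoint path (`http-endpoint`, `/dns-query` by default); the same key and pem back the DoT listener on `tls-port` 853, which is why setting them overrides the GUI's DoT setting. For a live check from a client, `curl --doh-url https://<resolver>/dns-query https://example.com` does the GET/POST exchange above, and it fails the same way his third screenshot does when the certificate's CN/SAN does not match the name the client asked for.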
                • JonathanLee @johnpoz

                  @johnpoz can it be used to intercept the one.one.one.one DoH address, or token.apple.com, or some other ones, and act as the middle man for DoH, much like DNS on port 53 or 853?

                  The thought process I have is that it could act as the middleman itself to see what requests are sent to any DoH server. I am fearful that DoH will be used, making DNS URL guards less effective. Right now I pretty much block all DoH; again, it's only because I have a list of what DoH servers are being attempted. Take that list away and it's no longer efficient enough for detecting requests.

                  I guess, long story short, can DoH on unbound do all the requests for the upstream servers like Amazon's DoH or Apple, etc.? I am not worrying about the major ones; it's the random ones that sideline security.

                  Does that make sense? I mean, right now we use unbound for requests; it handles them at the firewall. Again, if something is resolving with DoH the URL blockers don't really see it, only IP addresses, much like the issue with Squid.

                  Amazing it's set up.

                  Make sure to upvote

                  • johnpoz LAYER 8 Global Moderator @JonathanLee

                    @JonathanLee If you had a client wanting to talk to doh.whatever.tld and you created a cert he would trust that says it's doh.whatever.tld, then sure, you should be able to do a MITM.


                    • JonathanLee @johnpoz

                      @johnpoz epic, I bet Squid 6 supports it too.

                      Make sure to upvote

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.