opnsense / plugins

OPNsense plugin collection
https://opnsense.org/
BSD 2-Clause "Simplified" License

unbound: Allow easier DNS-over-TLS configuration #1778

Closed jpawlowski closed 1 year ago

jpawlowski commented 5 years ago

Currently "Enable Forwarding Mode" will not consider that upstream servers might be DNS-over-TLS or DNS-over-HTTPS aware.

The "General configuration" shall provide an option to mark a server for those protocols and use the respective ports if no explicit port was set. Unbound shall then make use of that information to properly configure the forward section. This will avoid having to use "Custom options" for it.

Please also consider to add "tls-cert-bundle: /etc/ssl/cert.pem" to the "server:" section to ensure that the upstream servers can be validated properly.

This is what I must currently put manually to the "Custom options":

server:
  minimal-responses: yes
  qname-minimisation: yes
  rrset-roundrobin: yes
  use-caps-for-id: yes
  tls-cert-bundle: /etc/ssl/cert.pem

forward-zone:
  name: "."
  forward-addr: 2606:4700:4700::1111@853
  forward-addr: 1.1.1.1@853
  forward-addr: 2606:4700:4700::1001@853
  forward-addr: 1.0.0.1@853
  forward-ssl-upstream: yes

jpawlowski commented 5 years ago

I may also refer to the "small p" appliance and their updated implementation.

mimugmail commented 5 years ago

As before, will be available via plugin.

jpawlowski commented 5 years ago

Are you talking about some kind of DNS proxy I read about? That actually sounds a bit fishy to me to have just another daemon process in between. What's the benefit of nesting all those different kinds of plugins and all their interdependencies?

mimugmail commented 5 years ago

Because it's pluggable. There are also users just using dnsmasq, there are also users wanting bind as the main resolver. IMHO dnscrypt also has some advantages in overrides and blacklisting.

But to be fair, I'm not really familiar with legacy code, so I only add new stuff and don't change old existing ones.

jpawlowski commented 5 years ago

> But to be fair, I'm not really familiar with legacy code, so I only add new stuff and don't change old existing ones.

Touché :-)

I indeed get the impression that sometimes coordination of the overall picture is missing by the primary maintainer. I like new stuff probably as much as you do, but it also becomes a little complex to set things up already today (just had a similar experience with Postfix + Rspamd + Redis + ClamAV), where there is no dependency management and it's not always clear to somebody unfamiliar with the backend systems how they interact.

I can only imagine that maintenance of all those interdependencies for potentially small features might become really complex as well. Might be easier as long as all plugins are being served by the same person, but things change...

I'm not saying that the approach of having something more generic is not good to have as well, but me and potentially other people would maybe prefer to keep things simple as long as it's possible. Also, I am more than happy to see low latency with Unbound today (even with DoH/DoTLS enabled) and am a bit worried that it will be worse with something in the middle. It might even be an issue for larger setups, who knows...

mimugmail commented 5 years ago

Keeping it simple or keeping it modular... for an inexperienced user this might be quite complex, but you can use Redis for Rspamd and ntopng, you can use ClamAV for the proxy and/or Rspamd. It all plays really nicely together as you can configure everything by itself.

In contrast, other vendors install c-icap, ClamAV etc. included in their main package. When you now code another plugin depending on ClamAV, perhaps with some special configuration needs which might break the proxy, what do you do? Also, when a commercial AV product comes along, how do you handle this when ClamAV comes bundled with the proxy?

You are totally right that the UX might not be the same as with Sophos or others, perhaps there's a need for more documentation and/or inline wizards or guidelines.

fichtner commented 5 years ago

thanks for the config bits. not sure about providing IP address input or possibly hardcoding them...

jpawlowski commented 5 years ago

Input fields already exist, just would need to be extended in System > Settings > General:


Entries shall then be written to /etc/resolv.conf as before, just make sure the optional part will be truncated before.

The logic in Unbound to "Enable Forwarding Mode" shall then be updated so that the format of the configuration will look similar to what is mentioned above (that is for TCP / DNS-over-TLS but DNS-over-HTTPS looks very similar. Can get it for you if desired.).

No IP address needs to be hard-coded, people will need to know if the external DNS resolver supports the respective protocol. :-)

fichtner commented 5 years ago

Ok, DNS server selection in general is already pretty bad as it is... maybe we can fudge the ports and auto-assign. normally the ports don't matter because resolv.conf doesn't support it.

fichtner commented 5 years ago

After a bit of thought we'll add a server input field in Unbound that allows to set DNS-over-TLS servers with optional port specification or defaulting to 853. This keeps everything in the Unbound configuration.
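
The field semantics proposed above (an address with an optional port, defaulting to 853) together with the tls-cert-bundle line requested at the top of the thread, as an added example in Python that is not OPNsense's or Unbound's own implementation. The "#authname" suffix is Unbound's own forward-addr syntax for TLS server-name verification in recent versions; that such an input field would accept it is an assumption of this example, as is the exact entry format.

```python
"""Generate an Unbound forward-zone for DNS-over-TLS upstreams.

Added example, not OPNsense or Unbound project code. Each entry is "addr" or
"addr@port" and a missing port defaults to 853 (assumed field semantics, as
proposed in the thread). The optional "#authname" suffix is Unbound's own
forward-addr syntax for TLS server-name verification (recent versions); that
the input field would accept it is an assumption of this example.
"""
from typing import List, Optional, Tuple
import ipaddress

DEFAULT_DOT_PORT = 853
CERT_BUNDLE = "/etc/ssl/cert.pem"  # bundle path used in the thread's custom options


def parse_server(entry: str) -> Tuple[str, int, Optional[str]]:
    """Split "addr[@port][#authname]" into (addr, port, authname).

    IPv6 literals contain ':' but never '@' or '#', so splitting on those
    from the right is safe; square brackets around an IPv6 literal are
    tolerated. Non-IP entries and bad ports raise ValueError rather than
    being written into unbound.conf, where they would break the reload.
    """
    entry = entry.strip()
    authname: Optional[str] = None
    if "#" in entry:
        entry, authname = entry.split("#", 1)
        authname = authname.strip() or None
    addr, sep, port_str = entry.rpartition("@")
    if sep:
        port = int(port_str)
    else:
        addr, port = entry, DEFAULT_DOT_PORT
    addr = addr.strip().strip("[]")
    ipaddress.ip_address(addr)  # ValueError on anything that is not an IP literal
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return addr, port, authname


def forward_zone(servers: List[str], zone: str = ".",
                 cert_bundle: str = CERT_BUNDLE) -> str:
    """Render the server: and forward-zone: fragment for the given upstreams.

    forward-tls-upstream is the current option name; forward-ssl-upstream
    (as written in the thread) is kept by Unbound as an alias.
    """
    if not servers:
        raise ValueError("at least one forwarder is required")
    lines = [
        "server:",
        f"  tls-cert-bundle: {cert_bundle}",
        "",
        "forward-zone:",
        f'  name: "{zone}"',
    ]
    for entry in servers:
        addr, port, authname = parse_server(entry)
        line = f"  forward-addr: {addr}@{port}"
        if authname:
            line += f"#{authname}"
        lines.append(line)
    lines.append("  forward-tls-upstream: yes")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(forward_zone(["2606:4700:4700::1111", "1.1.1.1@853",
                        "2606:4700:4700::1001", "1.0.0.1"]))
```

Validating each entry before rendering matters because Unbound refuses to start on a malformed forward-addr, and a resolver that does not come back up after a reload is a worse failure than a rejected form field. Without tls-cert-bundle Unbound has no trust anchors for the upstream certificate, so forward-tls-upstream alone gives encryption but not authentication of the forwarder.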

bugz8unny69 commented 5 years ago

> After a bit of thought we'll add a server input field in Unbound that allows to set DNS-over-TLS servers with optional port specification or defaulting to 853. This keeps everything in the Unbound configuration.

Sorry to interject here, to clarify, you mean 19.1?

fichtner commented 5 years ago

No schedule has been allocated.

jpawlowski commented 5 years ago

Cool! Remember to add DoH port option as well :)

jpawlowski commented 5 years ago

Not sure why I am being asked about any status @opnsenseuser :-) However, there is no relation at all between LetsEncrypt and a DNSoTLS-aware DNS Resolver at all. I suggest you google about to sort things out for you.

Keltere commented 4 years ago

@jpawlowski I've tried your custom settings on 20.7 but it doesn't work, I can't get Cloudflare DNS over TLS; sniffing port 53 shows all unencrypted stuff and sniffing port 853 results in nothing, not even a request. Here are my settings, I've also disabled the override of the DNS in general settings https://postimg.cc/gallery/fM2mBRh

mimugmail commented 4 years ago

Unbound in 20.7 does not need custom settings for DoT

Keltere commented 4 years ago

> Unbound in 20.7 does not need custom settings for DoT

I've tried the DNS over TLS tab in Miscellaneous settings by adding 1.1.1.1@853 and 1.0.0.1@853 and it doesn't work, so I've tried to use custom settings to achieve that but without success. I've also tried reinstalling Unbound and nothing. Current Unbound version 1.10.1
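
A direct check of whether a DoT upstream answers at all, independent of the Unbound configuration, narrows a problem like the one above to either the network path or the resolver config. The following is an added example written for this page, not OPNsense or Unbound code: it opens a TLS session to the upstream on port 853, verifies the certificate against the system bundle, sends one length-prefixed DNS query as RFC 7858 requires and parses the reply. The wire-format helpers are pure, so they are checked here against a constructed response rather than live traffic; the server name, query name and the TEST-NET address in the constructed reply are illustrative.

```python
"""Query a DNS-over-TLS (RFC 7858) upstream and confirm it really answered over TLS.

Added example, not OPNsense or Unbound code. dot_query() opens a TLS session
to server:853, verifies the certificate against the system bundle (pass
cafile="/etc/ssl/cert.pem" on FreeBSD/OPNsense, the path used in the thread),
sends one length-prefixed DNS query and parses the answer. The wire-format
helpers are pure so they can be checked offline against a constructed response.
"""
import socket
import ssl
import struct
from typing import Dict, List, Optional

QUERY_ID = 0x1234  # fixed for the example; use os.urandom(2) in real tooling


def build_query(name: str, qid: int = QUERY_ID, qtype: int = 1) -> bytes:
    """DNS header (RD set) + QNAME labels + QTYPE/QCLASS IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _skip_name(data: bytes, off: int) -> int:
    """Advance past a possibly compressed name (RFC 1035 section 4.1.4)."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, then done
            return off + 2
        off += length + 1


def parse_response(data: bytes, expected_id: int) -> Dict[str, object]:
    """Return rcode and the A-record addresses from a DNS response."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if qid != expected_id:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4  # skip QTYPE and QCLASS
    addrs: List[str] = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))
    return {"rcode": flags & 0xF, "answers": addrs}


def _recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes or raise; TLS records need not align with DNS messages."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("upstream closed the TLS session early")
        buf += chunk
    return buf


def dot_query(server: str, name: str, port: int = 853,
              authname: Optional[str] = None,
              cafile: Optional[str] = None) -> Dict[str, object]:
    """One DoT round trip; returns the parsed answer plus TLS details."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED, hostname checked
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    query = build_query(name)
    with socket.create_connection((server, port), timeout=5) as raw:
        # Python matches an IP literal against the certificate's IP SANs; pass
        # authname for upstreams whose certificate only carries a DNS name.
        with ctx.wrap_socket(raw, server_hostname=authname or server) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)  # 2-byte length prefix
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            result = parse_response(_recv_exact(tls, length), QUERY_ID)
            result["tls_version"] = tls.version()
            result["peer_subject"] = tls.getpeercert().get("subject")
            return result


# Constructed response for offline checks (not captured traffic): id 0x1234,
# flags 0x8180 (QR, RD, RA), one question (example.com A IN), one answer that
# uses a compression pointer to the question name, TTL 60, A 192.0.2.1 (TEST-NET-1).
CONSTRUCTED_RESPONSE = (
    struct.pack("!HHHHHH", QUERY_ID, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00\x00\x01\x00\x01"
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    print(dot_query("1.1.1.1", "opnsense.org"))
```

If this script gets an answer from the firewall itself but a capture on the WAN still shows plaintext on port 53, the resolver is not using the forward-zone (for example because forwarding mode is off or the DoT entries never reached unbound.conf); if the TLS handshake fails with a verification error, the certificate bundle path or the upstream's name is the problem rather than the network.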

mimugmail commented 4 years ago

Can you please open a thread in forums with screenshots etc.? A merged PR is not the right place for such a discussion.

Thx :)

Keltere commented 4 years ago

> Can you please open a thread in forums with screenshots etc.? A merged PR is not the right place for such a discussion.
>
> Thx :)

Done https://forum.opnsense.org/index.php?topic=18408.0

OPNsense-bot commented 1 year ago

This issue has been automatically timed-out (after 180 days of inactivity).

For more information about the policies for this repository, please read https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md for further details.

If someone wants to step up and work on this issue, just let us know, so we can reopen the issue and assign an owner to it.