Another DoT Topic

I did an update to Core 141 and wanted to switch to DoT, so I changed the DNS protocol from TCP to TLS and updated my DNS firewall rules from TCP 53 to TCP 853. However, that doesn't work.

What am I missing? Thanks, Terry

Hi Terry,

can you give us some more information please?

Hm, which one? I thought switching DNS to DoT is done by only changing the DNS protocol, so I changed it from TCP to TLS. Also, by default all communication is blocked for IPFire and the other networks, so I have firewall rules to allow TCP DNS communication, and since DoT is still TCP I only changed the port from 53 to 853, but it doesn't work :pensive:. I get tons of firewall log entries for UDP port 53 (that is not DoT).

Ah yeah, and I tested DoT with the rule "firewall outgoing: allowed" and it works ("Working (Recursor-Modus)"), but in recursor mode (why is that?). So the main problem is related to iptables (not again! :grimacing:).

Maybe the problem is "all is blocked"? In my case outgoing is allowed.

Ah, I see you tested it also, then I have no idea, sorry. Maybe a developer can say more.

I also just added a UDP port 53 rule in addition to the TCP port 853 rule, but no change: still broken.

Unbound switches to recursor mode if no forward server is configured.

If you switch on "TLS", all servers without a hostname will be skipped, because the hostname is needed for TLS validation.

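The behaviour described in the post above (servers without a TLS hostname are dropped from the upstream list when the protocol is TLS, and an empty forwarder list puts Unbound into recursor mode), as an added example that is not IPFire's own code. It models the server list with a constructed sample and renders the resulting Unbound forward-zone stanza (the `addr@853#hostname` form is real Unbound syntax); the `outgoing_firewall_ports` helper and the `UpstreamServer` type are assumptions made for this illustration.

```python
"""
Added example (not IPFire's code): model how switching the DNS protocol to TLS
changes the upstream list. Servers with no TLS hostname are skipped, and if
nothing is left Unbound falls back to recursor mode, which needs UDP/TCP 53
to arbitrary authoritative servers rather than TCP 853 to the forwarders.
"""
from dataclasses import dataclass
from typing import Optional, List, Set, Tuple


@dataclass
class UpstreamServer:
    address: str
    hostname: Optional[str] = None   # TLS authentication name; None if not configured


# Constructed sample list: two servers with a hostname, one without.
SAMPLE_SERVERS = [
    UpstreamServer("9.9.9.9", "dns.quad9.net"),
    UpstreamServer("1.1.1.1", "cloudflare-dns.com"),
    UpstreamServer("192.0.2.53"),  # documentation address, no hostname set
]


def usable_forwarders(servers: List[UpstreamServer], protocol: str) -> List[UpstreamServer]:
    """Servers Unbound can forward to for this protocol.

    With TLS, a hostname is required to validate the server certificate,
    so servers without one are skipped. With UDP/TCP every server is usable.
    """
    if protocol == "TLS":
        return [s for s in servers if s.hostname]
    return list(servers)


def unbound_mode(servers: List[UpstreamServer], protocol: str) -> str:
    """'forwarding' if at least one usable forwarder remains, else 'recursor'."""
    return "forwarding" if usable_forwarders(servers, protocol) else "recursor"


def forward_zone(servers: List[UpstreamServer], protocol: str) -> str:
    """Render the Unbound forward-zone stanza for the usable servers.

    Unbound's forward-addr syntax is addr@port#authname; the #authname part
    is what forward-tls-upstream uses to validate the certificate.
    Returns an empty string when nothing can be forwarded (recursor mode).
    """
    usable = usable_forwarders(servers, protocol)
    if not usable:
        return ""
    lines = ["forward-zone:", '    name: "."']
    if protocol == "TLS":
        lines.append("    forward-tls-upstream: yes")
        lines += [f"    forward-addr: {s.address}@853#{s.hostname}" for s in usable]
    else:
        lines += [f"    forward-addr: {s.address}@53" for s in usable]
    return "\n".join(lines)


def outgoing_firewall_ports(servers: List[UpstreamServer], protocol: str) -> Set[Tuple[str, int]]:
    """Outgoing ports the firewall host needs (assumed helper for illustration).

    Forwarding over DoT needs only TCP 853 to the forwarders. Forwarding over
    plain DNS, or recursor mode (queries to authoritative servers), needs
    UDP and TCP 53. This is why a TLS switch without hostnames shows up as
    blocked UDP 53 traffic in the firewall log.
    """
    if unbound_mode(servers, protocol) == "forwarding" and protocol == "TLS":
        return {("tcp", 853)}
    return {("udp", 53), ("tcp", 53)}


if __name__ == "__main__":
    for proto in ("TCP", "TLS"):
        print(f"--- protocol {proto}: mode {unbound_mode(SAMPLE_SERVERS, proto)}")
        print(forward_zone(SAMPLE_SERVERS, proto) or "(no forward-zone; recursing)")
        print("needs outgoing:", sorted(outgoing_firewall_ports(SAMPLE_SERVERS, proto)))
```

Running it with a list that has no hostnames at all reproduces the situation in the thread: TLS selected, zero usable forwarders, recursor mode, and a firewall that must now allow UDP/TCP 53 rather than only TCP 853.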

How do I do that? I was looking for a wiki but couldn’t find it.

Edit: I did just define the DNS hostnames and it's working. Thanks. So I don't know what you mean by this, but it looks like I don't need anything else to be done.

Ah OK, the DNS server list/overview doesn't show a column with TLS hostnames, so I didn't expect that. Done.