DNS over TLS on IPFire 2.27 Core-Update 180

Anyone else having issues with DNS over TLS after upgrading to IPFire 2.27 (x86_64) - Core-Update 180?

After the upgrade it became unstable and now DNS will fail if I enable TLS

Using Quad9 name servers
9.9.9.9
149.112.112.112

I checked with my ISP and they have not implemented any blocks for DNS over TLS but I am still checking.

Welcome!

I use DoT and also upgraded recently to 180. And no issues. I must admit I do not use Quad9.

Do you have any other DoT Servers configured? I have about 8 in my setup. Occasionally the test does fail and it’s therefore good to have a few configured.

Hi Raymond - welcome to the IPFire community!

I use the same quad9 servers and all works A-OK.

What errors are you seeing? Screenshots or message log errors always help!

Hi @ipfrd911.

I have this on all the machines I have installed with version 180 and I don’t have any problems.

Bye.

When I change the configuration to enable TLS, the Check DNS servers fail. Even Cloudflare's fail.
From the IPFire
nslookup of yahoo
;; connection timed out; no servers could be reached

/var/log/messages
Nov 2 11:01:02 hmgw01 unbound: [2038:0] error: SERVFAIL <yahoo.com. A IN>: all the configured stub or forward servers failed, at zone . from 149.112.112.112 upstream server timeout
Nov 2 11:01:49 hmgw01 unbound: [2038:0] error: SERVFAIL <yahoo.com. A IN>: all the configured stub or forward servers failed, at zone . no server to query nameserver addresses not usable have no nameserver names

OK, searching around more I see this in the fast.log for Suricata:
11/02/2023-11:02:19.395572 [Drop] [] [1:2048911:1] ET INFO Observed DNS Over HTTPS Domain (dns .quad9 .net in TLS SNI) [] [Classification: Misc activity] [Priority: 3] {TCP} 207.173.138.41:44230 → 9.9.9.9:853
11/02/2023-11:02:35.253282 [Drop] [] [1:2048911:1] ET INFO Observed DNS Over HTTPS Domain (dns .quad9 .net in TLS SNI) [] [Classification: Misc activity] [Priority: 3] {TCP} 207.173.138.41:35508 → 149.112.112.112:853

I had my firewall disconnect after adding Quad9 secondary using TLS (to test Quad9 too).
Web menu System > Home showed line as idle (PPPoE for ref).
Tried disconnect then reconnect from the menu and still broken.
Rebooted firewall and all came back (inc Quad9).

Update: I added the Quad9 IPs to the Intrusion Prevention System Whitelisted Hosts and it works again. This was working fine up until I updated to the latest release recently.

Intrusion Prevention System configuration

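Added example, not code from the thread or from IPFire: a small Python script that scans Suricata fast.log lines for [Drop] events aimed at the configured DoT forwarders on port 853, so an admin can see that the IPS is blocking the firewall's own resolver before Unbound starts logging SERVFAIL. The sample lines are constructed from the excerpt above (real fast.log uses "[**]" and "->", which the forum rendered as "[]" and "→"; both are accepted), and the forwarder list, log path and source address are assumptions.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample lines modelled on the fast.log excerpt in the thread.
# 192.0.2.1 stands in for the firewall's public address (documentation range).
SAMPLE_FAST_LOG = """\
11/02/2023-11:02:19.395572  [Drop] [**] [1:2048911:1] ET INFO Observed DNS Over HTTPS Domain (dns .quad9 .net in TLS SNI) [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.1:44230 -> 9.9.9.9:853
11/02/2023-11:02:35.253282  [Drop] [**] [1:2048911:1] ET INFO Observed DNS Over HTTPS Domain (dns .quad9 .net in TLS SNI) [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.1:35508 -> 149.112.112.112:853
11/02/2023-11:03:01.000000  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.9:80 -> 192.0.2.10:51234
"""

# Assumed DoT forwarders (the Quad9 addresses used in the thread).
DOT_FORWARDERS: Set[str] = {"9.9.9.9", "149.112.112.112"}

# One fast.log record: timestamp, optional [Action], "[**]" (or "[]"), gid:sid:rev,
# message, classification, priority, protocol and the src -> dst socket pair.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?:\[(?P<action>\w+)\]\s+)?\[\**\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\**\]\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+):(?P<sport>\d+)\s+(?:->|→)\s+"
    r"(?P<dst>\S+):(?P<dport>\d+)\s*$"
)


def parse_fast_log(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse fast.log text into dicts; lines that do not match are skipped."""
    return [m.groupdict() for line in text.splitlines()
            if (m := LINE_RE.match(line.strip()))]


def blocked_dot_forwarders(events: List[Dict[str, Optional[str]]],
                           forwarders: Set[str], port: str = "853") -> Dict[str, List[str]]:
    """Map each configured DoT forwarder to the SIDs whose Drop events hit it on tcp/853."""
    hits: Dict[str, List[str]] = {}
    for ev in events:
        if ev["action"] == "Drop" and ev["dst"] in forwarders and ev["dport"] == port:
            hits.setdefault(ev["dst"], []).append(ev["sid"])
    return hits


def report(text: str, forwarders: Set[str]) -> List[str]:
    """Human-readable lines: which forwarder is being dropped and by which rule."""
    return [f"DoT forwarder {dst} dropped by SID(s) {', '.join(sorted(set(sids)))}; "
            "whitelist the host in the IPS or disable the rule"
            for dst, sids in sorted(blocked_dot_forwarders(parse_fast_log(text), forwarders).items())]


if __name__ == "__main__":
    # Assumed path; on IPFire the IPS writes fast.log under /var/log/suricata/.
    print("\n".join(report(SAMPLE_FAST_LOG, DOT_FORWARDERS)) or "no DoT forwarder drops found")
```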