The Domain Name System (dns.cgi) page has no indicator that DNS over TLS (DoT) is active. The hostname of the certificate can be configured in the setup form, but that domain name is not visible in the configuration overview. There is no indicator that the TLS hostname is correct and that TLS is used. When I use “check DNS”, DNSSEC is verified but no information related to TLS is shown.
I would like to see an icon when DoT is used.
UPDATE. My DNS was configured wrong; I was living with the false belief that I use DoT, but I was not using it… The trick is to switch from UDP or TCP connection to TLS; this is a global configuration for all DNS configurations in IPfire. This important point is not clear from the IPfire wiki, and I found that information in the instructions for the “Quad9 setup guide for IPfire”… When you are a DNS expert, then this is clear, but it is not clear for someone who has no experience with DoT or DoH…
Once TLS is active, the DNS check button verifies if the connection is working, and an error is shown when the hostname for the certificate is wrong…
Then you should place the mouse pointer over the Error label, and after a second or so you will see an information message on what is causing the Error message. It can be that the DNS server is not available for a short period.
You can also look in the DNS Server System Logs for more details.
I think DNS over TLS (DoT!) is referenced clearly in the wiki.
If you feel there should be an explicit remark (for non-experts also), you are invited to contribute that. Your credentials for the community work in the wiki also.
I checked the wiki again and I cannot see it there, I am sorry…
My confusion was based on the assumption that each DNS server can be configured as unencrypted DNS or DoT DNS, that it is an option for each server and the switch is the field “TLS hostname”: when it is filled, IPfire will try to use TLS. That was wrong; there is a global switch that affects all configurations.
DoT is new for me; IPcop was too old to have support for DoT. I have some experience with DNSCrypt and DNSCrypt proxy (OpenDNS supported DNSCrypt long before DoT was standardized).
When I hover the mouse over the “Error” status I see a message like this one (not limited to 9.9.9.9): TLS peer has closed connection; cannot receive reply from 9.9.9.9@853(TCP)
By the way, I watched the YT video you posted above, and I am not getting the impression that Quad9 is in the DNS business purely “not for profit”. It appears that they have a large PR budget.
But I don’t know anything about them.
I also found the discussion with their rep:
I use some of the recommended DNS servers in the wiki.
You will notice that “the not for profit” ones are slower than the “for profit” ones like 1.1…1. or 2.2.2.
Hi @peppetech, wondering if Quad9 TLS is compatible with recursive unbound? I think it has something to do with the CNAMEs that unbound calls, which can result in unexpected behaviour of the DNS resolver. As well, the forward.conf must be filled with something like this:
unbound.conf (as the unbound conf is pulling forward configurations from an external file in local.d, this must be filled):
forward-zone:
name: “.”
forward-tls-upstream: yes
forward-addr: ...#******** dns.resolver quad. etc
forward-addr: (ipv6 DNS not used in Ipfire)
forward-addr: ...#*********.dns.nextdns.io
forward-addr:
But the problem regarding DoT and unbound is explained in this external link, although it’s related to another DNS resolver: Consider disabling CNAME scrubbing for forwarded queries · Issue #132 · NLnetLabs/unbound · GitHub
Regards G70P
My IPfire has this config file; it was generated by scripts (no manual modification). I configured two Quad9 DNS servers during the weekend in the WUI, and DoT mode is active.
[root@ipfire ~]# cat /etc/unbound/forward.conf
# This file is automatically generated and any changes
# will be overwritten. DO NOT EDIT!
forward-zone:
name: "."
forward-tls-upstream: yes
forward-addr: 9.9.9.9@853#dns.quad9.net
forward-addr: 149.112.112.112@853#dns.quad9.net
9.9.9.9 and 149.112.112.112 do some “censorship/filtering” to remove hostnames misused by malware, etc. These are called secured.
9.9.9.10 and 149.112.112.10 should not filter anything. These are called unsecured. It is written in the documentation that there is no DNSSEC on the unsecured servers… details
IPfire doesn’t show that the “unsecured” service misses DNSSEC:
I think this should not be a real issue because IPfire has a DNS cache (unbound); the first query could be slower, but the following queries are served from the IPfire cache (until the information in the cache expires and has to be queried again).
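Since the thread is about having no visible indicator of whether DoT is really on, here is an added Python check (not IPfire’s own code) that reads an unbound forward.conf like the one pasted above and reports “dot” only if the global forward-tls-upstream switch is yes and every forward-addr uses port 853 with a TLS hostname for certificate verification. Both sample configs are constructed inline; the second mirrors the misconfiguration described earlier (servers entered but the TLS switch left off).

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the auto-generated /etc/unbound/forward.conf shown in the thread (DoT on).
SAMPLE_DOT = """\
# This file is automatically generated and any changes
# will be overwritten. DO NOT EDIT!
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 9.9.9.9@853#dns.quad9.net
  forward-addr: 149.112.112.112@853#dns.quad9.net
"""

# Constructed sample: same servers, but the global TLS switch off, so unbound talks plain UDP/TCP on 53.
SAMPLE_PLAIN = """\
forward-zone:
  name: "."
  forward-addr: 9.9.9.9
  forward-addr: 149.112.112.112
"""

# unbound forward-addr syntax: IP, optional "@port", optional "#tls-hostname"
ADDR_RE = re.compile(r"^(?P<ip>[^@#\s]+)(?:@(?P<port>\d+))?(?:#(?P<host>\S+))?$")

@dataclass
class Upstream:
    ip: str
    port: int
    tls_host: Optional[str]

def parse_forward_conf(text: str) -> Tuple[bool, List[Upstream]]:
    """Return (forward-tls-upstream flag, list of upstreams) from a forward-zone block."""
    tls, upstreams = False, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # only whole-line comments; '#' inside an addr is the TLS host
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "forward-tls-upstream":
            tls = value.lower() == "yes"
        elif key == "forward-addr":
            m = ADDR_RE.match(value)
            if not m:
                raise ValueError(f"unparseable forward-addr: {value!r}")
            upstreams.append(Upstream(m["ip"], int(m["port"] or 53), m["host"]))
    return tls, upstreams

def dot_status(text: str) -> Tuple[str, List[str]]:
    """'dot' only when TLS is on and every upstream has port 853 plus a hostname to verify the cert."""
    tls, upstreams = parse_forward_conf(text)
    problems = []
    if not tls:
        problems.append("forward-tls-upstream is not 'yes' (global TLS switch is off)")
    for u in upstreams:
        if u.port != 853:
            problems.append(f"{u.ip}: port {u.port} is not 853")
        if not u.tls_host:
            problems.append(f"{u.ip}: no TLS hostname, certificate cannot be verified")
    return ("dot" if not problems else "plain"), problems
```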
Hi @pslpsl, although the file will be overwritten by the use of the web GUI, the local.d directory is the place to create a file to be included in the unbound parameters. In /etc/unbound/local.d/, touch forward.conf; with the creation of this file, unbound.conf will include what’s inside local.d, not altering the forward.conf in the /etc/unbound/ directory. At the end of the unbound.conf file (open it in nano) it says: include etc/unbound/local.d/. Touch the file there and write the parameters for the TLS DNS servers.
Regards
G70P
Hello Jon,
Since the topic asks for an indicator of whether DNS-over-TLS is active, I queried also with TLS certificate validation (+tls-ca), and also used TLS with a remote server hostname check (+tls-host).
RRSIG is the DNSSEC signature attached to the record. If the DNS resolver does not support DNSSEC, it will not look for a signature. This is equivalent to “falling back” to not using DNSSEC.
For more information about kdig, please see → kdig – Advanced DNS lookup utility — Knot DNS 2.6.9 documentation