DNS is a critical service for the Internet. Not only every web page you visit but much of the content on each page requires a DNS lookup to find the server where that content is located. DNS is also not encrypted by default, allowing anyone in your traffic path, such as your ISP, to see every web page you visit even if you are not using their DNS servers. Because of this, it has become one way of tracking people online. We do have a few options to at least cut our ISP off from some of our data. We could use a VPN, but VPNs are not always ideal. So today I am going to focus on DNS over TLS. TLS (Transport Layer Security) is the same encryption used to protect websites, and it also allows us to verify that the server we are talking to is who we think it is.

Using OPNsense, we need to do only a few things to protect our entire network. Let’s get started!
- Enable DNS over TLS
- Prevent DNS leakage
- Test
Enable DNS over TLS
For this, we will be using Unbound DNS, which should be installed by default on OPNsense. If you have any other DNS servers enabled on OPNsense, you must turn them off.
Open up the Services Menu
On the General tab, check Enable Unbound, make sure the port is 53, and make sure the network interfaces you host DNS on are selected. By default, this is just LAN.
On the Query Forwarding tab, we want to make sure “Use System Nameservers” is disabled. This setting would prevent the use of DNS over TLS.
On the DNS over TLS tab, we will add the name servers we want to use. I’ll use Cloudflare in this example, but feel free to use your preferred DNS service.
Add a server entry for each address; for Cloudflare the servers are 1.1.1.1 and 1.0.0.1 on port 853. The CN (Common Name) is used to verify the TLS certificate, so we can be sure we're talking to Cloudflare.
Once our servers are added, click Apply.
Now all DNS requests that come into OPNsense should be forwarded to the name servers we defined, over TLS! Note that DNS requests made by OPNsense itself, when it reaches out for things like updates, won’t use TLS.
Prevent DNS leakage
Unfortunately, not everything will honor the DNS settings we hand out via DHCP. Smart home and IoT devices are notorious for preferring their own DNS settings. While we can’t configure them directly, we can block them from reaching out on their own so they have to use our DNS. Let’s put in a firewall rule to block all outbound DNS traffic on port 53 (the default unencrypted DNS port).
For this, we will be under the Firewall menu.
Go to Rules
We are looking for DNS traffic destined for the Internet, so we will put the rule on the WAN interface.
Click on the button to add a rule, and fill in the following:
- Action: “Reject”
- Quick (“Apply the action immediately on match”): checked. This stops further processing of firewall rules once this rule is matched.
- Interface: WAN
- Direction: Out
- Destination port range: from any to (other) port 53
- Log: enabled, so we can verify the rule is working. Feel free to disable this later, as it may generate a lot of logging in your environment.
Save our rule. It should look like this on the rules list.
Apply our new rule.
Now our firewall accepts plain, unencrypted DNS requests from our network and forwards them out over TLS, and it has a firewall rule to prevent devices from bypassing our DNS settings and going out unencrypted.
Test
So we implemented all this stuff, but is it working? Let’s find out.
From your browser, you can use the site below to verify your browser is using the DNS servers you specified.
In this example, Cloudflare’s DNS servers 1.1.1.1 and 1.0.0.1 are load-balanced IP addresses. Each of them has many DNS servers behind it all over the world. Our responses won’t come from 1.1.1.1 or 1.0.0.1, but they should be from Cloudflare, and the country should be in your region. I’m in the southwestern US, so this looks good.
https://www.dnsleaktest.com/
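The browser check above tells you which resolver answered, but not that the TLS hop to the upstream is actually verified. The following script is an added example (not from the original post and not OPNsense or Unbound code) that does by hand what the DNS over TLS tab's CN field asks Unbound to do: it sends one query to 1.1.1.1 on port 853 inside a TLS session and only accepts an answer if the server's certificate chains to a trusted CA and matches the expected hostname. The hostname `cloudflare-dns.com` and the transaction id are assumptions for the example; the wire format follows RFC 1035 and the 2-byte length framing of RFC 7858.

```python
"""DNS over TLS probe: build a DNS query, send it over TLS on port 853, and
verify the server certificate against the expected hostname (the CN entered
in the OPNsense DNS over TLS tab). Added example, not part of the original post."""
import socket
import ssl
import struct

TXID = 0x1234  # fixed transaction id so a reply can be matched (assumed for the example)


def build_query(name: str, qtype: int = 1, txid: int = TXID) -> bytes:
    """Encode a single-question DNS query (RD bit set, class IN) in wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def _skip_name(data: bytes, pos: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return pos + 2
        pos += 1 + length


def parse_a_records(data: bytes) -> dict:
    """Parse a DNS response and return its txid, rcode and IPv4 answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    pos = 12
    for _ in range(qd):                      # skip the echoed question section
        pos = _skip_name(data, pos) + 4
    answers = []
    for _ in range(an):
        pos = _skip_name(data, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        rdata = data[pos:pos + rdlen]
        pos += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            answers.append(".".join(str(b) for b in rdata))
    return {"txid": txid, "rcode": flags & 0x000F, "answers": answers}


def _recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes from a TLS socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def query_dot(name: str, server: str = "1.1.1.1", port: int = 853,
              hostname: str = "cloudflare-dns.com") -> dict:
    """Resolve `name` over DNS over TLS. The default context verifies the chain
    and that the certificate matches `hostname`, so a wrong or spoofed server
    raises ssl.SSLCertVerificationError instead of returning an answer."""
    context = ssl.create_default_context()   # CERT_REQUIRED + check_hostname=True
    query = build_query(name)
    with socket.create_connection((server, port), timeout=5) as raw:
        with context.wrap_socket(raw, server_hostname=hostname) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)   # RFC 7858 framing
            length = struct.unpack("!H", _recv_exact(tls, 2))[0]
            data = _recv_exact(tls, length)
    result = parse_a_records(data)
    if result["txid"] != TXID:
        raise ValueError("transaction id mismatch")
    return result


if __name__ == "__main__":
    # Needs network access; prints e.g. {'txid': 4660, 'rcode': 0, 'answers': [...]}
    print(query_dot("example.com"))
```

If you point `server` at an address whose certificate is not issued for `hostname`, the `wrap_socket` call fails before any DNS data is exchanged; that failure is exactly what the CN field buys you in Unbound, and its absence is why plain port 53 forwarding gives you no assurance about who answered.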
It is good to see our computers are using the correct settings, but what about the other pesky devices on our network? Let’s see how our firewall rule is doing.
Back under Firewall, we can look at the logging we enabled. Select Live View.
Let’s put in some filters so we can see what is happening to DNS traffic trying to bypass our settings:
- Destination port (dst_port) is 53 (the default port for unencrypted DNS).
- The interface is wan; this shows us just what is going out to the Internet. You may also see inbound DNS attempts from the Internet: this is why we have firewalls……
I have one other rule just to prevent my current public IP from being listed.
You may see a sea of red as I do; smart home devices sure are uh fun…. If you see devices reaching out and getting a pass (green), you may need to check whether you have other firewall rules allowing the traffic.
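Live View is fine for a quick look, but the same filter (interface wan, direction out, dst_port 53) can be run over the raw filterlog lines to get a per-device tally of who is still trying to bypass Unbound and whether the reject rule caught them. The script below is an added example (not from the original post, not OPNsense code). It assumes the CSV field layout the pf filterlog uses on OPNsense and pfSense (common fields, then IPv4- or IPv6-specific header fields, then source port, destination port and data length for TCP/UDP); the log lines, the rule labels and the physical WAN interface name `igb0` are constructed sample data. Note that the raw log carries the physical interface name, whereas Live View shows the friendly name wan, and that a Reject rule is recorded with action `block`.

```python
"""Tally plain-DNS attempts leaving the WAN from pf filterlog lines.
Added example, not part of the original post; field layout is an assumption
based on the documented pf filterlog CSV format."""
import csv
from collections import Counter, defaultdict
from typing import Iterable, Optional

# Positional field names (assumed layout of the filterlog CSV payload).
COMMON = ["rulenr", "subrulenr", "anchor", "label", "interface",
          "reason", "action", "dir", "ipversion"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto", "protoname",
        "length", "src", "dst"]
IPV6 = ["class", "flowlabel", "hlim", "proto", "protoname", "length", "src", "dst"]
PORTS = ["srcport", "dstport", "datalen"]   # present only for TCP/UDP

# Constructed sample log (syslog prefix + filterlog payload). Sources, rule
# labels and the WAN interface name igb0 are made up for the example.
SAMPLE_LOG = """\
Jan  1 12:00:00 fw filterlog[1234]: 5,,,2a3b4c5d,igb0,match,block,out,4,0x0,,64,1001,0,DF,17,udp,60,192.168.1.50,8.8.8.8,51234,53,40
Jan  1 12:00:01 fw filterlog[1234]: 5,,,2a3b4c5d,igb0,match,block,out,4,0x0,,64,1002,0,DF,17,udp,60,192.168.1.50,8.8.4.4,51235,53,40
Jan  1 12:00:02 fw filterlog[1234]: 7,,,9f8e7d6c,igb0,match,pass,out,4,0x0,,64,1003,0,DF,17,udp,60,192.168.1.77,9.9.9.9,51236,53,40
Jan  1 12:00:03 fw filterlog[1234]: 0,,,0,igb0,match,block,in,4,0x0,,54,0,0,none,17,udp,60,203.0.113.9,198.51.100.2,40000,53,40
Jan  1 12:00:04 fw filterlog[1234]: 3,,,1a2b3c4d,igb1,match,pass,in,4,0x0,,64,1004,0,DF,17,udp,60,192.168.1.50,192.168.1.1,51237,53,40
Jan  1 12:00:05 fw filterlog[1234]: 5,,,2a3b4c5d,igb0,match,block,out,6,0x00,00000,64,17,udp,60,2001:db8::50,2001:4860:4860::8888,51238,53,40
Jan  1 12:00:06 fw filterlog[1234]: 8,,,5e6f7a8b,igb0,match,pass,out,4,0x0,,64,1005,0,DF,6,tcp,60,192.168.1.1,1.1.1.1,51239,853,0
"""


def parse_filterlog(line: str) -> Optional[dict]:
    """Parse one filterlog line into a dict; None for non-TCP/UDP or malformed lines."""
    if "filterlog" in line:
        payload = line.split("filterlog", 1)[1].split(": ", 1)[1]
    else:
        payload = line                       # already just the CSV payload
    payload = payload.strip()
    if not payload:
        return None
    fields = next(csv.reader([payload]))
    if len(fields) <= len(COMMON):
        return None
    names = list(COMMON)
    names += IPV4 if fields[len(COMMON) - 1] == "4" else IPV6
    rec = dict(zip(names, fields))
    if rec.get("protoname") not in ("tcp", "udp"):
        return None                          # ICMP etc. carry no port fields
    rec.update(zip(PORTS, fields[len(names):]))
    return rec


def dns_bypass_report(lines: Iterable[str], wan: str = "igb0", port: str = "53") -> dict:
    """Same filter as the Live View (interface wan, dir out, dst_port 53):
    per-source counts of how the firewall handled plain-DNS attempts."""
    report = defaultdict(Counter)
    for line in lines:
        rec = parse_filterlog(line)
        if rec is None:
            continue
        if (rec.get("interface") != wan or rec.get("dir") != "out"
                or rec.get("dstport") != port):
            continue
        report[rec["src"]][rec["action"]] += 1
    return {src: dict(counts) for src, counts in report.items()}


def leaking_hosts(report: dict) -> list:
    """Sources whose plain DNS was passed (green in Live View): those indicate
    another rule is allowing the traffic ahead of the reject rule."""
    return sorted(src for src, counts in report.items() if counts.get("pass", 0) > 0)


if __name__ == "__main__":
    summary = dns_bypass_report(SAMPLE_LOG.splitlines())
    for src, counts in summary.items():
        print(f"{src:24} {counts}")
    print("still leaking:", leaking_hosts(summary))
```

Run against your own export of the filter log (with `wan` set to your real WAN interface name), the `leaking_hosts` list is the set of devices to chase down: either they have a rule above the reject rule letting port 53 through, or the traffic is leaving on an interface you did not apply the rule to.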
Now our ISP can no longer see all of our DNS traffic!
One thing we didn’t do is block DNS over TLS to providers other than the one we set up. Some browsers use their own DNS over TLS to “protect” the user, or to collect your tracking information, depending on how you look at it.