DNS Over TLS on OPNSense - Extra Online Privacy Using Encryption

  • Published 4 Oct 2022
  • Hey all and welcome to my channel! In this video I am going to show you how to use the built-in features that come with the Unbound DNS service on your OPNsense firewall to unlock additional privacy and security by using DNS over TLS to encrypt all the DNS traffic leaving your network.
    DNS by default sends all requests and responses in plaintext on UDP port 53, which means that anyone eavesdropping on your traffic, such as an ISP or a hacker, can see exactly which websites you are going to, and, even worse, it opens you up to in-path attacks where a hacker can manipulate the DNS response, sending you to a site of their choosing.
    Let's fix this in 5 minutes by enabling DNS over TLS on OPNsense using the free DNS services provided by Google, Cloudflare or Quad9.
    Ready to take your cyber security to the next level? Let's jump straight into the video.
    P.S. - Also, please don't forget to like and subscribe!
    Links used in the video:
    cloud.google.com/dns/docs/dnssec
    docs.opnsense.org/manual/unbo...
    www.cloudflare.com/learning/d...
    www.cloudflare.com/learning/d...
    www.cloudflare.com/learning/s...
    NOTE: I am not sponsored by or affiliated with any of the products or services mentioned in this video; all opinions are my own, based on personal experience.
    DISCLAIMER: All information, techniques and tools showcased in these videos are for educational and ethical penetration testing purposes ONLY. NEVER attempt to use this information to gain unauthorized access to systems without the EXPLICIT consent of their owners. This is a punishable offence by law in most countries.
    #opnsense #dnsovertls #privacy
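Once DoT is enabled on the firewall, the practical check is that a resolver answers on TCP 853 behind a verified certificate while nothing leaves on UDP 53. The following added example (my code, not from the video or OPNsense) does that query by hand: it builds a DNS message, applies the two-octet length framing that RFC 7858 requires on TLS, sends it to an upstream with certificate verification, and parses the A records back. The embedded response bytes are a constructed sample; the server address and certificate hostname you pass in (for instance Quad9's 9.9.9.9 with dns.quad9.net) are assumptions for your environment.

```python
import socket
import ssl
import struct

# Constructed sample: the reply to build_query("opnsense.org") with one A record, 192.0.2.10 (RFC 5737).
SAMPLE_RESPONSE = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"  # id, flags QR|RD|RA, 1 q, 1 answer
                   b"\x08opnsense\x03org\x00\x00\x01\x00\x01"  # question: opnsense.org, A, IN
                   b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc0\x00\x02\x0a")  # answer, TTL 300

def build_query(name, qtype=1, txid=0x1234):  # minimal query: RD set, one question, class IN
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)

def frame_for_tls(msg):
    return struct.pack(">H", len(msg)) + msg  # RFC 7858 section 3.3: two-octet length prefix

def skip_name(data, pos):  # offset just past a (possibly compressed) domain name
    while data[pos] != 0:
        if data[pos] & 0xC0 == 0xC0:  # compression pointer: two octets, name ends
            return pos + 2
        pos += 1 + data[pos]
    return pos + 1

def parse_a_records(resp):  # returns (txid, [IPv4 answers]) from a DNS response
    txid, _flags, qd, an, _, _ = struct.unpack(">HHHHHH", resp[:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(resp, pos) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        pos = skip_name(resp, pos)
        rtype, _, _, rdlen = struct.unpack(">HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:  # A record
            ips.append(socket.inet_ntoa(resp[pos:pos + 4]))
        pos += rdlen
    return txid, ips

def query_over_tls(server_ip, server_name, name, port=853):  # certificate verified against server_name
    ctx = ssl.create_default_context()
    with socket.create_connection((server_ip, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(frame_for_tls(build_query(name)))
            (length,) = struct.unpack(">H", tls.recv(2))
            resp = b""
            while len(resp) < length:
                resp += tls.recv(length - len(resp))
    return parse_a_records(resp)
```

If the handshake fails with a certificate error, the upstream is not the resolver you configured (or is being intercepted); if the connection times out on 853 while 53 works, a firewall rule or gateway is still blocking the DoT path.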

COMMENTS • 23

  • @mr.dingleberry4882 · 1 month ago +1

    Excellent video, thank you so much

  • @tarad0nbr4n9 · 1 year ago +7

    I migrated from UDM to OPNsense to get more visibility on my home network. Unbound DNS built in to OPNsense is awesome. Great video!

    • @ls111cyberEd · 1 year ago +1

      Thanks for watching! I agree, OPNsense is a great product and when you install extensions like Zenarmor it makes it even better.

  • @JasonsLabVideos · 1 year ago +1

    Thanks for this, methinks I'll try this!

  • @GooopGoooop · 9 months ago +7

    Can I ask why you're using Google DNS rather than Quad9 DNS in a privacy-focused video..?

  • @zhukovmisha · 1 year ago

    Thank you!

  • @Jorvs · 1 year ago

    Won't the logs also contain the websites you visited, with the DNS included, if it's working properly?

  • @christophermichalik7063 · 11 months ago

    Is it possible to set up DoT with multi-WAN? I don't see a gateway option in Unbound.

  • @jeytis72 · 1 year ago +1

    Good. However, is this setup going to work along with failover I saw in a previous video of yours? Thanks

    • @ls111cyberEd · 1 year ago

      Thanks for watching. No, you will run into issues with the DNS configs because the failover uses those DNS servers as monitoring addresses on each WAN interface. If you want to use both DoT and failover you will probably need to set up Unbound DNS on another server in your network, configure your clients to use that as their DNS server, and then put some restrictions on your firewall to only allow DNS traffic out of the LAN from that server IP, to prevent users from overriding your DNS settings. I have not tested the above suggestion, but in theory it may work; hopefully it helps.

    • @jeytis72 · 1 year ago

      @ls111cyberEd I once set up failover and Unbound with DoT enabled in pfSense, and both seemed to be working, no particular issue actually, but I didn't test the setup accurately. Thanks

  • @mrfantasticindian1593 · 1 year ago +1

    Can you make a video on DNS over HTTPS (DoH)? It's more secure than TLS. OPNsense has removed the custom options under Unbound, so it's confusing how to add custom options to make it work.

    • @ls111cyberEd · 1 year ago +3

      Thanks for watching, I will consider this as a future video. DoH is not necessarily more secure than DoT; both hide your DNS traffic, which is what this is all about. You could argue that DoH gives you better privacy by essentially "blending" the DNS traffic with the HTTPS traffic, so someone snooping on the traffic won't know the difference. However, at the same time this could also be a con because, from the network administrator's point of view, they won't be able to control or isolate the DNS traffic separately; in that case DoT would be preferred.

  • @tlutrick956 · 1 year ago +2

    Trying to determine this solution in relation to settings for Pi-hole running in a Docker container?

    • @ls111cyberEd · 1 year ago +1

      Thanks for watching. To do this with Pi-hole you will need to continue pointing your hosts to Pi-hole as their DNS server to benefit from the ad blocking. In your Pi-hole upstream DNS provider settings, you will need to set up a custom DNS provider and point it to your OPNsense firewall running the Unbound DNS server. This should achieve the same result because the local hosts will query Pi-hole first for the address, and if Pi-hole can't resolve the address, it will then forward this over to OPNsense, which will then forward it via DoT to the upstream provider. Hopefully this helps.

    • @zyghom · 1 year ago +1

      @ls111cyberEd this part I was missing - thank you

    • @l0gic23 · 7 days ago

      @ls111cyberEd is this a better solution than going directly from Pi-hole to Quad9?

  • @OpLapDancePikachu69 · 2 months ago

    How would you configure this using Windows Server for DNS?

    • @mr.dingleberry4882 · 1 month ago

      You need OPNsense, so either virtualize it or install it on bare metal instead of Windows.

  • @Apollopayne25 · 1 year ago

    Thank you for your videos. I followed your video, but I have my outbound DNS port changed to port 54 instead of 53, due to setting up AdGuard, which said port 53 was already in use, so I changed it to 54. After following your instructions, my internet stops working. Please could you help? Thanks