Simple DNS over TLS (DoT) or DNS over HTTPS (DoH) solution for desktop?

This issue came up in connection with my post on setting up a simple OpenVPN solution. The DoH service I had been using (Mullvad) stopped working for some reason, which prompts me to ask whether there is a simple DoT or DoH solution that can be implemented for NomadBSD desktop users, to provide added security to a VPN. The idea would be to encrypt DNS traffic for added security. I am completely new to FreeBSD and to security issues of this kind in general, so I would appreciate any feedback on how something like this can be implemented, and how difficult it is.

From what I understand, Unbound is the simplest solution for DNS over TLS, and the least resource-demanding for a desktop system. Unfortunately, I haven’t had much luck so far. Here is what I have done (or attempted to do, mainly using this tutorial):
(make sure that ntpd is installed and running for correct time before adding)
# sysrc local_unbound_enable=YES (local_unbound_enable is tailored to be used as a local resolver)

# pkg install bind-tools

Modify the configuration file /etc/unbound/unbound.conf as follows:

server:
    port: 5300
    tls-upstream: yes                                          
    tls-cert-bundle: "/usr/local/share/certs/ca-root-nss.crt"

forward-zone:
    name: "."
    forward-addr: 2a05:fc84::42@853#dns.digitale-gesellschaft.ch

Then reboot or:

# service local_unbound start

Test with:
# dig @::1 -p 5300 mozilla.org

Make a DNS request:
# dig @::1 -p 5300 mozilla.org
AND
# tcpdump host 2a05:fc84::42 -w tls.pcap (command will capture the traffic)

Make sure that the key-file is part of your unbound-configuration:
$ cat /etc/unbound/root.key (exists)

Update the keys:
# -u unbound unbound-anchor (-u: Command not found. No man files for unbound.)

Restart unbound:
# service local_unbound start

Test DNSSEC validation:
# dig @::1 -p 5300 mozilla.org +dnssec

The fundamental problem is that the tcpdump command seems to be working fine; however, the main protocol that I am seeing in Wireshark is UDP, with no DNS, TCP or TLS protocols. I also can’t find unbound-checkconf, which is referred to in the Unbound online documentation, nor can I find any log files in my install…

The following seems to be a bit weird as well:

# service unbound stop
unbound does not exist in /etc/rc.d or the local startup
directories (/usr/local/etc/rc.d), or is not executable
# service local_unbound stop
local_unbound not running? (check /var/run/local_unbound.pid).
# service local_unbound start
Starting local_unbound.
[1645023759] local-unbound[4964:0] error: bind: address already in use
[1645023759] local-unbound[4964:0] fatal error: could not open ports
/etc/rc.d/local_unbound: WARNING: failed to start local_unbound

Anyone familiar with Unbound that can help?
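
An added example, not part of the original post: one way to check from a capture such as tls.pcap whether DNS is leaving as DoT (TCP port 853) or as plaintext DNS (port 53), without relying on how Wireshark labels the packets. It assumes a classic little-endian pcap as written by tcpdump -w on an Ethernet interface and ignores IPv6 extension headers; the function names and the sample frames are constructed for illustration.

```python
import struct
from collections import Counter

def classify_frame(frame: bytes) -> str:
    """Label one Ethernet frame by the DNS transport its ports suggest."""
    if len(frame) < 14:
        return "other"
    ethertype, = struct.unpack_from("!H", frame, 12)
    if ethertype == 0x86DD and len(frame) >= 54:    # IPv6, fixed 40-byte header
        proto, l4 = frame[20], 54
    elif ethertype == 0x0800 and len(frame) >= 34:  # IPv4, length from IHL
        proto, l4 = frame[23], 14 + (frame[14] & 0x0F) * 4
    else:
        return "other"
    if proto not in (6, 17) or len(frame) < l4 + 4:  # only TCP/UDP have ports
        return "other"
    ports = set(struct.unpack_from("!HH", frame, l4))
    if proto == 6 and 853 in ports:
        return "dot-tcp-853"          # DNS over TLS
    if 53 in ports:
        return "plaintext-dns-53"     # unencrypted DNS, UDP or TCP
    return "other-tcp" if proto == 6 else "other-udp"

def classify_pcap(data: bytes) -> Counter:
    """Count frames per label in a classic little-endian Ethernet pcap."""
    if len(data) < 24 or struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("expected classic little-endian pcap, not pcapng")
    if struct.unpack_from("<I", data, 20)[0] != 1:
        raise ValueError("expected Ethernet link type")
    counts, off = Counter(), 24
    while off + 16 <= len(data):
        incl_len, = struct.unpack_from("<I", data, off + 8)
        counts[classify_frame(data[off + 16 : off + 16 + incl_len])] += 1
        off += 16 + incl_len
    return counts

def make_frame(proto: int, sport: int, dport: int) -> bytes:
    """Constructed sample frame: Ethernet + IPv6 header + L4 ports only."""
    ip6 = b"\x60" + bytes(3) + struct.pack("!HBB", 4, proto, 64) + bytes(32)
    return bytes(12) + b"\x86\xdd" + ip6 + struct.pack("!HH", sport, dport)

def sample_pcap() -> bytes:
    """Constructed capture: one TCP/853, one UDP/53 and one UDP/123 frame."""
    frames = [make_frame(6, 49152, 853), make_frame(17, 49153, 53), make_frame(17, 123, 123)]
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

if __name__ == "__main__":
    print(classify_pcap(sample_pcap()))
```

On a real capture, pass the file contents, for example classify_pcap(open("tls.pcap", "rb").read()); a capture filtered to the upstream resolver's address should show only the dot-tcp-853 label when forwarding over TLS is in effect.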

I will shamelessly follow your thread, neither providing an answer to help you a little further in your endeavor nor providing a solution for the problem you face right now, because for one I’m honestly too dumb to give you one, and for two I’m not that into networking, not because it doesn’t interest me but because I am not very knowledgeable about this kind of stuff. Maybe there is some kind of network admin in this forum to help you out.