DNS Security and Adblock with OPNSense, Part 1

If you’re not familiar with DNS, you can think of it as the contact list in your phone. You don’t remember anyone’s phone numbers. You just know their name and have the number stored in their contact entry. DNS is similar in that you just need to know the domain of a website and your computer will look up the IP address of the site. Here is a primer that goes into a bit more detail.

With OPNSense, you can run a DNS resolver called Unbound. This will validate and cache DNS queries for your local network. It can improve your network performance, but it’s usually not noticeable as your browser and other software generally have their own DNS cache. The real benefit of Unbound is that we can modify the DNS for the entire network to provide more security, privacy, and peace of mind.

UPSTREAM DNS

Most people have never thought about DNS and therefore just use the default one since it just works. This default DNS provider is your ISP. And at a basic level, your ISP’s DNS servers will do pretty much everything that the ISP customer wants. They will translate a domain into an IP address.

However, things are not always rosy with your ISP’s DNS servers. At a minimum, your ISP will know every website you go to, even if you use HTTPS. The majority of them will also sell this information. In addition to these privacy concerns, many ISPs will modify your DNS requests. The most common change is to direct you to an ad-filled page instead of returning an NXDOMAIN (no such domain) response. Some ISPs will return NXDOMAIN for valid domains due to governmental censorship. ISPs sometimes also modify the responses for common misspellings of domains.

Fortunately, there are a number of third-party DNS servers that we can use instead of the ones provided by our ISP: Google, OpenDNS, and Cloudflare, to name a few. After watching this interview with the Executive Director at Quad9, I decided to look into them for my DNS needs.

Quad9 provides two important benefits. First, they are very privacy focused and don’t sell your DNS data. Second, they provide a filtered DNS service. How is this filtering different from your ISP? Quad9 returns NXDOMAIN (no such domain) for domains that are used for viruses, malware, bots, and other attack vectors. If this concerns you, Quad9 also provides an unfiltered service, but I recommend using the filtered version. I have yet to have a problem with its blocking and I can have some peace of mind that less technical users will be better protected.

ENCRYPTED DNS

Now that we’ve selected our DNS provider of choice, we have to decide how to connect to this provider. There are three methods and they are supported by most DNS providers. They are standard DNS, DNS over TLS (DoT), and DNS over HTTPS (DoH). Cloudflare has a good explanation of the differences, but the basics are thus. Standard DNS is what everyone has been using and has been around from the beginning of the internet. It is an unencrypted protocol that sends your request over port 53. This allows anyone on the network path, including your ISP, to see the requests that you make. Therefore it doesn’t provide any privacy or security benefits, as it can be easily viewed and hijacked.

That leaves us with DoT and DoH. DoT is simply encrypted DNS and goes over port 853. It’s to DNS what HTTPS is to HTTP. A lot of DNS clients will be able to use it natively but not all of them. Fortunately, Unbound will, and we can then serve standard DNS over our local network as that has fewer privacy and security concerns. DoH uses HTTPS, the same as your browser, in order to perform its lookups. It is a completely different protocol and is less supported than DoT. You need a third-party client in order to translate your lookups. Additionally, DoH being less standard than DoT makes it more of a pain to diagnose and troubleshoot.

CONFIGURING OPNSENSE FOR DOT

First, make sure you are running at least version 20.7 of OPNSense. DoT support prior to this version was not easily accessible. Go to Services -> Unbound DNS -> Miscellaneous and you will see an option for DNS over TLS Servers. You will need to enter both the IP and the port number of your DNS provider. You can mix and match providers if you wish, but this will negate any provider-level filtering benefits. One thing to note: after you enter each entry, click outside of the box for it to take effect before you enter the next server. For Quad9, we will be using 9.9.9.9@853 and 149.112.112.112@853. Once done, click on the Save button.

Now that we’ve configured Unbound for DoT, we’ll want to test the server to make sure it’s working correctly. Go to Interfaces -> Diagnostics -> DNS Lookup. Plug in a domain and see what comes back.

Depending on your settings, you will see a number of servers returned in the bottom section. 127.0.0.1 is the Unbound server on OPNSense. So what are the others? 10.0.2.3 in this case. Those are your upstream DNS servers, most likely the ones provided by your ISP. We don’t want OPNSense to use those, so that it doesn’t bypass any filtering we put in place. Go to System -> Settings -> General and uncheck the Allow DNS to be overridden option. Hit Save and then try your DNS lookup again.

Now you’ll see only 127.0.0.1 in the server list. But how do we know that it’s actually hitting Quad9 and filtering out bad domains? We turn to nslookup. But first we need to find a bad domain. I like to use the malware domain list but you can look around for any of the sort.

Once we’ve found a bad domain, we perform an nslookup against the filtered Quad9 service. You’ll see it return the NXDOMAIN response, which means that it wasn’t resolved. Next we look it up using the unfiltered Quad9 service (or any other DNS provider that doesn’t filter). You’ll see it return an IP address. Next we do an nslookup using our local network. We should get the same result as the filtered Quad9 request, as those are the servers we’re using.
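The three-way check above, as an added Python example that is not part of the original post: it builds the query by hand to show that DoT carries the same DNS message as port 53, only length-prefixed inside TLS, and it reads the response code the way nslookup reports it. The LAN address 192.168.1.1, the Quad9 unfiltered address 9.9.9.10 and the TLS name dns.quad9.net are assumptions not taken from the post, and the function names are illustrative.

```python
import socket, ssl, struct
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qid=0x1234):
    """Wire-format A query. Over port 53 these bytes travel unencrypted."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, 1 question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # A, IN

def rcode(response):
    """Response code: low 4 bits of the flags word in the 12-byte header."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    code = struct.unpack(">H", response[2:4])[0] & 0x000F
    return RCODES.get(code, str(code))

def ask_plain(server, name, timeout=3.0):
    """Standard DNS: a single UDP datagram to port 53."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return rcode(s.recvfrom(4096)[0])

def read_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed early")
        buf += chunk
    return buf

def ask_dot(server, tls_name, name, timeout=3.0):
    """DoT: the same message, length-prefixed, inside TLS on port 853."""
    ctx = ssl.create_default_context()  # checks the certificate against tls_name
    msg = build_query(name)
    with socket.create_connection((server, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=tls_name) as tls:
            tls.sendall(struct.pack(">H", len(msg)) + msg)
            size = struct.unpack(">H", read_exact(tls, 2))[0]
            return rcode(read_exact(tls, size))

def filtering_active(results):
    """True when the LAN resolver blocks exactly what filtered Quad9 blocks."""
    return (results["local"] == results["filtered"] == "NXDOMAIN"
            and results["unfiltered"] == "NOERROR")

def check(name, local="192.168.1.1"):  # local: assumed OPNsense LAN address
    return {"local": ask_plain(local, name), "unfiltered": ask_plain("9.9.9.10", name),
            "filtered": ask_dot("9.9.9.9", "dns.quad9.net", name)}
```

Call `filtering_active(check("<domain from your blocklist>"))` from a machine on the LAN. A False result with NXDOMAIN from all three resolvers means the test domain no longer exists anywhere, so pick another one.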

CONFIGURING OPNSENSE FOR DNSSEC

There is one more setting we will want to configure and that is to enable DNSSEC. This will add an additional layer of security and make sure that the DNS response we receive is the correct one and not hijacked along the way.

Enabling DNSSEC in OPNSense using Unbound is simple. Go to Services -> Unbound DNS -> General and check the Enable DNSSEC Support box. That’s it. You’re done.

6 thoughts on “DNS Security and Adblock with OPNSense, Part 1”

  1. Thanks! This worked well. I was using pi-hole with quad9 but I read on several forums that it’s not secure to use pi-hole. Any thoughts?

    • Glad I could help. I’m not sure what specific security issues you might have seen regarding using pi-hole. I choose not to use it because I don’t want to run an additional device, however that does mean I lose out on some of the cool dashboards.

      For people running a consumer router or wanting a simple solution pi-hole makes sense.

  2. CJ: I just want to say thank you so much for posting this article. It was clearly well thought out and for me extremely helpful.

  3. Hey CJ,

    Thanks for your great article…. Do you know how to set up DOT with quad9 in OPNSense version 21.7.4? It seems to differ to previous versions of Unbound DNS right now…
