Bug #9402

closed

Netgate "DNS over TLS with pfSense" Blog Post recommends configuration vulnerable to MITM attacks from self-signed certificates

Added by Richard Yao about 5 years ago. Updated about 5 years ago.

Status: Duplicate
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 03/15/2019
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: All
Affected Architecture:

Description

Users should be told to set these options in unbound:

server:
    tls-cert-bundle: /usr/local/share/certs/ca-root-nss.crt
server:
forward-zone:
    name: "."
    forward-ssl-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com

Also, the advice for users that wish to use Quad9 should be changed to say:

    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net

This is based on Daniel Aleksandersen's "Actually secure DNS over TLS in Unbound" blog post:

https://www.ctrl.blog/entry/unbound-tls-forwarding

Please correct the Netgate blog post so that users following its advice do not end up with insecure DNS over TLS configurations:

https://www.netgate.com/blog/dns-over-tls-with-pfsense.html

Actions #1

Updated by Richard Yao about 5 years ago

There is a typo in my original report. The post should say:

server:
    tls-cert-bundle: /usr/local/share/certs/ca-root-nss.crt
forward-zone:
    name: "."
    forward-ssl-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com

There was an extra "server:" field. It was a mistake made when copying and pasting. I don't know the effect of that, but it was entirely unintentional. Please do not use the original version that I posted.
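The two settings the report asks for are easy to leave out by accident, so here is a small configuration-shape check, added as an example that is not part of this ticket, of pfSense or of unbound. It parses unbound's server: and forward-zone: stanzas, splits each forward-addr into address, port and the #auth-name suffix, and flags TLS forwarding that has no server tls-cert-bundle or whose upstreams carry no auth name. Both sample configurations below are constructed; the "weak" one mirrors the shape the report objects to (TLS turned on, nothing to validate the certificate against). It only checks what the configuration asks for: whether a given unbound build actually fails the connection on a hostname mismatch, rather than merely logging it, has to be tested against the running resolver.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed samples: TLS forwarding with no CA bundle and no auth names,
# beside the corrected shape from the report above.
WEAK_CONF = """\
server:
forward-zone:
    name: "."
    forward-ssl-upstream: yes
    forward-addr: 1.1.1.1@853
    forward-addr: 1.0.0.1@853
"""

HARDENED_CONF = """\
server:
    tls-cert-bundle: /usr/local/share/certs/ca-root-nss.crt
forward-zone:
    name: "."
    forward-ssl-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com   # trailing comment is dropped
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
"""

# forward-addr syntax: <ip>[@port][#auth-name]; port defaults to 53.
FORWARD_ADDR_RE = re.compile(r"^(?P<ip>[^@#\s]+)(?:@(?P<port>\d+))?(?:#(?P<auth>\S+))?$")


@dataclass
class ForwardZone:
    name: str = ""
    tls_upstream: bool = False
    addrs: List[Tuple[str, int, Optional[str]]] = field(default_factory=list)


@dataclass
class UnboundConf:
    tls_cert_bundle: Optional[str] = None
    zones: List[ForwardZone] = field(default_factory=list)


def parse_forward_addr(value: str) -> Tuple[str, int, Optional[str]]:
    """Split '1.1.1.1@853#cloudflare-dns.com' into (ip, port, auth_name)."""
    m = FORWARD_ADDR_RE.match(value.strip())
    if not m:
        raise ValueError(f"unparseable forward-addr: {value!r}")
    port = int(m.group("port")) if m.group("port") else 53
    return m.group("ip"), port, m.group("auth")


def parse_unbound(text: str) -> UnboundConf:
    """Minimal reader for the stanzas this check cares about; other keys are ignored."""
    conf = UnboundConf()
    section = None
    zone: Optional[ForwardZone] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # A '#' preceded by whitespace starts a comment; '#' glued to an
        # address is the auth-name separator and must survive.
        line = re.split(r"\s#", line, maxsplit=1)[0].rstrip()
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if value == "":                      # stanza header such as server: / forward-zone:
            section = key
            if key == "forward-zone":
                zone = ForwardZone()
                conf.zones.append(zone)
            continue
        if section == "server" and key == "tls-cert-bundle":
            conf.tls_cert_bundle = value
        elif section == "forward-zone" and zone is not None:
            if key == "name":
                zone.name = value
            elif key in ("forward-ssl-upstream", "forward-tls-upstream"):
                zone.tls_upstream = value.lower() == "yes"
            elif key == "forward-addr":
                zone.addrs.append(parse_forward_addr(value))
    return conf


def lint(conf: UnboundConf) -> List[str]:
    """Report TLS forward zones that cannot validate the upstream certificate."""
    findings = []
    for z in conf.zones:
        if not z.tls_upstream:
            continue
        if conf.tls_cert_bundle is None:
            findings.append(f"zone {z.name!r}: TLS upstream but no server tls-cert-bundle, "
                            "so no CA can be checked against")
        for ip, port, auth in z.addrs:
            if auth is None:
                findings.append(f"zone {z.name!r}: forward-addr {ip}@{port} has no #auth-name, "
                                "so the certificate is not tied to a hostname")
    return findings


def lint_text(text: str) -> List[str]:
    return lint(parse_unbound(text))


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {lint_text(conf) or ['ok']}")
```

Run as a script it prints three findings for the weak sample and "ok" for the hardened one; point lint_text at the unbound.conf the resolver is actually loading, not at the intended one, since the mismatch between the two is what this ticket is about.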

Actions #2

Updated by Jim Pingle about 5 years ago

  • Status changed from New to Duplicate
  • Priority changed from Urgent to Normal

That doesn't actually verify anything. It logs that it does, but doesn't fail validation if the host doesn't match.

See #8602 which this is a duplicate of.

tl;dr We know, it isn't possible in the current release, addressed properly in 2.5.0.

Actions #3

Updated by Richard Yao about 5 years ago

One more remark. While I cited that blog post, I haven't actually taken the time to verify that this protects against a MITM attack using a self-signed certificate. In theory it does, but someone should test this before fixing the blog post.

Actions #4

Updated by Richard Yao about 5 years ago

Jim, thanks for the quick response. You replied so quickly that I was late in adding that I hadn't actually verified that this does anything.

Thanks for letting me know that it does not do anything.
