Bug #9402 (closed)
Netgate "DNS over TLS with pfSense" Blog Post recommends configuration vulnerable to MITM attacks from self signed certificates
Description
Users should be told to set these options in unbound:
server:
    tls-cert-bundle: /usr/local/share/certs/ca-root-nss.crt
server:
forward-zone:
    name: "."
    forward-ssl-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
Also, the advice for users that wish to use Quad9 should be changed to say:
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
This is based on Daniel Aleksandersen's "Actually secure DNS over TLS in Unbound" blog post:
https://www.ctrl.blog/entry/unbound-tls-forwarding
Please correct the netgate blog post so that users following its advice do not do insecure DNS over TLS configurations.
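A small lint for the two configuration shapes discussed in this report, added here as an example (not code from the report, from Netgate, or from the cited blog post): it flags a forward-ssl-upstream zone that has no tls-cert-bundle in server: or a forward-addr without a #authname, the combination the report says leaves the upstream TLS session unauthenticated. Both sample fragments are constructed for the check.

```python
# Constructed sample: TLS forwarding with no CA bundle and no #authname.
WEAK_CONF = """\
server:
forward-zone:
    name: "."
    forward-ssl-upstream: yes
    forward-addr: 1.1.1.1@853
    forward-addr: 1.0.0.1@853
"""
# Constructed sample: the configuration the report recommends.
FIXED_CONF = """\
server:
    tls-cert-bundle: /usr/local/share/certs/ca-root-nss.crt
forward-zone:
    name: "."
    forward-ssl-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
"""

def parse(conf):
    """Return (server options, forward-zone clauses); '#' is a comment only at line start."""
    server, zones, current = {}, [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "server:":
            current = server
        elif line == "forward-zone:":
            current = {}
            zones.append(current)
        elif current is not None:
            key, _, value = line.partition(":")  # '#' after forward-addr is the authname
            current.setdefault(key.strip(), []).append(value.strip())
    return server, zones

def audit(conf):
    """Return findings; empty means every TLS-forwarded zone is authenticated."""
    server, zones = parse(conf)
    findings = []
    has_ca = "tls-cert-bundle" in server or "tls-system-cert" in server
    for zone in zones:
        name = zone.get("name", ["?"])[0]
        if zone.get("forward-ssl-upstream", ["no"])[0].lower() != "yes":
            continue  # plain DNS forwarding is outside this check
        if not has_ca:
            findings.append(f"{name}: TLS forwarding with no tls-cert-bundle in server:")
        for addr in zone.get("forward-addr", []):
            if "#" not in addr:
                findings.append(f"{name}: forward-addr {addr} has no #authname")
    return findings
```

The lint only checks the configuration shape; as Jim Pingle's reply on this ticket notes, whether a given unbound build actually fails validation on a name mismatch has to be tested separately.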
Updated by Richard Yao over 5 years ago
There is a typo in my original report. The post should say:
server:
    tls-cert-bundle: /usr/local/share/certs/ca-root-nss.crt
forward-zone:
    name: "."
    forward-ssl-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
There was an extra "server:" field. It was a mistake caused when doing copy and paste. I don't know the effect of that, but it was entirely unintentional. Please do not use the original version that I posted.
Updated by Jim Pingle over 5 years ago
- Status changed from New to Duplicate
- Priority changed from Urgent to Normal
That doesn't actually verify anything. It logs that it does, but doesn't fail validation if the host doesn't match.
See #8602 which this is a duplicate of.
tl;dr We know, it isn't possible in the current release, addressed properly in 2.5.0.
Updated by Richard Yao over 5 years ago
One more remark. While I cited that blog post, I haven't actually taken the time to verify that this protects against a MITM attack using a self signed certificate. In theory it does, but someone should test this before fixing the blog post.
Updated by Richard Yao over 5 years ago
Jim, thanks for the quick response. You replied so quickly that I was late in adding that I hadn't actually verified that this does anything.
Thanks for letting me know that it does not do anything.