Project

General

Profile

Actions

Bug #9402

closed

Netgate "DNS over TLS with pfSense" Blog Post recommends configuration vulnerable to MITM attacks from self signed certificates

Added by Richard Yao over 5 years ago. Updated over 5 years ago.

Status:
Duplicate
Priority:
Normal
Assignee:
-
Category:
-
Target version:
-
Start date:
03/15/2019
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
All
Affected Architecture:

Description

Users should be told to set these options in unbound:

server:
tls-cert-bundle: /usr/local/share/certs/ca-root-nss.crt
server:
forward-zone:
name: "."
forward-ssl-upstream: yes
forward-addr: 1.1.1.1@853#cloudflare-dns.com
forward-addr: 1.0.0.1@853#cloudflare-dns.com

Also, the advice for users that wish to use Quad9 should be changed to say:

forward-addr: 9.9.9.9@853#dns.quad9.net
forward-addr: 149.112.112.112@853#dns.quad9.net

This is based on Daniel Aleksandersen's "Actually secure DNS over TLS in Unbound" blog post:

https://www.ctrl.blog/entry/unbound-tls-forwarding

Please correct the netgate blog post so that users following its advice do not do insecure DNS over TLS configurations:

https://www.netgate.com/blog/dns-over-tls-with-pfsense.html

Actions

Also available in: Atom PDF