Bug #9402

closed

Netgate "DNS over TLS with pfSense" Blog Post recommends configuration vulnerable to MITM attacks from self-signed certificates

Added by Richard Yao about 5 years ago. Updated about 5 years ago.

Status: Duplicate
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 03/15/2019
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: All
Affected Architecture:

Description

Users should be told to set these options in unbound:

server:
    # CA bundle unbound uses to verify the upstream server certificate
    tls-cert-bundle: /usr/local/share/certs/ca-root-nss.crt
server:
forward-zone:
    name: "."
    forward-ssl-upstream: yes
    # "#hostname" after the address is the TLS authentication name the
    # certificate must match; without it the connection is not authenticated
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com

Also, the advice for users that wish to use Quad9 should be changed to say:

    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net

This is based on Daniel Aleksandersen's "Actually secure DNS over TLS in Unbound" blog post:

https://www.ctrl.blog/entry/unbound-tls-forwarding

Please correct the Netgate blog post so that users following its advice do not end up with insecure DNS over TLS configurations:

https://www.netgate.com/blog/dns-over-tls-with-pfsense.html
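The following is an added example, not code from this ticket, from Netgate or from the Unbound project. It is a small linter for the kind of snippet pasted into the pfSense DNS Resolver custom options box, checking the two points the ticket raises: that a `tls-cert-bundle` is set in a `server:` clause and that every `forward-addr` in a TLS-forwarding zone carries a `#authname`. Both sample snippets are constructed here (the first mirrors the shape of the configuration the ticket objects to, the second the configuration it asks for); accepting the older `ssl-` spellings of the `tls-` option names as aliases is an assumption about Unbound, not something the ticket states.

```python
"""Lint an unbound(8) forward-zone snippet for unauthenticated DNS over TLS.

Added example, not code from this ticket, from Netgate or from Unbound.
It checks for a CA bundle (tls-cert-bundle) in a server: clause and for an
authentication name after each forward-addr. The 'ssl-' spellings are
accepted as the older aliases of the 'tls-' option names (assumption).
"""
from typing import List, Optional, Tuple

# Constructed sample in the shape of the snippet the ticket complains about:
# TLS is switched on, but nothing tells unbound whose certificate to expect.
INSECURE_SNIPPET = """\
server:
forward-zone:
name: "."
forward-ssl-upstream: yes
forward-addr: 1.1.1.1@853
forward-addr: 1.0.0.1@853
"""

# Constructed sample matching the configuration the ticket asks for instead.
SECURE_SNIPPET = """\
server:
tls-cert-bundle: /usr/local/share/certs/ca-root-nss.crt
server:
forward-zone:
name: "."
forward-ssl-upstream: yes
forward-addr: 1.1.1.1@853#cloudflare-dns.com
forward-addr: 1.0.0.1@853#cloudflare-dns.com
"""

CERT_BUNDLE_KEYS = ("tls-cert-bundle", "ssl-cert-bundle")
TLS_UPSTREAM_KEYS = ("forward-tls-upstream", "forward-ssl-upstream")


def parse_clauses(text: str) -> List[Tuple[str, List[Tuple[str, str]]]]:
    """Split a snippet into (clause, [(option, value), ...]) pairs in file order.

    A line consisting only of 'name:' opens a clause (server:, forward-zone:);
    every other non-comment line is an 'option: value' inside the current clause.
    """
    clauses: List[Tuple[str, List[Tuple[str, str]]]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or whole-line comment
        if line.endswith(":") and " " not in line:
            clauses.append((line[:-1], []))
            continue
        if not clauses:
            raise ValueError(f"option before any clause: {line!r}")
        option, _, value = line.partition(":")
        clauses[-1][1].append((option.strip(), value.strip()))
    return clauses


def parse_forward_addr(value: str) -> Tuple[str, Optional[int], Optional[str]]:
    """Split 'address[@port][#authname]' the way unbound reads a forward-addr.

    IPv6 literals contain ':' but never '@' or '#', so splitting on those two
    characters from the right is unambiguous.
    """
    addr, _, authname = value.partition("#")
    host, _, port = addr.rpartition("@")
    if not host:                          # no '@': rpartition left everything in 'port'
        host, port = port, ""
    return host, (int(port) if port else None), (authname or None)


def audit_dot_forwarding(text: str) -> List[str]:
    """Return findings; an empty list means every TLS upstream is authenticated."""
    findings: List[str] = []
    clauses = parse_clauses(text)
    server_opts = [kv for clause, kvs in clauses if clause == "server" for kv in kvs]
    has_bundle = any(k in CERT_BUNDLE_KEYS and v for k, v in server_opts)
    tls_in_use = False

    for clause, kvs in clauses:
        if clause != "forward-zone":
            continue
        zone = next((v for k, v in kvs if k == "name"), "?")
        tls = any(k in TLS_UPSTREAM_KEYS and v.lower() == "yes" for k, v in kvs)
        if not tls:
            findings.append(f"zone {zone}: forwarding is plaintext (no forward-tls-upstream: yes)")
            continue
        tls_in_use = True
        for k, v in kvs:
            if k != "forward-addr":
                continue
            host, port, authname = parse_forward_addr(v)
            if port != 853:
                findings.append(f"zone {zone}: {host} uses port {port or 'default'}, not the DNS over TLS port 853")
            if authname is None:
                findings.append(f"zone {zone}: {host} has no '#authname', so unbound encrypts "
                                "but never verifies the server certificate")
    if tls_in_use and not has_bundle:
        findings.append("server: no tls-cert-bundle, so unbound has no CA certificates "
                        "to verify any upstream certificate against")
    return findings


if __name__ == "__main__":
    for label, snippet in (("blog-post style", INSECURE_SNIPPET), ("ticket style", SECURE_SNIPPET)):
        result = audit_dot_forwarding(snippet)
        print(f"{label}: {'OK' if not result else 'findings'}")
        for finding in result:
            print("  -", finding)
```

Run against the first snippet it reports the two missing authentication names and the missing CA bundle; against the second it reports nothing. Paste the contents of your own custom options box into `audit_dot_forwarding` to check a live pfSense configuration the same way.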
