Re: [pfSense] DNS over TLS config for pfSense 2.2.6

2018-04-06 Thread Dave Warren

On 2018-04-06 00:09, Bryan D. wrote:
> On 2018-Apr-05, at 10:47 PM, Dave Warren wrote:
>> Cloudflare has pushed an update, and things seem to be working from here. For 
>> those having issues, try again now?
>
> Thanks for the "heads up." Works for me, also (i.e., on pfSense 2.2.6 
> configured as stated in previous posting).

How's the speed? I'm seeing moderately slower results for queries that 
go out to 1.1.1.1, whereas queries from the cache or stub zones (to 
servers hosted out on the 'net) are very fast.

If I switch TLS off and go back to @53 it's faster, but ultimately not 
as fast as just running recursion myself.

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] DNS over TLS config for pfSense 2.2.6

2018-04-06 Thread Bryan D.
On 2018-Apr-05, at 10:47 PM, Dave Warren wrote:

> Cloudflare has pushed an update, and things seem to be working from here. For 
> those having issues, try again now?

Thanks for the "heads up."  Works for me, also (i.e., on pfSense 2.2.6 
configured as stated in previous posting).



Re: [pfSense] DNS over TLS config for pfSense 2.2.6

2018-04-05 Thread Dave Warren

On 2018-04-05 01:25, Bryan D. wrote:
> On 2018-Apr-04, at 10:05 PM, Dave Warren wrote:
>> I can also confirm that 9.9.9.9@853 does work here which reinforces that this 
>> is a Cloudflare specific issue.
> -
>
> So it looks like the following config works on pfSense 2.2.6's unbound/DNS 
> Resolver (so should work with 1.1.1.1 when Cloudflare gets things fixed):
>
> server:
>     ssl-upstream: yes
>     ssl-port: 853
> forward-zone:
>     name: "."
>     forward-addr: 9.9.9.9@853

Cloudflare has pushed an update, and things seem to be working from 
here. For those having issues, try again now?




Re: [pfSense] DNS over TLS config for pfSense 2.2.6

2018-04-05 Thread Bryan D.
On 2018-Apr-04, at 10:05 PM, Dave Warren wrote:

> I can also confirm that 9.9.9.9@853 does work here which reinforces that 
> this is a Cloudflare specific issue.
-

So it looks like the following config works on pfSense 2.2.6's unbound/DNS 
Resolver (so should work with 1.1.1.1 when Cloudflare gets things fixed):

server:
    ssl-upstream: yes
    ssl-port: 853
forward-zone:
    name: "."
    forward-addr: 9.9.9.9@853

Thanks!



Re: [pfSense] DNS over TLS config for pfSense 2.2.6

2018-04-04 Thread Dave Warren
I'm running 2.4.3-RELEASE (amd64). I can't get it working here either. 
After a couple hours of poking at it on and off, it now looks like this 
is actually a Cloudflare issue:

https://community.cloudflare.com/t/1-1-1-1-was-working-but-not-anymore/15136/4

"Thanks for the report! This is going to be fixed in the next upgrade 
that’s being rolled out.
There was an interop issue in the last upgrade with Unbound as it sends 
the frame size and the actual DNS message in two separate packets 
instead of both at once."

So it looks like the immediate solution is to revert to port 53 and wait 
for Cloudflare. I can also confirm that 9.9.9.9@853 does work here which 
reinforces that this is a Cloudflare specific issue.

On 2018-04-04 19:23, James wrote:
> Sorry, mine was indeed on 2.4.X. The daemon appeared to start up but any 
> queries returned no records.
>
> On Thu, 5 Apr 2018, at 11:20 AM, Steve Yates wrote:
>> Wild guess, but did you try it in 2.4.x?
>>
>> --
>>
>> Steve Yates
>> ITS, Inc.
>>
>> -Original Message-
>> From: List <list-boun...@lists.pfsense.org> On Behalf Of Bryan D.
>> Sent: Wednesday, April 4, 2018 8:01 PM
>> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
>> Subject: [pfSense] DNS over TLS config for pfSense 2.2.6
>>
>> Re: https://www.netgate.com/blog/dns-over-tls-with-pfsense.html
>> ---
>> Applying the suggested "Custom Options" to the Unbound/DNS Resolver
>> configuration in pfSense 2.2.6 does not work, with logs indicating that
>> "forward-ssl-upstream" is invalid.
>>
>> I tried various incantations using "server:ssl-upstream: yes"
>> with and without "ssl-port: 853" and, although the unbound service would
>> then run, a DNS/host query always indicated that no hosts were found.
>>
>> Does anyone know a configuration that will work with pfSense 2.2.6?




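Added example, not code from this thread or from the pfSense or Unbound projects: a minimal DNS-over-TLS client in Python that shows the RFC 7858 framing the quoted Cloudflare note is about. It hands the two-byte length prefix and the DNS message to the TLS socket in one write (the case Cloudflare's resolver handled; Unbound's two-segment send was what tripped it), and it checks the response header before trusting the answer. Assumptions: 9.9.9.9:853 is reachable, dns.quad9.net is the name on its certificate, and the system CA bundle is usable.

```python
import socket
import ssl
import struct

TXID = 0x1234  # fixed transaction id for this demo (constructed value)

def build_query(name, qtype=1):
    """Build a bare DNS query: 12-byte header (RD set) plus one question."""
    header = struct.pack(">HHHHHH", TXID, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels)
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)  # class IN

def frame_for_tcp(msg):
    """RFC 1035/7858 TCP framing: 2-byte big-endian length, then the message,
    returned as ONE buffer so prefix and message go out in a single write."""
    return struct.pack(">H", len(msg)) + msg

def parse_answer_count(resp):
    """Validate a response header and return ANCOUNT; raise on anything odd."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    if txid != TXID:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    return an

def recv_exact(sock, n):
    """Read exactly n bytes; TLS records need not align with DNS messages."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-message")
        buf += chunk
    return buf

def dot_query(name, server="9.9.9.9", port=853, authname="dns.quad9.net"):
    """Resolve an A record over DoT; authname is an assumed certificate name."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    with socket.create_connection((server, port), timeout=5) as raw, \
            ctx.wrap_socket(raw, server_hostname=authname) as tls:
        tls.sendall(frame_for_tcp(build_query(name)))  # one write, not two
        (length,) = struct.unpack(">H", recv_exact(tls, 2))
        return parse_answer_count(recv_exact(tls, length))
```

The framing and header checks run offline; only dot_query() needs the network.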

Re: [pfSense] DNS over TLS config for pfSense 2.2.6

2018-04-04 Thread James
Sorry, mine was indeed on 2.4.X. The daemon appeared to start up but any 
queries returned no records.



On Thu, 5 Apr 2018, at 11:20 AM, Steve Yates wrote:
> Wild guess, but did you try it in 2.4.x?
> 
> --
> 
> Steve Yates
> ITS, Inc.
> 
> -Original Message-
> From: List <list-boun...@lists.pfsense.org> On Behalf Of Bryan D.
> Sent: Wednesday, April 4, 2018 8:01 PM
> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
> Subject: [pfSense] DNS over TLS config for pfSense 2.2.6
> 
> Re: https://www.netgate.com/blog/dns-over-tls-with-pfsense.html
> ---
> Applying the suggested "Custom Options" to the Unbound/DNS Resolver 
> configuration in pfSense 2.2.6 does not work, with logs indicating that 
> "forward-ssl-upstream" is invalid.
> 
> I tried various incantations using "server:ssl-upstream: yes" 
> with and without "ssl-port: 853" and, although the unbound service would 
> then run, a DNS/host query always indicated that no hosts were found.
> 
> Does anyone know a configuration that will work with pfSense 2.2.6?
> 


Re: [pfSense] DNS over TLS config for pfSense 2.2.6

2018-04-04 Thread Steve Yates
Wild guess, but did you try it in 2.4.x?

--

Steve Yates
ITS, Inc.

-Original Message-
From: List <list-boun...@lists.pfsense.org> On Behalf Of Bryan D.
Sent: Wednesday, April 4, 2018 8:01 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] DNS over TLS config for pfSense 2.2.6

Re: https://www.netgate.com/blog/dns-over-tls-with-pfsense.html
---
Applying the suggested "Custom Options" to the Unbound/DNS Resolver 
configuration in pfSense 2.2.6 does not work, with logs indicating that 
"forward-ssl-upstream" is invalid.

I tried various incantations using "server:ssl-upstream: yes" with and 
without "ssl-port: 853" and, although the unbound service would then run, a 
DNS/host query always indicated that no hosts were found.

Does anyone know a configuration that will work with pfSense 2.2.6?



Re: [pfSense] DNS over TLS config for pfSense 2.2.6

2018-04-04 Thread James
Yeah, I ran into this as well. It just caused me to not be able to resolve 
anything :(



On Thu, 5 Apr 2018, at 11:01 AM, Bryan D. wrote:
> Re: https://www.netgate.com/blog/dns-over-tls-with-pfsense.html
> ---
> Applying the suggested "Custom Options" to the Unbound/DNS Resolver 
> configuration in pfSense 2.2.6 does not work, with logs indicating that 
> "forward-ssl-upstream" is invalid.
> 
> I tried various incantations using "server:ssl-upstream: yes" 
> with and without "ssl-port: 853" and, although the unbound service would 
> then run, a DNS/host query always indicated that no hosts were found.
> 
> Does anyone know a configuration that will work with pfSense 2.2.6?
> 