DNS over TLS Certificate Validation Hostname

I am configuring my router (pfsense) to use DNS over TLS and one of the settings it asks for is the hostname for TLS verification i.e. the Fully Qualified Domain Name of the DNS server, used to validate DNS server certificates when using DNS over TLS. Note this is not the same as the DNS over TLS endpoint which is provided in the nextDNS setup instructions.

For example, if configuring Cloudflare, the DNS server would be 1.1.1.1 and the corresponding TLS validation hostname would be cloudflare-dns.com.

Does anyone know what hostname I should use for NextDNS? I am guessing it could be dns.nextdns.io; is this correct?

7 replies
  • The hostname you need to use for DoT is shown in your setup page. It is CONFIG_ID.dns.nextdns.io.

    Like 1
  • Hi Olivier, actually that one does not work. I don't need the hostname to perform the TLS query; I need the hostname for TLS certificate validation.

    So for pfsense, the DNS resolver service (unbound) has the hostname you mention, but the router itself, when defining DNS servers (under General settings), needs an IP address for the DNS server and a hostname if using TLS to validate the certificate. It does accept dns.nextdns.io as valid but does NOT accept CONFIG_ID.dns.nextdns.io.

    Clearly the fundamental DNS server must use an IP address, since without DNS it can't resolve a hostname.

    Like
    • Ian Morris you need the hostname for both TLS validation and for configuration linking. If you don’t use the config hostname, your DNS traffic won’t use your configuration.

      The use of a bootstrap IP is orthogonal. Some DoT/DoH clients are able to use the system DNS to resolve the DoT/DoH hostname. This is not the case for unbound.

      In the Setup tab, check the Routers sub-tab. You will find a guide on how to set up pfsense.

      Like 1
  • Olivier Poitrey Thanks for the reply. I think everything is configured fine and working.

    The DNS resolver does have the CONFIG_ID hostname in the custom options and is picking up my configuration. I can see this in the NextDNS logs, where it tags traffic from the router. I have also linked the external IP address of the router.

    I notice that there is a very small amount (0.2%) of DNS that is not TLS, and so was wondering if that was the router doing its own DNS queries (i.e. not the DNS resolver service) unencrypted.

    Like
    • Ian Morris, linked IP only works for unencrypted DNS with IPv4. It won't help with DoT. Fine if it works, but it can't work without the config hostname somewhere using DoT, trust me.

      Like 1
  • Olivier Poitrey Yes I agree, that is exactly what I am seeing I think.

    The DNS Resolver is working fully encrypted on TLS, since it does use the hostname, but the queries the pfsense system makes are not, since it can only use DNS IP addresses.

    Like
  • For anyone using pfsense: based upon the discussion with Olivier and some experimenting, the following works well (assuming you are not using the router CLI app).

    Set up the DNS Resolver using custom options as stated in the Routers section of the Setup tab. In my case it looks a little like this:

    server:
    # forward every query (zone ".") to NextDNS over TLS; the name after "#"
    # is the hostname unbound validates the server certificate against
    forward-zone:
      name: "."
      forward-tls-upstream: yes
      forward-addr: 45.90.28.0#Router-config_id.dns1.nextdns.io
      forward-addr: 2a07:a8c0::#Router-config_id.dns1.nextdns.io
      forward-addr: 45.90.30.0#Router-config_id.dns2.nextdns.io
      forward-addr: 2a07:a8c1::#Router-config_id.dns2.nextdns.io

    where "Router" is the label you want to give your router, so you can differentiate the traffic coming from it from that of other devices.

    Also, in the DNS Resolver, check that "DNS Query Forwarding" is unticked (not enabled).

    Next go to System/General in pfsense and delete the list of configured DNS Servers. This makes pfsense then use the ones configured in the DNS Resolver service and thus encrypts the traffic. If you left a list of DNS server IPs here, the queries coming from pfsense itself would not be encrypted, whereas the ones from the DNS Resolver would be.

    With this setup I am now showing 100% encrypted!

    Like
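An added check, written for this thread and not code from NextDNS or pfSense, that separates the two things the General settings field is asking about: the TCP connection goes to the resolver's bootstrap IP (no DNS needed), while the validation hostname is sent as SNI and the server certificate must match it or the handshake fails. The 45.90.28.0 address and the CONFIG_ID.dns.nextdns.io pattern come from the thread; the query name is a constructed example, and the wire-format helpers are mine.

```python
import socket
import ssl
import struct

def build_query(qname, txid=0x1234):
    """DNS wire-format A query (recursion desired) with the 2-byte length
    prefix that DNS over TLS (RFC 7858) puts in front of every message."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    msg = header + question
    return struct.pack("!H", len(msg)) + msg

def parse_answer_count(reply, txid=0x1234):
    """Strip the length prefix, check the transaction id and RCODE, and
    return how many answer records the resolver sent back."""
    (length,) = struct.unpack("!H", reply[:2])
    msg = reply[2:2 + length]
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or (flags & 0x000F) != 0:
        raise ValueError("transaction id mismatch or non-zero RCODE")
    return an

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection early")
        buf += chunk
    return buf

def dot_lookup(server_ip, verify_hostname, qname):
    """Open TCP to server_ip:853 (the bootstrap IP, no DNS needed), then
    TLS: verify_hostname goes out as SNI and the certificate must match
    it, otherwise wrap_socket raises. Returns the answer record count."""
    ctx = ssl.create_default_context()  # check_hostname=True, CERT_REQUIRED
    with socket.create_connection((server_ip, 853), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=verify_hostname) as tls:
            tls.sendall(build_query(qname))
            prefix = _recv_exact(tls, 2)
            (length,) = struct.unpack("!H", prefix)
            return parse_answer_count(prefix + _recv_exact(tls, length))

if __name__ == "__main__":
    # CONFIG_ID is a placeholder: use the hostname shown on your NextDNS
    # setup page. Address and hostname pattern are taken from the thread.
    print(dot_lookup("45.90.28.0", "CONFIG_ID.dns.nextdns.io", "example.com"))
```

Passing a hostname the certificate does not cover makes the handshake fail with a certificate verification error, which is the same check pfSense performs with the value in the TLS hostname field.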