dns/bind: add native DNS-over-TLS (DoT) server support #5424
Open
mbedworth wants to merge 2 commits into opnsense:master from
Conversation
Fix critical syntax error in opnsense-fw active response script that prevents IPs from being added to the __wazuh_agent_drop alias.
## Problem
The script contains invalid Python syntax - a variable assignment inside a dictionary literal:
```python
"parameters":{
unique_key = "%s-%s" % (...) # Invalid Python syntax
"keys": [unique_key]
}
```
This causes the script to fail with a SyntaxError on all 'add' commands, meaning attacking IPs are never blocked.
## Changes
- Move unique_key assignment outside dictionary literal (fixes SyntaxError)
- Fix typo: 'even' -> 'event' in error message
- Add debug logging for easier troubleshooting
## Testing
- Verified syntax with `python3 -m py_compile`
- Tested active response add/delete operations on OPNsense 26.1
Add GUI configuration for incoming DNS-over-TLS connections (RFC 7858). BIND 9.18+ supports a native tls clause, but the plugin had no way to configure it. This adds three fields to the general settings model and form: dotenable, dotport (default 853), and dotcertificate. A new generate_certs.php script reads the selected certificate from the OPNsense trust store and writes the PEM files to /var/etc/named/ before named starts. The configd [start] and [restart] actions are updated to call this script first, ensuring cert files are present on every boot (since /var/etc/ is a tmpfs ramdisk). A standalone [certsetup] action is also added for on-demand use. The named.conf template emits a tls dot-tls stanza and listen-on lines for port 853 when dotenable is set, reusing the existing listen addresses. Requires BIND 9.18+.
Describe the problem
The os-bind plugin has no GUI support for accepting incoming DNS-over-TLS connections (RFC 7858). BIND 9.18+ supports a native `tls` configuration clause and per-listener TLS on arbitrary ports, but there is no way to configure this through the plugin. Users who want to serve DoT to LAN clients have no supported path on OPNsense.

Note: this is the server (listen) side of DoT. The forwarding side (outbound DoT to upstream resolvers) is covered by PR #5391.
Describe the proposed solution
Add three new fields to the BIND general settings model and form:
- `dotenable` (BooleanField) — enable/disable the DoT listener
- `dotport` (PortField, default 853) — port to listen on
- `dotcertificate` (CertificateField) — certificate from System > Trust > Certificates

Files changed:
- `models/OPNsense/Bind/General.xml`
- `controllers/OPNsense/Bind/forms/general.xml`
- `service/templates/OPNsense/Bind/named.conf`: `tls dot-tls {}` stanza and conditional `listen-on port 853 tls dot-tls` lines
- `scripts/OPNsense/Bind/generate_certs.php` (new): reads the `dotcertificate` refid from config, writes `/var/etc/named/dot.crt` and `dot.key` via `OPNsense\Trust\Store::getCertificate()`
- `service/conf/actions.d/actions_bind.conf`: `[certsetup]` action; prepends the cert write to `[start]` and `[restart]`

The named.conf template emits a `tls dot-tls` stanza before the `options {}` block and adds `listen-on port <dotport> tls dot-tls` lines for each configured IPv4/IPv6 listen address when `dotenable` is set. The same listen addresses used for plain DNS are reused for DoT.

Because `/var/etc/` is a tmpfs ramdisk, cert files do not survive reboots. The `generate_certs.php` script is called at the start of the `[start]` and `[restart]` configd actions to ensure the files are always present before named reads its configuration. A standalone `[certsetup]` action is also provided.

Testing
Tested on OPNsense 26.1 with BIND 9.20, wildcard Let's Encrypt certificate:
- `named-checkconf` passes cleanly
- `openssl s_client -connect <ip>:853` shows the configured certificate
- `dig +tls @<ip> -p 853 google.com` resolves correctly on all configured listen addresses (IPv4 and IPv6)
- `configctl bind restart`

Related issue
N/A
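The template and start-order logic from the proposed solution above, as an added Python example that is not part of the plugin or this PR: it renders the `tls dot-tls` stanza and the per-address TLS listener lines from the three new model fields, and checks whether the PEM files that `generate_certs.php` writes to the tmpfs are actually present before named would start. The field names, the `dot-tls` name and the `/var/etc/named/dot.crt` and `dot.key` paths come from the PR; the flat settings dict and the listen-address list are assumptions for this example.

```python
import os
from ipaddress import ip_address

CERT_DIR = "/var/etc/named"          # tmpfs on OPNsense, so files vanish on reboot
CERT_FILES = ("dot.crt", "dot.key")  # written by generate_certs.php before named starts


def missing_cert_files(cert_dir=CERT_DIR):
    """Return the PEM paths that are absent. A non-empty result means named
    could not bring up its TLS listener, which is why the [start] and
    [restart] actions run the cert write first."""
    paths = [os.path.join(cert_dir, name) for name in CERT_FILES]
    return [p for p in paths if not os.path.isfile(p)]


def render_dot_config(settings, listen_addresses, cert_dir=CERT_DIR):
    """Return (tls_stanza, listener_lines) for named.conf.

    settings is an assumed flat dict of the model fields as strings, the way
    a template would see them. The stanza belongs before options {}, the
    listener lines inside it. With dotenable off both are empty, so the
    plain-DNS configuration is left exactly as before.
    """
    if settings.get("dotenable") != "1":
        return "", []
    if not settings.get("dotcertificate"):
        raise ValueError("dotenable is set but no dotcertificate is selected")
    port = int(settings.get("dotport") or 853)
    if not 1 <= port <= 65535:
        raise ValueError("dotport out of range: %d" % port)

    stanza = "\n".join([
        "tls dot-tls {",
        '    key-file "%s";' % os.path.join(cert_dir, "dot.key"),
        '    cert-file "%s";' % os.path.join(cert_dir, "dot.crt"),
        "};",
    ])
    # One listener line per configured address, reusing the plain-DNS
    # addresses; BIND takes IPv6 listeners via listen-on-v6.
    lines = []
    for addr in listen_addresses:
        directive = "listen-on-v6" if ip_address(addr).version == 6 else "listen-on"
        lines.append("%s port %d tls dot-tls { %s; };" % (directive, port, addr))
    return stanza, lines
```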