Setup Bind DNS over TLS using Stunnel on OpenBSD

Stunnel is a multipurpose open source client-server program that provides encryption for secure data communication using the SSL/TLS protocol. It runs on various operating systems such as Unix, Linux, BSD and Windows. Stunnel is designed to help secure HTTP/HTTPS ports: it can encrypt traffic, proxy connections and redirect applications so that they can run safely on a computer connected to an untrusted network.

Stunnel can also inspect each packet in the encrypted tunnel and make adjustments to improve performance. Stunnel manages one or more client-server TCP/IP connections by creating an encrypted tunnel in which only the client and the server can talk. This encrypted connection replaces the direct connection between the client application and the server application, which helps prevent the communication from being disrupted in transit from one end of the connection to the other.

Stunnel encrypts data into a form that attackers cannot decipher. This allows encrypted tunnels to be created for specific applications, which has made it a popular tool in ethical hacking and penetration testing. The encryption is based on a key that is stored locally on the client and server computers. When two endpoints need to communicate, Stunnel connects to the server, receives the critical information for that connection (host name, port number and protocol) from the server, and then creates an encrypted tunnel over the TCP/IP connection. Once the tunnel is complete, Stunnel releases its TCP/IP credentials and terminates the connection.

Stunnel is an implementation of the SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols. Stunnel can provide end-to-end encryption, data integrity and authentication between two hosts. The transported protocol can be one of several, such as FTP, IMAP, POP3, telnet and HTTP. Stunnel can authenticate to a server with a client certificate, or with an authentication agent via single sign-on (SSO). It can also provide an encrypted layer for network traffic that does not require authentication with a server.

1. Install Stunnel

As we know, the Bind DNS server does not have direct DNS-over-TLS (DoT) support. If you want to enable DoT on Bind, you must add Stunnel so that Bind can forward DNS over the TLS protocol. Thanks to its flexibility, Stunnel is able to add TLS without making any major changes to the running client or server.

On OpenBSD, Stunnel is available both as a package and as a port, so you can install it directly. To make the process easier, install the Stunnel package with pkg_add, as in the example below.

Install Stunnel
ns3# pkg_add stunnel
During the installation, OpenBSD automatically creates the user and group for Stunnel. They are used throughout the Stunnel setup. Run the command below to give that user ownership of the configuration directory.

Enable Stunnel
ns3# chown -R _stunnel:_stunnel /etc/stunnel/

2. Setup Stunnel

On OpenBSD the Stunnel configuration file is /etc/stunnel/stunnel.conf. Open it for editing. We recommend that you delete the entire contents of stunnel.conf and replace them with the configuration we have created, adapting it to your OpenBSD server. Below is a complete example of /etc/stunnel/stunnel.conf.

; global settings
chroot = /etc/stunnel
setuid = _stunnel
setgid = _stunnel
;pid = /var/stunnel/
;foreground = yes
;debug = info
;output = /var/stunnel/stunnel.log

; stunnel requires a [name] line before each service's options; the
; section names below are examples, choose your own
; TLS client: accepts plain DNS locally and connects to the upstream resolver over TLS
[dns-client]
client = yes
CApath = /etc/ssl
CAfile = /etc/ssl/cert.pem
cert = /etc/stunnel/server-cert.pem
key = /etc/stunnel/server-key.pem
accept =
connect =
verifyChain = yes
verify = 4
checkIP =
checkHost =
OCSPaia = yes

; TLS server: accepts DoT on port 853 and hands the plain DNS to the local service
[dns-server]
client = no
cert = /etc/stunnel/client-cert.pem
key = /etc/stunnel/client-key.pem
accept = 853
connect = 1053
In the example above, the Stunnel settings are divided into three parts:
  1. global settings,
  2. DNS server settings, and
  3. DNS client settings.
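The configuration above is easy to get wrong in ways stunnel only reports at start-up: a service with an empty accept or connect, options placed before any [service] line, or a client section that verifies the chain against /etc/ssl/cert.pem but never pins the upstream resolver with checkHost or checkIP. The script below is an added example, not part of the original article: a small awk-based linter for stunnel.conf, run over a constructed sample shaped like the page's file (the section names [dns-client] and [dns-server] are assumed; the page shows the blocks unnamed).

```shell
# Constructed stunnel.conf shaped like the page's example; the service names
# [dns-client]/[dns-server] are assumed, and the empty connect/checkHost
# values are left in on purpose so the check has something to find.
SAMPLE_CONF='chroot = /etc/stunnel
setuid = _stunnel
setgid = _stunnel

[dns-client]
client = yes
CAfile = /etc/ssl/cert.pem
accept = 127.0.0.1:1053
connect =
verifyChain = yes
checkHost =

[dns-server]
client = no
accept = 853
connect = 127.0.0.1:53'

# check_stunnel_conf: reads a stunnel.conf on stdin, prints one line per
# problem and exits 1 if any were found (0 when every service is complete).
check_stunnel_conf() {
  awk '
    function bad(s, msg) { printf("[%s]: %s\n", s, msg); problems++ }
    function flush() {
      if (sect != "") {
        if (opt["accept"] == "")  bad(sect, "accept is missing or empty")
        if (opt["connect"] == "") bad(sect, "connect is missing or empty")
        # verifying the chain against a CA bundle accepts any certificate that
        # bundle issued; only checkHost/checkIP tie it to the intended resolver
        if (opt["client"] == "yes" && opt["verifyChain"] == "yes" &&
            opt["checkHost"] == "" && opt["checkIP"] == "")
          bad(sect, "verifyChain without checkHost or checkIP does not pin the peer")
      }
      split("", opt)                       # portable way to clear the array
    }
    /^[ \t]*;/ || /^[ \t]*$/ { next }      # comment or blank line
    /^[ \t]*\[/ { flush(); sect = $0; sub(/^[ \t]*\[/, "", sect); sub(/\].*$/, "", sect); next }
    {
      key = $0; sub(/[ \t]*=.*$/, "", key); gsub(/[ \t]/, "", key)
      val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
      if (sect == "" && (key == "accept" || key == "connect" || key == "client"))
        bad("global", key " appears before any [service] section")
      else
        opt[key] = val
    }
    END { flush(); exit(problems > 0) }
  '
}
# Runs the check over the constructed sample; exits 1 because of [dns-client].
check_sample_conf() { printf "%s\n" "$SAMPLE_CONF" | check_stunnel_conf; }
```

On a real host, run `check_stunnel_conf < /etc/stunnel/stunnel.conf` before `rcctl restart stunnel`; stunnel's own `stunnel /etc/stunnel/stunnel.conf` with `foreground = yes` remains the authoritative syntax check.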
What you need to pay attention to is creating the TLS certificates. Below we show how to create a TLS certificate for the DNS server and for the DNS client. The first step is to create a root CA certificate.

Create root CA certificate
ns3# cd /etc/stunnel
ns3# openssl genrsa 2048 > ca-key.pem
Generating RSA private key, 2048 bit long modulus
e is 65537 (0x010001)
ns3# openssl req -new -x509 -nodes -days 1825 -key ca-key.pem -out ca-cert.pem
After that, create the server certificate, remove the passphrase and sign it with the CA key.

Create server certificate
ns3# openssl req -newkey rsa:2048 -days 1825 -nodes -keyout server-key.pem -out server-req.pem
ns3# openssl rsa -in server-key.pem -out server-key.pem
ns3# openssl x509 -req -in server-req.pem -days 1825 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
Proceed with creating a client certificate, removing the password and signing with the CA key.

Create client certificate
ns3# openssl req -newkey rsa:2048 -days 1825 -nodes -keyout client-key.pem -out client-req.pem
ns3# openssl rsa -in client-key.pem -out client-key.pem
ns3# openssl x509 -req -in client-req.pem -days 1825 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 02 -out client-cert.pem
Verify certificate
ns3# openssl verify -CAfile ca-cert.pem server-cert.pem client-cert.pem
After that, activate Stunnel with the rcctl command.

Enable Stunnel
ns3# rcctl enable stunnel
ns3# rcctl restart stunnel

3. Setup ISC Bind DNS Server

The main requirement for setting up Bind is that you have read the previous article, "About the process of installing and configuring ISC Bind on OpenBSD", because this article does not cover installing Bind and assumes that your ISC Bind server is already running normally on OpenBSD.

Open the configuration file /var/named/etc/named.conf and change the block below.

zone "." {
  type forward;
  forward first;
  forwarders {;; };
};
Replace it with the block below.

zone "." {
  type forward;
  forward first;
  forwarders { port 1053; };
};
Restart the ISC Bind DNS server.

Enable Bind DNS Server
foo# rcctl restart isc_named
The final step is to check whether ISC Bind is running.

Test Bind DNS Server
ns3# dig
ns3# nslookup
As you can see, setting up Stunnel on OpenBSD is not difficult at all. We hope this article is useful to you and that you will adopt other ways to use network services safely.
Iwan Setiawan