pfSense and DNS | Your ISP tracks EVERY SITE you visit!

  • Published 18 Nov 2024

COMMENTS • 31

  • @brandonandrews4009 2 years ago +5

    The default behavior in pfSense is to operate unbound in recursive mode, sending queries to the root servers. You can even see in this video that the dropdown for "DNS Resolution Behavior" says, "Use local DNS (127.0.0.1), fall back to remote DNS servers (Default)." So as configured here, clients will rarely if ever touch Cloudflare or ISP DNS servers. If you're really worried about it, you can select "Use local DNS (127.0.0.1), ignore remote DNS servers" in that drop-down box.
    Also, I don't understand the willingness to trust large multinational corporations like Google or Cloudflare vs. an ISP. Regardless, your ISP sees every IP address you visit immediately after making a DNS query, so obscuring the DNS query won't help much.

    • @OMGTheCloud 2 years ago +1

      You are partially correct: By default, pfSense will use itself (127.0.0.1) as a name server, however, where is it getting those lookups resolved from? Its next hop for non-authoritative lookups by default would be the DNS servers provided by your ISP. To your second point about which DNS to trust, that is indeed entirely up to you. Personally, my stance is this: I do not trust my ISP, or anyone else, by default. Their TOS does not give enough transparency as to what they are allowed to do with your lookup history. Through my own research, I have chosen DNS servers that I am satisfied with how they are handling that data. Your mileage may vary, and that’s okay! This gives you two things: 1. The average home Internet user is unaware of the inner workings of how their Internet use may be monetized, and this calls it to their attention, and 2. with that knowledge, they can decide if they want to do something about it.
      To your final point about ISPs ultimately sniffing your traffic anyway, this is actually indeed in every ISP’s Terms of Service: What they can do with data retention and history of the actual underlying TCP/UDP socket connections from your router traversing their network. DNS lookup history is almost always “mysteriously” missing from the TOS.
      Hope this helps, and having these conversations is helpful to everyone! Ask questions! That’s how we learn!

    • @brandonandrews4009 2 years ago

      @@OMGTheCloud Unbound as configured by default on pfSense gets DNS results from root server IP addresses compiled into unbound. You can obtain this list on pfSense with the command "unbound-control -c /var/unbound/unbound.conf lookup ." It's possible to use a more up-to-date root.hints file, but the IP addresses change so infrequently that it's not worth the effort.
      Again, the settings you implemented in this video did not change this behavior.

    • @OMGTheCloud 2 years ago +2

      Close, but still not quite true: There *is* a configuration possible that would have the result you describe, where DNS Resolver would consult root hints for TLD lookups, but that is not the case here. I’ll let you review these two settings and decide for yourself if you agree:
      1. Under System -> General Settings: We have defined DNS Servers as described before. This informs pfSense what to do if it needs to look outside its own config to get an authoritative lookup (pretty much everything, except what you may have defined locally with Unbound).
      2. Under Services -> DNS Resolver, under ‘DNS Query Forwarding’, we have ‘Enable Forwarding Mode’ checked. Reading its description, we know that the behavior here is, when a query hits DNS Resolver and it doesn’t have an authoritative response itself, what should it do next? If this option is unchecked, you are correct: it would use root hints to figure out what to do next. With this option checked, it refers to the DNS servers listed in step 1 above.
      For completeness, here’s the description of that field: “If this option is set, DNS queries will be forwarded to the upstream DNS servers defined under System > General Setup or those obtained via DHCP/PPP on WAN (if DNS Server Override is enabled there).”
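The two commenters above disagree about whether this box forwards or recurses; the deciding artifact is the Unbound config pfSense generates. The script below is an added example (not from the video, any commenter, or pfSense itself) that reads such a config and reports which path non-local queries take. Both sample configs are constructed to mimic pfSense's layout; the `forward-zone` for `"."` is what Forwarding Mode writes.

```shell
#!/bin/sh
# Added example (not from the video, the commenters or pfSense): classify a
# pfSense-generated unbound.conf as "forwarding" (a forward-zone for "." with
# upstream addresses, i.e. Forwarding Mode checked) or "recursive" (no such
# zone, so Unbound iterates from the root hints). Sample configs are constructed.

# Reads an unbound.conf on stdin; prints the mode and any upstream addresses.
unbound_mode() {
    addrs=$(awk '
        # A bare "word:" line opens a section (server:, forward-zone:, ...).
        /^[[:space:]]*[a-z-]+:[[:space:]]*$/ { inzone = ($1 == "forward-zone:"); isroot = 0; next }
        inzone && $1 == "name:"                   { isroot = ($2 == "\".\"") }
        inzone && isroot && $1 == "forward-addr:" { print $2 }
    ')
    if [ -n "$addrs" ]; then
        printf 'forwarding %s\n' "$(printf '%s' "$addrs" | tr '\n' ' ' | sed 's/ *$//')"
    else
        echo recursive
    fi
}

# Constructed sample: Forwarding Mode on, upstreams from System > General Setup.
sample_forwarding() {
cat <<'EOF'
server:
    interface: 127.0.0.1
include: /var/unbound/host_entries.conf
forward-zone:
    name: "."
    forward-addr: 1.1.1.1
    forward-addr: 1.0.0.1
EOF
}

# Constructed sample: Forwarding Mode off; a stub-zone for a local domain only.
sample_recursive() {
cat <<'EOF'
server:
    interface: 127.0.0.1
include: /var/unbound/host_entries.conf
stub-zone:
    name: "lab.home"
    stub-addr: 192.168.1.53
EOF
}

# On a live box: unbound_mode < /var/unbound/unbound.conf
```

On a running pfSense box, `unbound-control -c /var/unbound/unbound.conf forward` gives the same answer from the live daemon: it prints the upstream list, or `off` when Unbound is recursing on its own.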

  • @bearhntr928 2 years ago +1

    Interesting video. Great info about not using ISP DNS servers... The DNS Resolver portion was interesting, but perhaps you should also post the text of that CUSTOM OPTION in your notes and provide more instruction on it. Also, you mention setting up another subnet for IoT. Do you have a video on this?

    • @OMGTheCloud 2 years ago

      Thanks! Here’s my video to get you going with VLANs:
      ua-cam.com/video/gUh1wNt43lc/v-deo.html

  • @frozeneye100 1 year ago +1

    It really does not matter. The ISP still relays your traffic and they still get the IPs. Sort of a moot point, I think.

  • @mattcero1 3 years ago +1

    Total thumbs up, short and to the point video, man, thank you. What are your thoughts on making pfSense a DNS caching controller to speed up your most visited sites? Thank you.

    • @OMGTheCloud 3 years ago

      Not a bad idea! There are a couple of caveats to caching: You can certainly run into issues with persistent cache causing problems with content not expiring out. Also, with nearly all our traffic being HTTPS these days, caching can fall off in its value. But, give it a try and see if you see some improvements.
      Personally, I believe running a good blackhole ad blocker, such as Pi-hole, has a better return, as it will save you quite a bit of ad content traffic, while also protecting you more from trackers than most browsers are capable of.

    • @hayzeproductions7093 3 years ago +1

      You could do so; however, depending on the hardware setup for your pfSense, there are a few things to recommend.
      Depending on how many devices you have on the network, you need to consider your hardware for pfSense if you want an efficient cache controller using Squid proxy.
      It's one of the packages in pfSense you will find under "Package Manager".
      Back to the hardware setup.
      Consider this important: Squid proxy cache will need to store on a hard disk; RAM is also a good factor to consider.
      If you have 30 devices that are surfing across the web and you need to cache websites along with other elements such as short videos, photos, etc.,
      30 devices accessing the cache simultaneously across the pfSense hard disk will create an immediate bottleneck,
      because those 30 devices are accessing a hard drive capped at 100mb/s. This is unethical for a network with 30 devices on the web simultaneously.
      Sometimes you've got to think outside the box for best performance.
      My current setup with pfSense:
      Dell 1-unit server with 1 quad-port NIC, and 2 built-in LAN ports.
      2 built-in LAN ports are from the ISP, each supporting 1gb service.
      Quad-port NIC has LAG - LACP tied into an HP ProCurve switch.
      Server also has 20gb of RAM with a 12-core Intel Xeon CPU.
      Storage is a bit tricky:
      2 mechanical drives in RAID 1 for pfSense.
      4 SSD drives in RAID 0 for fast performance; yes, no fault tolerance needed.
      SSD drives are configured as the cache storage with Squid, and the 4 SSD drives in RAID 0 put out a total of 2gb/s for cached content across the network for all the users.
      This is a mid-size business with over 60 PCs.
      Creating a cache server can help you, but can also hurt you if it's not planned correctly.
      Hopefully this helps!

    • @Tony-ik3uz 1 year ago

      @@OMGTheCloud Wouldn't it be more convenient to run pfBlocker instead of Pi-hole?

  • @mikemalter 2 years ago +1

    Excellent presentation. Thank you.

  • @zen6zen 1 year ago

    DNS isn't the only method to track clients; DNS over HTTPS isn't there to anonymise internet browsing. I'm an ISP and I collect data by IP server connection, and the only way to protect web browsing is a VPN.

  • @venturajv 2 years ago

    I want to say great videos! I have learned a lot from your video series. I tried these settings in the past, and I recall they worked, but now they are not. I did a DNS Leak test, and my ISP is now handling my DNS requests. I did some research, and they mentioned this is due to the ISP doing Transparent DNS, which makes these settings not work. Do you have any suggestions for going about it when the ISP is doing Transparent DNS? Is there any specific setting I need to look out for?

  • @muhammadaamir566 1 year ago

    I have configured the OpenDNS server on LAN with DHCP... I want to bypass an alias from the OpenDNS server... I want to direct that alias through Google DNS. How do I do it, sir?

  • @muhammadaamir566 2 years ago +1

    Can we block IDM downloads from pfSense? If yes, then how?

    • @OMGTheCloud 2 years ago +1

      Good question! If you are looking for a content filter / blocker, there's a few pfSense add-on packages for that. pfBlockerNG is a popular one. Give it a try and let me know how you do!

    • @muhammadaamir566 2 years ago

      @@OMGTheCloud Can Internet Download Manager speed be blocked from pfBlocker??? Any video?

  • @rachaeltaylor815 2 years ago

    I work for an ISP and trust me, we aren't bothered about collecting and looking at your DNS traffic.

    • @LibreGlider 1 year ago

      Until you get a letter from the government or a big movie studio...

  • @EmptyTome 3 years ago

    What's the point of adding the DNS addresses from Cloudflare when you're using the local DNS resolver? I'm confused as I just started to use pfSense.

    • @OMGTheCloud 3 years ago +1

      Good question! This is for upstream DNS lookups, i.e. when a computer on your network looks up "www.google.com", that request goes to the "next hop" upstream DNS server. You do NOT want this upstream DNS server to be your ISP's DNS server, as many of them sell your DNS activity at worst, and at the least they certainly do not secure it. Cloudflare (as one good example that I personally like) does provide anonymous secured DNS resolvers. Cheers, and thanks for watching!

    • @EmptyTome 3 years ago

      @@OMGTheCloud Would it be a wise idea to have pfSense as the only point for DNS and have it do the lookups? Meaning not connecting to any DNS services such as your ISP, Cloudflare, Google, etc.?

    • @OMGTheCloud 3 years ago

      For your internal lookups, yes. However, pfSense has to resolve external DNS names from somewhere, unless you were to try to host your own public DNS server (not even remotely practical to do). Effectively what is happening is this: your computer requests DNS for “www.google.com” - pfSense checks its internal DNS records and says, ‘nope, not one of mine’, and does a forward lookup to the next hop upstream (your ISP if you change nothing) - that DNS server does the same thing: if it doesn’t have a cached or authoritative record for the FQDN you requested, it would forward up one more level itself, until an authoritative response is finally given, then send that back downstream to your pfSense, which in turn responds to your computer inside your network.
      The key here is cutting out your ISP’s ability to catalog every single site you visit, every service you connect to. It is such a hugely overlooked privacy issue.
      For what it’s worth if you are an Apple / Mac user, the upcoming version of iOS, iPadOS, and macOS have built in private DNS relay and public IP screening. It works pretty well, and we’ll be reviewing that after public release 👍

    • @EmptyTome 3 years ago

      @@OMGTheCloud I had only my pfSense box as the DNS with no forwarding/upstream. No other DNS server. Having DHCP point to the pfSense box for DNS. When I do a DNS leak test it shows as my IP only. So without upstreaming to any external DNS, how was my network able to resolve external DNS names? I did clear the cache.

    • @OMGTheCloud 3 years ago

      If you do not define an upstream DNS server (default), it will use the DNS server(s) provided by your ISP.