DNS Over TLS On pfSense 2.4.5

Dan from Tyler, TX here, Thanks Tom! Just what I needed.

Thanks Tom, as always very informative. Had DOT setup for a while now and had the Cloudflare DNS servers added to the custom options + I'm also using pfBlockerNG, changed it now to the way you're showing in the video (:

Hey, please make a video on Redirecting DNS & Blocking external DNS servers for pfSense. Thanks a lot

I was procrastinating on researching this, thanks for distilling it in another succinct video! No excuse for me not to use it now ;)

Nice video. Love your content. I use pihole and a Unifi network. Pihole with dns over https works fine if using the cloudflared method via loop back.

Thanks Lawrence, you´r the best!! Regards from Colombia!!

Nice one. This was what i im looking for...

Should note that if you're running a dual stack IPv6 / IPv4 network with pfSense and running unbound, pfSense will advertise itself as DNS server through router advertisements. This means that in case you want to point your clients to a Windows DNS first, they'll still "know" about pfSense being a DNS server through the RA. This can cause issues since Windows prefers IPv6 over IPv4 in its IP stack (as it should) and thus is likely to send queries to pfSense over IPv6 in this scenario.
So if you're running dual stack with pfSense, I would actually recommend using it as primary DNS and for AD use appropriate domain forwards in unbound. Yes it's a "workaround" as Tom notes, but it's currently the only way I have found to make it work correctly and consistently.

1st post! :) Great job, Tom, as always! I love your channel and all the content you make around pfSense and UniFi equipment.

Great info @Lawrence Systems Question how does this affect captive portal???

Thanks

I think a new setup guide from you would help as things have changed

I took care of that in AD right before you started talking about it.

Ugh I just did this today! I should have waited 2 hours! 😂

Always best 👍

Have you made a video comparing
DNS over HTPPS vs DNS over TLS ??
Thanks 😊

great video as usual. I have DNSSEC already configured...would there be any conflict by enabling/using DNS over TLS in addition?

To ensure that even dns queries generated by your computers don't leave the computer non TLS encrypted you can use a tool called Simple DNSCrypt. Run Wireshark and filter DNS traffic and you'll see the magic yourself.

FYI, heads-up that the family filtering servers, .2 and .3 do not actually filter when DoT is used. See community.cloudflare.com/t/1-1-1-3-does-not-filter-content-if-queries-are-made-via-dot-dns-over-tls/167730
They do resolve over TLS, but no DNS filtering takes place.
Unfortunately, if you want to use the filtering, for now, you have to use non-TLS. I have confirmed this behavior.

Hey Tom can you get hold of the new unify viewport and give it a good run in and review. Have always respected your point of view and your insights are highly valuable 👍

Finally, this solved my problems. I was using that custom thing with all the stuff I found on forums. This worked a lot better. It even show how to secure with floating rules which I appreciate a lot. Please read whole comment below.
I do have plans for egress filtering, can you please make videos about that? I have a particular network setup with ISP modem (192.168.1.1 lan IP), pfSense base network (wan 192.168.1.5, lan 10.0.0.0/24. And then I use a shared (switched) LAN1 from pfsense base net down to my office where I have yet another pfsense with stricter rules (wan 10.0.0.5, lan 10.0.5.0/24). I'm trying to do egress filtering on my base network to make all of the networks a bit safer, but it seems like I'm breaking the router at my office. I wonder if there are some IPs/ports that I need to allow on 10.0.0.0/24 to not break router at my office.

You’re not hiding anything at all on ISP level: since SNI was introduced the host(name of the website) is added in plaintext on the transport layer of a TLS packet. See RFC 3546 section 3.1. Just wireshark any client hello TLS Packet and you’ll see the hostname

Tom is the shit!

you're using 1.1.1.2 in this demo, but Cloudflare only specifies 1.1.1.1 to be compatible with the use of TLS in their own documentation. Can someone confirm that if you're setting up 1.1.1.2 over TLS that you're actually using the 1.1.1.1 service without the malware filtering?

I have enabled this on pfsense and in pftop I see wan ip address is sending dns queries via port 853. But all LAN clients are still using 53 port.
I'd like to test with forcing lan clients to use only DNS over TLS.
Here it is mentioned that I can use firewall rules for that, but how? When I do telnet pfsensehost 853 the port is not open!

I wish you would do some OPNsense videos.

Love you Tom

👍

Does the "DNS Server Override" setting at 3:47, that's enabled, do any bypassing of DoT?

What's better for Windows Domain - Clients -> Windows DNS ->PFSense DNS or Clients -> PFSense and forward local domain requests to Windows DNS?

See this is sort of where I really do not understand. If the traffic after dns still goes over isp or vpn or whatever… they can still track the ip, only time where I really agree with this of thing is when we have peer to peer communication between company branches and some settings of vpn May cause dns leaks which a hacker may track. Then sure but for the average joe… since isp has ip you connect to, they will still see exactly what site you visit regardless of your dns. Simple put on who is query for all incoming connections and they get the domain names anyway.

Any idea how to setup a laptop to exclusively use the pfsense DoH DNS for filtering at home and also use DoH in the browser/computer when on a remote network? I’m guessing the only way is to set pfsense as the DoH custom provider and VPN into it since you can’t set primary and fallback DoH providers in your browser when it can’t be reached. The only other option is to turn off all computer level DoH and let pfsense provide it when you are at home but it is then off when roaming and potentially unreliable when an update could reset to non-pfsense default.
In short, using pfBlocker & pfsense DoH with DoH settings in both the browser and soon to be additional DoH settings in Windows also is going to be a pain to configure and maintain especially mobile devices. If any of those DoH setting to pfsense gets switched to an outside non-filtering DNS provider by an update, you won’t likely know or have any warning and Microsoft will likely do that [oops] to get around blocking attempts of their integrated spyware. Privacy for the user is also privacy from the user for app makers when using third party DoH.

Is this a global setting or can it be set so IoT on a separate vlan uses 53 while the main network uses TLS? Maybe through DHCP?

It's not clear here if Forwarding mode has alternative side effects? How can we NOT be in forwarding mode, and still have encrypted DNS queries that do get sent to upstream providers?
I want Unbound to be a resolver, not a forwarder, but when it does resolve request by querying an upstream provider, I want it to use DNS over TLS. Is this not possible?

Can you please do the video for redirecting DNS.

Hi
I have a problem with pfsense configuration , on my server I have ubuntu 20.04 configured with nginx proxy manager , sorting out the ssl certs which works fine, on a second server I have truenas configured with Nextcloud witch works fine . The issue is that when I connect to my Nextcloud, externally via phone works fine , but when I need to connect locally via Wi-Fi with the same domain name and account it will not allow it. What is the configuration that I miss in my case . If you need more info I will try to explain it to you again!

Tom at 3:54 "DNS Server Override" is checked, does this affect the DNS over TLS functionality?

I use a VPN like that (or did) when i was at my previous job to bypass their social media filters on my lunch breaks they had free internet but blocked all social networking even UA-cam was grouped in this, using an VPN like this allowed me to bypass it which i guess was kind of not best practice but since i am no longer employed there feel safe saying that.

Hi Lawrence, I would like to ask about the TLS 1.2 on pfsense. Is it possible to create a certificate using the TLS 1.2?

Will you make a video on UNifi custom widgets for us udmp users

Sir do i need to check the DNS server overrride?

I have configured OpenDNS Server on LAN with DHCP... I want to by pass an Alias from OpenDNS Server.... I wan to direct that Alias through GoogleDNS? How to do it sir

I have DNS forwarder enabled on my pfsense pointing to a private DNS running on my network. Is this good or bad?

Greetings Tom, the set up for dns over tls in pfsense 2.6 seems not to be working unless you use the old custom options settings, could you please confirm why?

Please make pfsense video for
1. DNS Over HTTPS
2. port knocking

Next dns and rethink dns on android is the bomb. You can see the junk that’s being sucked up.

Why not use DNSSEC? Is it not compatible with forwarding mode?

Hey, Chinaduh, just passed bill C11 to restrict content on YT, can a DNS work as an alternative to VPN?

Alternatively you can hit publicly available pi-holes as opposed to G or C.

why not using unbound without forwarding + dnssec and direct query root servers?

Why not enable DNSSEC?

What are your opinions about this regarding unbound vs encrypting DNS?
""jfb
Moderator
Apr '19
This depends on your definition of “secure”.
With encrypted DNS, the DNS requests to and from the upstream provider are not visible to your ISP or others, and the reply you get is the answer that was sent, as it travels an encrypted path. However, you have to trust the upstream provider with your DNS history, and to not filter or alter any of the DNS replies it sends you. Additionally, even though your ISP cannot see the DNS requests, you will immediately follow the DNS reply with an unencrypted request for that IP address, and your ISP can quickly determine where you are browsing.
With unbound, you avoid upstream providers completely and your local resolver (unbound) deals directly with the authoritative name servers (the same ones the upstream providers use). The DNS traffic is not encrypted, but it is authenticated with DNSSEC, so the reply you receive is validated as being the answer that was sent. Unbound uses a few techniques to send as little data to the nameservers as possible and to maximize your privacy - qname minimisation is one method. Since you communicate directly with the authoritative name servers, the replies are not filtered in any way. Unbound also has a very efficient cache, so after it’s been in use for a while it does not have to communicate with the name servers as often. Most users find that unbound is typically faster overall than using an upstream provider, once the cache is populated.
For these reasons, I prefer unbound to encrypted DNS:
No upstream DNS provider has your DNS history.
The results are unfiltered.
You have equal assurance that the DNS traffic has not been altered in transit.
There is no less privacy from the ISP.
Generally faster.
I have complete control over my DNS resolver.""

Can you make pfsende serve a DOH resolver?

Dnssec or DNS over TLS?

Reupload?

Tom, absolutely love your videos but please take a breath of air every now and then and slow down just a bit, especially when whipping through pfSense configuration options. Thanks!

too fast!

First - From Florida!

Lol