• DNS over TLS for internal hosts HOWTO

    8
    0 Votes
    8 Posts
    3k Views
    jimpJ

    @PertFlavus:

    A bit of news, it is confirmed that Android P will have built-in support for DNS over TLS and automatically use it by default.

    https://android-developers.googleblog.com/2018/04/dns-over-tls-support-in-android-p.html
    DNS over TLS support in Android P Developer Preview

    Nice! Now if only Google's public DNS servers would support DNS over TLS.

  • Small issue on IP resolution to local DHCP lease in log view

    1
    0 Votes
    1 Posts
    224 Views
    No one has replied
  • Manual DNS on DHCP WAN Interface?

    2
    0 Votes
    2 Posts
    279 Views
    GertjanG

    Hi,

    Better yet: instead of having some foreign source handling your DNS resolutions, you can decide to do nothing. In that case the default resolver gets used, which includes DNSSEC if present.

  • DHCPv6 Relay not working properly?

    1
    0 Votes
    1 Posts
    542 Views
    No one has replied
  • How to remove private-address: from /var/unbound/unbound.conf ?

    4
    0 Votes
    4 Posts
    870 Views
    johnpozJ

    If you have VPN clients connecting, they should use the local DNS through the VPN to resolve RFC 1918 address space. It is BAD PRACTICE to put RFC 1918 in public DNS… The whole point of rebinding protection is to protect against such practice.

    If you have site-to-site VPN connections, then all your different sites across these site-to-site connections should be able to resolve what you want them to resolve via internal DNS.

    So let's say you have site A and site B via VPN connection.

    Let's call it siteAdomain.tld and siteBdomain.tld. It's very simple to tell site A DNS to ask siteB DNS for host.siteBdomain.tld via either delegation or simple domain override if you're using, say, unbound.

  • WAN DHCP not renewing 2.4.3 VirtualBox

    1
    0 Votes
    1 Posts
    243 Views
    No one has replied
  • PhpDynDNS (minedomain.duia.eu): (Error) Server side error.

    1
    0 Votes
    1 Posts
    221 Views
    No one has replied
  • Registration of DHCP clients in the DNS server stopped working in 2.4.x

    1
    0 Votes
    1 Posts
    400 Views
    No one has replied
  • DNS Lookup problems

    10
    0 Votes
    10 Posts
    1k Views
    johnpozJ

    "i can not ping the hostname pfSense sends me to the outside"

    Let's see the ipconfig /all of your client.

    Out of the box pfSense resolves, and hands its DHCP clients itself for DNS.

  • Dhcp relay on pfsense with cp

    1
    0 Votes
    1 Posts
    229 Views
    No one has replied
  • [SOLVED] DNS on WAN - host overrides

    7
    0 Votes
    7 Posts
    864 Views
    P

    Wild? Only a little bit. :-)  It is not departments, it is many state organizations from different parts of state administration, they have different management, different legislation, different systems…

    Adding ACL helped me, now it is working. I am really stupid I didn't realise this can be the reason.

    Thank you very much, you are the best.

    Have a nice day.
    pq

  • ALL DNS over WAN???

    2
    0 Votes
    2 Posts
    425 Views
    NeoDudeN

    Set outgoing interface to WAN in Resolver settings.

  • WinServer 2016 ADDC DNS and PFSense DNS

    1
    0 Votes
    1 Posts
    230 Views
    No one has replied
  • DNS issue causes server to be unreachable after starting pfSense service.

    4
    0 Votes
    4 Posts
    623 Views
    DerelictD

    You answered none of my questions and simply blamed pfSense.

    DNS has to be correct pfSense or not.

    Those questions were not just time-fillers. They are pointed so we get the information we need to possibly help you or - better - maybe they'll point you in the direction necessary to help yourself.

    If you do not understand how the flow of DNS queries is supposed to work - so you can, in turn, figure out why they are not working - you should probably consider hiring someone who does.

  • [solved] maximum of interfaces for DHCP Server?

    Locked
    1
    0 Votes
    1 Posts
    248 Views
    No one has replied
  • Open DNS port from pfsense

    2
    0 Votes
    2 Posts
    366 Views
    johnpozJ

    Does it answer on tcp?

    That tool doesn't test UDP. Says so right on the top of it..

    Is the device directly connected to your LAN or is it downstream?  So I have DHCP on a LAN side VLAN of my pfSense - using the tool to test 53, reports back fine since the DNS is also listening on 53 TCP for full DNS.

    When you say open - do you mean on the host's firewall?  Since there are no rules required on pfSense to talk to LAN devices - unless you put in some outbound rules on your floating rules?

  • DNS Cloudflare?

    9
    0 Votes
    9 Posts
    1k Views
    K

    Thanks for the replies, it's odd that if ping 1.1.1.1 whether it's using pfBlocker or not I should get a response. But the secondary DNS works fine, very odd.

  • How to verify DNS over TLS is working through packet capture?

    5
    0 Votes
    5 Posts
    4k Views
    nesenseN

    @johnpoz:

    Well if you're seeing stuff go out on default DNS, is it going to where you're wanting to forward it?  Or all over the place like a resolver does out of the box.

    Are your clients actually pointing to pfSense for their DNS or are they going directly out to some DNS server?

    It turns out the issue was because of my wireless router running IPFire which set the DNS server to "local recursor" instead of using pfSense as a DNS server through DHCP  :-[ I had to force it to use pfSense as a DNS.

    Now capturing packets on port 853 shows requests going through 9.9.9.9.

    Thanks for the help!

  • DNS over TLS with CloudFlare not working for LAN hosts

    27
    0 Votes
    27 Posts
    5k Views
    R

    For me resolution does not work always.
    I use MultiWAN with failover and it seems that if one gateway is down, resolution hangs.

  • Masking WAN IP Address

    2
    0 Votes
    2 Posts
    525 Views
    johnpozJ

    Register a domain would be step 1, or use a free one.

    Point it at your IP, step 2..

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.