DNS over TLS but still 53 Outbound Traffic
-
I'm running 2.5.2 CE and have configured DNS over TLS as per this document:
https://docs.netgate.com/pfsense/en/latest/recipes/dns-over-tls.html
This works no problem, but when I verify it's working properly using Diagnostics > DNS Lookup, I still see traffic to the upstream DNS servers from the WAN interface on port 53 in addition to the 853 traffic.
-
@jayny
I guess client computers on your LAN are using DNS other than pfSense. Have you tried redirecting LAN port 53 traffic to pfSense?
-
In addition to wanting to know if this is expected, can someone verify this behavior on their system? I had a few packages installed and uninstalled, and I still see some residual effects like the "bandwidthd" service is still listed, but not running.
-
@patch It's definitely not this. In fact I think it has to do with the system using all the DNS servers listed including the loopback, even though it's specified not to in System > General, "Use local DNS (127.0.0.1), ignore remote DNS Servers". The connections open in the order of the listed DNS servers.
-
@patch I forgot to mention I've blocked all port 53 traffic to the LAN interface to rule it out.
-
Do you have pfSense configured to use the DNS Resolver or the DNS Forwarder? The out-of-the-box default is the DNS Resolver enabled in resolving mode. In that mode, it contacts the root servers directly when resolving a domain name to an IP. As of today, the DNS roots do not support encryption, thus unbound on pfSense will contact the roots over port 53 without encryption. So the initial domain nameserver lookups will be over port 53. Then, once the authoritative server for the domain is identified, the communication may proceed over TLS if the final nameserver supports it.

So if you have the resolver enabled, here is what you are probably seeing. Assume a client is looking for "amazon.com". The DNS Resolver first asks the root servers "what nameserver do I ask for *.com lookups?" The root server responds with "1.2.3.4". So next, the DNS Resolver asks name server 1.2.3.4 "what is the IP for the authoritative nameserver for amazon.com?" That server responds with the IP of the Amazon nameserver. At that point, the DNS Resolver will try to talk to the Amazon server over TLS if you have that enabled. The previous traffic to the root servers would all have been in the clear over port 53.

I will ask, because many times users have no clue, but do you know the difference between DNS resolving and DNS forwarding? Not meant as an insult, but many, many users have shot themselves in the foot with DNS on pfSense by not understanding that critical distinction. That configuration will have a large impact on the DNS traffic you see.
-
@bmeeks It is configured to use DNS Resolver in forwarding mode as per the document I linked.
To be clear I'm seeing pfSense contact the upstream DNS servers I specified in System > General on both 853 and 53 when testing via Diagnostics > DNS Lookup. I have blocked all other port 53 traffic from reaching the firewall from the LAN.
-
@jayny said in DNS over TLS but still 53 Outbound Traffic:
@bmeeks It is configured to use DNS Resolver in forwarding mode as per the document I linked.
To be clear I'm seeing pfSense contact the upstream DNS servers I specified in System > General on both 853 and 53 when testing via Diagnostics > DNS Lookup. I have blocked all other port 53 traffic from reaching the firewall from the LAN.
Then you would need to capture some of the DNS traffic on port 53 to find out who is talking to whom. You can do that under the DIAGNOSTICS menu in pfSense. There are processes on pfSense that do DNS lookups. Use the source and destination IPs to find out where the local traffic is originating from. That will help you close the hole.
But many of us here with a long career of IT security really don't see the need for DNS over TLS. Simply let the DNS Resolver talk to the roots and don't have all the headaches associated with TLS. You are not really hiding where you go. Your ISP knows every IP address you go to anyway. And now you are also handing over all of your destination information to another third-party (those forwarders you are using). Nothing is really "free", so those DNS forwarders are harvesting your info to monetize it in some fashion. They are not going to spend millions creating a world-wide DNS infrastructure to then just give it away for nothing ...
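The packet-capture triage suggested in the reply above, as an added example that is not part of the thread or of pfSense itself: it parses tcpdump-style lines (the format shown by Diagnostics > Packet Capture), separates plaintext port-53 flows from DoT port-853 flows, and reports which port-53 flows were sent by the firewall's own WAN address rather than by a LAN host. The capture lines and all IP addresses below are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -n` style output as it would appear in a WAN
# capture. 203.0.113.10 stands in for the firewall's WAN address, 198.51.100.x
# for the configured upstream DNS servers, 192.168.1.50 for a LAN client that
# bypassed the firewall's resolver. None of these are real hosts.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 203.0.113.10.51234 > 198.51.100.1.853: Flags [S], seq 1, win 65535, length 0
12:00:01.000500 IP 203.0.113.10.51235 > 198.51.100.1.53: 12345+ A? example.com. (29)
12:00:01.001000 IP 203.0.113.10.51236 > 198.51.100.2.853: Flags [S], seq 2, win 65535, length 0
12:00:01.001500 IP 203.0.113.10.51237 > 198.51.100.2.53: 12346+ A? example.com. (29)
12:00:02.000000 IP 192.168.1.50.40000 > 198.51.100.1.53: 555+ A? example.org. (29)
"""

# Matches "<timestamp> IP <src>.<sport> > <dst>.<dport>:" at the start of a line.
LINE_RE = re.compile(r"""
    ^\S+\s+IP\s+
    (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+
    (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):
""", re.VERBOSE)


def parse_flows(text):
    """Return a list of (src_ip, dst_ip, dst_port) tuples from tcpdump-style text.

    Lines that do not match the IPv4 header pattern are ignored.
    """
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            flows.append((m["src"], m["dst"], int(m["dport"])))
    return flows


def summarize(flows, firewall_ips):
    """Count DNS flows keyed by (origin, transport).

    origin is "firewall" when the source is one of the firewall's own
    addresses, otherwise "other"; transport is "dot" for port 853 and
    "plain" for port 53. Non-DNS flows are skipped.
    """
    summary = Counter()
    for src, dst, dport in flows:
        if dport == 853:
            transport = "dot"
        elif dport == 53:
            transport = "plain"
        else:
            continue
        origin = "firewall" if src in firewall_ips else "other"
        summary[(origin, transport)] += 1
    return summary


def plaintext_from_firewall(flows, firewall_ips):
    """Return sorted (src, dst) pairs where the firewall itself sent port-53 DNS."""
    return sorted({(s, d) for s, d, p in flows if p == 53 and s in firewall_ips})


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_CAPTURE)
    for key, count in sorted(summarize(flows, {"203.0.113.10"}).items()):
        print(key, count)
    print("firewall-originated plaintext DNS:",
          plaintext_from_firewall(flows, {"203.0.113.10"}))
```

Feed the script a real capture saved from the Packet Capture page and put the firewall's WAN address(es) in the set; a non-empty result from `plaintext_from_firewall` means the port-53 traffic is the firewall's own, while entries under `("other", "plain")` point at LAN hosts that still need a port-53 redirect or block rule.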
-
@bmeeks I don't think a packet capture is going to help me, I'm pretty sure pfSense is sending the traffic itself. I can lock it down so pfSense is the only device, when I run Diagnostics > DNS Lookup, that's when I see the traffic.
-
I think this explains the behavior as expected:
https://docs.netgate.com/pfsense/en/latest/diagnostics/dns.html#dns-servers-included-in-testing
It would have been nice if the "Testing" section of the "Configuring DNS over TLS" documentation noted this tidbit as well.
See excerpt with note below:
DNS servers included in testing
The page will query a specific set of DNS servers. This set depends upon the DNS Server Settings under System > General.
The page will test against 127.0.0.1 if the DNS Resolver or DNS Forwarder are active and the DNS Resolution Behavior setting is not set to ignore local DNS.
The page will test each of the DNS Servers from the list at System > General.
The page will also test DNS servers from dynamic WANs if DNS Server Override is set and the firewall has obtained servers from dynamic sources.
Note
The DNS Resolver mode does not impact the behavior of this test. Even in resolver mode the individual DNS servers are tested as described above.