Netgate Discussion Forum

DNS over TLS Not Working?

Category: DHCP and DNS
Tags: tls, dns resolver, tls over dns, dns, unbound
    1.21Gigawatts, Apr 2, 2022, 2:42 AM (last edited Apr 2, 2022, 2:57 AM)

    I have followed this Netgate guide and read this forum thread guide but cannot get TLS working with DNS Resolver.

    I have updated pfSense to the latest 2.6.0 release, but was also having this issue prior to updating. I did have it working at a previous address with a different ISP, but had to reset my pfSense box to defaults to get my new WAN connection working.

    I am using 1.1.1.1/help to test.
    Result: "Using DNS over TLS (DoT): No"

    Here is a screenshot of my System / General config.
    Here is the DNS Resolver / General Settings.

    I have left "Enable DNSSEC Support" unchecked, but enabling it doesn't fix the problem.
    I have also tried putting in "1dot1dot1dot1.cloudflare-dns.com" and "one.one.one.one" for the DNS Server Hostname for TLS Verification.

    What am I doing wrong?!
    Are there any specific logs I can provide?

      Gertjan, replying to 1.21Gigawatts, Apr 2, 2022, 11:55 AM

      @1-21gigawatts said in DNS over TLS Not Working?:

      Here is a screen shot of my

      Compare with https://forum.netgate.com/topic/171218/dnsbl-stopped/7?_=1648898904135

      The reverse of 1.1.1.1 is "one.one.one.one".
      The reverse of 1.0.0.1 is also one.one.one.one

      I've set: [screenshot] and [screenshot], and my DNS works: [screenshot]

      DNS over TLS = ok.

      @1-21gigawatts said in DNS over TLS Not Working?:

      I have left "Enable DNSSEC Support" unchecked, but enabling doesnt fix the problem.

      You can check it if you want, but that's useless, as you cannot have DNSSEC when you're forwarding.

      @1-21gigawatts said in DNS over TLS Not Working?:

      "one.one.one.one"

      That was ok.

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

        1.21Gigawatts, replying to Gertjan, Apr 2, 2022, 9:33 PM (last edited Apr 2, 2022, 9:37 PM)

        @gertjan
        Thanks for looking into it.
        Why do your settings have a choice of WAN_DHCP next to one.one.one.one? Mine only has two fields. Which version of pfSense are you running?

        Seems my issue goes beyond DNS over TLS.
        I changed my DNS servers to 8.8.8.8 & 8.8.4.4 and rebooted the pfSense box, but devices connected to the network were still using 1.1.1.1; even after a DNS cache flush, when I went to 1.1.1.1/help it was still detecting me as using 1.1.1.1.

        Maybe I need to fully reinstall pfSense.

          Gertjan, replying to 1.21Gigawatts, Apr 2, 2022, 10:37 PM

          @1-21gigawatts said in DNS over TLS Not Working?:

          Why does your settings have a choice of WAN_DHCP next to one.one.one.one?

          Because I have a WAN gateway (like you) that connects to my upstream IPv4-only ISP router.
          I have a second WAN-type interface connected to an IPv6-only "ISP" (tunnel.he.net).

          Because I have more than one WAN, I can specify to unbound which WAN to use.
          Not really needed to use both IPv4 like 1.1.1.1 and also an IPv6 route, as an IPv4 connection to 1.1.1.1 can resolve IPv4 and IPv6 DNS requests.

          @1-21gigawatts said in DNS over TLS Not Working?:

          devices connected to the network were still using 1.1.1.1

          A device uses whatever it is set to use.
          This could be the DNS it has built (compiled) in. It won't ask for a DNS during the DHCP request, and pfSense won't give it a DNS.
          Or you've set up on the DNS that the device must use 1.1.1.1, and in that case it will not use pfSense as a DNS, but goes directly to 1.1.1.1 for its DNS needs.
          Or you've set up a static DNS on that device yourself, 1.1.1.1.

          @1-21gigawatts said in DNS over TLS Not Working?:

          maybe i need to fully reinstall pfSense

          Nope.
          You could save your backup, and reboot (use the console) using the default settings.
          DNS will be default == will work. If the wizard pops up during initial setup, do not give any DNS details, because none are needed.

          If you have a Microsoft PC, open a cmd and type

          ipconfig /all

          You'll see what DNS your device is using.
          Normally, all this info is obtained by a DHCP request.
          Normally, the gateway and DNS servers should be the LAN IP of pfSense. So pfSense is the gateway, and also the DNS 'source' of your network.
          On pfSense, unbound is the "collector" of all the DNS requests on all your LAN interfaces, and uses the WAN(s) to collect the info, using the main root DNS servers, then a TLD DNS server and then the domain name server of the domain from which you need answers, like: what IP has "www.host.tld"?


            1.21Gigawatts, Apr 3, 2022, 12:06 PM

            OK, I figured out the problem.
            I had set DNS servers in Services / DHCP Server / LAN.
            Once I removed these and restarted the services, the normal DNS settings took priority again and I get a "Yes" for TLS on 1.1.1.1/help.

            Thanks for your replies @Gertjan

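As an added example (not code from this thread or from pfSense), here is a small sh script that separates the two questions this thread ran together: is unbound on pfSense forwarding over TLS at all, and are the LAN clients actually asking unbound? It reads the two files pfSense generates, /var/unbound/unbound.conf (the forward-zone unbound uses when "Use SSL/TLS for outgoing DNS queries" is on) and /var/dhcpd/etc/dhcpd.conf (what the DHCP server hands to clients); those paths and line formats are assumptions taken from pfSense 2.6, and the sample file contents in the block are constructed so it runs offline. The "bypass" DHCP sample reproduces the root cause found above: DNS servers typed into Services / DHCP Server / LAN, so clients go straight to 1.1.1.1 on port 53 and never touch unbound.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense. Two checks that
# separate "unbound forwards over TLS" from "my clients actually ask unbound".
# Paths are where pfSense writes its generated configs (assumed, from 2.6.0);
# the sample files further down are constructed so this runs offline.
UNBOUND_CONF=/var/unbound/unbound.conf
DHCPD_CONF=/var/dhcpd/etc/dhcpd.conf

# dot_forwarding_ok FILE
# 0 when forward-tls-upstream is yes and every forward-addr has the form
# ip@853#hostname. The #hostname is what pfSense fills in from "DNS Server
# Hostname for TLS Verification" and what unbound checks the upstream
# certificate against (one.one.one.one for 1.1.1.1 / 1.0.0.1).
dot_forwarding_ok() {
    grep -q '^[[:space:]]*forward-tls-upstream:[[:space:]]*yes' "$1" || return 1
    addrs=$(awk '/^[ \t]*forward-addr:/ { print $2 }' "$1")
    [ -n "$addrs" ] || return 1
    for a in $addrs; do
        case "$a" in
            *@853\#?*) ;;          # TLS port plus an auth name: fine
            *) return 1 ;;         # plain port 53, or no name to verify against
        esac
    done
    return 0
}

# dhcp_dns_is_pfsense FILE LAN_IP
# 0 when every "option domain-name-servers" the pool hands out is the
# firewall's own LAN address. Anything else (1.1.1.1, 8.8.8.8, ...) sends
# clients around unbound, and DoT on pfSense never enters the picture.
# Leaving the DNS fields in Services / DHCP Server blank makes pfSense write
# its own interface address here (assumed from the thread's outcome).
dhcp_dns_is_pfsense() {
    servers=$(awk '/option domain-name-servers/ {
        sub(/.*domain-name-servers[ \t]*/, ""); gsub(/[;,]/, " "); print }' "$1")
    for s in $servers; do
        [ "$s" = "$2" ] || return 1
    done
    return 0
}

# audit UNBOUND_FILE DHCPD_FILE LAN_IP: one line per check, 0 only if both pass
audit() {
    rc=0
    if dot_forwarding_ok "$1"; then
        echo "unbound: forwarding over TLS (port 853, hostname verified)"
    else
        echo "unbound: NOT forwarding over TLS"; rc=1
    fi
    if dhcp_dns_is_pfsense "$2" "$3"; then
        echo "dhcpd:   clients are pointed at pfSense ($3)"
    else
        echo "dhcpd:   clients get a DNS server other than $3 and bypass unbound"; rc=1
    fi
    return $rc
}

# ---- constructed samples (only the lines that matter) ----
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/unbound_dot.conf" <<'EOF'
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#one.one.one.one
    forward-addr: 1.0.0.1@853#one.one.one.one
EOF
cat > "$tmp/unbound_plain.conf" <<'EOF'
forward-zone:
    name: "."
    forward-addr: 1.1.1.1
    forward-addr: 1.0.0.1
EOF
# the thread's root cause: DNS servers typed into Services / DHCP Server / LAN
cat > "$tmp/dhcpd_bypass.conf" <<'EOF'
subnet 192.168.1.0 netmask 255.255.255.0 {
    option routers 192.168.1.1;
    option domain-name-servers 1.1.1.1,1.0.0.1;
}
EOF
cat > "$tmp/dhcpd_fixed.conf" <<'EOF'
subnet 192.168.1.0 netmask 255.255.255.0 {
    option routers 192.168.1.1;
    option domain-name-servers 192.168.1.1;
}
EOF

echo "== as reported =="
audit "$tmp/unbound_dot.conf" "$tmp/dhcpd_bypass.conf" 192.168.1.1 || true
echo "== after clearing the DHCP DNS fields =="
audit "$tmp/unbound_dot.conf" "$tmp/dhcpd_fixed.conf" 192.168.1.1
```

On the firewall itself, run `audit "$UNBOUND_CONF" "$DHCPD_CONF" <LAN IP>` with the real files. The dhcpd check is the one that decides what 1.1.1.1/help reports: that page only sees the path the client's own resolver takes, so a client handed 1.1.1.1 by DHCP (or with a static DNS entry, as `ipconfig /all` would show) answers "No" for DoT no matter how pfSense is configured.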
              Coyote1Abe, replying to 1.21Gigawatts, Aug 5, 2022, 4:26 AM

              @1-21gigawatts Greetings, I am having the same problem. Could you please be a little more specific about the change you made to the system, so I can verify whether it works for me?

              Thanks kindly
              Coyote

                Gertjan, replying to Coyote1Abe, Aug 5, 2022, 6:54 AM

                @coyote1abe said in DNS over TLS Not Working?:

                could you please be a little more specific about the change you made to system

                Somewhere in the past, he changed the IP settings of his device ( a Windows PC ) from the default DHCP settings to a static setting.

                Like this :

                [screenshot]

                which means this Windows device doesn't use pfSense at all for DNS, because he asked for 1.2.3.4 to be used.

                He has undone that, and now all is well.


                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.