DNS over TLS Not Working?
-
I have followed this netgate guide and read this forum thread guide but can not get TLS working with DNS resolver.
I have updated pfSense to the latest 2.6.0 release, but was also having this issue prior to updating. I did have it working at a previous address with a different ISP, but had to default my pfSense box to get my new WAN connection working.
I am using 1.1.1.1/help to test.
Result: [screenshot]
Here is a screen shot of my [screenshot]
Here is the [screenshot]
I have left "Enable DNSSEC Support" unchecked, but enabling doesn't fix the problem.
I have also tried putting in "1dot1dot1dot1.cloudflare-dns.com" & "one.one.one.one" for the DNS Server Hostname for TLS Verification.
What am I doing wrong?!
Are there any specific logs I can provide? -
@1-21gigawatts said in DNS over TLS Not Working?:
Here is a screen shot of my
Compare with https://forum.netgate.com/topic/171218/dnsbl-stopped/7?_=1648898904135
The reverse of 1.1.1.1 is "one.one.one.one".
The reverse of 1.0.0.1 is also one.one.one.one.
I've set: [screenshot]
and [screenshot]
and my DNS works: [screenshot]
DNS over TLS = ok.
@1-21gigawatts said in DNS over TLS Not Working?:
I have left "Enable DNSSEC Support" unchecked, but enabling doesnt fix the problem.
You can check it if you want, but that's useless, as you cannot have DNSSEC when you're forwarding.
@1-21gigawatts said in DNS over TLS Not Working?:
"one.one.one.one"
That was ok.
-
@gertjan
Thanks for looking into it.
Why do your settings have a choice of WAN_DHCP next to one.one.one.one? Mine only has two fields. Which version of pfSense are you running?
Seems my issue goes beyond DNS over TLS.
I changed my DNS servers to 8.8.8.8 & 8.8.4.4 and rebooted the pfSense box, but devices connected to the network were still using 1.1.1.1. Even after a DNS cache flush, when I went to 1.1.1.1/help it was still detecting me using 1.1.1.1.
Maybe I need to fully reinstall pfSense.
-
@1-21gigawatts said in DNS over TLS Not Working?:
Why does your settings have a choice of WAN_DHCP next to one.one.one.one?
Because I have a WAN gateway (like you) that connects to my upstream IPv4 only ISP router.
I have a second WAN-type interface connected to an IPv6-only ISP (tunnel.he.net). Because I have more than one WAN, I can specify to unbound which WAN to use.
Not really needed to use both IPv4 like 1.1.1.1 and also an IPv6 route, as an IPv4 connection to 1.1.1.1 can resolve IPv4 and IPv6 DNS requests.
@1-21gigawatts said in DNS over TLS Not Working?:
devices connected to the network were still using 1.1.1.1
A device can use what is set to use.
This could be the DNS it has built (compiled) in. It won't ask for a DNS during the DHCP request, and pfSense won't give it a DNS.
Or, you've set up on the DNS that the device must use 1.1.1.1, and in that case it will not use pfSense as a DNS, but it goes directly to 1.1.1.1 for its DNS needs.
Or you've set up yourself a static DNS on that device, 1.1.1.1.
@1-21gigawatts said in DNS over TLS Not Working?:
maybe i need to fully reinstall pfSense
Noop.
You could save your backup, and reboot (use the console) using the default settings.
DNS will be default == will work. If the wizard pops up during initial setup, do not give any DNS details, because none are needed.
If you have a Microsoft PC, open a cmd and type
ipconfig /all
You'll see what DNS your device is using.
Normally, all this info is obtained by a DHCP request.
Normally, the gateway and DNS servers should be the LAN IP of pfSense. So pfSense is the gateway, and also the DNS 'source' of your network.
On pfSense, unbound is the "collector" of all the DNS requests on all your LAN interfaces, and uses the WAN(s) to collect the info, using the main root DNS servers, then a TLD DNS server and then the domain name server of the domain from which you need answers, like : what IP has "www.host.tld". -
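The check just described (the device's gateway and DNS servers should both be the pfSense LAN address, and anything else means the client is bypassing unbound) can be automated. Here is an added example, not from the thread, that parses output in the shape of `ipconfig /all` and reports every adapter whose DNS servers differ from its default gateway, skipping disconnected adapters that have no gateway. The two sample outputs are constructed to illustrate the symptom in this thread (a client pointed straight at 1.1.1.1/1.0.0.1) and the healthy DHCP-assigned case; the field layout assumed is the usual dotted-leader format, and the regexes are my own.

```python
"""Flag Windows adapters whose DNS servers bypass the gateway (e.g. pfSense).

Added example; not part of the forum thread. Reads `ipconfig /all`-style text.
"""
import re
import sys

# Constructed sample resembling `ipconfig /all` output; not a real capture.
# Mirrors the thread's symptom: gateway is pfSense, DNS goes straight to Cloudflare.
SAMPLE_STATIC_DNS = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : desktop-example

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : home.arpa
   IPv4 Address. . . . . . . . . . . : 192.168.1.50(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 1.1.1.1
                                       1.0.0.1

Wireless LAN adapter Wi-Fi:

   Media State . . . . . . . . . . . : Media disconnected
"""

# Constructed healthy case: everything handed out by DHCP points at pfSense.
SAMPLE_DHCP_DEFAULT = """\
Ethernet adapter Ethernet:

   IPv4 Address. . . . . . . . . . . : 192.168.1.50(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
"""

ADAPTER_RE = re.compile(r"^(\S.*):\s*$")                      # "Ethernet adapter Ethernet:"
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 -]*?)[ .]+:\s*(.*)$")  # "Key . . . : value"
CONT_RE = re.compile(r"^\s{10,}(\S.*)$")                      # extra values on following lines


def _clean(value):
    return value.replace("(Preferred)", "").strip()


def parse_ipconfig(text):
    """Return {adapter name: {field: [values...]}} for each adapter section."""
    adapters, current, last_key = {}, None, None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = m.group(1)
            adapters[current] = {}
            last_key = None
            continue
        if current is None:  # lines before the first adapter (host-wide info)
            continue
        m = FIELD_RE.match(line)
        if m:
            last_key = m.group(1).strip()
            value = _clean(m.group(2))
            adapters[current].setdefault(last_key, [])
            if value:
                adapters[current][last_key].append(value)
            continue
        m = CONT_RE.match(line)
        if m and last_key:
            adapters[current][last_key].append(_clean(m.group(1)))
    return adapters


def find_dns_mismatches(text):
    """Adapters whose DNS servers are not the default gateway -> {name: [servers]}."""
    findings = {}
    for name, fields in parse_ipconfig(text).items():
        gateways = set(fields.get("Default Gateway", []))
        if not gateways:
            continue  # disconnected or gateway-less adapter; nothing to compare
        wrong = [d for d in fields.get("DNS Servers", []) if d not in gateways]
        if wrong:
            findings[name] = wrong
    return findings


if __name__ == "__main__":
    # Pipe real output in:  ipconfig /all | python this_script.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATIC_DNS
    for adapter, servers in find_dns_mismatches(text).items():
        print(f"{adapter}: DNS {', '.join(servers)} bypasses the gateway")
```

On the thread's actual root cause (DNS servers entered under Services / DHCP Server / LAN) the report would list every DHCP client, because the lease itself carries the wrong servers; a single flagged machine points instead at a static setting on that device.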
Ok, I figured out the problem.
I had set DNS servers in Services / DHCP Server / LAN.
Once I removed these and restarted the services, the normal DNS settings took priority again and I get a yes for TLS on 1.1.1.1/help.
Thanks for your replies @Gertjan
-
@1-21gigawatts greetings, I am having the same problem, could you please be a little more specific about the change you made to system to be able to verify if it works for me.
Thanks kindly
Coyote -
@coyote1abe said in DNS over TLS Not Working?:
could you please be a little more specific about the change you made to system
Somewhere in the past, he changed the IP settings of his device ( a Windows PC ) from the default DHCP settings to a static setting.
Like this: [screenshot]
which means this Windows device doesn't use pfSense at all for DNS ... because he asked 1.2.3.4 to be used.
He has undone that, and now all is well.