2.4.4_1: DNS over TLS (Cloudflare) and IPv6 [SOLVED]
-
I've got DNS over TLS using Cloudflare IPv4 servers (1.1.1.1 and 1.0.0.1) in pfSense. Since I'm now starting to use IPv6, I assume I need to add their IPv6 servers (2606:4700:4700::1111 and 2606:4700:4700::1001). pfSense won't allow me to add those IPv6 servers under System > General Setup > DNS Server Settings > DNS Servers. Where and how do I do that? Do I follow Step 2 of this pre-2.4.4 article:
https://www.netgate.com/blog/dns-over-tls-with-pfsense.html
and put them under Services > DNS Resolver > General Settings > Custom Options?
-
@beremonavabi said in 2.4.4_1: DNS over TLS (Cloudflare) and IPv6:
pfSense won't allow me to add those IPv6 servers under System > General Setup > DNS Server Settings > DNS Servers.
What do you mean it won't allow you to add them there? I just tried on a test box here and it worked fine. What is the exact error message you receive?
Maybe you have chosen an IPv4 gateway alongside the IPv6 address, and it rejected the mismatched address family?
-
@jimp said in 2.4.4_1: DNS over TLS (Cloudflare) and IPv6:
@beremonavabi said in 2.4.4_1: DNS over TLS (Cloudflare) and IPv6:
pfSense won't allow me to add those IPv6 servers under System > General Setup > DNS Server Settings > DNS Servers.
What do you mean it won't allow you to add them there? I just tried on a test box here and it worked fine. What is the exact error message you receive?
Maybe you have chosen an IPv4 gateway alongside the IPv6 address, and it rejected the mismatched address family?
Thanks again, jimp. That's exactly what I'd tried doing. This time around, I opened the dropdown for the Gateway and used the actual IPv6 gateways instead of the IPv4 ones. Of course, it works now.
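Editor's note, added to this thread and not part of any poster's words, pfSense, or Unbound: the failure above is a gateway/server address-family mismatch, and the Step 2 alternative the original post asks about is a hand-written Unbound forward-zone in Custom Options. The constructed example below does both: it rejects an IPv6 resolver paired with an IPv4 gateway (the check pfSense performs), and it renders a DoT forward-zone for the four Cloudflare addresses. The gateway addresses (192.0.2.1, 2001:db8::1) are documentation-range placeholders, the CA bundle path /etc/ssl/cert.pem is assumed, and the `address@853#hostname` forward-addr form with `tls-cert-bundle` is the syntax of recent Unbound releases (it makes Unbound verify the Cloudflare certificate rather than only encrypt the session; without a bundle, a DoT upstream is encrypted but not authenticated).

```python
"""Address-family check plus Unbound DoT forward-zone generator.

Constructed example for this thread; not pfSense or Unbound code.
"""
import ipaddress
from dataclasses import dataclass

DOT_PORT = 853  # DNS over TLS, RFC 7858


@dataclass(frozen=True)
class Upstream:
    address: str    # resolver IP, v4 or v6
    gateway: str    # pfSense gateway chosen for this server; "" = none selected
    auth_name: str  # hostname expected in the resolver's TLS certificate


def check_family(up: Upstream) -> str:
    """Return "" when the server and its gateway share an address family,
    otherwise a message of the kind pfSense raises for a mismatched pair."""
    ip = ipaddress.ip_address(up.address)
    if not up.gateway:
        return ""
    gw = ipaddress.ip_address(up.gateway)
    if ip.version != gw.version:
        return (f"DNS server {up.address} is IPv{ip.version} but gateway "
                f"{up.gateway} is IPv{gw.version}; choose an IPv{ip.version} gateway")
    return ""


def forward_addr(up: Upstream) -> str:
    """One forward-addr line: address@853#authname (Unbound verifies the cert name)."""
    ip = ipaddress.ip_address(up.address)
    return f"{ip.compressed}@{DOT_PORT}#{up.auth_name}"


def render_forward_zone(upstreams, cert_bundle="/etc/ssl/cert.pem") -> str:
    """Render the Custom Options block; raise ValueError on any family mismatch.
    cert_bundle is an assumed path; it must point at a real CA bundle on the box."""
    problems = [p for p in (check_family(u) for u in upstreams) if p]
    if problems:
        raise ValueError("; ".join(problems))
    lines = [
        "server:",
        f'  tls-cert-bundle: "{cert_bundle}"',
        "forward-zone:",
        '  name: "."',
        "  forward-tls-upstream: yes",
    ]
    lines += [f"  forward-addr: {forward_addr(u)}" for u in upstreams]
    return "\n".join(lines) + "\n"


# Constructed gateways (documentation ranges); Cloudflare addresses are real.
CLOUDFLARE = [
    Upstream("1.1.1.1", "192.0.2.1", "cloudflare-dns.com"),
    Upstream("1.0.0.1", "192.0.2.1", "cloudflare-dns.com"),
    Upstream("2606:4700:4700::1111", "2001:db8::1", "cloudflare-dns.com"),
    Upstream("2606:4700:4700::1001", "2001:db8::1", "cloudflare-dns.com"),
]

# The mistake from the thread: IPv6 resolver with the IPv4 gateway selected.
MISMATCHED = Upstream("2606:4700:4700::1111", "192.0.2.1", "cloudflare-dns.com")

if __name__ == "__main__":
    print(check_family(MISMATCHED))
    print(render_forward_zone(CLOUDFLARE))
```

Paste the rendered block into Services > DNS Resolver > General Settings > Custom Options only on a release where the GUI has no "Use SSL/TLS for outgoing DNS Queries" option; on 2.4.4 and later the checkbox generates the equivalent configuration.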
-
I'd hold off on enabling TLS to Cloudflare until the next release of pfSense. There's a memory leak in the included version of Unbound that will result in Unbound taking up all available memory in pfSense and crashing if you enable TLS.
See here
Here's a graph of memory usage on my pfSense box with TLS enabled in Unbound. See those spikes in memory and the subsequent swap being used? Yeah, that's what you can expect. All that swapping going on will kill an SD card fast.
-
@imcdona I have replied to your separate post: https://forum.netgate.com/topic/138347/warning-don-t-enable-tls-to-upstream-dns-servers-in-pfsense-2-4-4
You are posting this comment in a thread discussing an update to 2.4.4, i.e. 2.4.4-p1 (released today), that includes an updated Unbound (1.8.1) that appears to have fixes for memory leaks. Perhaps you could try it and see if it fixes your issue?
-
@gsiemon My bad. I saw Unbound TLS and jumped the gun.