Netgate Discussion Forum
    DNS Redirect Failure
    • johnpoz (LAYER 8 Global Moderator)

      @gwaitsi said in DNS Redirect Failure:

      Enable DNSSEC Support = checked

      If you're going to FORWARD then dnssec being enabled is utterly POINTLESS and just adds queries that mean nothing.

      "Query Name Minimization Enabled"

      Why do you have that enabled - that can cause you problems depending on what you're looking for.. I will attempt to duplicate listening on SSL because it has nothing to do with a normal query to 53 being redirected.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

      • 4o4rh @johnpoz

        @johnpoz I think you're mixing me up with james.
        i don't have query name minimization enabled.
        if i disable "DNS Query Forwarding", although i see DNS entries cached under DNS Resolver, i see 53 traffic going over the WAN interface.
        if i enable "DNS Query Forwarding", i don't see any 53 traffic over the wan, but lots of 853

        • Grimson (Banned) @4o4rh

          @gwaitsi said in DNS Redirect Failure:

          if i disable "DNS Query Forwarding", although i see DNS entries cached under DNS Resolver, i see 53 traffic going over the WAN interface.

          Yeah, of course. Without forwarding the resolver is doing its job by asking the appropriate DNS servers for their information. That's how a resolver works:
          https://forum.netgate.com/topic/117972/difference-between-dns-resolver-and-dns-forwarder/12

          • johnpoz (LAYER 8 Global Moderator)

            No, I was talking to the OP.. for that..

            My guess as to why you have an issue with redirection and use of the tls listener is prob
            "Activating this option disables automatic interface response routing behavior, thus it works best with specific interface bindings."

            Again - there really is ZERO reason to enable tls on your local secure network anyway... Do you feel there is someone sniffing your dns queries to pfsense and altering them or knowing where your going -- Really??


            • jamestford

              @johnpoz

              Totally agree with you on the applicability of this for internal use. The real reason we wanted to enable this is for testing purposes: this is for an internal security test lab used for students to play around with settings and scenarios so they can see the difference between traffic captures. We may try to enable it again and specify the lab interface to see if that makes a difference. But I'm pretty happy that the resolver with redirection and DNSSEC is working as intended, so that's the main issue successfully tackled.

              • 4o4rh @johnpoz

                @johnpoz i think we are talking cross wires man.

                • local LAN allows 53 queries and should trap DHCP bypasses e.g. Galaxy S8 seems hard coded with 8.8.8.8 (i want pfsense to be the sole source of DNS locally; 53 is ok)
                • DNS should be blocked from the WAN
                • pfsense should connect to DNSSEC servers for queries (if not cached locally).
                • DNSSEC requests should be directed over the VPN

                all those conditions are met, so long as the DNS queries are forwarded to the DNSSEC servers in the general tab. Ideally, i would like to have what you are suggesting, but the DNS Resolver should have a TLS connection to a DNSSEC server.

                • Grimson (Banned) @4o4rh

                  @gwaitsi said in DNS Redirect Failure:

                  all those conditions are met, so long as the DNS queries are forwarded to the DNSSEC servers in the general tab. Ideally, i would like to have what you are suggesting, but the DNS Resolver should have a TLS connection to a DNSSEC server.

                  DNS over TLS is not DNSSEC, those are completely different things. DNSSEC is only really useful if you are resolving instead of forwarding. Inform yourself.

                  • 4o4rh @Grimson

                    @grimson I am connecting to DNSSEC servers Quad9 and Cloudflare with "Use SSL/TLS for outgoing DNS Queries to Forwarding Servers" and therefore doing both.

                    Only, without forwarding the connection, dns requests simply pass through the WAN. Didn't see your earlier post with the link. Forwarding, in my case, is therefore the desired option.

                    • Grimson (Banned) @4o4rh

                      @gwaitsi said in DNS Redirect Failure:

                      I am connecting to DNSSEC servers Quad9 and Cloudflare with "Use SSL/TLS for outgoing DNS Queries to Forwarding Servers" and therefore doing both. Only, without forwarding the connection, dns requests simply pass through the WAN.

                      Then remove WAN from the "Outgoing Network Interfaces" section of the resolver settings if you don't want DNS to go through your WAN. DNSSEC with forwarding is pointless, as the servers you forward to can manipulate all the data and you have to utterly trust them.

                      • 4o4rh @Grimson

                        @grimson problem there is, i need DNS on the WAN as well.

                        1. I need DNS on the WAN to establish VPNs both from pfsense and from
                          clients that have their own VPNs and go out via the WAN
                        2. China and this forum for example don't allow connections from my VPN provider
                        • Grimson (Banned) @4o4rh

                          @gwaitsi said in DNS Redirect Failure:

                          @grimson problem there is, i need DNS on the WAN as well.

                          1. I need DNS on the WAN to establish VPNs both from pfsense and from
                            clients that have their own VPNs and go out via the WAN

                          You only need the initial connection to at least one VPN from pfSense, from there on the resolver can do its job no matter how the rest of the traffic is then routed. For this initial connection you can use IPs instead of domain names.

                          If your VPN provider forces you to use domain names you can go to the general settings, tick "Disable DNS Forwarder" and add one or two DNS servers. Then pfSense will use these DNS servers by itself while clients can still be forced to use the resolver, you also might have to manually specify the resolver as DNS in the DHCP server settings in that case.

                          • johnpoz (LAYER 8 Global Moderator)

                            @gwaitsi said in DNS Redirect Failure:

                            Enable DNSSEC Support = checked

                            No we are not crossing anything... You do not seem to grasp basic concepts here on what dnssec is... If you are going to "forward" then dnssec means NOTHING!!! Only the resolver does dnssec... If you forward to a resolver that does dnssec then you're good already and they are doing dnssec for you.

                            As to

                            DNS should be blocked from the WAN

                            Dude out of the box EVERYTHING is BLOCKed into the wan..


                            • 4o4rh

                              after all this discussion.....i am back to forwarding mode, for the below reason.
                              https://forum.netgate.com/topic/137628/solved-weird-dns-problem/5

                              • jamestford

                                Wanted to get some feedback on DNS privacy from the group. I've gone back and forth on this issue several times and it seems that there is no perfect solution. Either you run your own recursive resolver with QNAME minimisation or you forward to an external resolver via TLS over DNS. I've never been a fan of passing the security buck on to someone else, which is exactly what you're doing when you forward via TLS to Cloudflare or others: you are trusting they are not using your data for nefarious purposes, and maybe they aren't .... today. But that leaves running your own resolver, which still poses privacy issues for the ISP or others inline who can sniff the traffic. Some of this is mitigated with QNAME minimisation, but the last query from the resolver to the authoritative server will have the full query.

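The trade-off jamestford lays out above (forward over TLS and trust the upstream, or resolve yourself and expose names to anyone on the WAN path, with QNAME minimisation only narrowing what each authoritative server sees) can be made concrete with a small model. This is an added illustration, not code from the thread, pfSense or unbound; the delegation tree and the on-path "isp" observer are constructed assumptions.

```python
"""Which parties learn a queried name under the three setups debated in this
thread: forward over TLS, resolve, resolve with QNAME minimisation.
Added illustration, not pfSense or unbound code; the zone layout is constructed."""

# Constructed delegation tree: zones that have their own authoritative servers.
ZONE_CUTS = {".", "com.", "example.com."}
FORWARDER = "9.9.9.9@853"  # Quad9 DNS-over-TLS endpoint, as used in the thread
MODES = ("forward-tls", "resolve-plain", "resolve-minimised")


def _ancestors(name):
    """'www.example.com.' -> ['.', 'com.', 'example.com.', 'www.example.com.']"""
    labels = name.rstrip(".").split(".")
    return ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


def queries_resolving(name, minimise, zone_cuts=ZONE_CUTS):
    """(server_zone, qname) pairs an iterative resolver sends for `name`.
    Plain: the full name goes to every server on the referral chain.
    Minimised (RFC 9156 style): one label is added per query, so each
    server only sees the part of the name it is responsible for."""
    out, zone = [], "."
    for qname in _ancestors(name)[1:]:
        if minimise:
            out.append((zone, qname))
        elif qname in zone_cuts or qname == name:
            out.append((zone, name))
        if qname in zone_cuts:
            zone = qname  # referral: the next query goes to the child zone
    if name in zone_cuts:  # name is a zone apex: one more query to its own servers
        out.append((name, name))
    return out


def queries_forwarding(name, upstream=FORWARDER):
    """A forwarder sends the full name to one upstream, here inside TLS."""
    return [(upstream, name)]


def who_learns_full_name(name, mode):
    """Parties that see the complete qname. 'isp' is an on-path observer of the
    WAN: it reads cleartext port-53 queries but not the DoT session's payload."""
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}")
    if mode == "forward-tls":
        return {upstream for upstream, _ in queries_forwarding(name)}
    minimise = mode == "resolve-minimised"
    seen = {zone for zone, q in queries_resolving(name, minimise) if q == name}
    return seen | {"isp"}
```

Run `who_learns_full_name("www.example.com.", m)` for each mode to see that minimisation removes the root and TLD servers from the list but never the on-path observer, while forwarding over TLS hides the name from the path and hands it whole to the forwarder.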