DNS Resolver - SSL Handshake Fail/Server Cert Fail
-
I tried setup-dns-over-tls and the instructions in that post worked right away (DNSSEC should be disabled of course, as it makes no sense to use DNSSEC when forwarding).
The test as mentioned:
I could resolve just fine ....
Several observations:
DNS Gateway should be None, I guess:
You have something different.
Also: verify that you have "Verify that you selected ALL network interfaces." selected. I did.
Your log states, as you highlighted:
Thus, your certs failed verification.
I tried 'real' certs from Let's Encrypt, and the auto-created "Web" cert from pfSense: both were accepted.
Your pfSense system time is OK?
-
Thanks for the feedback.
None of that seemed to help though... :-(
Here is what I just tried:
Changed my Gateway for both DNS Servers under settings from "WAN gateway" to "None".
Changed my interfaces to "ALL" on the "Network interfaces" and "Outbound Interfaces".
Not sure how to make sure my certificates are in the right location on my system.
I tried using my other Cert but no luck.
My results while I had "853" enabled
My Results after disabling it
Also, I verified my time is correct.
Compared it to time.gov.
Now, I didn't do a full reset after I enabled "SSL", I'll have to try that later, but I'm pretty sure I've already done that too.
-
Are you sure about DNSSEC?
@jimp said in Setup DNS over TLS on pfSense 2.4.4 p2 - Guide:
DNSSEC is for validating authenticity (prevent spoofing, hijacked authoritative nameservers, etc).
DNS over TLS is for encrypting transport (privacy).
They do different things and both are useful, especially together, for increased security and privacy.
There is no reason you can't run both, unless whatever you are forwarding to does not support one or the other.
-
@CiscoX said in DNS Resolver - SSL Handshake Fail/Server Cert Fail:
Are you sure about DNSSEC?
Yep, because you (have to) trust the server you forward to.
See the discussion, the last 20 messages or so at the bottom of that guide.
It might probably work with DNSSEC activated.
But, hey, we're looking here at why things are not working for @ryan810cows, so I tend to stick with the guide and take all the other stuff out of the equation.
-
Where did you get those host names for Quad9 on the General tab?
-
I just made up the host names for Quad9.
I thought that was just for organizational purposes.
MAYBE that's it!!!
I'll try it in a little while and report back!
-
Does Quad9 support DNS over TLS?
We do support DNS over TLS on port 853 (the standard) using an auth name of dns.quad9.net.
https://www.quad9.net/faq/
-
Interesting. I just read that too.
Does that mean I need to put "dns.quad9.net" in both of the Host Names in the General settings or just leave them blank?
-
That is how mine is configured.
-
OMG.. That was it! I'm SOO happy that worked!!
THANK YOU SOO SOO MUCH!! The community support here ROCKS!
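The host-name field that fixed this thread is the TLS authentication name the resolver checks the upstream certificate against. The fragment below is an added illustration, not configuration from the thread or from pfSense itself; it assumes that the pfSense DNS Resolver is Unbound (so the GUI fields end up as Unbound's `forward-addr` directives, with the host name after `#`) and that the CA bundle path shown is where your system keeps it:

```conf
# Unbound forward-zone equivalent of the pfSense DNS Resolver settings discussed
# in the thread. pfSense writes its own unbound.conf from the GUI, so treat the
# directive names as Unbound's, not as anything you type into pfSense.
server:
    # CA bundle used to verify the upstream server certificate.
    # Path is an assumption: point it at the bundle your system actually ships.
    tls-cert-bundle: "/etc/ssl/cert.pem"

forward-zone:
    name: "."
    forward-tls-upstream: yes

    # BROKEN (what the original poster had): a made-up host name after '#'.
    # Unbound compares that name against the certificate's subject alternative
    # names, finds no match, and logs the SSL handshake / server cert failure
    # seen above, so nothing resolves. The names here are constructed placeholders.
    # forward-addr: 9.9.9.9@853#quad9-primary.example
    # forward-addr: 149.112.112.112@853#quad9-secondary.example

    # FIXED: use the auth name Quad9 publishes for its port 853 service,
    # which is what the "Host Name" field in pfSense General Setup must contain.
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
```

The same mismatch shows up for any DoT upstream: the name after `#` has to be one the provider's certificate is actually issued for, not a label chosen for organizational purposes.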