    Non-TLS DNS Leaks when PFsense looks up host alias(es)

    DHCP and DNS
      A Former User
      last edited by A Former User

      This post is deleted!
        Derelict LAYER 8 Netgate
        last edited by Derelict

        Set the firewall to use the local DNS resolver and delete all of those.

        With the new default gateway settings you should not need those multi-wan DNS servers any longer.

        You will probably need to manually set forwarding using custom options though, thinking about it. I'll look at it but it might be tomorrow.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          Derelict LAYER 8 Netgate @A Former User
          last edited by Derelict

          @Kirin Try this:

          Screen Shot 2019-10-26 at 3.36.51 PM.png

          And this:

          Screen Shot 2019-10-26 at 3.35.37 PM.png

          And this in custom options in the DNS resolver:

          server:
          # Forwarding
          forward-zone:
              name: "."
              forward-tls-upstream: yes
              forward-addr: 9.9.9.9@853#dns9.quad9.net
              forward-addr: 149.112.112.9@853#dns9.quad9.net
              forward-addr: 1.0.0.1@853#one.one.one.one
              forward-addr: 1.1.1.1@853#one.one.one.one

            A Former User
            last edited by

            This post is deleted!
              johnpoz LAYER 8 Global Moderator
              last edited by johnpoz

              You understand such a setup is not good, right... You are forwarding to 2 different types here: Quad9 filters, while 1.1.1.1 does not.. This is a borked setup..

              What do you want - filtering or not? Since you are not going to be sure which one gives you an answer.. So you may be filtered when you don't want to be, or not filtered when you want to be..

              And now that is cached, and the next guy asking maybe gets the wrong sort of answer as well. You cannot point to NS that resolve differently or you will have problems.. If you're going to forward to multiple NS, they need to resolve the same way.. filtered or not filtered - you cannot mix them without just having a mess.

              Even picking 2 filtering providers is going to be problematic. Since you have different filtering lists, where site X might be filtered on 1, and not on the other... So sometimes it resolves, sometimes it doesn't.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                bcruze
                last edited by bcruze

                Your DNS TLS hostname verification servers appear to be wrong for Quad9,

                dns.quad9.net

                  A Former User
                  last edited by

                  This post is deleted!
                    johnpoz LAYER 8 Global Moderator
                    last edited by johnpoz

                    @Kirin said in Non-TLS DNS Leaks when PFsense looks up host alias(es):

                    when you have a DNS server under General Setup it gets added to resolv.conf

                    Well Duh ;) Not sure why this was even a question then? No shit if you tell the OS to use NS X, that it could use NS X ;)

                    Why didn't you just ask that, how do I have unbound forward to NS that Pfsense will not use for its own use..


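An added audit script (example code, not from this thread, pfSense or Unbound) that checks the forward-zone Derelict posted for the two problems raised in the replies: johnpoz's point that upstreams from providers with different filtering policies should not be mixed, and the point just above that a DNS server entered under General Setup lands in resolv.conf, so the firewall's own lookups go to it over plain port 53 no matter what Unbound forwards over TLS. The resolv.conf contents and the address 203.0.113.53 are constructed samples.

```python
import re
# Matches "forward-addr: 9.9.9.9@853#dns9.quad9.net"; port and auth name are optional.
FORWARD_ADDR_RE = re.compile(r"^\s*forward-addr:\s*(?P<ip>[0-9a-fA-F.:]+)"
                             r"(?:@(?P<port>\d+))?(?:#(?P<auth>\S+))?\s*$")
TLS_UPSTREAM_RE = re.compile(r"^\s*forward-tls-upstream:\s*yes\s*$", re.I)

# Unbound custom options as posted in the thread (indentation normalised).
UNBOUND_CONF = """\
server:
# Forwarding
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns9.quad9.net
    forward-addr: 149.112.112.9@853#dns9.quad9.net
    forward-addr: 1.0.0.1@853#one.one.one.one
    forward-addr: 1.1.1.1@853#one.one.one.one
"""
# Constructed resolv.conf: local Unbound plus a server entered under General Setup.
RESOLV_CONF = "nameserver 127.0.0.1\nnameserver 203.0.113.53\n"

def parse_forward_addrs(conf):
    """One dict per forward-addr line: ip, port (Unbound default 53), TLS auth name."""
    addrs = []
    for line in conf.splitlines():
        m = FORWARD_ADDR_RE.match(line)
        if m:
            addrs.append({"ip": m["ip"], "auth": m["auth"],
                          "port": int(m["port"]) if m["port"] else 53})
    return addrs

def audit_unbound(conf):
    """Findings: upstreams not using TLS with an auth name, and mixed providers."""
    tls = any(TLS_UPSTREAM_RE.match(line) for line in conf.splitlines())
    addrs = parse_forward_addrs(conf)
    findings = [f"plaintext or unverified upstream {a['ip']}" for a in addrs
                if not tls or a["port"] != 853 or not a["auth"]]
    # Group by the last two labels of the auth name (quad9.net vs one.one): providers
    # with different filtering policies answer differently, so mixing them is a mess.
    providers = sorted({".".join(a["auth"].rstrip(".").split(".")[-2:])
                        for a in addrs if a["auth"]})
    if len(providers) > 1:
        findings.append("mixed providers: " + ", ".join(providers))
    return findings

def audit_resolv_conf(resolv):
    """Nameservers the firewall itself uses that bypass local Unbound (plain port 53)."""
    return [f"firewall queries {p[1]} directly over port 53"
            for p in (line.split() for line in resolv.splitlines())
            if len(p) >= 2 and p[0] == "nameserver" and p[1] not in ("127.0.0.1", "::1")]
```

Run `audit_unbound(UNBOUND_CONF)` and `audit_resolv_conf(RESOLV_CONF)` to get the findings for the posted config and the sample resolv.conf; on a real box, feed it the custom options box and /etc/resolv.conf.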
                      A Former User @johnpoz
                      last edited by A Former User

                      This post is deleted!
                        Derelict LAYER 8 Netgate
                        last edited by

                        It is also pretty useless to use DNSSEC when forwarding. Since you don't get signature information all the way from the roots, you are blindly trusting whatever the forwarding server gives you.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.