    configuring DNS over TLS in pfSense 2.4.5 -- are these steps right?

imthenachoman @A Former User

      @jwj I do not disagree with you. I wasn't enabling it for privacy reasons. This was an educational experience for me. Networking is my weakest subject and this seemed like an easy thing to play with to learn. I will probably undo it later. I just want to make sure what I did does what I expect/want to make sure my understanding is right.

Raffi_

        I agree with the others, but I can also understand going through the setup for the purpose of learning so I won't go further trying to convince you not to set that up. Are you having any specific issue with the setup you outlined?

A Former User @imthenachoman

          @imthenachoman It's all good. Fun educational activities could include WPA-Enterprise and Radius on your pfsense box. A test network and the IDS/IPS of your liking. Segregating your traffic by access profile, setting up the VLANS and firewall rules. There is always something interesting to learn.

imthenachoman @A Former User

            @Raffi_ No. It seems to be working but just cause it appears working doesn't mean it is doing what I expect/want it to. Hence why I wanted to check with others to confirm if the steps I have are complete/accurate for the purpose.

            @jwj Oh I've got a laundry list of things to do next. pfBlockerNG is first I think. Then IDS/IDP. The other stuff I will have to wait until I get my Unifi APs (waiting for the Wifi 6 ones).

            Thanks all!

A Former User @imthenachoman

              @imthenachoman Nice! Do be careful with IDS/IPS. Not on your primary network. For a home network IDS/IPS is a quick path to frustration and not a solution to any home network security needs (everything, almost, is SSL/TLS so the IDS/IPS is blind to the traffic).

Raffi_ @imthenachoman

                @imthenachoman said in configuring DNS over TLS in pfSense 2.4.5 -- are these steps right?:

                @Raffi_ No. It seems to be working but just cause it appears working doesn't mean it is doing what I expect/want it to. Hence why I wanted to check with others to confirm if the steps I have are complete/accurate for the purpose.

                You can go to Diagnostics > Packet Capture and run a capture on the LAN. You should see your clients going to pfSense on port 53. Then you can run a capture on WAN and check that pfSense is going out on 853 for queries.

                Edit,
If you haven't already, install Wireshark to look into those capture files.

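The capture check described above, done offline as an added example (not code from the original thread and not part of pfSense): a small classic-pcap parser that classifies IPv4 TCP/UDP packets into DNS over TLS (853/tcp), plaintext DNS to the local resolver (53 to the pfSense LAN address) and plaintext DNS to anything else. The two captures it reads are constructed inline from RFC 1918 and RFC 5737 addresses so the script runs without a network; on a real box you would feed it the file downloaded from Diagnostics > Packet Capture instead. Plaintext DNS flagged on a LAN capture is a client bypassing the resolver; on a WAN capture it is pfSense itself sending cleartext queries, which you then have to account for.

```python
"""Offline check of a pfSense packet capture for DNS on 53 vs DNS over TLS on 853.

Added example; not code from the original thread. It builds two tiny
constructed pcap files inline (a LAN-side and a WAN-side capture) so it runs
without a network, then classifies every IPv4 TCP/UDP packet the way you would
eyeball a Wireshark 'udp.port == 53 || tcp.port == 853' filter.
"""
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4   # classic pcap written little-endian (what tcpdump -w produces on x86)
PCAP_MAGIC_BE = 0xD4C3B2A1   # the same magic seen when a big-endian file is read little-endian
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def _ip(dotted):
    return bytes(int(o) for o in dotted.split("."))


def build_frame(src_ip, dst_ip, proto, sport, dport):
    """Minimal Ethernet/IPv4/{TCP,UDP} frame with no payload (constructed sample data).
    Checksums are left zero; the parser below never validates them."""
    if proto == PROTO_TCP:
        # sport, dport, seq, ack, data offset (5 words), flags (SYN), window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     _ip(src_ip), _ip(dst_ip))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + l4


def build_pcap(frames):
    """Wrap frames in a classic (non-pcapng) pcap container, the format tcpdump -w writes."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


def parse_frame(frame):
    """Return (proto, src, dst, sport, dport) for an IPv4 TCP/UDP frame, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes (options included)
    l4 = 14 + ihl
    if len(frame) < l4 + 4:
        return None
    proto = frame[14 + 9]
    if proto not in (PROTO_TCP, PROTO_UDP):
        return None
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    sport, dport = struct.unpack_from("!HH", frame, l4)
    return ("tcp" if proto == PROTO_TCP else "udp", src, dst, sport, dport)


def iter_packets(pcap):
    """Yield parsed packets from a classic pcap byte string."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype, = struct.unpack_from(endian + "I", pcap, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", pcap, off)
        off += 16
        pkt = parse_frame(pcap[off:off + incl_len])
        off += incl_len
        if pkt:
            yield pkt


def audit_dns(pcap, local_resolver=None):
    """Summarise DNS traffic: 853/tcp counts as DoT, destination port 53 as plaintext.
    Plaintext to local_resolver (pfSense's LAN address on a LAN capture) is expected;
    every other plaintext destination is listed so you can decide whether it is a client
    bypassing the resolver (LAN) or pfSense talking to its General Setup DNS servers (WAN)."""
    summary = {"dot_853": 0, "plain_53_to_resolver": 0, "plain_53_elsewhere": []}
    for proto, src, dst, sport, dport in iter_packets(pcap):
        if proto == "tcp" and dport == 853:
            summary["dot_853"] += 1
        elif dport == 53:
            if dst == local_resolver:
                summary["plain_53_to_resolver"] += 1
            else:
                summary["plain_53_elsewhere"].append((src, dst, proto))
    return summary


# Constructed captures (RFC 1918 / RFC 5737 addresses); nothing here was recorded on a real network.
LAN_CAPTURE = build_pcap([
    build_frame("192.168.1.20", "192.168.1.1", PROTO_UDP, 51000, 53),    # client -> pfSense LAN address
    build_frame("192.168.1.30", "8.8.8.8", PROTO_UDP, 51001, 53),         # client bypassing the resolver
    build_frame("192.168.1.20", "198.51.100.10", PROTO_TCP, 51002, 443),  # ordinary HTTPS, ignored
])
WAN_CAPTURE = build_pcap([
    build_frame("203.0.113.5", "9.9.9.9", PROTO_TCP, 40000, 853),         # unbound -> upstream over TLS
    build_frame("203.0.113.5", "9.9.9.9", PROTO_UDP, 40001, 53),          # plaintext query leaving the WAN
])

if __name__ == "__main__":
    print("LAN:", audit_dns(LAN_CAPTURE, local_resolver="192.168.1.1"))
    print("WAN:", audit_dns(WAN_CAPTURE))
```

To use it on a real capture, replace the constructed byte strings with `open("packetcapture.cap", "rb").read()` and pass your actual LAN address; the parser deliberately handles only classic pcap on Ethernet, which is what the pfSense capture page produces.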
A Former User @Raffi_

                  @raffi_ Do remember that pfsense may be hitting your DNS provider (as configured in general settings) on port 53. That's to be expected.

                  If you really, really want to see no port 53 out the WAN you put localhost (127.0.0.1) in the general settings and then configure the DoT in the custom settings for unbound by hand. Just saying you can do that. Don't do that... ;)

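The by-hand variant mentioned above (General Setup pointed at 127.0.0.1, DoT written into the DNS Resolver's Custom options instead of ticked in the GUI), as an added example that is not from the original post and not pfSense's generated configuration. It assumes unbound 1.7 or newer, which pfSense 2.4.5 ships, that /etc/ssl/cert.pem is the CA bundle on the box (an assumption), and uses Quad9's public resolver as the upstream purely for illustration. The security point is the difference between the two fragments: forward-tls-upstream alone only encrypts the session, while the #authname suffix plus tls-cert-bundle is what makes unbound verify the upstream's certificate, so without them a man-in-the-middle on port 853 goes unnoticed.

```unbound
# Fragment A, weak: encrypted but unauthenticated. No CA bundle and no auth
# name, so unbound accepts whatever certificate the far end presents.
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 9.9.9.9@853

# Fragment B, corrected: encrypted and authenticated against the resolver's
# hostname. Paste only one of the two fragments into Custom options.
server:
  tls-cert-bundle: "/etc/ssl/cert.pem"        # assumption: CA bundle path on pfSense
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 9.9.9.9@853#dns.quad9.net     # IP@port#name unbound checks the cert against
  forward-addr: 149.112.112.112@853#dns.quad9.net
```

Leave the Resolver's forwarding mode and DoT boxes unchecked when doing this, so the GUI does not generate its own forward-zone for "." next to yours, and check the result with unbound-checkconf before saving. As the poster says, the GUI checkbox is the supported way; this is only useful for seeing what the GUI writes on your behalf.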
imthenachoman

                    @jwj I only have one home/primary network. I don't need IDS/IDP but getting my hands dirty is the only way I will learn. Plus, I take backups before I muck with anything so I can restore if I really muck it up.

                    @Raffi_ Thanks!

johnpoz LAYER 8 Global Moderator @imthenachoman

                      @imthenachoman said in configuring DNS over TLS in pfSense 2.4.5 -- are these steps right?:

                      This was an educational experience for me

                      All for that - might want to start with firewall rule order ;) heheheh

                      Your rules as stated wouldn't even allow clients to query pfsense for dns let alone anything else, since your block rules are above your allow.

                      Since you have them marked as quick - take it those are floating rules. Are they on the inbound direction or the outbound. If outbound they are pointless..

                      Advice - if you want help post up picture of your rules, and the interface they are on..

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

imthenachoman @johnpoz

                        @johnpoz said in configuring DNS over TLS in pfSense 2.4.5 -- are these steps right?:

                        All for that - might want to start with firewall rule order ;) heheheh

                        The rule order is right. My thought was that rules would be added to the top of pfSense starting with the top of the table -- top down. So the first rule added would become the bottom rule. I should have worded it better.

                        Advice - if you want help post up picture of your rules, and the interface they are on..

                        I learned what I wanted from the DoT rules so I reverted back to no DoT. I've moved on to my next issue. :) Right now I am trying to figure out why I'm having speed issues. pfSense WAN out is getting full speed, LAN client to pfSense is getting full speed, but LAN to WAN out is getting about half. I might just do a reset this weekend. Let's see.

johnpoz LAYER 8 Global Moderator @imthenachoman

                          @imthenachoman said in configuring DNS over TLS in pfSense 2.4.5 -- are these steps right?:

                          The rule order is right.

                          No it is NOT.. Not how you posted them...

                          The 2nd rule block any and all dns.. How would I get past that rule to query the lan address for 53..

                          So the first rule added would become the bottom rule.

                          Dude - come on.. really? That makes no sense at all, nobody would think like that.. This is why when you want help with firewall rules.. Post the rules, not how you want them, not how you say they are.. The actual rules you put in...

                          There have been many a post where user says the rules are any any, but ping isn't working, etc.. Well that is because their rule is tcp only not any any.. But they were SURE it was a bug in pfsense because the rules were any any, etc..

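The disagreement above is about evaluation order, so here is the rule set as the thread describes it, evaluated both ways. This is an added example, not code from the thread and not pfSense's own filter; the four rules are a hypothetical reconstruction (an allow to the LAN address on 53, a block for all other DNS, a block for client DoT on 853, a default allow) and the evaluator models only what matters here: pfSense walks an interface's rules top to bottom, the first match wins, and anything unmatched hits the implicit default deny. With the blocks above the allow, a client's query to the LAN address never reaches the allow rule.

```python
"""First-match evaluation of a LAN rule set, in the two orders discussed above.

Added example; not from the original thread and not pfSense code. The rules
are a hypothetical reconstruction of what the thread describes. Addresses are
RFC 1918 / RFC 5737 sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

LAN_NET = "192.168.1.0/24"
LAN_ADDRESS = "192.168.1.1/32"   # pfSense's own LAN IP, i.e. "LAN address" in the GUI


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    proto: str             # "tcp", "udp", "tcp/udp" or "any"
    src: str               # CIDR, or "any"
    dst: str               # CIDR, or "any"
    dport: Optional[int]   # None means any destination port
    label: str = ""


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def _in(cidr, addr):
    return cidr == "any" or ip_address(addr) in ip_network(cidr, strict=False)


def matches(rule, pkt):
    proto_ok = rule.proto == "any" or pkt.proto in rule.proto.split("/")
    port_ok = rule.dport is None or rule.dport == pkt.dport
    return proto_ok and port_ok and _in(rule.src, pkt.src) and _in(rule.dst, pkt.dst)


def evaluate(rules, pkt):
    """Walk the list top to bottom; first match wins. No match is pfSense's implicit block."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.label
    return "block", "default deny"


ALLOW_DNS_TO_PFSENSE = Rule("pass", "tcp/udp", LAN_NET, LAN_ADDRESS, 53, "allow DNS to LAN address")
BLOCK_OTHER_DNS = Rule("block", "tcp/udp", LAN_NET, "any", 53, "block all other DNS")
BLOCK_DOT = Rule("block", "tcp", LAN_NET, "any", 853, "block client DoT")
ALLOW_REST = Rule("pass", "any", LAN_NET, "any", None, "default allow LAN")

# The order the table in the thread read as: blocks above the allow.
AS_POSTED = [BLOCK_OTHER_DNS, BLOCK_DOT, ALLOW_DNS_TO_PFSENSE, ALLOW_REST]
# The order the poster says he actually has: the allow above the blocks.
INTENDED = [ALLOW_DNS_TO_PFSENSE, BLOCK_OTHER_DNS, BLOCK_DOT, ALLOW_REST]

QUERY_TO_PFSENSE = Packet("udp", "192.168.1.20", "192.168.1.1", 53)
QUERY_TO_GOOGLE = Packet("udp", "192.168.1.20", "8.8.8.8", 53)
DOT_TO_CLOUDFLARE = Packet("tcp", "192.168.1.20", "1.1.1.1", 853)
HTTPS = Packet("tcp", "192.168.1.20", "198.51.100.10", 443)


def verdicts(rules):
    """Verdict per sample packet for one ordering of the rules."""
    return {name: evaluate(rules, pkt)[0] for name, pkt in [
        ("dns to pfsense", QUERY_TO_PFSENSE), ("dns to 8.8.8.8", QUERY_TO_GOOGLE),
        ("dot to 1.1.1.1", DOT_TO_CLOUDFLARE), ("https", HTTPS)]}


if __name__ == "__main__":
    for name, rules in [("as posted", AS_POSTED), ("intended", INTENDED)]:
        print(name, verdicts(rules))
```

This models interface-tab rules and floating rules marked quick, both of which are first-match. Floating rules without quick are last-match, so the same list behaves differently there, which is why the question of where the rules live and in which direction they apply matters as much as their order.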
imthenachoman @johnpoz

                            @johnpoz

The first button in the add rule window is to "add rule to top". If the table had final rule order, then someone who doesn't understand FW rules would add them, top down using the "add rule to top" button. No?

                            In my head that is what I would do/see/understand. If the instructions didn't say "add to top" and instead said "add rules to match the table" then I could understand.

                            In fact, even the Netsense documentation says to add in the order I have -- I just put it into a table.

Raffi_ @imthenachoman

@imthenachoman What you're saying in terms of adding the rules makes sense and if you do it the way you are stating they should be correct. I agree with @johnpoz that the way you initially posted them in that table would lead most pfSense users and especially the veterans to think the order is the reverse of what you want. We see them posted top down and we think they would be placed in your rule list the same way. In future posts I would highly recommend you don't list rules the way you have them in that table to avoid confusion like this. The best thing would be to take a screenshot of the actual rules. If this is a proof of concept and the rules aren't actually created yet, then post them the way they would physically show up in pfSense since that would make sense for the vast majority of us.

                              Thanks,
                              Raffi

imthenachoman @Raffi_

@raffi_ Agreed. The table by itself would be misleading. But the table with the instructions hopefully makes it more clear. Either way, I deleted all the rules so I can't take a SS. I'll see if I can add them back this weekend and take a SS then.

                                Sorry for the confusion all! Wasn't trying to create problems.

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.