Netgate Discussion Forum

    pfsense 2.5 Configuring cloudflare family for DNS over TLS Issue with Encrypted SNI

    DHCP and DNS
    4 Posts 2 Posters 815 Views
    aGeekhere

      Hi, I have followed the guide https://docs.netgate.com/pfsense/en/latest/recipes/dns-over-tls.html for configuring pfSense 2.5 for DNS over TLS using Cloudflare (1.1.1.3). Everything seems to be working except that when I test at https://www.cloudflare.com/en-gb/ssl/encrypted-sni it shows an X for Encrypted SNI.

      Is this an issue? How do I fix it?

      Never Fear, A Geek is Here!

      johnpoz LAYER 8 Global Moderator @aGeekhere

        ESNI, or its replacement ECH (Encrypted Client Hello), is a browser thing. It would have nothing to do with whether the DNS is encrypted over TLS or not.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        aGeekhere @johnpoz

          @johnpoz Ah good, I thought I had misconfigured something.


          johnpoz LAYER 8 Global Moderator @aGeekhere

            You do understand that without ESNI or ECH (ESNI is dead already, really)...

            Just because you hide the DNS from your evil ISP, they still see where you're going via the SNI the browser sends to the HTTPS server it is talking to, at the IP it got from your DNS query that was hidden from the man.

            Without ESNI or ECH, hiding your DNS queries from your ISP is, to be honest, an exercise in futility. Your ISP can really easily see whatever.domain.tld you're going to, along with the IP, and if the IP is not on some CDN serving thousands or hundreds of thousands of sites, it's not difficult to know exactly where you're going, even if using ESNI or ECH.

            But what you do end up doing is handing over everywhere you go to whatever DNS service you're forwarding to, be it encrypted or not.

            Since going to a website is a specific handshake between the client and the server, support for encrypting which site you actually want, via the SNI in the HTTPS handshake, will depend on the server you're going to supporting that. It doesn't matter if you encrypt the DNS query or not.

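To make the point of the last reply concrete, the following is an added example written for this page; it is not code from the thread, from Netgate or from pfSense. It uses Python's ssl module to generate a genuine TLS ClientHello for an assumed hostname (www.example.com) without touching the network, then parses that record the way a passive on-path observer such as an ISP would, reading the destination hostname straight out of the server_name extension (RFC 6066). Whether the IP was resolved over plain UDP/53 or over DoT to 1.1.1.3 makes no difference to what this observer sees.

```python
"""Added example (not from the thread): the hostname in a TLS ClientHello's
SNI extension is plaintext on the wire, regardless of whether the DNS
lookup that preceded the connection was encrypted (DoT/DoH)."""
import ssl
import struct


def client_hello_bytes(hostname: str) -> bytes:
    """Produce a real ClientHello for `hostname` with OpenSSL via memory
    BIOs: the handshake is started and never answered, so no server or
    network is involved and only the client's first flight is captured."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_side=False,
                        server_hostname=hostname)
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello written, OpenSSL now waits for a reply
    return outgoing.read()


def extract_sni(record: bytes):
    """Passive-observer parse of one TLS record. Returns the host_name from
    the server_name extension, or None if the record is not a ClientHello
    or carries no SNI. Only the fields needed to reach the extensions are
    walked; everything is bounds-checked so junk input returns None."""
    # TLS record header: content type (0x16 = handshake), version, length.
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    # Handshake header: msg type (0x01 = ClientHello) + 24-bit length.
    if len(body) < 4 or body[0] != 0x01:
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    try:
        pos = 2 + 32                      # legacy_version + random
        pos += 1 + hello[pos]             # session_id
        pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + hello[pos]             # compression_methods
        ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = min(pos + ext_total, len(hello))
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            ext = hello[pos:pos + ext_len]
            pos += ext_len
            if ext_type != 0x0000:        # 0 = server_name
                continue
            list_len = struct.unpack("!H", ext[:2])[0]
            q, list_end = 2, min(2 + list_len, len(ext))
            while q + 3 <= list_end:
                name_type = ext[q]
                name_len = struct.unpack("!H", ext[q + 1:q + 3])[0]
                q += 3
                if name_type == 0:        # 0 = host_name
                    return ext[q:q + name_len].decode("ascii")
                q += name_len
    except (IndexError, struct.error):
        return None
    return None


if __name__ == "__main__":
    site = "www.example.com"              # assumed destination for the demo
    hello = client_hello_bytes(site)
    print(f"ClientHello is {len(hello)} bytes; hostname visible in the clear:",
          site.encode() in hello)
    print("SNI an on-path observer recovers:", extract_sni(hello))
```

Run it once and compare with the thread: the DNS answer that produced the destination IP may have been hidden from the ISP, but the very next packet the browser sends names the site in plaintext. Only a server that supports ECH (and a browser that fetches its ECH config) removes that name from the outer ClientHello, which is what Cloudflare's test page is checking for; it is not something pfSense's DoT forwarding can change.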
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.