Netgate Discussion Forum
    • gnitingG

      Viewing redirected DNS destinations

      Firewalling dns redirect firewall rules
      1
      0 Votes
      1 Posts
      481 Views
      No one has replied
    • U

      Configuring DNS Server on pfSense 2.6.0

      DHCP and DNS dns bind dns dns bind
      10
      0 Votes
      10 Posts
      4k Views
      U

      Just a quick update on this, over this last weekend, I finally implemented pfSense with the forwarding of DNS/DHCP to one of my Linux systems where I configured the DHCP with static IP assignments, and to my initial shock, I got everything right and everything is "just working".

      Thanks for the information and pointers on how to get this configured.

      Now to figure out how to get the hostnames I have configured in the DHCP static assignments to populate instead of the hostname that the devices are reporting...

    • O

      pfSense, Adguard and haproxy configuration problem

      NAT haproxy adguard dns virtual ip dynamic dns
      1
      0 Votes
      1 Posts
      1k Views
      No one has replied
    • M

      DNS resolution problem when accessing certain URL's

      DHCP and DNS dns resolver netflix
      7
      0 Votes
      7 Posts
      2k Views
      M

      @gertjan Pfsense uses 127.0.0.1 as its nameserver (it was displayed then using the pfSense dns lookup tool). I checked all settings on my win10 client and even captured the packets with wireshark: The packets were definitely sent to pfsense and were processed there (I saw the specific lookup request I made in the unbound logs). Good idea to check the resolution with the cli, thx.

      However in the meantime, it seems like it's working:
      I have noticed that I didn't upgrade my pfSense for more than 3 months. Therefore I checked for updates and saw that the version 2.6.0 was available. I installed it and as of now, the problems are gone.
      Don't know if this was a bug in the previous version or what, but it was definitely strange...

      @johnpoz @Gertjan @SteveITS Thanks for all the help :)

    • L

      DNS Resolution for Wireguard tunnel failing

      DHCP and DNS dns firewall rules wireguard dns resolution
      3
      0 Votes
      3 Posts
      2k Views
      L

      @bob-dig Yes, I can ping the domain name and receive a response from the firewall.

    • P

      SquidGuard + SquidProxy SSL Errors

      Cache/Proxy squidguard squidproxy ssl ssl error dns
      1
      0 Votes
      1 Posts
      633 Views
      No one has replied
    • H

      DNS Dropouts

      DHCP and DNS dns openvpn ipvanish unbound
      1
      0 Votes
      1 Posts
      709 Views
      No one has replied
    • P

      Encrypt DNS

      DHCP and DNS dns
      3
      0 Votes
      3 Posts
      1k Views
      P

      @johnpoz Thanks man.

    • 1

      DNS over TLS Not Working?

      DHCP and DNS tls dns resolver tls over dns dns unbound
      7
      0 Votes
      7 Posts
      3k Views
      Gertjan

      @coyote1abe said in DNS over TLS Not Working?:

      could you please be a little more specific about the change you made to system

      Somewhere in the past, he changed the IP settings of his device (a Windows PC) from the default DHCP settings to a static setting.

      Like this:

      [image]

      which means this Windows device doesn't use pfSense at all for DNS ... because he asked 1.2.3.4 to be used.

      He has undone that, and now all is well.

    • S

      Trying to use PfSense DDNS with Dreamhost

      DHCP and DNS ddns dreamhost dns vpn
      1
      1 Votes
      1 Posts
      624 Views
      No one has replied
    • W

      DNS Overides

      DHCP and DNS dns override dns forwarder dns custom
      15
      0 Votes
      15 Posts
      2k Views
      S

      @gertjan said in DNS Overides:

      deep in the past

      Using my "Internet years" theory (like dog years) that's 7 Internet years ago.

    • R

      DNS queries failing during DNSBL reload

      pfBlockerNG unbound dnsbl pfblockerng dns
      2
      0 Votes
      2 Posts
      768 Views
      S

      @rvjr On pfSense unbound generally restarts. See
      https://redmine.pfsense.org/issues/5413

    • A

      DNS functionality in default Resolver Mode

      DHCP and DNS dns resolver mode default
      7
      0 Votes
      7 Posts
      2k Views
      A

      @johnpoz That's great JP.

      Yes the dig command certainly returns a good visual of what's going on under the bonnet :)

      I will never look at DNS requests the same way again!

      And I am sold on the concept of having pfsense in Resolver Mode rather than Forwarding Mode...

    • MrPeteM

      CARP: Small UI change and/or systemwide checker would sure help!

      HA/CARP/VIPs carp dhcp dns
      1
      0 Votes
      1 Posts
      927 Views
      No one has replied
    • T

      user bypass account for filtering - or similar

      General pfSense Questions filtering dns users contentfilter
      2
      0 Votes
      2 Posts
      622 Views
      stephenw10S

      Not easily. That is usually accomplished by having staff and student VLANs where you can apply different firewall rules to the traffic. So if it's wifi for example you can have a separate ssid with 802.1x authentication that only staff can connect to.

      Steve

    • P

      Internal LAN routing when connected to a VPN service

      Routing and Multi WAN dns resolver host overrides dns vpn
      3
      0 Votes
      3 Posts
      874 Views
      P

      @mer Thanks for the reply! Your comments got me to thinking which can be dangerous ;-)

      I figured out the problem. It has to do with a little Windows 10 app that the commercial VPN provides. This app resides in the system tray on the right side of the task bar in Windows 10. The app is used to connect and disconnect from the VPN. With your comments, I had the thought to try to figure out what DNS server Windows was using when connected to the VPN and when not connected to the VPN. With a quick Google search I found the Windows 10 command prompt nslookup command. Simply entering "nslookup" in a Windows command prompt will return the DNS server being used. In my case, when I wasn't connected to the VPN, it returned the IP of my pfSense router. When I was connected to the VPN it returned an IP of a DNS server that belongs to my VPN provider. It seems that every time you connect to the VPN service using their Windows 10 app, they change your DNS server address to their DNS server. I tried manually changing it back to the IP of my pfSense router but that didn't work when connected to the VPN - in that case I broke internet access altogether and couldn't connect to anything. When connected to the VPN, Windows wasn't able to resolve the local IP of my pfSense router. The solution will have to be to stop using the app provided by the VPN provider so that the DNS server that Windows uses stays pointing to my pfSense router. I had previously set up a gateway associated with the commercial VPN provider in my pfSense router. My solution will be to configure pfSense to route traffic from my Windows 10 through the VPN gateway when I want to use the VPN from my Windows 10 PC. Sort of a pain b/c I will have to log in to pfSense every time I want to use (or not use) the VPN. But in this scenario I can use the https://server1name.domain_name.tld paradigm to access my local services from my Windows 10 PC whether or not its WAN traffic is being routed through the VPN. This is because my Windows 10 PC will always be configured to use pfSense for domain name resolution.

    • charles_moodyC

      DNS PROBLEM WITH 'LINUX VM INSTEAD OF ROUTER' | UNBOUND

      DHCP and DNS dns unbound routing
      11
      0 Votes
      11 Posts
      1k Views
      johnpoz

      You do not need to create a NAT - but if you're policy routing, then yes you need a rule above that policy route rule that allows where you're trying to go before you policy route out a VPN.

      https://docs.netgate.com/pfsense/en/latest/multiwan/policy-route.html#bypassing-policy-routing

    • J

      Active Directory server in cloud with clients and pFsense on prem?

      DHCP and DNS activedirectory domain dns
      2
      0 Votes
      2 Posts
      703 Views
      KOMK

      @jgq85 I think that will work but it's always best to have Windows do your DNS and DHCP if your clients are using AD. Just use pfSense as a routing firewall and VPN remote site. Are you looking to move the existing building DC somewhere else? Otherwise I don't know why you wouldn't just connect the new building to the old one and the clients use the same old DC they always did with the least amount of disruption.

    • R

      CloludFlare Teams and DoH

      DHCP and DNS dns cloudflare doh
      1
      0 Votes
      1 Posts
      611 Views
      No one has replied
    • N

      cannot resolve any name

      DHCP and DNS dns resolution resolver
      2
      0 Votes
      2 Posts
      772 Views
      N

      Apparently, another corporate router CISCO ASA connected to DMZ was the troublemaker. After physical disconnect and reboot of that device, everything started to work fine again :-)