@johnsheridan Thanks for the info and testing. That makes sense. I’ll have a look at those files and patch.

This will be probably fixed in one of the next releases then.

@coyote1abe said in DNS over TLS Not Working?:

could you please be a little more specific about the change you made to system

Somewhere in the past, he changed the IP settings of his device ( a Windows PC ) from the default DHCP settings to a static setting.

Like this :

d3577074-a66d-4dc6-9d2a-47fe70abc2e1-image.png

which means this windows device doesn't use pfSense at all for DNS .... because he asked 1.2.3.4 to be used.

He has undone that, and now all is well.

@Bekoj said in TLS Error : something wrong with Certificates ?:

installed pfsense brand new in 2.4.5 version

installed pfsense brand new in 2.4.5 version

hmmm, next time I'll ask first...😉

@Gertjan "Oooohhhh. And you're telling that now ?"
Yes, we went around a bit, the point is, it's okay

Thanks for that... I had seen the DNS hostname boxes, but must've missed the text below indicating that they're related to DoT. Something might want to be mentioned on the DNS Resolver page at the SSL/TLS checkbox too, that for best security the hostnames for the servers should be entered on System > General.

Thanks for the info. Astounding is what this is. :-)

@naskar

I don't have a good answer for you about enabling DNSSEC when using Cloudflare DoT. The sites that do support DNSSEC are few. I saw something the other day that DNSSEC sites are in the single digit percentage of all sites on the internet. I added the DNSSEC detector add-on on Firefox and I can confirm from my own experience that not too many sites I visit support DNSSEC. With DNSSEC disabled on the DNS Resolver, I still pass all of the DNSSEC tests on these sites:

This thread does shed some light on the topic.

Not fixed as of 2.4.4-RELEASE-p3 (amd64)
built on Wed May 15 18:53:44 EDT 2019
FreeBSD 11.2-RELEASE-p10.

Only after appending the text dump of my ca cert to /usr/local/share/certs/ca-root-nss.crt was I able to send test messages.
"Validate the SSL/TLS certificate presented by the server" had no effect.
Package captures verified that pfsense was rejecting the certificate being returned by my email server.

@medikopter said in OpenVPN TLS Fehler:

Das klingt ja eigentlich ganz cool und simple, allerdings scheitere ich schon an der Umsetzung eines Failover.

Nunja, aber das sind ja auch zwei verschiedene paar Stiefel ;) VPN auf beiden Interfaces zum Laufen zu bringen ist wesentlich leichter, weil du nichts umschalten/routen/sonstwas musst. Daher überhaupt nicht schwer.

Also das er das Interface automatisch wechselt wenn eins Down ist.

Es genügt doch eine Gateway Gruppe zu machen und die bei den Regeln auf dem LAN einzusetzen?