A more secure and private DNS configuration?
I am trying to understand and make sure my DNS settings are correct and optimal.
My current settings:
I am using the DNS Resolver as I believe it is optimal for my needs:
- I want to use DNSSEC
- I would like to trust as few third parties as possible
- Speed seems good
In General Setup, i.e. System → General Setup → DNS Server Settings, I have:
- NO “DNS Servers” added
- “DNS Server Override” is NOT checked
- “Disable DNS Forwarder” is NOT checked
In the DNS Resolver, i.e. Services → DNS Resolver → General Settings, I have:
- “Network Interfaces” has “ALL” chosen
- “Outgoing Network Interfaces” has “ALL” chosen
- “DNSSEC” IS checked
I use pfBlocker, my rules are attached, and I have multiple VLANs and separate interfaces.
I changed my rule #1 (port 53) gateway to my VPN provider (PIA)... am I still using the pfSense DNS Resolver, just with PIA as its first hop?
With my DNS Resolver settings should I keep them at “ALL”?
Open-ended question: Is there a more secure and/or private way to configure my DNS Resolver? I realize that in this setup I put more trust in my VPN provider than in my internet provider. I am OK with that. Anyone willing to share their DNS config?
I thought I would follow up with some testing I did and see if anyone has any additional thoughts:
I kept my "General Setup" as stated below.
In the DNS Resolver, i.e. Services → DNS Resolver → General Settings:
- I changed “Network Interfaces” from "ALL" to my "internal interfaces" and "Localhost" only; this includes VLANs and interfaces with dedicated NICs. I am not using IPv6 (System → Advanced → Networking → Allow IPv6 is NOT checked) and did not select those interfaces, nor the WAN or VPN interfaces.
- I changed “Outgoing Network Interfaces” from "ALL" to "WAN" and my "VPN Interface" only.
- Even though I use pfBlockerNG, I did NOT select the "10.10.10.1 pfB DNSBL - DO NOT EDIT" interface for either “Network Interfaces” or “Outgoing Network Interfaces”... I thought this would break my DNSBL blocker functionality, but I am still getting alerts.
- I kept DNSSEC checked. I found a website that claims to check your DNSSEC functionality: https://dnssec.vs.uni-due.de/ and I appear to be using DNSSEC. Thanks Germany!
I kept my rules as is, with my "DNS rule" set to "VPN Gateway".
I will follow up if anything breaks...open to any thoughts!
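As an added example (not part of the post above, and not pfSense's own tooling), here is a way to check from a LAN client, with `dig`, whether the pfSense DNS Resolver is actually validating DNSSEC rather than relying on a third-party web page. A validating resolver sets the `ad` (Authenticated Data) flag on answers for a correctly signed name and returns SERVFAIL for a name whose signature is deliberately broken. The resolver address `192.168.1.1` is an assumed placeholder; `sigok.verteiltesysteme.net` and `sigfail.verteiltesysteme.net` are the commonly used good/bad DNSSEC test names from the same Duisburg-Essen group as the site mentioned above, and it is assumed they are still served. The parsing helpers are exercised against constructed sample `dig` output so the script also runs without network access; set `RUN_LIVE=1` to query your resolver for real.

```shell
#!/bin/sh
# Added example: verify DNSSEC validation on a pfSense (unbound) resolver
# from a LAN client. Not from the original post; RESOLVER is an assumption.
RESOLVER="${RESOLVER:-192.168.1.1}"          # assumed pfSense LAN address
GOOD_NAME="sigok.verteiltesysteme.net"       # assumed: correctly signed test name
BAD_NAME="sigfail.verteiltesysteme.net"      # assumed: deliberately broken signature

# has_ad_flag DIG_OUTPUT: succeed (0) if the ";; flags:" line carries "ad",
# i.e. the resolver itself validated the answer.
has_ad_flag() {
  printf '%s\n' "$1" | grep -Eq '^;; flags:.* ad[ ;]'
}

# status_of DIG_OUTPUT: print the RCODE (NOERROR, SERVFAIL, ...) from the header line.
status_of() {
  printf '%s\n' "$1" |
    sed -n 's/^;; ->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*/\1/p'
}

# Constructed sample dig output (not captured from a real resolver), used so the
# helpers can be checked offline.
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BAD=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 5678
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# check_live: query the resolver for the good and bad names and report.
# Returns 0 when both behave as a validating resolver should.
check_live() {
  if ! command -v dig >/dev/null 2>&1; then
    echo "dig not installed; skipping live check"
    return 0
  fi
  ok=$(dig @"$RESOLVER" +dnssec +comments +noall +time=2 +tries=1 A "$GOOD_NAME")
  bad=$(dig @"$RESOLVER" +dnssec +comments +noall +time=2 +tries=1 A "$BAD_NAME")
  rc=0
  if has_ad_flag "$ok"; then
    echo "OK:   $GOOD_NAME answered with the ad flag (resolver validated it)"
  else
    echo "FAIL: $GOOD_NAME came back without the ad flag; resolver is not validating"
    rc=1
  fi
  if [ "$(status_of "$bad")" = "SERVFAIL" ]; then
    echo "OK:   $BAD_NAME returned SERVFAIL (bogus signature rejected)"
  else
    echo "FAIL: $BAD_NAME was answered; bogus data is being passed through"
    rc=1
  fi
  return $rc
}

# Offline self-check of the helpers against the constructed samples.
has_ad_flag "$SAMPLE_OK"  && echo "sample OK: ad flag detected"
has_ad_flag "$SAMPLE_BAD" || echo "sample BAD: no ad flag, status $(status_of "$SAMPLE_BAD")"

# Live check only when explicitly requested, so the script does not hang
# waiting on an unreachable resolver.
if [ -n "${RUN_LIVE:-}" ]; then
  check_live
fi
```

Run it from a host on one of the interfaces you selected under “Network Interfaces”; if the resolver is only listening on those interfaces, the same query from the WAN side should get no answer at all. The `ad` flag is only meaningful when the validation is done on the resolver you are querying, which is the point of keeping DNSSEC enabled on pfSense rather than trusting whatever the next hop reports.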