A more secure and private DNS configuration?



  • I am trying to understand and make sure my DNS settings are correct and optimal.

    My current settings:

    I am using the DNS Resolver as I believe it is optimal for my needs:

    1. I want to use DNSSEC
    2. I would like to trust as few third parties as possible
    3. Speed seems good

    In my General Setup i.e. System → General Setup → DNS Server Settings, I have:

    1. NO “DNS Servers” added
    2. “DNS Server Override” is NOT checked
    3. “Disable DNS Forwarder” is NOT checked

    In my DNS Resolver i.e. Services → DNS Resolver → General Settings, I have:

    1. “Network Interfaces” has “ALL” chosen
    2. “Outgoing Network Interfaces” has “ALL” chosen
    3. “DNSSEC” IS checked

    I use pfBlocker, my rules are attached, I have multiple VLANs and separate interfaces….

    My questions:

    1. I changed my rule #1 (Port 53) gateway to my VPN provider (PIA)... am I still using pfSense/DNS Resolver? Just using it with PIA as its first hop?

    2. With my DNS Resolver settings should I keep them at “ALL”?

    3. Open-ended question: Is there a more secure and/or private way to configure my DNS Resolver? I realize in this setup I put more trust in my VPN provider than my internet provider. I am OK with that. Anyone willing to share their DNS config?



  • I thought I would follow up with some testing I did and see if anyone has any additional thoughts:

    I kept my "General Setup" as stated below.

    In my DNS Resolver i.e. Services → DNS Resolver → General Settings

    1. I changed my “Network Interfaces” from "ALL" to my "internal interfaces" and "Localhost" only; this includes VLANs and interfaces with dedicated NICs. I am not using IPv6 (System -> Advanced -> Networking -> Allow IPv6 is NOT CHECKED) and did not select those interfaces, nor the WAN or VPN interface.
    2. I changed my “Outgoing Network Interfaces” from "ALL" to "WAN" and my "VPN Interface" only.
    3. Even though I use pfBlockerNG I did NOT select the "10.10.10.1 pfB DNSBL - DO NOT EDIT" interface for either the “Network Interfaces” or the “Outgoing Network Interfaces”... I thought this would break my DNSBL blocker functionality but I am still getting alerts.
    4. I kept DNSSEC checked. I found a website that claims to check your DNSSEC functionality: https://dnssec.vs.uni-due.de/ and I appear to be using DNSSEC. Thanks Germany!

    I kept my rules as is with my "DNS rule" rule set to "VPN Gateway"

    I will follow up if anything breaks...open to any thoughts!

    V
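What the “Network Interfaces”, “Outgoing Network Interfaces” and “DNSSEC” choices in both posts above correspond to in unbound's own configuration, shown as an added illustration rather than the file pfSense generates or anything from the original posts. It assumes pfSense's "ALL" becomes wildcard `interface:` lines, that its trust anchor lives at `/var/unbound/root.key`, and uses constructed placeholder addresses (192.168.10.1, 192.168.20.1, 203.0.113.5, 10.8.0.2). Fragment A is the "ALL" setting from the first post; fragment B is the scoped setting from the second post. They are alternatives, not meant to be concatenated.

```conf
# Added illustration of unbound.conf options, not pfSense's generated file.
# All addresses below are constructed placeholders; the root.key path is assumed.

# ---- Fragment A: "Network Interfaces" = ALL, "Outgoing Network Interfaces" = ALL
server:
    # listen on every address the firewall owns, WAN included
    interface: 0.0.0.0
    interface: ::0
    # no outgoing-interface lines: unbound sources queries from any address
    module-config: "validator iterator"
    auto-trust-anchor-file: "/var/unbound/root.key"

# ---- Fragment B: scoped listeners, scoped outgoing addresses, DNSSEC validation
server:
    # "Network Interfaces": localhost plus the internal and VLAN addresses only
    interface: 127.0.0.1
    interface: 192.168.10.1          # LAN (placeholder)
    interface: 192.168.20.1          # VLAN 20 (placeholder)

    # which clients may recurse; firewall rules still apply in front of this
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.10.0/24 allow
    access-control: 192.168.20.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # "Outgoing Network Interfaces": source addresses for the resolver's own
    # queries to root and authoritative servers. unbound picks one of the
    # listed addresses at random per query as a spoofing defence, so listing
    # WAN next to the VPN address means some lookups still leave via the ISP.
    outgoing-interface: 203.0.113.5  # WAN address (placeholder)
    outgoing-interface: 10.8.0.2     # VPN tunnel address (placeholder)

    # "DNSSEC" checked: validate answers against the root trust anchor
    module-config: "validator iterator"
    auto-trust-anchor-file: "/var/unbound/root.key"
    harden-dnssec-stripped: yes
```

The LAN rule with the VPN gateway in the first post applies to packets the firewall forwards for clients; the resolver's own upstream queries originate on the firewall and follow the outgoing-interface choice instead, which is why the pair of outgoing addresses in fragment B matters for the stated goal of keeping DNS away from the ISP.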
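The website mentioned in item 4 of the second post judges validation from the resolver's answers: a validating resolver sets the AD (authenticated data) flag on answers for correctly signed names and returns SERVFAIL for names whose signatures are deliberately broken. The same check can be run locally from any client with `dig`. This script is an added example, not part of the original posts; the sample outputs are constructed, abbreviated `dig` header lines, and `live_check` assumes `dig` is installed and that 192.168.10.1 is the pfSense LAN address.

```sh
#!/bin/sh
# Added example: classify DNSSEC validation from dig-style output.
# "validated"   -> NOERROR with the ad flag (resolver validated the answer)
# "unvalidated" -> NOERROR without ad (resolver does not validate, or zone unsigned)
# "servfail"    -> SERVFAIL (expected for a name with broken signatures)
classify_dig_output() {
    out="$1"
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    case "$status" in
        SERVFAIL) echo servfail; return 0 ;;
        NOERROR) ;;
        *) echo unknown; return 0 ;;
    esac
    case " $flags " in
        *" ad "*) echo validated ;;
        *) echo unvalidated ;;
    esac
}

# Live check against the resolver (assumes dig and a LAN address of 192.168.10.1).
# Prints the classification of a signed name and of a deliberately broken one.
live_check() {
    resolver="${1:-192.168.10.1}"
    signed=$(dig +dnssec @"$resolver" internetsociety.org A)
    broken=$(dig +dnssec @"$resolver" dnssec-failed.org A)
    echo "signed name:  $(classify_dig_output "$signed")"
    echo "broken name:  $(classify_dig_output "$broken")"
}

# Constructed sample outputs (header lines only), used for the offline run below.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_UNVALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_BROKEN=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4713
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

echo "sample validated:   $(classify_dig_output "$SAMPLE_VALIDATED")"
echo "sample unvalidated: $(classify_dig_output "$SAMPLE_UNVALIDATED")"
echo "sample broken:      $(classify_dig_output "$SAMPLE_BROKEN")"
```

A resolver configured as in the second post should report "validated" for the signed name and "servfail" for the broken one; "unvalidated" on the signed name means answers are passing through without validation, for instance because a client is bypassing the firewall's resolver and asking a non-validating upstream directly. Run `live_check 192.168.10.1` (with your own LAN address) from a client on one of the interfaces the resolver listens on.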