4. A more secure and private DNS configuration?

A more secure and private DNS configuration?

  • V

    I am trying to understand and make sure my DNS settings are correct and optimal.

    My current settings:

    I am using the DNS Resolver as I believe it is optimal for my needs:

    1. I want to use DNSSEC
    2. I would like to trust as few third parties as possible
    3. Speed seems good

    In my General Setup i.e. System → General Setup → DNS Server Settings, I have:

    1. NO “DNS Servers” added
    2. “DNS Server Override” is NOT checked
    3. “Disable DNS Forwarder” is NOT checked

    In my DNS Resolver i.e. Services → DNS Resolver → General Settings, I have:

    1. “Network Interfaces” has “ALL” chosen
      2)  “Outgoing Network Interfaces” has “ALL” chosen
    2. “DNSSEC” IS checked

    I use pfBlocker, my rules are attached, I have multiple VLANs and separate interfaces….

    My questions:

    1. I changed my rule #1 (Port 53) gateway to my VPN provider(PIA)...am I still using pfsense/DNS resolver? Just using it with PIA as its first hop?

    2. With my DNS Resolver settings should I keep them at “ALL”?

    3. Open ended question: Is there a more secure and/or private way to configure my DNS Resolver? I realize in this setup I put more trust in my VPN provider then my internet provider. I am OK with that. Any one willing to share their DNS config?

    0
  • V

    I thought I would follow up with some testing I did and see if any one has any additional thoughts:

    I kept my "General Setup" as stated below.

    In my DNS Resolver i.e. Services → DNS Resolver → General Settings

    1. I changed my “Network Interfaces” from "ALL" to my "internal interfaces" and "Localhost" only, this includes VLANs and Interfaces with dedicated NICs. I am not using IPv6 (System -> Advanced -> Networking -> Allow IPv6 is NOT CHECKED) and did not select those interfaces, nor WAN or VPN interface
    2. I changed my “Outgoing Network Interfaces” from "ALL" to "WAN" and my "VPN Interface" only
    3. Even though I use pfBlockerNG I did NOT select the "10.10.10.1 pfB DNSBL - DO NOT EDIT" interface for either the “Network Interfaces” nor the “Outgoing Network Interfaces”…I thought this would break my DNSBL blocker functionality but I am still getting alerts.
    4. I kept DNSSEC Checked. I found a website that claims to check your DNSSEC functionaility: https://dnssec.vs.uni-due.de/ and I appear to be using DNSSEC. Thanks Germany!

    I kept my rules as is with my "DNS rule" rule set to "VPN Gateway"

    I will follow up if anything breaks...open to any thoughts!

    V

    0
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy