Netgate Discussion Forum
    A more secure and private DNS configuration?

    Category: DHCP and DNS. 2 Posts, 1 Poster, 495 Views.

    Velcro

      I am trying to understand and make sure my DNS settings are correct and optimal.

      My current settings:

      I am using the DNS Resolver as I believe it is optimal for my needs:

      1. I want to use DNSSEC
      2. I would like to trust as few third parties as possible
      3. Speed seems good

      In my General Setup i.e. System → General Setup → DNS Server Settings, I have:

      1. NO “DNS Servers” added
      2. “DNS Server Override” is NOT checked
      3. “Disable DNS Forwarder” is NOT checked

      In my DNS Resolver i.e. Services → DNS Resolver → General Settings, I have:

      1. “Network Interfaces” has “ALL” chosen
      2. “Outgoing Network Interfaces” has “ALL” chosen
      3. “DNSSEC” IS checked

      I use pfBlocker, my rules are attached, I have multiple VLANs and separate interfaces...

      My questions:

      1. I changed my rule #1 (Port 53) gateway to my VPN provider (PIA)... am I still using pfSense/DNS Resolver? Just using it with PIA as its first hop?

      2. With my DNS Resolver settings should I keep them at “ALL”?

      3. Open-ended question: Is there a more secure and/or private way to configure my DNS Resolver? I realize in this setup I put more trust in my VPN provider than my internet provider. I am OK with that. Anyone willing to share their DNS config?

      Velcro

        I thought I would follow up with some testing I did and see if anyone has any additional thoughts:

        I kept my "General Setup" as stated below.

        In my DNS Resolver i.e. Services → DNS Resolver → General Settings

        1. I changed my “Network Interfaces” from "ALL" to my "internal interfaces" and "Localhost" only; this includes VLANs and interfaces with dedicated NICs. I am not using IPv6 (System -> Advanced -> Networking -> Allow IPv6 is NOT CHECKED) and did not select those interfaces, nor the WAN or VPN interfaces.
        2. I changed my “Outgoing Network Interfaces” from "ALL" to "WAN" and my "VPN Interface" only
        3. Even though I use pfBlockerNG I did NOT select the "10.10.10.1 pfB DNSBL - DO NOT EDIT" interface for either the “Network Interfaces” or the “Outgoing Network Interfaces”... I thought this would break my DNSBL blocker functionality but I am still getting alerts.
        4. I kept DNSSEC checked. I found a website that claims to check your DNSSEC functionality: https://dnssec.vs.uni-due.de/ and I appear to be using DNSSEC. Thanks Germany!

        I kept my rules as is with my "DNS rule" rule set to "VPN Gateway"

        I will follow up if anything breaks...open to any thoughts!

        V

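A way to confirm the resolver's DNSSEC validation locally instead of through a third-party website, as an added example that is not from this thread: the script sends queries with the DO bit directly to the resolver for one correctly signed name and one deliberately broken name, then reads the AD flag and RCODE from each reply header. The resolver address (127.0.0.1) and the two test names are assumptions; point it at the pfSense LAN address from a client.

```python
import socket
import struct

# Added example (not from the thread). A validating resolver answers a correctly signed
# name with NOERROR and the AD (Authenticated Data) flag set, and a deliberately broken
# name with SERVFAIL. A resolver that merely forwards returns NOERROR without AD for both.

QR, AD, RCODE_MASK = 0x8000, 0x0020, 0x000F
NOERROR, SERVFAIL = 0, 2

def build_query(name, qid=0x1234):
    """Build a DNS A/IN query with RD set and an OPT record carrying the DO (DNSSEC OK) bit."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # 1 question, 1 additional (OPT)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN
    # OPT RR: root name, TYPE=41, CLASS=UDP payload 4096, TTL field holds the DO flag, RDLEN=0
    opt = b"\x00" + struct.pack(">HHIH", 41, 4096, 0x00008000, 0)
    return header + question + opt

def parse_header(resp):
    """Return the reply header fields relevant to a validation check."""
    qid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", resp[:12])
    return {"id": qid, "qr": bool(flags & QR), "ad": bool(flags & AD),
            "rcode": flags & RCODE_MASK, "answers": an}

def verdict(good_resp, bad_resp):
    """Combine the replies for a signed-OK name and a signed-broken name into one result."""
    good, bad = parse_header(good_resp), parse_header(bad_resp)
    if good["rcode"] == NOERROR and good["ad"] and bad["rcode"] == SERVFAIL:
        return "validating"
    if good["rcode"] == NOERROR and not good["ad"] and bad["rcode"] == NOERROR:
        return "not validating"
    return "inconclusive"

def query(resolver, name, timeout=3.0):
    """Send one UDP query to the resolver and return the raw reply bytes."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver, 53))
        return s.recv(4096)

if __name__ == "__main__":
    import sys
    resolver = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # assumption: local resolver
    # Assumed test names: one correctly signed, one deliberately broken (as used by DNSSEC test sites).
    good = query(resolver, "sigok.verteiltesysteme.net")
    bad = query(resolver, "sigfail.verteiltesysteme.net")
    print("good:", parse_header(good), "\nbad:", parse_header(bad), "\nverdict:", verdict(good, bad))
```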
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.