Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    A more secure and private DNS configuration?

    DHCP and DNS
    1
    2
    382
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • V
      Velcro last edited by

      I am trying to understand and make sure my DNS settings are correct and optimal.

      My current settings:

      I am using the DNS Resolver as I believe it is optimal for my needs:

      1. I want to use DNSSEC
      2. I would like to trust as few third parties as possible
      3. Speed seems good

      In my General Setup i.e. System → General Setup → DNS Server Settings, I have:

      1. NO “DNS Servers” added
      2. “DNS Server Override” is NOT checked
      3. “Disable DNS Forwarder” is NOT checked

      In my DNS Resolver i.e. Services → DNS Resolver → General Settings, I have:

      1. “Network Interfaces” has “ALL” chosen
        2)  “Outgoing Network Interfaces” has “ALL” chosen
      2. “DNSSEC” IS checked

      I use pfBlocker, my rules are attached, I have multiple VLANs and separate interfaces….

      My questions:

      1. I changed my rule #1 (Port 53) gateway to my VPN provider(PIA)...am I still using pfsense/DNS resolver? Just using it with PIA as its first hop?

      2. With my DNS Resolver settings should I keep them at “ALL”?

      3. Open ended question: Is there a more secure and/or private way to configure my DNS Resolver? I realize in this setup I put more trust in my VPN provider then my internet provider. I am OK with that. Any one willing to share their DNS config?

      1 Reply Last reply Reply Quote 0
      • V
        Velcro last edited by

        I thought I would follow up with some testing I did and see if any one has any additional thoughts:

        I kept my "General Setup" as stated below.

        In my DNS Resolver i.e. Services → DNS Resolver → General Settings

        1. I changed my “Network Interfaces” from "ALL" to my "internal interfaces" and "Localhost" only, this includes VLANs and Interfaces with dedicated NICs. I am not using IPv6 (System -> Advanced -> Networking -> Allow IPv6 is NOT CHECKED) and did not select those interfaces, nor WAN or VPN interface
        2. I changed my “Outgoing Network Interfaces” from "ALL" to "WAN" and my "VPN Interface" only
        3. Even though I use pfBlockerNG I did NOT select the "10.10.10.1 pfB DNSBL - DO NOT EDIT" interface for either the “Network Interfaces” nor the “Outgoing Network Interfaces”…I thought this would break my DNSBL blocker functionality but I am still getting alerts.
        4. I kept DNSSEC Checked. I found a website that claims to check your DNSSEC functionaility: https://dnssec.vs.uni-due.de/ and I appear to be using DNSSEC. Thanks Germany!

        I kept my rules as is with my "DNS rule" rule set to "VPN Gateway"

        I will follow up if anything breaks...open to any thoughts!

        V

        1 Reply Last reply Reply Quote 0
        • First post
          Last post

        Products

        • Platform Overview
        • TNSR
        • pfSense
        • Appliances

        Services

        • Training
        • Professional Services

        Support

        • Subscription Plans
        • Contact Support
        • Product Lifecycle
        • Documentation

        News

        • Media Coverage
        • Press
        • Events

        Resources

        • Blog
        • FAQ
        • Find a Partner
        • Resource Library
        • Security Information

        Company

        • About Us
        • Careers
        • Partners
        • Contact Us
        • Legal
        Our Mission

        We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

        Subscribe to our Newsletter

        Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

        © 2021 Rubicon Communications, LLC | Privacy Policy