DNS Resolver? OpenDNS? Port 53?



  • In my part of this small world I have a Cable company that sells or is likely to sell my traffic information…not a big fan!

    I have been trying to find what is the best configuration for me and my family. I have attached my rules for reference.

    If I use the default settings, I go to "DNS Leak test" and my cable company shows up?
    I have tried using the default resolver settings and changed my gateway on rule #1 to my VPN provider...not sure that is best?
    I have created an "OpenDNS alias" using their IPs and used my VPN as my gateway for rule #1 (also used my default WAN). Is that the best way?

    What is the most PRIVATE AND SECURE way to configure this? Seems fundamental...




  • If I use the default settings, I go to "DNS Leak test" and my cable company shows up?

    Unbound (default DNS Resolver) queries root servers directly by default so your DNS traffic won't go to your ISP provider unless you Enable Forwarding Mode in Unbound.

    "DNS Leak test" should display your own WAN IP and hostname if you are using default Unbound settings (it is a resolver). Do not confuse your own external hostname with your ISP DNS Servers.

    The way I personally do it (and others with more experience may perhaps add their input) is as follows:

    1- Use Unbound resolver without forwarding mode.
    2- Under System => General Setup
    --- I have defined a couple of DNS servers (not my ISP's) for pfSense to use during upgrades and such. These servers are otherwise not used.
    --- Allow DNS server list to be overridden by DHCP/PPP on WAN: unchecked
    --- Do not use the DNS Forwarder/DNS Resolver as a DNS server for the firewall: unchecked
    3- I then have rules to prevent network clients from using manually specified DNS servers.
    --- Allow DNS traffic on the VLAN
    --- Create an Alias with alternative (external) DNS servers of my own choice for testing purposes and what not (disabled when not using them)
    --- Block all other DNS traffic to make sure only my pfSense resolver is used.

    That covers a basic DNS setup. I'm not saying it is private, because DNS is not encrypted by default, but your ISP is not getting your DNS queries.

    For privacy, you may have to look into dnscrypt-proxy + squid + privoxy for web browsing, or a VPN service that doesn't log anything, etc. Or forward all your traffic through Tor and bear with the slow network performance.
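    The "block all other DNS traffic" rule in step 3 is also useful as a detector: anything it logs is a client that has a hard-coded resolver and is trying to bypass Unbound. The script below is an added example (not from the post above or from pfSense itself) that summarises such blocked packets per client from firewall log lines; the log lines are constructed, the resolver address is assumed, and the CSV field order is assumed to follow the pfSense filterlog layout, so check it against your own version.

```python
"""Summarise DNS packets that pfSense blocked on the way to non-firewall resolvers."""
import csv
import io
from collections import defaultdict

# pfSense LAN address that runs Unbound (assumed value for this example).
RESOLVER_IP = "192.168.1.1"
DNS_PORTS = {"53", "853"}  # plain DNS and DNS-over-TLS

# Constructed sample lines in pfSense filterlog CSV layout (assumed field order:
# rulenr,subrulenr,anchor,tracker,iface,reason,action,direction,ipver,tos,ecn,ttl,
# id,offset,flags,protoid,proto,length,src,dst,srcport,dstport,datalen).
SAMPLE_LOG = """\
5,,,1000000103,igb1,match,pass,in,4,0x0,,64,1234,0,DF,17,udp,60,192.168.1.20,192.168.1.1,51000,53,40
9,,,1000000110,igb1,match,block,in,4,0x0,,64,1235,0,DF,17,udp,60,192.168.1.20,8.8.8.8,51001,53,40
9,,,1000000110,igb1,match,block,in,4,0x0,,64,1236,0,DF,6,tcp,60,192.168.1.35,1.1.1.1,51002,853,0
9,,,1000000110,igb1,match,block,in,4,0x0,,64,1237,0,DF,17,udp,60,192.168.1.20,9.9.9.9,51003,53,40
9,,,1000000110,igb1,match,block,in,4,0x0,,64,1238,0,DF,6,tcp,60,192.168.1.35,93.184.216.34,51004,443,0
"""


def dns_bypass_attempts(log_text, resolver_ip=RESOLVER_IP):
    """Return {client_ip: {destination_ip: count}} for blocked DNS packets
    whose destination is not the firewall's own resolver address."""
    hits = defaultdict(lambda: defaultdict(int))
    for row in csv.reader(io.StringIO(log_text)):
        # Only IPv4 lines use the field positions assumed above; skip the rest.
        if len(row) < 22 or row[8] != "4":
            continue
        action, proto, src, dst, dport = row[6], row[16], row[18], row[19], row[21]
        if action != "block" or proto not in ("udp", "tcp") or dport not in DNS_PORTS:
            continue
        if dst == resolver_ip:
            continue  # queries to Unbound itself are expected, not bypasses
        hits[src][dst] += 1
    return {client: dict(dests) for client, dests in hits.items()}


if __name__ == "__main__":
    for client, dests in dns_bypass_attempts(SAMPLE_LOG).items():
        print(client, dests)
```

    Clients that show up here are the ones whose DNS settings need fixing (or whose hard-coded resolver you deliberately allow via the alias in step 3).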


  • LAYER 8 Global Moderator

    "have defined a couple DNS servers (not my ISP's) for pfSense to use them during upgrades and such."

    Why do you feel you need to do this? I have never had any issues upgrading pfSense just using the resolver on its own.

