DNS Resolver Log Error sending queries to 1.1.1.1
- 
 Do we have to wait for an update for this to be fixed? Was anybody successful in getting the Cloudflare config to work? Thanks! It worked until this morning, so I left the config in place and added entries for Quad9 as well. If they both provide DNS over TLS, might as well have both in the list. The point is to be able to use Cloudflare as the primary DNS since their service is faster. Agree, but it does not work for me. If I only have Cloudflare in my config I cannot resolve.
Apr 5 09:08:16 unbound 70814:1 error: SSL_read syscall: Connection reset by peer
Quad9 works, though. 
- 
 The Cloudflare settings still are not working and Cloudflare is reporting that they are not experiencing any service problems. Perhaps they have made some change that either inadvertently or deliberately blocks this? Regardless, it seems that it isn’t likely to work “as is”. Hope I’m wrong.  
- 
 I was reading a post on one of the forums and someone there seems to think this is a pfSense issue with the Cloudflare certificate. 
- 
 Strange thing is, it worked for two days before it stopped at midnight local two nights ago. 
- 
 https://tech.slashdot.org/story/18/04/05/0420247/1111-cloudflares-new-dns-attracting-gigabits-per-second-of-rubbish If they can't handle the bogus traffic, maybe they should move to a host that specializes in DDoS protections… ;D ;D 
- 
 ^ exactly… Why anyone would even want to point their dns to this is beyond me.... 
- 
 Do you use QUAD9? 
- 
 No, I resolve with DNSSEC. Not going to forward my queries to any specific DNS, thank you very much. I will just run my own resolver, as it should be. 
- 
 I use Quad9 and I find value in their service. I have had two issues with them and, to my surprise, contacting Quad9 has been very easy; they are very professional and responsive. They have addressed the issues rather quickly and have been kind enough to follow up with me. 
- 
 Quad9 seems to provide a nice value-add by attaching block lists to their results. Likely a setup that you could easily recreate with pfSense, although there is something to be said for the ease of pointing to them and getting it for free. Also, I'd assume they have access to more exhaustive lists than what we could maintain privately. I'm actually in touch with their support right now and agree that they're pretty responsive. There are one or two hops between me and their service that drop lots of packets, which results in occasional long delays for a DNS lookup (at least, that's my theory as to why I see this). I sent them a couple of example reports from mtr; maybe they'll have better luck contacting whoever is responsible for those systems than I would. 
- 
 I was reading a post on one of the forums and someone there seems to think this is a pfSense issue with the Cloudflare certificate. I'm not sure what you read, but the Cloudflare person said clearly: "Thanks for the report! This is going to be fixed in the next upgrade that's being rolled out. There was an interop issue in the last upgrade with Unbound as it sends the frame size and the actual DNS message in two separate packets instead of both at once."
From: https://community.cloudflare.com/t/1-1-1-1-was-working-but-not-anymore/15136/4 
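The framing the Cloudflare reply refers to is RFC 7858's DNS-over-TLS wire format: each DNS message on the TLS stream is prefixed with a 2-byte big-endian length, and a sender may legitimately put the prefix and the message in separate TCP segments. The following is an added example, not code from this thread, pfSense, Unbound or Cloudflare: a framer that coalesces prefix and message into one write, a receiver that tolerates any segmentation, and the fragile receiver pattern that breaks on exactly the split described. The sample query for example.com is constructed, not captured.

```python
"""RFC 7858 DNS-over-TLS framing: 2-byte length prefix + DNS message.
Added example; it is not the code of any project named in the thread."""
import struct
from typing import List, Optional

A_RECORD = 1
IN_CLASS = 1


def build_query(qname: str, qtype: int = A_RECORD, txid: int = 0x1234) -> bytes:
    """Minimal DNS query: header (RD=1, QDCOUNT=1) plus one question, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    name = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    ) + b"\x00"
    return header + name + struct.pack("!HH", qtype, IN_CLASS)


def frame(msg: bytes) -> bytes:
    """Prefix a DNS message with its 16-bit length. Sending the return value
    with a single sock.sendall() keeps prefix and body together; writing the
    prefix and the body separately may land them in two TCP segments, which
    a correct peer must still accept."""
    if len(msg) > 0xFFFF:
        raise ValueError("DNS message too large for a 16-bit length prefix")
    return struct.pack("!H", len(msg)) + msg


class FrameReader:
    """Robust receiver: buffer across reads until a whole frame is present."""

    def __init__(self) -> None:
        self.buf = b""

    def feed(self, data: bytes) -> List[bytes]:
        self.buf += data
        messages = []
        while len(self.buf) >= 2:
            (length,) = struct.unpack("!H", self.buf[:2])
            if len(self.buf) < 2 + length:
                break  # body not complete yet; wait for the next read
            messages.append(self.buf[2:2 + length])
            self.buf = self.buf[2 + length:]
        return messages


def fragile_receive(chunk: bytes) -> Optional[bytes]:
    """Receiver that assumes prefix and body arrive in one read. Returns the
    message only if the chunk holds exactly one complete frame, else None.
    This is the pattern that fails when a sender splits the frame."""
    if len(chunk) < 2:
        return None
    (length,) = struct.unpack("!H", chunk[:2])
    body = chunk[2:]
    return body if len(body) == length else None


def demo() -> dict:
    """Replay the split the thread describes against both receivers."""
    query = build_query("example.com")  # constructed sample, not a capture
    wire = frame(query)
    split = [wire[:2], wire[2:]]  # prefix in one segment, body in the next

    robust = FrameReader()
    robust_result = [m for seg in split for m in robust.feed(seg)]
    fragile_result = [fragile_receive(seg) for seg in split]
    return {
        "coalesced_ok": fragile_receive(wire) == query,
        "split_robust_ok": robust_result == [query],
        "split_fragile_ok": fragile_result == [query],
    }


if __name__ == "__main__":
    print(demo())  # {'coalesced_ok': True, 'split_robust_ok': True, 'split_fragile_ok': False}
```

When debugging a failure like the one in the thread, separate the TLS layer from the DNS framing: `openssl s_client -connect 1.1.1.1:853` shows whether the handshake itself completes, and the log line above names SSL_read, i.e. the connection was established and the reset arrived while the reply was being read.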
- 
 Yeah shepherds are normally very attentive to their sheep, as they gather their flock ;) heheheeh 
- 
 I stand corrected! My apologies! 
- 
 So when your resolver does not know a host's IP because it is not cached, where does it forward the query? No need to get upset, I am just asking a question! 
- 
 We have updated the blog post with Quad9 settings: https://www.netgate.com/blog/dns-over-tls-with-pfsense.html 
- 
 Hi, first of all, thanks for the Tips&Tricks guide :) DNS over TLS doesn't work for me. I ran into this issue and lost Internet too.
Apr 5 18:29:19 unbound 7412:0 info: start of service (unbound 1.6..
Apr 5 18:29:19 unbound 7412:0 error: duplicate forward zone . ignored.
Apr 5 18:29:19 unbound 7412:3 error: duplicate forward zone . ignored.
Apr 5 18:29:19 unbound 7412:2 error: duplicate forward zone . ignored.
Apr 5 18:29:19 unbound 7412:1 error: duplicate forward zone . ignored.
Apr 5 18:29:19 unbound 7412:0 notice: init module 1: iterator
Apr 5 18:29:19 unbound 7412:0 notice: init module 0: validator
Apr 5 18:29:19 unbound 7412:0 notice: Restart of unbound 1.6.8.
Apr 5 18:29:19 unbound 7412:0 info: server stats for thread 3: requestlist max 0 avg 0 exceeded 0 jostled 0
Apr 5 18:29:19 unbound 7412:0 info: server stats for thread 3: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
Apr 5 18:29:19 unbound 7412:0 info: server stats for thread 2: requestlist max 0 avg 0 exceeded 0 jostled 0
Apr 5 18:29:19 unbound 7412:0 info: server stats for thread 2: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
Apr 5 18:29:19 unbound 7412:0 info: server stats for thread 1: requestlist max 0 avg 0 exceeded 0 jostled 0
Apr 5 18:29:19 unbound 7412:0 info: server stats for thread 1: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
Apr 5 18:29:19 unbound 7412:0 info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0 jostled 0
Apr 5 18:29:19 unbound 7412:0 info: server stats for thread 0: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
Apr 5 18:29:19 unbound 7412:0 info: service stopped (unbound 1.6..
Apr 5 18:29:19 unbound 7412:0 info: start of service (unbound 1.6..
- 
 So when your resolver does not know a host's IP because it is not cached, where does it forward the query? The root servers, of course. https://en.wikipedia.org/wiki/Root_name_server 
- 
 promo, just ignore the passive-aggressive tone. Don't worry about it :) “Your greatness is measured by your kindness; your education and intellect by your modesty; your ignorance is betrayed by your suspicions and prejudices, and your real caliber is measured by the consideration and tolerance you have for others.” ~William J.H. Boetcker
Unbound is a DNS resolver, which means that it doesn't necessarily need to forward queries to another DNS resolver/forwarder such as Quad9, Google, Cloudflare, OpenDNS, etc. Instead it can query the "root hints" servers by itself without any of the previously mentioned providers in between. There is a trade-off in that process: root hints can be really slow responding to queries. With that in mind, different providers (such as the ones mentioned above and others) put DNS servers closer to you to speed things up. Since their resources are so vast and their services are generally used by millions of users, chances are that your query will most likely hit their cache instead of having to go back to the "root hints" to pull a record, which dramatically increases DNS resolution speed, translating into a faster browsing experience and so on.
Implementing DNSSEC and querying "root hints" reduces the chances of getting poisoned or bogus responses. Yet it does not make your DNS immune to eavesdropping. Anyone (especially your ISP) "listening" on the network for DNS queries can see which sites you're visiting by looking at your DNS queries (DNS isn't encrypted by default), for example. Using services such as Cloudflare, Quad9 and others may in fact help you escape the eavesdropping by implementing DNS over TLS or HTTPS, on top of speeding up your DNS resolution. Yet your DNS queries are at the mercy of the upstream provider.
The trade-off in this case is basically a matter of "trust" in the provider you choose to forward your queries to. That's the watered-down version :) 
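The two setups this post contrasts, written out in Unbound's own configuration syntax as an added example (not from the thread or the Netgate blog post), together with the mistake behind the "duplicate forward zone . ignored" lines in the log posted earlier. File paths and the provider hostnames in the commented-out section are assumptions; the option keywords are Unbound's.

```conf
# Option 1: recurse from the root servers yourself and validate DNSSEC.
# No single provider sees your whole query stream, but the queries to the
# authoritative servers travel in cleartext.
server:
    auto-trust-anchor-file: "/var/unbound/root.key"   # path assumed
    root-hints: "/var/unbound/root.hints"             # path assumed; built-in hints are used if omitted
    harden-dnssec-stripped: yes
    qname-minimisation: yes      # send each server only as much of the name as it needs

# Option 2: forward everything over TLS (port 853) to a provider.
# Eavesdroppers on the path see only TLS; the provider sees every query.
# "forward-ssl-upstream" is the spelling the 1.6.x release in the log
# understands; newer releases also accept "forward-tls-upstream".
forward-zone:
    name: "."                    # define the "." forward zone exactly once
    forward-ssl-upstream: yes
    forward-addr: 1.1.1.1@853
    forward-addr: 1.0.0.1@853
    forward-addr: 9.9.9.9@853
    forward-addr: 149.112.112.112@853

# Releases that have tls-cert-bundle and the "#name" suffix can also verify
# the upstream certificate against the provider's hostname; without this the
# channel is encrypted but the far end is not authenticated.
# server:
#     tls-cert-bundle: "/etc/ssl/cert.pem"            # path assumed
# forward-zone:
#     name: "."
#     forward-tls-upstream: yes
#     forward-addr: 1.1.1.1@853#cloudflare-dns.com
#     forward-addr: 9.9.9.9@853#dns.quad9.net
```

The error in the earlier log means the generated configuration contained a second `forward-zone` with `name: "."`, which Unbound drops rather than merges; on pfSense that happens when a forward zone for "." is pasted into the custom options while the GUI's forwarding mode already emits one. Listing both providers in one zone is the working pattern from the thread: Unbound chooses among the `forward-addr` entries by measured round-trip time and backs off from servers that fail, which is consistent with resolution continuing through Quad9 while 1.1.1.1 was resetting connections.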
- 
 @rafaelr: Exactly what I was leading up to! ;) 
- 
 Just want to say that I couldn't get Cloudflare to work with DNS over TLS either, but Quad9 works. Haven't looked into the logs yet, just that I seemed able to ping sites from within pfSense, but not from my desktop and others. 
- 
 Same here. 