How to verify DNS over TLS is working through packet capture?



  • Hello, I'm trying to verify that DNS over TLS is working through packet capture. I selected the WAN interface and port 853, but the capture is showing nothing. Does this mean it is not working, or am I not capturing correctly?


  • LAYER 8 Global Moderator

    If you're not seeing anything captured on your WAN interface using 853 as the port, then either you're not sending anything on 853 or you're not using the WAN interface you think you are. If you capture just WAN without setting a port, do you see data?

    Do you see queries go out on just 53, normal DNS?



  • @johnpoz:

    If you're not seeing anything captured on your WAN interface using 853 as the port, then either you're not sending anything on 853 or you're not using the WAN interface you think you are. If you capture just WAN without setting a port, do you see data?

    Do you see queries go out on just 53, normal DNS?

    I see data without selecting a port, also on port 53, but nothing on port 853. I only have one WAN interface.


  • LAYER 8 Global Moderator

    Well, if you're seeing stuff go out on default DNS, is it going where you're wanting to forward it? Or all over the place, like a resolver does out of the box?

    Are your clients actually pointing to pfSense for their DNS, or are they going directly out to some DNS server?



  • @johnpoz:

    Well, if you're seeing stuff go out on default DNS, is it going where you're wanting to forward it? Or all over the place, like a resolver does out of the box?

    Are your clients actually pointing to pfSense for their DNS, or are they going directly out to some DNS server?

    It turns out the issue was because of my wireless router running IPFire, which set the DNS server to "local recursor" instead of using pfSense as the DNS server through DHCP :-[ I had to force it to use pfSense as its DNS.

    Now capturing packets on port 853 shows requests going through 9.9.9.9.

    Thanks for the help!
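    The checks in this thread (is anything leaving WAN on 853, is plain 53 still going out, and is it all headed to the intended forwarder) can be automated over a text capture. The script below is an added example, not from the thread or from pfSense; it parses `tcpdump -n` style lines (the sample lines are constructed) and assumes 9.9.9.9 is the configured DoT forwarder and 203.0.113.5 is the WAN address.

```python
# Added example: summarise outbound DNS seen on the pfSense WAN interface to tell
# DNS over TLS (TCP/853 to the forwarder) apart from plain DNS (UDP/53) leaking out.
import re
from collections import Counter

# Constructed tcpdump -n output lines (not a real capture from the thread).
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 203.0.113.5.51234 > 9.9.9.9.853: Flags [S], seq 1, win 65535, length 0
12:00:01.000500 IP 9.9.9.9.853 > 203.0.113.5.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:01.100000 IP 203.0.113.5.44000 > 9.9.9.9.853: Flags [P.], seq 1:200, ack 1, win 65535, length 199
12:00:02.000000 IP 203.0.113.5.40001 > 198.51.100.53.53: 12345+ A? example.com. (29)
12:00:02.500000 IP 203.0.113.5.40002 > 192.0.2.1.53: 23456+ AAAA? example.net. (29)
"""

# "IP src.sport > dst.dport:"; the greedy group leaves the last dotted field as the port.
LINE_RE = re.compile(r"IP6? (\S+)\.(\d+) > (\S+)\.(\d+):")
EXPECTED_FORWARDER = "9.9.9.9"  # assumption: the DoT upstream used in the thread


def summarise_dns(capture_text, wan_ip, forwarder=EXPECTED_FORWARDER):
    """Return (dot_by_dst, plain_by_dst, unexpected_dsts) for packets sent from wan_ip."""
    dot, plain = Counter(), Counter()
    for line in capture_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group(1) != wan_ip:
            continue  # inbound, or not from the WAN address we expect to see
        dst, dport = m.group(3), m.group(4)
        if dport == "853":
            dot[dst] += 1
        elif dport == "53":
            plain[dst] += 1
    # With DoT forwarding in place, no plaintext 53 should leave WAN at all, and
    # 853 traffic should only go to the configured forwarder.
    unexpected = sorted(set(plain) | {d for d in dot if d != forwarder})
    return dot, plain, unexpected


def verdict(dot, plain, unexpected):
    """One-line interpretation matching the diagnostic steps in the thread."""
    if not dot and not plain:
        return "no DNS on WAN: wrong interface, or clients are not using pfSense for DNS"
    if dot and not plain and not unexpected:
        return "DoT working: all queries go to the forwarder on port 853"
    if plain and not dot:
        return "plain DNS only: DoT is not in use"
    return "mixed: some queries leave WAN outside DoT"


if __name__ == "__main__":
    d, p, u = summarise_dns(SAMPLE_CAPTURE, "203.0.113.5")
    print(dict(d), dict(p), u, verdict(d, p, u))
```

    On pfSense the input can come from the Diagnostics packet capture output or from `tcpdump -ni <wan-interface> 'port 853 or port 53'` saved to a text file.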

