Netgate Discussion Forum
    DNS SSL/TLS + pfBlockerNG-Develop + VLANs + Quad9?

    Category: pfBlockerNG
    5 Posts 4 Posters 2.1k Views
    Velcro

      Looking to make my DNS as strong and as safe as I can. As the title suggests I was hoping to layer Quad9 and the pfBlocker functionality with my multiple VLANs. Is this possible? If so any suggested guides? My setup is:

      2 VLANs
      Currently using Unbound
      pfBlockerNG
      I use a VPN provider and move my traffic through VPN
      My DNS traffic and ports 80 and 443 are forced through my VPN

      I have been using pfBlockerNG for a while and again can't thank BBCan enough. Just recently successfully upgraded to 2.4.4 and was looking to do the same with pfBlocker-develop as well.

      Thanks for any thoughts or help.

        occamsrazor

        DNS SSL/TLS + pfBlockerNG -Develop + VLANs +Quad9?

        I'm running 3 out of 4 of those :-) Sorry, not routing through VPN or using any VLANs, but maybe you will find some parts of this thread useful...

        https://forum.netgate.com/topic/135832/quad9-dns-over-tls-setup-with-unbound-forwarding-in-2-4-4-rc

        pfSense CE on Qotom Q355G4 8GB RAM/60GB SSD
        Ubiquiti Unifi wired and wireless network, APC UPSs
        Mac OSX and IOS devices, QNAP NAS

          Velcro

          Very helpful...Thx. It appears to be working:

          dnsleaktest.com = Quad9 = Woodynet
          IPv4 and DNSBL alerts are triggered

          What concerns me is that the Netgate instructions ask that you add the following into the "Custom Options" of the "DNS Resolver":

          forward-addr: 9.9.9.9@853
          forward-addr: 149.112.112.112@853

          https://www.netgate.com/blog/dns-over-tls-with-pfsense.html

          Is this needed if you have the "Enable Forwarding Mode" checked per your link?

          Thanks again to any one who can help...

          (I have a few other "DNS TLS" and "pfBlocker-Devel" questions but I'll open a separate topic...)

            doomrapta

            Looks like those forward and TLS settings are in the GUI:
            Enable Forwarding Mode
            Use SSL/TLS for outgoing DNS Queries to Forwarding Servers

            per: https://forum.netgate.com/topic/135974/dns-over-tls-2-4-3-to-2-4-4/2

              talaverde
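The Unbound directives behind the two `forward-addr` lines and the two GUI checkboxes discussed above, as an added example that is not part of this thread and not pfSense's generated configuration; the Unbound version, the CA bundle path and the `dns.quad9.net` authentication name are assumptions made for the example:

```conf
# Constructed Unbound DNS-over-TLS forwarding example (Unbound >= 1.7.3 assumed).
# "Enable Forwarding Mode" corresponds to a forward-zone for ".";
# "Use SSL/TLS for outgoing DNS Queries" corresponds to forward-tls-upstream.
server:
    # CA bundle used to validate the upstream server certificate. The path is an
    # assumption (FreeBSD/pfSense ships ca-root-nss; other systems differ).
    tls-cert-bundle: /usr/local/share/certs/ca-root-nss.crt

forward-zone:
    name: "."
    # Encrypt the forwarded queries over TCP/853 ...
    forward-tls-upstream: yes
    # ... and authenticate the server as well: the "#dns.quad9.net" suffix makes
    # Unbound check the certificate name. A bare "forward-addr: 9.9.9.9@853"
    # without forward-tls-upstream sends cleartext to port 853 and fails; with it
    # but without the #name suffix the session is encrypted but not authenticated.
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
```

After a change like this, a check that only the forwarders appear in a leak test (as the thread does with dnsleaktest.com) confirms the zone is active, while the authentication name is what guards against a forged upstream.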

              I, also, have been trying to make my DNS as secure as possible while using CARP, pfBlockerNG (devel) and PIA VPN. I tried configuring the Quad9 DNS, but ended up with a large list of DNS responses in dnsleaktest.com. According to the PIA KB / support, they say that as long as you use their DNS servers (209.222.18.222 & 209.222.18.218), your DNS is running inside their encrypted VPN tunnel anyway, so SSL/TLS isn't necessary. That logic seems sound. When properly configured, dnsleaktest.com responds with only one (PIA) DNS server. This is the only configuration I've found to do so. At this point, I've given up on Quad9.

              I might be wrong. Having 12 Quad9 DNS servers respond to my DNS test may be better than one PIA VPN DNS server responding. I just don't trust seeing 12+ as I can't keep track of them all and don't like that many servers logging my data, even if they are (supposedly) anonymous.

              Further, I've found PIA VPN to be the only one with their own DNS servers. I spent a lot of time testing out ExpressVPN. It's supposedly faster, but I did not find that to be true. Best guess, that is just based on some 'paid for' reviews.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.