DNS SSL/TLS + pfBlockerNG -Develop + VLANs +Quad9 ?



  • Looking to make my DNS as strong and as safe as I can. As the title suggests I was hoping to layer Quad9 and the pfBlocker functionality with my multiple Vlans. Is this possible? If so any suggested guides? My setup is:

    2 VLANs
    Currently using Unbound
    pfBlockerNG
    I use a VPN provider and move my traffic though VPN
    My DNS traffic and ports 80 and 443 are forced thru my VPN

    I have been using pfBlockerNG for a while and again can't thank BBCan enough. Just recently succesfully upgraded to 2.4.4 and was looking to do the same with pfBlocker-develop as well.

    Thanks for any thoughts or help.



  • DNS SSL/TLS + pfBlockerNG -Develop + VLANs +Quad9?

    I'm running 3 out of 4 of those :-) Sorry not routing through VPN or using any VLANs, but maybe you will find some parts of this thread useful.....

    https://forum.netgate.com/topic/135832/quad9-dns-over-tls-setup-with-unbound-forwarding-in-2-4-4-rc



  • Very helpful...Thx. It appears to be working:

    dnsleaktest.com = Quad9 = Woodynet
    IPv4 and DNSBL alerts are triggered

    What concerns me is that the Netgate instructions ask that you add the following into the "Custom Options" of the "DNS Resolver":

    forward-addr: 9.9.9.9@853
    forward-addr: 149.112.112.112@853

    https://www.netgate.com/blog/dns-over-tls-with-pfsense.html

    Is this needed if you have the "Enable Forwarding Mode" checked per your link?

    Thanks again to any one who can help...

    (I have a few other "DNS TLS" and "pfBlocker-Devel" questions but I'll open a seperate topic...seperate topic...



  • Looks like those forward and TLS settings are in the GUI:
    Enable Forwarding Mode
    Use SSL/TLS for outgoing DNS Queries to Forwarding Servers

    per: https://forum.netgate.com/topic/135974/dns-over-tls-2-4-3-to-2-4-4/2



  • I, also, have been trying to make my DNS as secure as possible while using CARP, pfBlockerNG (devel) and PIA VPN. I tried configuring the Quad9 DNS, but ended up with a large list of DNS responses in dnsleaktest.com. According to the PIA KB / support, they say that as long as you use their DNS servers (209.222.18.222 & 209.222.18.218), your DNS is running inside their encrypted VPN tunnel anyway, so SSL/TLS isn't necessary. That logic seems sound. When properly configured, dnsleaktest.com responses with only one (PIA) DNS server. This is the only configuration I've found to do so. At this point, I've given up on Quad9.

    I might be wrong. Having 12 Quad9 DNS servers respond to my DNS test may be better than one PIA VPN DNS server responding. I just don't trust seeing 12+ as I can't keep track of them all and don't like that many servers logging my data, even if they are (supposedly) anonymous.

    Further, I've found PIA VPN to be the only one with their own DNS servers. I spent a lot of time testing out ExpressVPN. It's supposedly faster, but I did not find that to be true. Best guess, that is just based on some 'paid for' reviews.