Setup DNS over TLS on pfSense 2.4.4 p2 - Guide



  • Having become aware that more and more DNS providers offer DNS over TLS, I decided to try a setup with my pfSense.
    As the Netgate guide for DNS over TLS with pfSense does not cover the latest pfSense release 2.4.4 p2, I’d like to share my experience and setup.

    In my case, I use the Quad9 DNS servers.

    Step 1:
    Ensure Quad9 DNS servers are used. Go to System > General Settings and under DNS servers add IP addresses for Quad9 DNS servers and select the WAN gateway.
    Make sure the DNS Server Override is unchecked, as we don’t want the Quad9 DNS servers to be replaced by the ISP’s servers.

    [screenshot]

    Step 2:
    The DNS resolver needs to be changed accordingly. Navigate to Services > DNS Resolver.
    Make sure the DNS resolver is enabled at all. Verify that you selected ALL network interfaces. Enable DNSSEC Support, DNS Query Forwarding and check the usage of SSL/TLS.

    UPDATE: Leave DNSSEC UNCHECKED, as it's simply not necessary, as pointed out by @johnpoz in his post below - thx for that!

    With the DNS Query forwarding the Quad9 DNS servers of step 1 will be used.

    [screenshot]

    Et voila, that’s it!

    Step 3:
    The setup is pretty straightforward, but no setup without verification.

    Therefore go to Diagnostics > States, filter for the Quad9 DNS Server IP (9.9.9.9) and you will see that the DNS protocol is now TCP (whereas default DNS on port 53 is UDP) and the port is 853.
    Don’t get confused here by my interface name (TGINTERFACE). I use a VPN provider and the DNS queries are not sent through WAN, but through the VPN interface.

    [screenshot]

    An additional verification is to use Packet Capture. Go to Diagnostics > Packet Capture. Select your interface (probably WAN if you do not use a VPN provider or something similar) and enter, for example, the port 853.
    Press “start” and browse a website. Hit the stop-button and you will see a packet capture looking similar to this.

    [screenshot]

    As you can see, the DNS queries go to the Quad9 DNS Servers over port 853.
    I also put in the default DNS port 53 to double-check whether queries go to the default port. The packet capture came up empty, so everything looks fine.

    As I am a very careful person, I also added some floating firewall rules to prevent DNS resolution over port 53, and I only allow DNS resolution to the Quad9 servers using port 853.
    I don’t know if this is actually necessary.

    [screenshot]

    In a second step, we are going to verify the DNSSEC support. Simply go to https://dnssec.vs.uni-due.de/ and hit “start test”.

    Now, if everything works as planned, the little guy gives us a thumbs up.

    [screenshot]

    Otherwise you’ll get a:

    [screenshot]

    Make sure to use private browsing or to clear the cache when toggling DNSSEC on/off and testing.

    That’s it.

    Let me know if I missed anything here. I'd appreciate some feedback as well on the floating rules that block DNS over port 53. I really don't know if this is necessary. If I remember right, I saw some queries going to port 53 even though I had TLS activated. I just tried to reproduce this now, but the packet capture on port 53 keeps being empty even after I deactivated the floating rules.
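    The packet-capture check above (capture on port 853, then on port 53 and expect nothing) can be automated. The script below is an added example, not code from the original post, pfSense or Netgate: it reads tcpdump-style lines as pfSense's Packet Capture prints them and flags every outbound DNS query that is not TCP/853 to an allowed resolver. The capture lines are constructed (RFC 5737 addresses stand in for an ISP resolver); only the Quad9 address 9.9.9.9 comes from the thread.

```python
"""Spot DNS traffic that bypasses DNS over TLS in a tcpdump-style capture.

Example code added to this thread; not from the original post, pfSense or
Netgate. The sample capture below is constructed; only 9.9.9.9 (Quad9) is
taken from the thread.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

DOT_PORT = 853        # DNS over TLS (RFC 7858)
PLAIN_DNS_PORT = 53   # classic, unencrypted DNS

# tcpdump format: "<ts> IP <src>.<sport> > <dst>.<dport>: <summary>".
# TCP segments carry "Flags [...]"; for UDP DNS, tcpdump prints the
# query/response summary instead.
_LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): (?P<rest>.*)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str
    reason: str


def parse_line(line: str) -> Optional[Tuple[str, str, str, int, str]]:
    """Return (ts, src, dst, dport, proto) or None for lines that don't match."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    proto = "tcp" if m["rest"].startswith("Flags [") else "udp"
    return m["ts"], m["src"], m["dst"], int(m["dport"]), proto


def find_dns_leaks(lines: Iterable[str], allowed_servers: Set[str]) -> List[Finding]:
    """Flag every outbound DNS packet that is not DoT to an allowed server.

    Only packets whose *destination* port is 53 or 853 are queries from our
    side; replies carry the server port as source port and are skipped.
    """
    findings: List[Finding] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dst, dport, proto = parsed
        if dport == PLAIN_DNS_PORT:
            reason = "plaintext DNS on port 53"
        elif dport == DOT_PORT and dst not in allowed_servers:
            reason = "port 853 to a server outside the allow-list"
        elif dport == DOT_PORT and proto != "tcp":
            reason = "port 853 but not TCP (DoT runs over TCP)"
        else:
            continue  # DoT to an allowed server, or not DNS at all
        findings.append(Finding(ts, src, dst, dport, proto, reason))
    return findings


# Constructed sample: a DoT handshake to Quad9 (fine), a plaintext query to an
# ISP resolver (198.51.100.53, RFC 5737 test address) and a plaintext query to
# Quad9 itself (both leaks).
SAMPLE_CAPTURE = """\
17:42:01.000101 IP 192.168.1.1.51522 > 9.9.9.9.853: Flags [S], seq 1111, win 65535, length 0
17:42:01.012345 IP 9.9.9.9.853 > 192.168.1.1.51522: Flags [S.], seq 2222, ack 1112, win 65535, length 0
17:42:01.020000 IP 192.168.1.1.51522 > 9.9.9.9.853: Flags [P.], seq 1112:1410, ack 2223, win 1026, length 298
17:42:02.500000 IP 192.168.1.1.44012 > 198.51.100.53.53: 31337+ A? example.com. (29)
17:42:03.100000 IP 192.168.1.1.44013 > 9.9.9.9.53: 4242+ AAAA? example.net. (29)
"""

QUAD9 = {"9.9.9.9"}

if __name__ == "__main__":
    leaks = find_dns_leaks(SAMPLE_CAPTURE.splitlines(), QUAD9)
    for f in leaks:
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport}/{f.proto}: {f.reason}")
    print("no leaks" if not leaks else f"{len(leaks)} leak(s) found")
```

    Run it against a capture saved from Diagnostics > Packet Capture (port filter left empty so both 53 and 853 are recorded); with the floating rules in place the plaintext hits should disappear, which is exactly the leak prevention the rules are for.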



  • @laus3r said in Setup DNS over TLS on pfSense 2.4.4 p1:

    Let me know if I missed anything here. I'd appreciate some feedback as well on the floating rules that block DNS over port 53. I really don't know if this is necessary. If I remember right, I saw some queries going to port 53 even though I had TLS activated. I just tried to reproduce this now, but the packet capture on port 53 keeps being empty even after I deactivated the floating rules.

    I remember now the reason for the floating rule for DNS over port 53 - DNS leak prevention! :-)

    By making sure that absolutely no DNS queries go out on port 53 and only over TLS on port 853, DNS leaks are prevented. This aspect is especially important if you use a VPN provider.
    You can check for DNS leaks on several sites, for example
    https://www.dnsleaktest.com
    http://dnsleak.com/

    When running a test, you should never see your ISP's WAN IP. If you do, you have a DNS leak.


  • LAYER 8 Global Moderator

    You do understand that the dnssec, if you're going to forward, is pointless, right... Using quad9 will pass the dnssec test you pointed to whether you enable dnssec or not... Since they do dnssec without you having enabled it..

    Just set up your end machine to point to quad9 for dns... Then run that test you linked to.

    If you're going to forward in unbound, there is ZERO reason to checkbox the dnssec. Resolvers validate dnssec, not forwarders.

    dnssec works

    $ dig @9.9.9.9 www.dnssec-failed.org
    
    ; <<>> DiG 9.12.3-P1 <<>> @9.9.9.9 www.dnssec-failed.org
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 5771
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;www.dnssec-failed.org.         IN      A
    
    ;; Query time: 24 msec
    ;; SERVER: 9.9.9.9#53(9.9.9.9)
    ;; WHEN: Wed Jan 23 05:50:43 Central Standard Time 2019
    ;; MSG SIZE  rcvd: 50
    

    non-dnssec dns server.

    $ dig @4.2.2.2 www.dnssec-failed.org
    
    ; <<>> DiG 9.12.3-P1 <<>> @4.2.2.2 www.dnssec-failed.org
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17404
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 8192
    ;; QUESTION SECTION:
    ;www.dnssec-failed.org.         IN      A
    
    ;; ANSWER SECTION:
    www.dnssec-failed.org.  7200    IN      A       69.252.193.191
    www.dnssec-failed.org.  7200    IN      A       68.87.109.242
    
    ;; Query time: 34 msec
    ;; SERVER: 4.2.2.2#53(4.2.2.2)
    ;; WHEN: Wed Jan 23 05:51:46 Central Standard Time 2019
    ;; MSG SIZE  rcvd: 82
    

    So go ahead and remove your checkbox from dnssec in unbound, and try your test again.. Having your forwarder do dnssec is pretty freaking pointless, and only causes unneeded dns traffic.
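    The two dig runs above are the whole test: a validating resolver answers SERVFAIL for the deliberately mis-signed www.dnssec-failed.org, a non-validating one hands out the bogus A records. The script below is an added example (not from this post, pfSense or unbound) that parses dig output and returns that verdict, so the check can be repeated against any resolver, including the pfSense box itself from a LAN client. The first two sample outputs are abridged copies of the ones quoted above; the third, a correctly signed name answered with the AD flag, is constructed.

```python
"""Decide from `dig` output whether the queried resolver validates DNSSEC.

Example code added to this thread; not from the post above, pfSense or
unbound. Probe: query a known mis-signed name. A validating resolver
returns SERVFAIL and no data; a non-validating one returns the records.
"""
import re
from typing import Dict, Set, Union

_HEADER_RE = re.compile(
    r"->>HEADER<<- opcode: (?P<opcode>\w+), status: (?P<status>\w+), id: (?P<id>\d+)")
# flags line also carries the section counts: "flags: qr rd ra; QUERY: 1, ANSWER: 0, ..."
_FLAGS_RE = re.compile(r"^;; flags:\s*(?P<flags>[a-z ]*?);.*?ANSWER: (?P<answers>\d+)", re.M)
_SERVER_RE = re.compile(r"^;; SERVER: (?P<server>[\d.]+)#(?P<port>\d+)", re.M)


def parse_dig(text: str) -> Dict[str, Union[str, int, Set[str]]]:
    """Extract status, header flags, answer count and server from dig output."""
    header, flags, server = (_HEADER_RE.search(text), _FLAGS_RE.search(text),
                             _SERVER_RE.search(text))
    if not (header and flags and server):
        raise ValueError("not a complete dig response")
    return {
        "status": header["status"],
        "flags": set(flags["flags"].split()),
        "answers": int(flags["answers"]),
        "server": server["server"],
        "port": int(server["port"]),
    }


def judge_bogus_probe(text: str) -> str:
    """Verdict for a query against a known-bogus (mis-signed) name.

    SERVFAIL with no answers -> "validating"     (data withheld)
    NOERROR with answers     -> "not-validating" (bogus data served)
    anything else            -> "inconclusive"   (timeout, NXDOMAIN, ...)
    """
    r = parse_dig(text)
    if r["status"] == "SERVFAIL" and r["answers"] == 0:
        return "validating"
    if r["status"] == "NOERROR" and r["answers"] > 0:
        return "not-validating"
    return "inconclusive"


def asserts_authentic(text: str) -> bool:
    """For a *correctly* signed name: the AD flag means the resolver validated it."""
    return "ad" in parse_dig(text)["flags"]


# Abridged from the thread: Quad9 (validating) ...
QUAD9_BOGUS = """\
; <<>> DiG 9.12.3-P1 <<>> @9.9.9.9 www.dnssec-failed.org
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 5771
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;www.dnssec-failed.org.         IN      A
;; SERVER: 9.9.9.9#53(9.9.9.9)
"""
# ... and a non-validating server.
NONVALIDATING_BOGUS = """\
; <<>> DiG 9.12.3-P1 <<>> @4.2.2.2 www.dnssec-failed.org
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17404
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
www.dnssec-failed.org.  7200    IN      A       69.252.193.191
www.dnssec-failed.org.  7200    IN      A       68.87.109.242
;; SERVER: 4.2.2.2#53(4.2.2.2)
"""
# Constructed: a correctly signed name, answered with the AD (authenticated data) flag.
SIGNED_OK_CONSTRUCTED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31415
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
www.example.com.        3600    IN      A       192.0.2.10
;; SERVER: 9.9.9.9#53(9.9.9.9)
"""

if __name__ == "__main__":
    for name, out in (("quad9", QUAD9_BOGUS), ("4.2.2.2", NONVALIDATING_BOGUS)):
        print(f"{name}: {judge_bogus_probe(out)}")
    print("AD flag on signed name:", asserts_authentic(SIGNED_OK_CONSTRUCTED))
```

    Pipe real output in (`dig @<resolver> www.dnssec-failed.org | python3 check.py` with a small stdin wrapper) and point it at the pfSense LAN address: with unbound forwarding to Quad9 and the DNSSEC box unchecked, the verdict is still "validating", because Quad9 does the validation upstream, which is the point made above.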



  • So your custom options within DNS Resolver are left... blank?

    I am still following the directions posted at https://www.netgate.com/blog/dns-over-tls-with-pfsense.html



  • @bcruze this custom option was necessary on previous versions of pfSense. Now you have a checkbox for this: "Use SSL/TLS for outgoing DNS Queries to Forwarding Server".



  • @johnpoz said in Setup DNS over TLS on pfSense 2.4.4 p2 - Guide:

    You do understand that the dnssec, if you're going to forward, is pointless, right... Using quad9 will pass the dnssec test you pointed to whether you enable dnssec or not... Since they do dnssec without you having enabled it..

    Just set up your end machine to point to quad9 for dns... Then run that test you linked to.

    If you're going to forward in unbound, there is ZERO reason to checkbox the dnssec. Resolvers validate dnssec, not forwarders.

    dnssec works

    $ dig @9.9.9.9 www.dnssec-failed.org
    
    ; <<>> DiG 9.12.3-P1 <<>> @9.9.9.9 www.dnssec-failed.org
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 5771
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;www.dnssec-failed.org.         IN      A
    
    ;; Query time: 24 msec
    ;; SERVER: 9.9.9.9#53(9.9.9.9)
    ;; WHEN: Wed Jan 23 05:50:43 Central Standard Time 2019
    ;; MSG SIZE  rcvd: 50
    

    non-dnssec dns server.

    $ dig @4.2.2.2 www.dnssec-failed.org
    
    ; <<>> DiG 9.12.3-P1 <<>> @4.2.2.2 www.dnssec-failed.org
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17404
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 8192
    ;; QUESTION SECTION:
    ;www.dnssec-failed.org.         IN      A
    
    ;; ANSWER SECTION:
    www.dnssec-failed.org.  7200    IN      A       69.252.193.191
    www.dnssec-failed.org.  7200    IN      A       68.87.109.242
    
    ;; Query time: 34 msec
    ;; SERVER: 4.2.2.2#53(4.2.2.2)
    ;; WHEN: Wed Jan 23 05:51:46 Central Standard Time 2019
    ;; MSG SIZE  rcvd: 82
    

    So go ahead and remove your checkbox from dnssec in unbound, and try your test again.. Having your forwarder do dnssec is pretty freaking pointless, and only causes unneeded dns traffic.

    @johnpoz, yeah, you are 100% right. Thx for the explanation. I'll update the post accordingly and put the DNSSEC checkbox to "Unchecked".

