Setup DNS over TLS on pfSense 2.4.4 p2 - Guide

Gertjan

@duncan-young said in Setup DNS over TLS on pfSense 2.4.4 p2 - Guide:

I am thinking that local pfsense services are using the /etc/resolv.conf and sometimes not going to 127.0.0.1, in which case a direct UDP to 53 is being used.

That means that these services have some kind of resolver integrated.
In that case you should set up these services to use the local unbound' facilities.
But, as far as I know, such kind of services are not used by pfSense.
Some package ?

@duncan-young said in Setup DNS over TLS on pfSense 2.4.4 p2 - Guide:

PFSense is sending out requests to UDP 53

Do not forget to filter TCP:53 requests.

@duncan-young said in Setup DNS over TLS on pfSense 2.4.4 p2 - Guide:

but idealy the forwarding resolver should be using a different list. i.e. resolve.conf: 127.0.0.1 and forwarding 1.1.1.1, 1.0.0.1 with TLS etc.

Noop.
unbound, as any other local resolver/forwarder uses the system file /etc/resolv.conf
Check also your main unbound config file, /var/unbound/unbound.conf

Qinn

I've configured DoT using Quad9 and a floating rule to reject any to any on port 53,
ScreenHunter_195 Dec. 06 12.07.png
the only difference between the first picture in this tread is my "System / General Setup" as t I have unchecked "disable DNS forwarder".

When I test https://tenta.com/test/ it tells me that tls is false?

Thanks for any help, cheers Qinn

johnpoz

@Qinn said in Setup DNS over TLS on pfSense 2.4.4 p2 - Guide:

as t I have unchecked "disable DNS forwarder".

Then pfsense wouldn't use itself for dns..
Do not use the DNS Forwarder/DNS Resolver as a DNS server for the firewall

That should always be "unchecked" to be honest. Unless you don't want pfsense using is own local dns be it the the forwarder or the resolver. This is not a guide to how to do dns over tls - its one persons mistaken take on how to do it.. Not correct by any means.

Qinn

Could you tell me then what I should do to use dns over tls?

johnpoz

Click the little buttons in the gui ;)

You do not need to tell pfsense not to use itself.. And you don't want to use dnssec when forwarding..

If you uncheck pfsense to use itself - then it could directly try and contact what is listed in general, and its not going to use tls..

Qinn

@johnpoz said in Setup DNS over TLS on pfSense 2.4.4 p2 - Guide:

Click the little buttons in the gui ;)

You do not need to tell pfsense not to use itself.. And you don't want to use dnssec when forwarding..

If you uncheck pfsense to use itself - then it could directly try and contact what is listed in general, and its not going to use tls..

@johnpoz ROFL ;) "mea culpa" I just had to add all screens (see below), then I could have avoided the response. As you can see those ones were checked when I performed the check at https://tenta.com/test/ and strangely false on tls?

Firefox_Screenshot_2019-12-06T14-33-42.081Z.png

Firefox_Screenshot_2019-12-06T14-34-12.691Z.png

Firefox_Screenshot_2019-12-06T14-34-25.470Z.png

Firefox_Screenshot_2019-12-06T14-42-13.115Z.png

bcruze

only one part missing:

Does Quad9 support DNS over TLS?

We do support DNS over TLS on port 853 (the standard) using an auth name of dns.quad9.net.

My ISP captures port 53, is there another port I can use for Quad9?

We support standard DNS queries on port 9953 as well as 53. In addition we support DNS-over-TLS on the standard port of 853 using the auth name of dns.quad9.net. For more information on the configuration of DNS-over-TLS see the DNS Privacy Project.

https://www.quad9.net/faq/

Qinn

Maybe someone has an idea why I still get false on tls enabled, when check pfSense ( https://tenta.com/test/ ) using the settings in my last post.

Thanks for any idea's cheers Qinn

MoonKnight

@Qinn said in Setup DNS over TLS on pfSense 2.4.4 p2 - Guide:

Maybe someone has an idea why I still get false on tls enabled, when check pfSense ( https://tenta.com/test/ ) using the settings in my last post.

Thanks for any idea's cheers Qinn

Hi,
Could you try run these tests:
https://www.cloudflare.com/ssl/encrypted-sni/
https://dnssec.vs.uni-due.de/
http://en.conn.internet.nl/connection/
https://1.1.1.1/help

johnpoz

Not sure how you think that test would show you if your using TLS for dns??

The only freaking way they could tell is if you directly asked them... There is no other way for them to know this... Its not possible..

You forward to 1.2.3.4 via tls... So your query to them is encrypted via tls... They look up something.whatever.tld in this dns test.. How does that site have any freaking clue that you asked 1.2.3.4 via encryption or not??

They cant!!! The only way they could know if your client directly talked to one of their NS via tls - which is not how it works... That test is nonsense...

Only way to show that your using tls, is a test site run by who your forwarding to via tls.. Like the cloudflare test when forwarding to them..

Or just sniff on your wan -- are you seeing any dns go out of 53??

here this took 2 seconds..

Me normally resolving

Now me forwarding to 1.1.1.1 via tls.

edit: that stupid site... Now that using clouldflare via tls is now giving me warning and saying not using tls or dnssec.

That site has one goal -- to get you to use their VPN service/browser... Nothing more..

Qinn

@johnpoz Thanks for your patience and time, kudos ;) an the logic is sound, the only site that knows if tls is working is dns you are forwarding to.

Firefox_Screenshot_2019-12-07T15-13-00.140Z.png

Firefox_Screenshot_2019-12-07T15-07-22.227Z.png

johnpoz

So now your sure your ISP doesn't know you did a query for pfsense.org or amazon.com ;) Cloudflare does - but they are really trust worthy - Just ask them ;)

Qinn

@johnpoz Good question, so maybe move over again to just unbound, so without TLS for outgoing DNS Queries to the Forwarding Servers of Cloudflare ;)

This guy jfb sums it up quite nicely...

https://discourse.pi-hole.net/t/general-consensus-to-use-cloudflare-proxy-or-unbound/19120/3

johnpoz

Pfsense out of the box resolves and uses dnssec.. And yeah he makes all good points there about resolving vs forwarding.

Keep in mind while you can turn on the minimization to only ask roots for say .tld vs host.domain.tld, and ask the tld NS only for domain.tld vs host.domain.tls

This will for sure break some domains - can promise you that! Tested this quite some time ago - there is for sure atleast one thread here going over that - before it was even a gui option. So if you want to use that feature - be prepared for some stuff not to work.

Also just because dnssec is enabled and being used, only works for domains that actually use it.. Which is no where close to all of them ;)

The biggest point on that list is #6, complete control over your own resolver.

Qinn

@johnpoz Yes control is a big point, that's why I don't like DoH in browsers might become default. So I am back to using just unbound and no forwarding and thus tls. Btw which settings would you recommend?

Firefox_Screenshot_2019-12-07T16-39-36.945Z.png

musicwizard

@johnpoz Im not using Cloudflare but Quad9 they might not be better but ok.

do you know if there will be a option in pfsense to do the encrypted DNS intern and not longer rely on other parties?

johnpoz

@musicwizard said in Setup DNS over TLS on pfSense 2.4.4 p2 - Guide:

pfsense to do the encrypted DNS intern

Huh??? That makes zero sense... You want to do encrypted dns from your local client to your local NS?

musicwizard

@johnpoz No to the root servers.

jimp

For it to work in resolver mode, that would require the roots and every other authoritative DNS server to support DNS over TLS. I'm not aware of any plans to make that happen.

musicwizard

@jimp Thank you that what i was wondering about.