Does encrypting DNS queries over TLS have an effect on streaming TV?
-
Hello. I have been using a SG-1000 microfirewall for a while and it suits me well. It performs double NATting (acts as a second router) behind my ISP's mandatory-supplied first router (Orange). For security purposes, I felt like encrypting DNS queries over TLS was a good idea, using Cloudflare and/or Quad9. Since the conclusion of the following post (Send DNS queries over TLS), my setup has been:
On System > General
The DNS server entries are set to 1.1.1.1, 1.0.0.1, 9.9.9.9 and 149.112.112.112.
"DNS Server Override" and "Disable DNS Forwarder" are not checked.
On Services > DNS Resolver
"Enable DNSSEC support", "Enable Forwarding Mode" and "Use SSL/TLS for outgoing DNS Queries to Forwarding Servers" are checked.
On Services > DNS Forwarder, DNS Forwarder is not enabled. This has worked for me, so far. However, at these times, my TV set was only connected to an antenna and not to the internet.
A week ago, given that my VDSL Download rate, being about 20000 to 25000 kb/s, seems more than sufficient for HD TV streaming, I decided to use an Apple TV 4th generation and streaming services like Molotov TV. The Apple TV is connected to the pfSense SG-1000 main LAN and traffic shaping is unchanged on the pfSense box (HFSC standard).
The Apple TV went immediately wrong. While Speedtest on the Apple TV indicated strong and stable download rate (except it could not determine whether or not packets were lost), any connection took over a minute, or an eternity, to establish, or I would receive the sound but not the image. Something was wrong. I suspected traffic shaping: more on that later as traffic shaping was not the primary cause. Then I read on stackexchange that not using my ISP's DNS servers could be the cause.
Indeed the primary cause was on my DNS setup.
After exploring my options by trial and error, I decided as a starting point to select and pinpoint to this forum (pfSense) the configuration which works with one and only one change.
The working configuration is the same as the above, except that "Enable Forwarding Mode" is no longer checked.
I like to understand matters: it helps in finding rational solutions. What could be the cause of this drastic change:
When I check "Enable Forwarding Mode", Molotov TV does not work on my Apple TV; and
When I uncheck "Enable Forwarding Mode", Molotov TV works beautifully on my Apple TV.
Can anyone suggest a cause for that behavior?
Then could anyone propose optimisation to my DNS setup?
How do I determine that I can save my choice of encrypting DNS queries?
TIA
-
With forwarding mode on, the queries are sent to those (public, generic) servers so sometimes content delivery networks can't find an optimal path to you. Those public DNS servers may also be sending you responses that aren't what you expect.
With forwarding mode off, the resolver sends queries straight to the roots and CDNs are probably much happier with seeing the queries that way.
DNS over TLS would only be active in forwarding mode, but I don't see that specifically being the only cause here. It would be slower, but that would only be slow building the initial connection, not once it was established.
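To make the two configurations in this thread concrete (the poster's settings in the first post, and the forwarding vs. recursive distinction in the reply above), here is an added example that is not from the thread or from pfSense itself. It embeds two constructed unbound.conf fragments mirroring what the DNS Resolver page is assumed to generate for "Enable Forwarding Mode" + "Use SSL/TLS" checked and for forwarding mode unchecked, parses them, and reports which resolution path is in effect and whether every upstream is actually on the TLS port. The exact text pfSense writes to /var/unbound/unbound.conf may differ; the parser is written for the flat unbound.conf grammar so it can be pointed at the real file.

```python
"""Classify an unbound.conf the way the pfSense DNS Resolver checkboxes set it up.

Added example, not code from the thread or the pfSense project. The two sample
configs are constructed to mirror the poster's settings; the exact text pfSense
generates is an assumption.
"""
import re
import sys

# Constructed sample: "Enable Forwarding Mode" and "Use SSL/TLS" both checked.
FORWARDING_TLS_CONF = """\
server:
    interface: 192.168.1.1
    do-not-query-localhost: no
    tls-cert-bundle: "/etc/ssl/cert.pem"

forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853
    forward-addr: 1.0.0.1@853
    forward-addr: 9.9.9.9@853
    forward-addr: 149.112.112.112@853
"""

# Constructed sample: "Enable Forwarding Mode" unchecked, so unbound recurses
# from the root servers itself and the CDN's authoritative servers see the
# firewall's own WAN address rather than a public resolver's.
RECURSIVE_CONF = """\
server:
    interface: 192.168.1.1
    harden-dnssec-stripped: yes
    auto-trust-anchor-file: /var/unbound/root.key
"""

# Top-level clause names in unbound.conf; everything else is an option.
CLAUSES = {"server", "forward-zone", "stub-zone", "remote-control", "auth-zone", "view"}


def parse_unbound(text):
    """Parse unbound.conf into a list of (clause_name, {option: [values]}).

    A '#' starts a comment only at line start or after whitespace, so the
    'forward-addr: 1.1.1.1@853#cloudflare-dns.com' auth-name form survives.
    """
    clauses = []
    current = None
    for raw in text.splitlines():
        line = re.split(r"(?:^|\s)#", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if key in CLAUSES and value == "":
            current = (key, {})
            clauses.append(current)
            continue
        if current is None:
            raise ValueError(f"option outside any clause: {line!r}")
        current[1].setdefault(key, []).append(value)
    return clauses


def describe_resolver(text):
    """Map the parsed config back to the resolution path unbound will use."""
    clauses = parse_unbound(text)
    root_forwards = [opts for name, opts in clauses
                     if name == "forward-zone" and opts.get("name") == ["."]]
    if not root_forwards:
        # No forward-zone for "." means full recursion: queries go to the roots.
        return {"mode": "recursive", "tls": False, "upstreams": [],
                "cleartext_upstreams": []}
    fz = root_forwards[0]
    tls = fz.get("forward-tls-upstream", ["no"])[0] == "yes"
    upstreams = fz.get("forward-addr", [])
    # With TLS on, an upstream not pinned to port 853 would still be queried
    # over TLS on port 53 and simply fail, which is worth flagging.
    cleartext = [u for u in upstreams if tls and "@853" not in u]
    return {"mode": "forwarding", "tls": tls, "upstreams": upstreams,
            "cleartext_upstreams": cleartext}


if __name__ == "__main__":
    # Usage: python3 this.py /var/unbound/unbound.conf  (falls back to the samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            print(describe_resolver(fh.read()))
    else:
        print("forwarding+TLS sample:", describe_resolver(FORWARDING_TLS_CONF))
        print("recursive sample:     ", describe_resolver(RECURSIVE_CONF))
```

Run it against the live file on the SG-1000 to confirm which path is in effect after a settings change; "recursive" means the CDN-friendly behaviour described in the reply, "forwarding" with tls True means the DNS-over-TLS setup the poster wanted to keep.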
-
Thank you jimp. On my question to them, Molotov TV confirmed to me that they cannot warrant anything if I do not use my ISP's DNS servers. Well: my chosen servers are Cloudflare's and Quad9's: nothing to do with my ISP.
So I used this setup two or three evenings with, on the pfSense firewall, forwarding mode unchecked (off). I could watch TV through the Apple TV and Molotov, everything worked.
To be extra sure, I tried as a last attempt to check forwarding mode again, to return my setup exactly to what it was in the first place when my tests failed. It should fail as it did before. But it now works beautifully. I double-checked and rebooted the firewall. Still works.
I feel like a fool with my silly questions. Maybe my little 127.0.0.1 DNS server knows it all and no longer needs any assistance. Thank you for the reply. It helped a lot, and my Apple TV now works, hopefully with DNS over TLS using Cloudflare's and Quad9's DNS servers.