Netgate Discussion Forum
    Cannot use Cloudflare DNS without enabling DNS Server Override

    DHCP and DNS
drzoidberg33

      I have a strange issue. I'm trying to use Cloudflare's DNS (1.1.1.1 and 1.0.0.1) as my default DNS and ignore my ISPs DNS.

However, when I try to set it up this way the system ignores both these IPs. It works fine using Google DNS, Quad9, etc., but when using Cloudflare's it looks like the system is ignoring my entries.

Example trying to set to Cloudflare:

[two screenshots: General Setup DNS server entries and the resulting Dashboard DNS server list]

Using Google:

[two screenshots: the same views with the Google servers]

Does anyone have any idea what is going on here? I Googled a bit and didn't come up with anything except a possible issue with pfBlocker using 1.1.1.1, but even after disabling pfBlocker completely the same thing happens.

      I'm stumped 🤷

drzoidberg33

Oh, and yes, as per the title: when I enable DNS Server Override it works (but also includes my ISP's DNS):

[two screenshots: General Setup with DNS Server Override checked and the Dashboard listing Cloudflare plus the ISP servers]

provels

          No real clue, but if you "wiggle" it by choosing the gateway, does it hook?

          Peder

          MAIN - pfSense+ 24.11-RELEASE - Adlink MXE-5401, i7, 16 GB RAM, 64 GB SSD. 500 GB HDD for SyslogNG
          BACKUP - pfSense+ 23.01-RELEASE - Hyper-V Virtual Machine, Gen 1, 2 v-CPUs, 3 GB RAM, 8GB VHDX (Dynamic)

aljames

By checking the override box you are handing off DNS requests to your ISP on the WAN side. If your goal is to use specific external DNS server(s), you uncheck the override, and you must be using either the DNS Forwarder or the DNS Resolver with query forwarding enabled.

If the DNS Resolver (without forwarding) is used, then pfSense ignores your server entries (as you've shown here) and instead uses the 11 root DNS resolvers (as mentioned by @Gertjan here: https://forum.netgate.com/topic/142103/controlling-ipv6-or-ipv4-preference/5). Another reason not to add servers here is if you are configuring pfSense to handle all external DNS requests.

I'm not a pro network user like many here at the Netgate forums, so maybe others can add more context. I'm still a newbie... but learning.

drzoidberg33

              Thanks for taking the time to respond guys.

              @aljames I'm using the DNS resolver and my goal is exactly to make pfSense the only DNS provider in the network (I'm blocking external DNS requests).

I'm just rather stumped as to why it works fine with all other DNS providers I've tested but doesn't work for Cloudflare. I guess that's my main question here.

drzoidberg33 @provels

@provels I tried that, but no, unfortunately the only way I can get Cloudflare DNS to take is to set the DNS Server Override option, which I guess isn't the end of the world, but I don't want the ones from my ISP being used as they don't support DNS over TLS.

                I'm using a dual WAN (set up in failover) btw, if that matters.

provels @drzoidberg33

@drzoidberg33 Have you tried using the Resolver without forwarding? That way DNS requests just go to the root servers, and you don't need overrides or any servers at all listed in General Setup. All that will show on the Dashboard will be 127.0.0.1. But no TLS, AFAIK.

                  Peder


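The two resolver modes discussed in this thread (aljames: the General Setup servers are only used when the Resolver forwards; provels: pure resolver mode goes to the root servers and has no TLS), written out as the unbound configuration pfSense's DNS Resolver generates. This is an added example, not a file from the thread or from Netgate; the `tls-cert-bundle` path is an assumption, and the forward-zone shown is the DNS-over-TLS forwarding setup the original poster is after, with the ISP servers absent because DNS Server Override stays unchecked.

```conf
# unbound.conf fragment (added example; pfSense's DNS Resolver is unbound and
# the GUI writes an equivalent file, but this is hand-written, not copied from it).

server:
    # Resolver mode: with no forward-zone for ".", unbound iterates from the
    # root servers using its built-in root hints. In this mode the servers typed
    # into System > General Setup are not used by unbound at all, which is the
    # behaviour the original poster observed. Answers are validated with DNSSEC
    # but the traffic to the roots and authoritative servers is plain UDP/TCP 53.
    do-ip4: yes
    do-ip6: yes
    module-config: "validator iterator"
    auto-trust-anchor-file: "/var/unbound/root.key"   # assumed path
    # CA bundle used to validate the upstream certificate for the DoT
    # forward-zone below. Assumed path (FreeBSD/pfSense system CA bundle).
    tls-cert-bundle: "/etc/ssl/cert.pem"

# Forwarding mode with DNS over TLS: all recursion leaves the firewall to
# Cloudflare only, on TCP 853, encrypted and certificate-checked. This is what
# Services > DNS Resolver > "Enable Forwarding Mode" plus "Use SSL/TLS for
# outgoing DNS Queries to Forwarding Servers" produce, with the hostname
# cloudflare-dns.com entered next to each server in General Setup. Because
# DNS Server Override is left unchecked, the ISP's DHCP-supplied servers
# (which do not speak DoT) never appear in this list.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    # Syntax is IP@port#authname: unbound verifies the server certificate
    # against the name after '#'. Omit the name and you get TLS without
    # authentication, which a spoofed upstream would happily satisfy.
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
```

To confirm which mode is active, `unbound-control forward` prints the current forward addresses for "." (nothing for pure resolver mode); to confirm the upstream really presents a certificate for the name you pinned, `openssl s_client -connect 1.1.1.1:853 -servername cloudflare-dns.com` should show a verified chain for cloudflare-dns.com. Note that the forwarding setup only covers the firewall's own resolver: the poster's plan to block outbound port 53 from the LAN is what keeps clients from bypassing it, and DoT-capable clients on TCP 853 would need a matching rule.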
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.