Netgate Discussion Forum
    DNS over TLS issues with Resolver

    DHCP and DNS
    3 Posts 2 Posters 397 Views
    themadsalvi (last edited by themadsalvi)

      Good Morning all,

      I have started trying to use DNS over TLS with Quad9 as my DNS provider. There is an issue that I am seeing where certain sites do not resolve correctly, versus when using pfSense as my DNS resolver (local unbound resolver). Below is my setup under General:
      [image: 5457c490-a95f-4fbc-8f7d-5accca4890a1-image.png]

      Then we have my DNS settings:
      [image: eeb57362-0313-45b7-9a0b-b9b3a5aff529-image.png]

      [image: ed1f25df-a313-4269-89f1-04398a02893d-image.png]

      My LAN rules are as follows (leaving the port 53 rules up and active while I am testing, so I can switch between local and Quad9 DNS):
      [image: ffd965cc-cbf5-4229-a723-774e21f6bc5c-image.png]

      And below is what comes out for this specific site:

      [image: f46baafa-7c2e-4074-9db1-bdce6ed51335-image.png]

      This is what shows up in the DNS logs when I reload the page:
      [image: a4db0ebc-5c97-46d7-ae8a-ee4fd2304365-image.png]

      Any help or insight as to why the page correctly loads the images when using local DNS (unbound) vs. Quad9 (it also happens when using Cloudflare and Google DNS) would be appreciated. Thank you in advance.

      EDIT: added the logs for when local pfSense DNS is used on the same site, and the images load correctly on the site:
      [image: 107fd927-7d0d-481d-af55-8a9d1e166e33-image.png]

      themadsalvi (last edited by themadsalvi)

        I don't know if this is going to be only a temporary fix or a permanent one, but for the specific site, putting Cloudflare DNS first helped. It seemed that Quad9 had an issue trying to resolve the site.

        mlindman (last edited by mlindman)

          I've been trying to get DoT working today, and 149.112.112.112 gives invalid signatures when checked using https://dnssec.vs.uni-due.de
          Only 9.9.9.9 by itself, or servers from Cloudflare, get a "thumbs up."

          This may not be your issue, but "your mileage may vary."

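For readers who want to see what the thread's setup looks like outside the pfSense GUI, below is an added example (not posted by either participant and not pfSense's generated file) of an unbound forward-zone in DNS-over-TLS mode with the Cloudflare servers listed ahead of Quad9, as the original poster ended up doing, and with DNSSEC validation left on so that a forwarder returning bad signatures, as the second poster observed for 149.112.112.112, produces a SERVFAIL rather than an unvalidated answer. The trust-anchor and CA-bundle paths and the `IP@853#hostname` verification names are assumptions taken from the unbound documentation and the providers' published DoT hostnames; on pfSense itself the equivalent settings are entered under System > General Setup and Services > DNS Resolver rather than edited by hand.

```conf
# Added example: unbound forward-zone equivalent to pfSense's
# "Use SSL/TLS for outgoing DNS Queries to Forwarding Servers" setting.
# Paths and verification hostnames below are assumptions, not taken from the thread.
server:
    # Keep DNSSEC validation enabled: an upstream that serves invalid
    # signatures then fails closed (SERVFAIL) instead of being trusted.
    auto-trust-anchor-file: "/var/unbound/root.key"   # assumed pfSense path
    # CA bundle used to verify each forwarder's TLS certificate.
    tls-cert-bundle: "/etc/ssl/cert.pem"              # assumed FreeBSD/pfSense path

forward-zone:
    name: "."
    # Send all queries to the forwarders over TLS on port 853.
    forward-tls-upstream: yes
    # Format is address@port#hostname; the hostname is what the server's
    # certificate is checked against, so a typo here breaks resolution.
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
```

One caveat on the "put Cloudflare first" workaround: unbound does not treat `forward-addr` entries as a strict priority list. It picks among them using its round-trip-time estimates and temporarily demotes servers that time out or fail, so the order in the list influences which server is tried first only until those estimates diverge. If one upstream consistently mis-resolves a site, removing it (or testing with a single forwarder at a time, as the second poster did with 9.9.9.9 alone) gives a cleaner answer than reordering.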
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.