Non-TLS DNS Leaks when pfSense looks up host alias(es)




  • LAYER 8 Netgate

    Set the firewall to use the local DNS resolver and delete all of those.

    With the new default gateway settings you should not need those multi-wan DNS servers any longer.

    You will probably need to manually set forwarding using custom options though, thinking about it. I'll look at it but it might be tomorrow.


  • LAYER 8 Netgate

    @Kirin Try this:

    Screen Shot 2019-10-26 at 3.36.51 PM.png

    And this:

    Screen Shot 2019-10-26 at 3.35.37 PM.png

    And this in custom options in the DNS resolver:

    server:
    # Forwarding: send everything (".") to the listed upstreams over TLS on 853.
    # The name after '#' is the auth name unbound checks in the upstream certificate.
    forward-zone:
        name: "."
        forward-tls-upstream: yes
        forward-addr: 9.9.9.9@853#dns9.quad9.net
        forward-addr: 149.112.112.9@853#dns9.quad9.net
        forward-addr: 1.0.0.1@853#one.one.one.one
        forward-addr: 1.1.1.1@853#one.one.one.one




  • LAYER 8 Global Moderator

    You understand such a setup is not good, right? You are forwarding to 2 different types here: Quad9 filters, while 1.1.1.1 does not. This is a borked setup.

    What do you want, filtering or not? Since you are not going to be sure which one gives you an answer, you may be filtered when you don't want to be, or not filtered when you want to be.

    And now that is cached, and the next guy asking maybe gets the wrong sort of answer as well. You cannot point to NS that resolve differently or you will have problems. If you're going to forward to multiple NS, they need to resolve the same way, filtered or not filtered; you cannot mix them without just having a mess.

    Even picking 2 filtering providers is going to be problematic, since they have different filtering lists, where site X might be filtered on one and not on the other. So sometimes it resolves, sometimes it doesn't.



  • Your DNS TLS hostname verification entries appear to be wrong for Quad9:

    dns.quad9.net




  • LAYER 8 Global Moderator

    @Kirin said in Non-TLS DNS Leaks when pfSense looks up host alias(es):

    when you have a DNS server under General Setup it gets added to resolv.conf

    Well, duh ;) Not sure why this was even a question then? No shit, if you tell the OS to use NS X, it could use NS X ;)

    Why didn't you just ask that: how do I have unbound forward to NS that pfSense will not use for its own lookups?

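As an added example (not code from this thread, pfSense or Netgate), the following Python checker applies the points made above to text: it parses a constructed copy of the posted custom-options fragment and flags any upstream that is not TLS on port 853 with an auth name, warns when the upstreams fall under different filtering policies (the Quad9 versus 1.1.1.1 point), and lists the nameservers in a constructed resolv.conf that the firewall itself would query directly, bypassing unbound. The PROVIDER_POLICY table and both sample texts are assumptions made for the example; verify a provider's policy and auth names against its own documentation.

```python
"""Sanity-check an unbound forward-zone fragment and a resolv.conf.

Added example for this thread, not pfSense or Netgate code. Every TLS
upstream needs port 853 and an auth name, all upstreams should share one
filtering policy, and any resolv.conf nameserver other than loopback is a
lookup path that bypasses the local resolver.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed copy of the custom-options fragment posted above (not a live config).
SAMPLE_CONFIG = """\
server:
# Forwarding
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns9.quad9.net
    forward-addr: 149.112.112.9@853#dns9.quad9.net
    forward-addr: 1.0.0.1@853#one.one.one.one
    forward-addr: 1.1.1.1@853#one.one.one.one
"""

# Constructed resolv.conf: loopback (unbound) plus two General Setup servers.
SAMPLE_RESOLV_CONF = """\
nameserver 127.0.0.1
nameserver 9.9.9.9
nameserver 1.1.1.1
"""

# Assumed policy table keyed by auth-name suffix; check each provider's own docs.
PROVIDER_POLICY = {
    "quad9.net": "filtering",
    "one.one.one.one": "unfiltered",
}

# unbound syntax: forward-addr: IP[@port][#authname]
ADDR_RE = re.compile(r"^([^@#\s]+)(?:@(\d+))?(?:#(\S+))?$")


@dataclass
class Upstream:
    addr: str
    port: int
    authname: Optional[str]


def parse_forward_zone(text: str) -> Tuple[bool, List[Upstream]]:
    """Return (forward-tls-upstream enabled, upstreams) from a forward-zone clause."""
    tls = False
    upstreams: List[Upstream] = []
    in_zone = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank or comment line
        if line == "forward-zone:":
            in_zone = True
            continue
        if line.endswith(":"):            # another clause header, e.g. "server:"
            in_zone = False
            continue
        if not in_zone:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "forward-tls-upstream":
            tls = value.lower() == "yes"
        elif key == "forward-addr":
            m = ADDR_RE.match(value)
            if m is None:
                raise ValueError(f"unparseable forward-addr: {value}")
            upstreams.append(Upstream(m.group(1), int(m.group(2) or 53), m.group(3)))
    return tls, upstreams


def provider_policy(u: Upstream) -> str:
    """Classify an upstream by its auth name; without one we cannot tell."""
    if not u.authname:
        return "unknown"
    for suffix, policy in PROVIDER_POLICY.items():
        if u.authname == suffix or u.authname.endswith("." + suffix):
            return policy
    return "unknown"


def check_forward_zone(text: str) -> List[str]:
    """Findings for the two problems raised in the thread."""
    tls, upstreams = parse_forward_zone(text)
    findings = []
    for u in upstreams:
        if not tls:
            findings.append(f"{u.addr}: plaintext forwarding (forward-tls-upstream is not yes)")
        elif u.port != 853:
            findings.append(f"{u.addr}: TLS forwarding on port {u.port}, expected 853")
        elif not u.authname:
            findings.append(f"{u.addr}: no auth name, so the upstream certificate name is not checked")
    policies = sorted({provider_policy(u) for u in upstreams})
    if len(policies) > 1:
        findings.append("mixed upstream policies: " + ", ".join(policies))
    return findings


def nonlocal_nameservers(resolv_conf: str) -> List[str]:
    """Nameservers the OS will query directly, bypassing the local resolver."""
    servers = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver" and parts[1] not in ("127.0.0.1", "::1"):
            servers.append(parts[1])
    return servers


if __name__ == "__main__":
    for finding in check_forward_zone(SAMPLE_CONFIG):
        print("forward-zone:", finding)
    for ns in nonlocal_nameservers(SAMPLE_RESOLV_CONF):
        print("resolv.conf: the firewall's own lookups can go to", ns, "in the clear")
```

Run against the posted fragment it reports only the mixed filtering/unfiltered policy; feed it a forward-zone without forward-tls-upstream and every upstream is reported as plaintext. On a real firewall the resolv.conf check is the one that answers the original question, since those entries are what the OS uses outside unbound.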



  • LAYER 8 Netgate

    It is also pretty useless to use DNSSEC when forwarding. Since you don't get signature information all the way from the roots, you are blindly trusting whatever the forwarding server gives you.

