Possible for pfSense to intercept/redirect DNS over TLS requests?

  • I'm assuming not, by virtue of it being TLS, but...

    I'm attempting to force all DNS requests to go through pfSense, including those from "smart" hardware and guest devices where I can't necessarily control the device's DNS settings, so I've set up standard DNS port forwarding (guide). However, I'm running into issues with DNS over TLS, where the port 53 forward rule is not applicable and a matching port 853 rule causes connectivity issues.

    Example use case: Android 10 device has a custom DNS setting of 1dot1dot1dot1.cloudflare-dns.com. Upon successfully connecting to the network, Android reports it's can't connect to its custom DNS server and that the network has no internet (though direct IPs still work). Removing the Android DNS setting or the pfSense forward rule restores full connectivity but defeats the purpose.

    With DNS over TLS becoming more common, are we destined to lose control over DNS on our own networks or is there some way around this? At the very least I expected most devices would fall back to the network (pfSense) DNS upon failing to connect to their own.

  • Welcome to the club !

    And you're right, if a device want to "TLS" to 1dot1dot1dot1.cloudflare-dns.com and the device that take the request (your own DNS) it will not have a cert that states it's "1dot1dot1dot1.cloudflare-dns.com" so it gets refused.
    This forum has already many incidental questions and discussions about the subject.

    Anyway, if it was possible, then MITM would actually work. And that will be much worse.

Log in to reply