Netgate Discussion Forum
    DNS Query Forwarding setting problem

Category: DHCP and DNS. 7 Posts, 3 Posters, 577 Views
Octopuss:

DNS resolution stopped working all of a sudden without me touching the router at all. After much trial and error, I noticed I could fix it by disabling the "Use SSL/TLS for outgoing DNS Queries to Forwarding Servers" setting.
Can anyone guess what's going on? I've had it all working just fine until today. Just WTF 😨

netblues (replying to Octopuss):

@Octopuss SSL/TLS also means a properly configured DNS server at the other end.
I could suspect that something on their side expired, so no more requests can be served.
Try changing to another DNS server supporting TLS and see if it works there.

Octopuss:

You might be correct, it seems to work now.
A friend pointed me to http://www.dnssec-or-not.com/ though, and it says I'm not protected, so I'm wondering what the hell is going on.

netblues:

Do you actually need DNSSEC? It's nice to have, but not really very helpful, unless you are e.g. behind the great China firewall of sorts...

Have you changed DNS? What name servers are listed on the status dashboard?
Does the new one support TLS?
Many ISP DNS servers do not, and pfSense uses them automatically unless instructed not to.

Octopuss:

I don't think I need them, I just like the concept.
I don't use my ISP's DNSes, they don't even seem to support SSL.
I use external DNSSEC servers and they do show up in the status screen indeed. I don't think I have any misconfiguration anywhere. I have DNSSEC, DNS Query Forwarding and Use SSL/TLS for outgoing DNS Queries enabled, and just the two DNS servers (193.17.47.1 and 185.43.135.1) set in the general setup screen.

Gertjan:

You have a choice to make:
Use a forwarder (dnsmasq, or the so-called forwarder in pfSense) and some external DNS resolver(s), and lose end-to-end DNSSEC.
Or use a resolver like the pfSense built-in Resolver, unbound, which can manage DNSSEC end-to-end for you.

Forwarder mode, which can offer you DNS over TLS, cannot be combined with DNSSEC. The DNSSEC end-part is the resolver you forward to (or from). So you have to trust these external resolvers.

Using a/the forwarder and DNSSEC makes no sense.

Btw: DNSSEC and DNS-over-TLS together could exist in the future, but this would greatly increase the load on public DNS servers acting as resolvers.

No "help me" PM's please. Use the forum, the community will thank you.
Edit: and where are the logs??

Octopuss:
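Gertjan's point is that in forwarder mode the DNSSEC validation happens at the upstream resolver, so the only thing you can do locally is check whether that resolver actually validates. The script below is an added example (not pfSense code and not from anyone in this thread): it builds a query with the EDNS0 DO bit set and reads the AD (authenticated data) flag and RCODE from the reply header. A validating upstream sets AD=1 for a correctly signed name and returns SERVFAIL for a name whose signatures are bogus; a non-validating upstream answers with AD=0. The function and constant names are the example's own, and the three sample replies are constructed header bytes so the classification logic runs offline; `query_udp` is the only part that touches the network.

```python
"""Check whether an upstream DNS forwarder validates DNSSEC (added example)."""
import random
import socket
import struct
from typing import Optional

FLAG_AD = 0x0020          # authenticated data bit in the header flags
FLAG_TC = 0x0200          # truncation bit
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}


def encode_name(name: str) -> bytes:
    """Encode a dotted host name into DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Standard query (RD=1) plus an EDNS0 OPT record with DO=1, which asks
    the resolver for RRSIGs and lets it report validation via the AD flag."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    # flags 0x0100 = RD; 1 question, 0 answers, 0 authority, 1 additional (OPT)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, UDP payload size 1232, ext-rcode 0,
    # EDNS version 0, flags with DO (0x8000), RDLENGTH 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return header + question + opt


def parse_header(reply: bytes) -> dict:
    """Read the 12-byte header: transaction id, flags and section counts."""
    if len(reply) < 12:
        raise ValueError("reply shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", reply[:12])
    rcode = flags & 0x000F
    return {
        "id": txid,
        "ad": bool(flags & FLAG_AD),
        "tc": bool(flags & FLAG_TC),
        "rcode": RCODE_NAMES.get(rcode, str(rcode)),
        "answers": an,
    }


def classify(reply: bytes) -> str:
    """State what the reply header says about upstream DNSSEC validation."""
    h = parse_header(reply)
    if h["rcode"] == "SERVFAIL":
        return "SERVFAIL (validation failure or resolver problem)"
    if h["rcode"] != "NOERROR":
        return h["rcode"]
    if h["ad"]:
        return "validated (AD=1): upstream resolver checked the signatures"
    return "unvalidated (AD=0): answer was not DNSSEC-validated upstream"


def query_udp(server: str, name: str, timeout: float = 3.0) -> dict:
    """Send the query to a resolver over plain UDP/53 and classify the reply.
    Needs network access; the offline samples below do not use it."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        reply, _ = s.recvfrom(4096)
    if reply[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return {"verdict": classify(reply), **parse_header(reply)}


# Constructed sample replies (header only; the body does not matter here).
# 0x81A0 = QR, RD, RA, AD, RCODE 0  -> validated answer
SAMPLE_VALIDATED = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)
# 0x8180 = QR, RD, RA, RCODE 0      -> answered, but not validated
SAMPLE_UNVALIDATED = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
# 0x8182 = QR, RD, RA, RCODE 2      -> SERVFAIL, e.g. bogus signatures
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 1)

if __name__ == "__main__":
    for label, pkt in [("signed zone, validating upstream", SAMPLE_VALIDATED),
                       ("non-validating upstream", SAMPLE_UNVALIDATED),
                       ("bogus zone, validating upstream", SAMPLE_SERVFAIL)]:
        print(f"{label:34s} -> {classify(pkt)}")
```

To check a real forwarder, call `query_udp` against the resolver IP configured under General Setup once with a name you know is signed and once with a name whose signatures are deliberately broken: a validating upstream gives AD=1 for the first and SERVFAIL for the second. AD=0 on the signed name means the forwarder is not validating, which is exactly the trust gap Gertjan describes, and only the local resolver (unbound) can close it.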

The website might just not work correctly. I tried a few others and those do report secure DNS, so I guess it's fine after all.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.