DNS Query Forwarding setting problem

  • DNS resolution stopped working all of a sudden without me touching the router at all. After much trial and error, I noticed I could fix it by disabling the "Use SSL/TLS for outgoing DNS Queries to Forwarding Servers" setting.
    Can anyone guess what's going on? I've had it all working just fine until today. Just WTF 😨

  • @Octopuss SSL/TLS also means a properly configured DNS server at the other end.
    I could suspect that something on their side expired, so no more requests can be served.
    Try changing to another DNS supporting TLS and see if it works there.

  • You might be correct, it seems to work now.
    A friend pointed me to http://www.dnssec-or-not.com/ though, and it says I'm not protected, so I'm wondering what the hell is going on.

  • Do you actually need DNSSEC? It's nice to have, but not really very helpful, unless you are e.g. behind the Great China Firewall of sorts...

    Have you changed DNS? What NS are listed on the status dashboard?
    Does the new one support TLS?
    Many ISP DNS do not, and pfSense uses them automatically unless instructed not to.

  • I don't think I need them, I just like the concept.
    I don't use my ISP's DNSes, they don't even seem to support SSL.
    I use external DNSSEC servers and they do show up in the status screen indeed. I don't think I have any misconfiguration anywhere. I have DNSSEC, DNS Query Forwarding and Use SSL/TLS for outgoing DNS Queries enabled, and just the two DNS servers ( and set in the general setup screen.

  • You have a choice to make:
    Use a forwarder - dnsmasq or the so-called forwarder in pfSense - and some external DNS resolver(s) - and lose end-to-end DNSSEC.
    Or use a resolver like the pfSense built-in Resolver, unbound, which can manage DNSSEC end-to-end for you.

    Forwarder mode, which can offer you DNS over TLS, cannot be combined with DNSSEC. The DNSSEC end-part is the resolver you forward to (or from). So you have to trust these external resolvers.

    Using a/the forwarder and DNSSEC makes no sense.

    Btw: DNSSEC and DNS-over-TLS together could exist in the future, but this would greatly increase the load on public DNS servers acting as resolvers.
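As an added illustration of the two modes described in the post above (example config, not from the thread, from pfSense or from the unbound project), here are the two shapes an unbound.conf can take; the upstream addresses, the authentication hostname and the file paths are placeholders.

```conf
# Added example (not from the thread): two alternative unbound configurations
# for the choice described above. Use ONE of the two, not both.
# Placeholders: 192.0.2.53 / 192.0.2.54 (upstreams), dot.example.net (TLS name),
# the cert bundle path and the trust anchor path.

# --- Alternative A: forwarder mode with DNS over TLS -------------------------
# Every query is handed to the upstream over TLS on port 853. Any DNSSEC
# validation happens on that upstream, so you have to trust it, and an
# expired or mismatched certificate on the upstream makes resolution fail
# outright (the symptom at the top of this thread). Checking the certificate
# against a CA bundle is what turns "encrypted" into "authenticated".
server:
    tls-cert-bundle: "/etc/ssl/cert.pem"    # CA bundle used to verify the upstream certificate
forward-zone:
    name: "."                               # forward everything
    forward-tls-upstream: yes               # use TLS (port 853) to the upstreams below
    forward-addr: 192.0.2.53@853#dot.example.net   # addr@port#name-the-certificate-must-match
    forward-addr: 192.0.2.54@853#dot.example.net

# --- Alternative B: full resolver with end-to-end DNSSEC ---------------------
# No forward-zone at all: unbound walks the tree from the root servers itself
# and validates signatures locally against the root trust anchor, so no
# external resolver is in the trust path. Queries to the authoritative
# servers are plain UDP/TCP port 53 in this mode.
server:
    auto-trust-anchor-file: "/var/unbound/root.key"   # RFC 5011 managed root key
    harden-dnssec-stripped: yes             # refuse answers where DNSSEC data was removed
    val-clean-additional: yes               # drop unvalidated additional records
```

With alternative B, a resolution failure on a signed zone shows up as SERVFAIL from unbound itself rather than as a TLS error to an upstream, which is a useful way to tell the two failure modes apart when debugging.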

  • The website might just not work correctly - I tried a few others and those do report secure DNS, so I guess it's fine after all.

