Different DNS Forwarding Servers TLS for each interface


  • Good Day,

    Let's start by saying that pfSense is a great product.

    I would like to ask a question about DNS over TLS (port 853).
    I'm trying to achieve different DNS servers (Quad9, Cloudflare, OpenDNS) for each interface.
    Every interface has its own DHCP server, with DNS servers of Quad9, Cloudflare or OpenDNS.
    So every client connected to an interface gets an IP address, gateway and DNS servers.

    Is this the correct way to send all DNS over TLS requests from clients?

    I found several topics but they all explain how to send all DNS traffic over port 853.

    • System -> General Setup -> set primary and secondary DNS servers
    • System -> General Setup -> disable "DNS Server Override" and "DNS Forwarder"
    • Services -> DNS Resolver -> enable "DNS Query Forwarding"
    • Services -> DNS Resolver -> enable "DNSSEC" and "Use SSL/TLS for outgoing DNS Queries to Forwarding Servers"

    Looking forward to your reactions. Kind regards, MvdV.

  • Rebel Alliance Developer Netgate

    If you are configuring DHCP to send those DNS servers to clients directly, they would never hit the DNS resolver. So it's up to the clients to do DNS over TLS directly in that case.

    If you want pfSense to handle DNS over TLS then there is no way in the GUI to split up the servers like that. They all access the DNS Resolver and then the Resolver will contact whichever upstream DNS over TLS server(s) you have configured.

    Even if you were to manually set up views in the advanced config so each one forwarded a different way, I think the cache is still shared so you can't really rely on the results to be isolated.


  • @jimp Thank you for your answer, you're absolutely right.

    So the solutions are, and please correct me if I'm wrong:

    • Send clients directly to a DNS resolver other than pfSense; many clients do not support DNS over TLS? So DNS communication will be over port 53.
    • Set primary and secondary DNS servers (System -> General Setup), so that pfSense is the DNS resolver, but then only 1 DNS resolver can be used. This can be DNS over TLS.
  • Rebel Alliance Developer Netgate

    @mvdv said in Different DNS Forwarding Servers TLS for each interface:

    • Send clients directly to a DNS resolver other than pfSense; many clients do not support DNS over TLS? So DNS communication will be over port 53.

    Correct. Most clients do not support DNS over TLS. Recent versions of Android do, but I don't think it supports it via DHCP-supplied servers, I think it's manual.

    • Set primary and secondary DNS servers (System -> General Setup), so that pfSense is the DNS resolver, but then only 1 DNS resolver can be used. This can be DNS over TLS.

    You could set pfSense to use Quad9, Cloudflare, OpenDNS under System > General, so long as they all support DNS over TLS, then telling the DNS Resolver on pfSense to use DNS over TLS will work. Though you can't really predict which server it will use at any given time in that scenario.
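    As an added example (not from this thread or from pfSense), here is a small DNS-over-TLS client in Python that a practitioner can run from any host to confirm that an upstream named above actually answers on port 853 and presents a certificate matching its authentication name, which is the part a plain port-53 test cannot tell you. The authentication names dns.quad9.net and cloudflare-dns.com, and the query name example.com, are assumptions taken from the operators' public DoT documentation, not from the thread.

    ```python
    import socket
    import ssl
    import struct

    def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
        """Build a minimal DNS query (RD=1, one question) in wire format (RFC 1035)."""
        header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
        labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                          for l in qname.rstrip(".").split("."))
        return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

    def parse_response(msg: bytes) -> dict:
        """Return transaction id, QR bit, RCODE and answer count from a DNS response header."""
        txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
        return {"txid": txid, "qr": bool(flags & 0x8000), "rcode": flags & 0x000F, "answers": an}

    def _recv_exact(sock, n: int) -> bytes:
        """Read exactly n bytes; a short read means the upstream closed the TLS session early."""
        buf = b""
        while len(buf) < n:
            chunk = sock.recv(n - len(buf))
            if not chunk:
                raise ConnectionError("upstream closed the TLS connection early")
            buf += chunk
        return buf

    def dot_query(server_ip: str, auth_name: str, qname: str, port: int = 853, timeout: float = 5.0) -> dict:
        """One DNS-over-TLS exchange (RFC 7858): TLS 1.2+ to server_ip:853, certificate chain and
        hostname verified against auth_name, DNS message framed with a 2-byte length prefix as over TCP."""
        ctx = ssl.create_default_context()          # verifies the chain against the system CA bundle
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
        query = build_query(qname)
        with socket.create_connection((server_ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:  # SNI + hostname check
                tls.sendall(struct.pack("!H", len(query)) + query)
                (length,) = struct.unpack("!H", _recv_exact(tls, 2))
                reply = parse_response(_recv_exact(tls, length))
                if reply["txid"] != 0x1234 or not reply["qr"]:
                    raise ValueError("reply does not match our query")
                return reply

    if __name__ == "__main__":
        # Two of the upstreams named in the thread; auth names are assumptions from the operators' docs.
        for ip, name in [("9.9.9.9", "dns.quad9.net"), ("1.1.1.1", "cloudflare-dns.com")]:
            print(ip, dot_query(ip, name, "example.com"))
    ```

    A wrong auth name or an upstream without DoT fails inside wrap_socket or create_connection, which is exactly the failure you want to see before pointing the pfSense resolver at that server.
    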


  • @jimp Thank you for your reactions, it is much appreciated.

    So can we accomplish the same with the pfSense standard build or with packages?
    Not to promote OpenDNS, but here are the features they support:

    • Web Content Filtering
    • Malware/Botnet Protection
    • Phishing Protection

    So based on source IP or interface we decide if they can access a certain domain?

  • Rebel Alliance Developer Netgate

    You could look into the pfBlockerNG package for things like that (DNSBL, specifically), but that's more of a question for a separate thread in that category, not here.


  • @jimp I'll investigate first, thanks again for your answers.