• I'm using the DNS Resolver in pfSense so I can do blocking at the DNS level. I've been using 1.1.1.1 and 1.0.0.1 as the pfSense DNS servers. I also set these up on my modem since there is one subnet that is not behind the pfSense firewall. Until now, everything's been working fine.

    Today, I tried to switch over to CloudFlare's new Family DNS, 1.1.1.3 and 1.0.0.3, for blocking malicious sites and adult content. I made the switch on my modem and that seems to be working fine for the non-pfSense subnet.

    I also made the switch in:

    • pfSense -> General Setup -> DNS Server Settings
    • Services -> DNS Resolver -> Custom Options

    My DNS Resolver Custom Options now look like this:

    server:
    forward-zone:
    name: "."
    forward-ssl-upstream: yes
    forward-addr: 1.1.1.3@853
    forward-addr: 1.0.0.3@853
    server:include: /var/unbound/pfb_dnsbl.*conf
    

    However, I am still able to successfully do nslookup on sites that CloudFlare's DNS blocks (i.e., nslookup badsite is successful, while nslookup badsite 1.1.1.3 fails). Since specifying 1.1.1.3 is the correct behavior, I suspect there's something wrong with my setup. I've tried doing ipconfig /flushdns on my computer and did a complete reboot of pfSense after simply restarting the DNS Resolver didn't do anything.

    Are there any more places in pfSense that need to be updated to use the new DNS?


  • System\General Setup
    Check option "Disable DNS Forwarder"


  • @Alekceu16 Thank you for your response. I did not have that option checked before, but unfortunately after checking it, nothing seems to have changed.


  • @Tamaz You have to Enable Forwarding Mode (DNS Query Forwarding) in the resolver first.



  • So it works:
    forward-zone:
    name: "."
    forward-first: yes
    #forward-tls-upstream: yes
    forward-addr: 1.1.1.3@53
    forward-addr: 1.0.0.3@53


  • @Alekceu16 This solved it! Thank you so much!


  • @Bob-Dig Thanks for the input! Ended up being because 1.1.1.3 doesn't support DoT yet.
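The two forward-zone snippets in this thread differ only in the TLS flag and the upstream port. The following is an added example (my own code, not from the thread, pfSense or Unbound) that parses Unbound forward-zone options and flags the combinations that fail or skip certificate verification; the sample input is a constructed copy of the first snippet.

```python
import re

CLAUSES = {"server", "forward-zone", "stub-zone", "auth-zone", "view", "remote-control"}
ADDR_RE = re.compile(r"^([0-9A-Fa-f:.]+)(?:@(\d+))?(?:#(\S+))?$")  # ip[@port][#authname]
# Constructed copy of the first snippet pasted in the thread, used as sample input.
BROKEN_SNIPPET = """server:
forward-zone:
name: "."
forward-ssl-upstream: yes
forward-addr: 1.1.1.3@853
forward-addr: 1.0.0.3@853
server:include: /var/unbound/pfb_dnsbl.*conf
"""
def parse_forward_zones(text):  # one dict per forward-zone clause; other clauses are skipped
    zones, clause, zone = [], None, None
    pending = [ln.strip() for ln in text.splitlines()]
    while pending:
        line = pending.pop(0)
        if not line or line.startswith("#"):  # whole-line comments only; '#' also introduces auth names
            continue
        key, _, value = (s.strip() for s in line.partition(":"))
        if key in CLAUSES:
            clause = key
            if clause == "forward-zone":
                zones.append(zone := {"name": None, "tls": False, "addrs": []})
            if value:  # "server:include: file" puts an option on the clause line; parse it next
                pending.insert(0, value)
        elif clause == "forward-zone" and key == "name":
            zone["name"] = value.strip('"')
        elif clause == "forward-zone" and key in ("forward-tls-upstream", "forward-ssl-upstream"):
            zone["tls"] = value.lower() == "yes"
        elif clause == "forward-zone" and key == "forward-addr" and ADDR_RE.match(value):
            ip, port, auth = ADDR_RE.match(value).groups()
            zone["addrs"].append((ip, int(port or 53), auth))  # Unbound defaults to port 53
    return zones

def lint(text):  # one finding per problem so a caller can print or assert on them
    out = []
    for z in parse_forward_zones(text):
        for ip, port, auth in z["addrs"]:
            tag = f"zone {z['name']!r}: {ip}@{port}"
            if z["tls"] and port == 53:
                out.append(tag + " has TLS enabled but uses the plain-DNS port 53")
            elif not z["tls"] and port == 853:
                out.append(tag + " uses the DoT port 853 without forward-tls-upstream")
            if z["tls"] and not auth:
                out.append(tag + " has TLS without #authname, so the upstream certificate is not verified")
    return out
```

Run `lint()` over the text of the Custom Options box; an empty list means the ports and TLS flag agree and every TLS upstream carries an authentication name.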