Changing DNS Servers
I'm using the DNS Resolver in pfSense so I can do blocking at the DNS level. I've been using 220.127.116.11 and 18.104.22.168 as the pfSense DNS servers. I also set these up on my modem since there is one subnet that is not behind the pfSense firewall. Until now, everything's been working fine.
Today, I tried to switch over to CloudFlare's new Family DNS, 22.214.171.124 and 126.96.36.199, for blocking malicious sites and adult content. I made the switch on my modem and that seems to be working fine for the non-pfSense subnet.
I also made the switch in:
- pfSense -> General Setup -> DNS Server Settings
- Services -> DNS Resolver -> Custom Options
My DNS Resolver Custom Options now look like this:
    server:
    forward-zone:
        name: "."
        forward-ssl-upstream: yes
        forward-addr: 188.8.131.52@853
        forward-addr: 184.108.40.206@853
    server:
    include: /var/unbound/pfb_dnsbl.*conf
However, I am still able to successfully do nslookup on sites that CloudFlare's DNS blocks (ie, nslookup badsite is successful, while nslookup badsite 220.127.116.11 fails). Since specifying 18.104.22.168 is the correct behavior, I suspect there's something wrong with my setup. I've tried doing ipconfig /flushdns on my computer and did a complete reboot of pfSense after simply restarting the DNS Resolver didn't do anything.
Are there any more places in pfSense that need to be updated to use the new DNS?
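A small consistency check for a forward-zone stanza like the one above, added here as an example and not part of the original post or of pfSense/unbound: it parses forward-zone blocks in the same key: value format as the Custom Options text and flags forward-addr entries that do not fit a DNS-over-TLS (forward-ssl-upstream: yes) setup, which is the mismatch this thread ends up diagnosing. The 192.0.2.x addresses and the hostname are RFC 5737 placeholders, the set of DoT-capable upstreams is a constructed list to be filled from your own testing, and parse_forward_zones and lint are names chosen for this example.

```python
"""Lint unbound forward-zone stanzas (pfSense DNS Resolver Custom Options style).

Added example; not code from the forum thread, pfSense or unbound.
"""
import re
from dataclasses import dataclass, field

# forward-addr value syntax: IP, optional @port, optional #auth-name used by
# unbound to authenticate the upstream TLS certificate.
ADDR_RE = re.compile(
    r"^(?P<ip>[0-9a-fA-F.:]+?)(?:@(?P<port>\d+))?(?:#(?P<name>\S+))?$"
)


@dataclass
class ForwardZone:
    name: str = ""
    ssl_upstream: bool = False
    addrs: list = field(default_factory=list)  # (ip, port, auth_name or None)


def parse_forward_zones(text):
    """Parse every forward-zone: block in an unbound config fragment.

    A 'forward-zone:' line opens a block; a 'server:' line closes it.
    Full-line comments and trailing ' # ...' comments are ignored; a '#'
    glued to a forward-addr value is the auth-name suffix, not a comment.
    """
    zones, current = [], None
    for raw in text.splitlines():
        line = re.sub(r"\s+#.*$", "", raw).strip()
        if not line or line.startswith("#"):
            continue
        if line == "forward-zone:":
            current = ForwardZone()
            zones.append(current)
            continue
        if line == "server:":
            current = None
            continue
        if current is None:
            continue  # server-level keys are outside this lint's scope
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if key == "name":
            current.name = value
        elif key == "forward-ssl-upstream":
            current.ssl_upstream = value.lower() == "yes"
        elif key == "forward-addr":
            m = ADDR_RE.match(value)
            if not m:
                raise ValueError(f"bad forward-addr: {value!r}")
            current.addrs.append((m["ip"], int(m["port"] or 53), m["name"]))
    return zones


def lint(zones, dot_capable):
    """Return human-readable findings for each zone.

    dot_capable: set of upstream IPs the operator has verified answer
    DNS-over-TLS on port 853 (constructed input; populate from your own tests).
    """
    findings = []
    for z in zones:
        for ip, port, auth in z.addrs:
            if z.ssl_upstream and port != 853:
                findings.append(f"{z.name}: {ip} uses port {port} with forward-ssl-upstream yes")
            if z.ssl_upstream and ip not in dot_capable:
                findings.append(f"{z.name}: {ip} is not on the list of verified DoT upstreams")
            if z.ssl_upstream and auth is None:
                findings.append(f"{z.name}: {ip} has no #hostname, so its TLS certificate is not authenticated")
            if not z.ssl_upstream and port == 853:
                findings.append(f"{z.name}: {ip} targets 853 but forward-ssl-upstream is not yes")
    return findings


# Constructed sample mirroring the thread's stanza with placeholder addresses.
SAMPLE = """\
server:
forward-zone:
    name: "."
    forward-ssl-upstream: yes
    forward-addr: 192.0.2.1@853#dot.example.net
    forward-addr: 192.0.2.2@853
server:
include: /var/unbound/pfb_dnsbl.*conf
"""

if __name__ == "__main__":
    for f in lint(parse_forward_zones(SAMPLE), dot_capable={"192.0.2.1"}):
        print(f)
```

Run as a script it prints two findings for 192.0.2.2 (not on the verified DoT list, no #hostname) and none for 192.0.2.1. The #hostname suffix is what lets unbound check the upstream certificate against a name when a tls-cert-bundle is configured; without it the connection is encrypted but the upstream is not authenticated.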
Check option "Disable DNS Forwarder"
@Alekceu16 Thank you for your response. I did not have that option checked before, but unfortunately after checking it, nothing seems to have changed.
Bob.Dig last edited by Bob.Dig
@Tamaz You have to Enable Forwarding Mode (DNS Query Forwarding) in the resolver first.
22.214.171.124 does not support DoT
So it works
@Alekceu16 This solved it! Thank you so much!
@Bob-Dig Thanks for the input! Ended up being because 126.96.36.199 doesn't support DoT yet.