• I'm using the DNS Resolver in pfSense so I can do blocking at the DNS level. I've been using and as the pfSense DNS servers. I also set these up on my modem since there is one subnet that is not behind the pfSense firewall. Until now, everything's been working fine.

    Today, I tried to switch over to CloudFlare's new Family DNS, and, for blocking malicious sites and adult content. I made the switch on my modem and that seems to be working fine for the non-pfSense subnet.

    I also made the switch in:

    • pfSense -> General Setup -> DNS Server Settings
    • Services -> DNS Resolver -> Custom Options

    My DNS Resolver Custom Options now look like this:

    name: "."
    forward-ssl-upstream: yes
    server:include: /var/unbound/pfb_dnsbl.*conf

    However, I am still able to successfully do nslookup on sites that CloudFlare's DNS blocks (i.e., nslookup badsite is successful, while nslookup badsite fails). Since specifying is the correct behavior, I suspect there's something wrong with my setup. I've tried doing ipconfig /flushdns on my computer and did a complete reboot of pfSense after simply restarting the DNS Resolver didn't do anything.

    Are there any more places in pfSense that need to be updated to use the new DNS?

  • System\General Setup
    Check option "Disable DNS Forwarder"

  • @Alekceu16 Thank you for your response. I did not have that option checked before, but unfortunately after checking it, nothing seems to have changed.

  • @Tamaz You have to Enable Forwarding Mode (DNS Query Forwarding) in the resolver first.

  • So it works
    name: "."
    forward-first: yes
    #forward-tls-upstream: yes

  • @Alekceu16 This solved it! Thank you so much!

  • @Bob-Dig Thanks for the input! Ended up being because doesn't support DoT yet.
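The last post pins the failure on an upstream that does not yet speak DNS-over-TLS, which is exactly what forward-tls-upstream requires. As an added check that is not part of this thread, the script below builds a DNS query, frames it the way a DoT client does on port 853, and reports whether the upstream answers; RESOLVER_IP is a placeholder you replace with the server you are testing, and the query/response helpers work offline.

```python
import socket
import ssl
import struct

# Placeholders (documentation range), not a real resolver: replace before use.
RESOLVER_IP = "192.0.2.53"
QNAME = "example.com"

def build_query(qname, txid=0x1234):
    """DNS A/IN query in RFC 1035 wire format with the RD bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def frame_tcp(msg):
    """TCP and DoT (RFC 7858) prefix every message with a 2-byte length."""
    return struct.pack("!H", len(msg)) + msg

def parse_response(msg):
    """Return (txid, rcode, answer_count) from a DNS response header."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    return txid, flags & 0x000F, an

def probe_dot(ip, qname, timeout=3.0):
    """Send one query over TLS to port 853. Returns (ok, detail).
    Certificate verification stays on, so an upstream without a DoT listener
    or with an unverifiable certificate is reported as failed, which mirrors
    what a verifying forwarder (forward-tls-upstream) would experience."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, 853), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=ip) as tls:
                tls.sendall(frame_tcp(build_query(qname)))
                length = struct.unpack("!H", tls.recv(2))[0]
                data = b""
                while len(data) < length:   # reassemble a possibly split reply
                    chunk = tls.recv(length - len(data))
                    if not chunk:
                        raise ConnectionError("truncated DoT response")
                    data += chunk
                txid, rcode, answers = parse_response(data)
                return True, f"txid={txid:#06x} rcode={rcode} answers={answers}"
    except (OSError, ssl.SSLError, ValueError) as exc:
        return False, f"DoT failed: {exc}"

if __name__ == "__main__":
    print(probe_dot(RESOLVER_IP, QNAME))
```

If the probe fails but a plain port-53 query to the same address succeeds, the upstream is the problem, and forward-first without forward-tls-upstream (as in the working config above) is the only option until it adds DoT.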