Changing DNS Servers
-
I'm using the DNS Resolver in pfSense so I can do blocking at the DNS level. I've been using 1.1.1.1 and 1.0.0.1 as the pfSense DNS servers. I also set these up on my modem since there is one subnet that is not behind the pfSense firewall. Until now, everything's been working fine.
Today, I tried to switch over to CloudFlare's new Family DNS, 1.1.1.3 and 1.0.0.3, for blocking malicious sites and adult content. I made the switch on my modem and that seems to be working fine for the non-pfSense subnet.
I also made the switch in:
- pfSense -> General Setup -> DNS Server Settings
- Services -> DNS Resolver -> Custom Options
My DNS Resolver Custom Options now look like this:
server:
forward-zone:
name: "."
forward-ssl-upstream: yes
forward-addr: 1.1.1.3@853
forward-addr: 1.0.0.3@853
server:include: /var/unbound/pfb_dnsbl.*conf
However, I am still able to successfully do nslookup on sites that CloudFlare's DNS blocks (i.e., nslookup badsite is successful, while nslookup badsite 1.1.1.3 fails). Since specifying 1.1.1.3 is the correct behavior, I suspect there's something wrong with my setup. I've tried doing ipconfig /flushdns on my computer and did a complete reboot of pfSense after simply restarting the DNS Resolver didn't do anything.
Are there any more places in pfSense that need to be updated to use the new DNS?
-
System\General Setup
Check option "Disable DNS Forwarder"
-
@Alekceu16 Thank you for your response. I did not have that option checked before, but unfortunately after checking it, nothing seems to have changed.
-
@Tamaz You have to Enable Forwarding Mode (DNS Query Forwarding) in the resolver first.
-
1.0.0.3 does not support DoT
https://community.cloudflare.com/t/community-tip-best-practices-for-1-1-1-1-for-families/160496
-
So it works
forward-zone:
name: "."
forward-first: yes
#forward-tls-upstream: yes
forward-addr: 1.1.1.3@53
forward-addr: 1.0.0.3@53
-
@Alekceu16 This solved it! Thank you so much!
-
@Bob-Dig Thanks for the input! Ended up being because 1.1.1.3 doesn't support DoT yet.
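-
The two Custom Options blocks posted in this thread differ in transport and in fallback behaviour, which is easy to miss by eye. The Python below is an added example, not code from any poster or from pfSense or unbound; `parse_forward_zones` and `audit` are hypothetical helper names, and the parser assumes one option per line and understands only the options quoted above.

```python
# Added example; both texts are the Custom Options quoted in the thread.
ORIGINAL = """server:
forward-zone:
name: "."
forward-ssl-upstream: yes
forward-addr: 1.1.1.3@853
forward-addr: 1.0.0.3@853
server:include: /var/unbound/pfb_dnsbl.*conf"""
WORKING = """forward-zone:
name: "."
forward-first: yes
#forward-tls-upstream: yes
forward-addr: 1.1.1.3@53
forward-addr: 1.0.0.3@53"""

def parse_forward_zones(text):
    zones, zone = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out option
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if key == "forward-zone":
            zone = {"addrs": []}
            zones.append(zone)
        elif key == "server" or zone is None:
            zone = None  # a server: clause ends the forward-zone
        elif key == "forward-addr":
            host, _, port = value.partition("@")
            port = port.partition("#")[0]  # drop an optional #auth-name
            zone["addrs"].append((host.partition("#")[0], int(port) if port else None))
        else:
            zone[key] = value  # name, forward-first, forward-tls-upstream, ...
    return zones

def audit(zone):
    # forward-ssl-upstream is the older spelling of forward-tls-upstream
    tls = "yes" in (zone.get("forward-tls-upstream"), zone.get("forward-ssl-upstream"))
    notes = []
    for host, port in zone["addrs"]:
        if (tls and port == 53) or (not tls and port == 853):
            notes.append(f"{host}@{port}: port does not match TLS {'on' if tls else 'off'}")
    if zone["addrs"] and not tls:
        notes.append("queries to the forwarders leave as cleartext DNS")
    if zone.get("forward-first") == "yes":
        notes.append("forward-first: on SERVFAIL unbound recurses itself, past the filter")
    return notes
```

`audit()` returns no notes for the zone parsed from `ORIGINAL` and two for `WORKING`: cleartext transport and the `forward-first` fallback. It only reports what unbound was told to do and cannot tell whether an upstream actually accepts DoT.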