Changing DNS Servers
I'm using the DNS Resolver in pfSense so I can do blocking at the DNS level. I've been using 184.108.40.206 and 220.127.116.11 as the pfSense DNS servers. I also set these up on my modem since there is one subnet that is not behind the pfSense firewall. Until now, everything's been working fine.
Today, I tried to switch over to CloudFlare's new Family DNS, 18.104.22.168 and 22.214.171.124, for blocking malicious sites and adult content. I made the switch on my modem and that seems to be working fine for the non-pfSense subnet.
I also made the switch in:
- pfSense -> General Setup -> DNS Server Settings
- Services -> DNS Resolver -> Custom Options
My DNS Resolver Custom Options now look like this:
    server:
    forward-zone:
        name: "."
        forward-ssl-upstream: yes
        forward-addr: 126.96.36.199@853
        forward-addr: 188.8.131.52@853
    server:include: /var/unbound/pfb_dnsbl.*conf
However, I am still able to successfully do nslookup on sites that CloudFlare's DNS blocks (i.e., "nslookup badsite" is successful, while "nslookup badsite 184.108.40.206" fails). Since specifying 220.127.116.11 is the correct behavior, I suspect there's something wrong with my setup. I've tried doing "ipconfig /flushdns" on my computer and did a complete reboot of pfSense after simply restarting the DNS Resolver didn't do anything.
Are there any more places in pfSense that need to be updated to use the new DNS?
Check option "Disable DNS Forwarder"
@Alekceu16 Thank you for your response. I did not have that option checked before, but unfortunately after checking it, nothing seems to have changed.
Bob.Dig last edited by Bob.Dig
@Tamaz You have to Enable Forwarding Mode (DNS Query Forwarding) in the resolver first.
18.104.22.168 does not support DoT
So it works
@Alekceu16 This solved it! Thank you so much!
@Bob-Dig Thanks for the input! Ended up being because 22.214.171.124 doesn't support DoT yet.