DNS over Port 853 and 53
-
I set up DNS over TLS/SSL on pfSense, but I have a Windows DNS server running on port 53. I would like to keep DNS over TLS and normal DNS on port 53. I want to set up pfSense to listen on local DNS also.
-
Hello manjotsc. The way I have set it up is, through Windows Server DHCP (Server 2016 in my case) I pass my two domain controller IPs as the clients' DNS. My clients and servers cannot connect to the internet on port 53; the port is not open from LAN or the server VLAN. The domain controllers' DNS forwards to the default gateway (pfSense), which then takes over using the DNS servers I set in SYSTEM/GENERAL SETUP. The response comes back to my domain controllers, which pass the resolved addresses to all the clients. DOT is configured in pfSense and as everything runs through that, my internet DNS is encrypted.
-
@riften I am not that good with these. Is it possible for you to show a screenshot of something? I am a bit confused.
Thanks,
Really appreciated.
-
@manjotsc - If you are using Windows Server DNS, are you also using Windows Server DHCP? If using pfSense DHCP, you need to make sure that on the SERVICES/DHCP SERVER/LAN page, you have filled out the IP(s) of your DNS server(s), under SERVERS. Also the Default Gateway. If you have a domain internally and not just a stand-alone DNS server, fill out the DOMAIN NAME and DOMAIN SEARCH LIST with the domain name, under OTHER OPTIONS. I don't use pfSense DHCP, I use Server 2016 DHCP and DNS.
If you are using Windows Server DHCP, you would need to use either SERVER OPTIONS or SCOPE OPTIONS to make DHCP hand out your DNS server IP as the DNS all the clients use. You can use SERVER OPTIONS for any option that applies to all scopes, and SCOPE OPTIONS for any setting that is scope specific only. Right-click on a blank area on the right side under SCOPE OPTIONS and set the needed options (DNS SERVER and ROUTER at least). Sorry I don't have a way to upload images.
Either way, once you have DHCP handing out your internal DNS server and default gateway (router) options to all the clients, you then have to set your DNS server to forward all DNS requests it can't resolve directly to the pfSense router. In the DNS console, right-click on the server name, and choose PROPERTIES. Click FORWARDERS. Here you specify the LAN side IP address of the pfSense router. That's it.
-
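The Windows Server steps described in the post above, as an added PowerShell example that is not part of the original thread: it sets the DHCP DNS/router options, points the DNS forwarder at pfSense, and then checks that names resolve through the domain controllers while plain port 53 to the internet stays blocked. All addresses, the scope ID and the test name are constructed placeholders, and turning off root-hint fallback is an optional hardening assumption not mentioned in the thread.

```powershell
# Constructed lab values (assumptions, not from the thread): adjust to your network.
$ScopeId    = '192.168.10.0'                     # DHCP scope for the LAN
$DnsServers = '192.168.10.11', '192.168.10.12'   # the two domain controllers
$PfSenseLan = '192.168.10.1'                     # pfSense LAN address (default gateway)
$TestName   = 'example.com'                      # any public name to resolve
$OutsideDns = '1.1.1.1'                          # a public resolver, used only to test the block

# 1. DHCP (run on the DHCP server, DhcpServer module):
#    hand out the domain controllers as DNS and pfSense as the router.
#    Omit -ScopeId to set these as SERVER OPTIONS for all scopes instead.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -DnsServer $DnsServers -Router $PfSenseLan

# 2. DNS (run on each domain controller, DnsServer module):
#    forward everything the DC cannot answer itself to pfSense.
#    Set-DnsServerForwarder replaces the existing forwarder list.
#    -UseRootHint $false (optional) stops the DC from falling back to
#    plaintext root-hint lookups when the forwarder does not answer.
Set-DnsServerForwarder -IPAddress $PfSenseLan -UseRootHint $false

# 3. Review what was configured.
Get-DhcpServerv4OptionValue -ScopeId $ScopeId | Format-Table OptionId, Name, Value
Get-DnsServerForwarder | Format-List IPAddress, UseRootHint

# 4. From a client: resolution through each DC should succeed
#    (client -> DC -> pfSense -> DNS over TLS upstream).
foreach ($dc in $DnsServers) {
    $r = Resolve-DnsName -Name $TestName -Server $dc -DnsOnly -ErrorAction SilentlyContinue
    '{0} via {1}: {2}' -f $TestName, $dc, $(if ($r) { 'resolved' } else { 'FAILED' })
}

# 5. From the same client: a direct query to a public resolver should time out
#    when the firewall does not allow port 53 out of this network.
$direct = Resolve-DnsName -Name $TestName -Server $OutsideDns -DnsOnly -QuickTimeout `
    -ErrorAction SilentlyContinue
if ($direct) {
    Write-Warning "Plain DNS to $OutsideDns is reachable; port 53 is not blocked here."
} else {
    'Direct port 53 to the internet is blocked, as intended.'
}
```

Steps 1 and 2 need an elevated session on the DHCP server and on each domain controller respectively; steps 4 and 5 can be run from any domain client.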
@riften Thanks