How to Use DNS Over TLS Server Option

jimp

I added the option I mentioned above to 2.5.0, so now all you have to do is go to System > General and set DNS Resolution Behavior to Use local DNS (127.0.0.1), ignore remote DNS Servers.

https://redmine.pfsense.org/issues/10931

Also cleaned up a giant mess in DNS-related code throughout the code base.

ProfessorManhattan

For anybody else trying to get this to work, follow this guide:

https://docs.netgate.com/pfsense/en/latest/recipes/dns-over-tls.html

And then if you're using systemd-resolved (Ubuntu, Arch Linux etc.), then modify /etc/systemd/resolved.conf by changing:

#DNSOverTLS=

To:

DNSOverTLS=opportunistic

Using opportunistic is the only time when I saw port 853 getting requests on the firewall. After setting it up this way, I no longer saw any requests on port 53. I tried using Stubby but was unable to get it working. The Arch Linux wiki says you're supposed to also set DNS={{ router_ip }}#router.domain.name. However, I got it working without specifying this. It may be because I used ACME to get a certificate. The hostname/domain you're using with ACME should probably match the information provided in General Setup.

@jimp said in How to Use DNS Over TLS Server Option:

https://docs.netgate.com/pfsense/en/latest/recipes/dns-over-tls.html