Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    DoH Not working on pfSense 2.4.5

    Scheduled Pinned Locked Moved DHCP and DNS
    4 Posts 2 Posters 371 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      memphis2k
      last edited by memphis2k

      This post is deleted!
      1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator
        last edited by johnpoz

        For starters 853 is not doh, its dot.. If you can not talk to 9.9.9.9 over 853 then no dot will not work.

        https://www.quad9.net/faq/
        Does Quad9 support DNS over TLS?

        We do support DNS over TLS on port 853 (the standard) using an auth name of dns.quad9.net.

        you have quad9 as the hostname - that is not correct, its the above dns.quad9.net per their faq.

        Your wan rules have nothing to do with it.

        And to be honest your floating rule has nothing to do with it either - unless your wanting clients to directly talk to quad9 on 853?

        Do want clients to talk to unbound with dot as well? You have it setup to use your webgui cert? do you clients trust that cert?

        You could use the tool kdig to test if dns over dot works..

        user@NewUC:~$ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net www.google.com
        ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(CHACHA20-POLY1305)
        ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 62981
        ;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1
        
        ;; EDNS PSEUDOSECTION:
        ;; Version: 0; flags: ; UDP size: 1232 B; ext-rcode: NOERROR
        
        ;; QUESTION SECTION:
        ;; www.google.com.              IN      A
        
        ;; ANSWER SECTION:
        www.google.com.         64      IN      A       172.217.9.36
        
        ;; Received 59 B
        ;; Time 2020-11-09 17:33:53 CST
        ;; From 9.9.9.9@853(TCP) in 12.3 ms
        

        If you want to test dot from a windows machine
        https://github.com/ameshkov/dnslookup

        C:\tools>dnslookup www.google.com tls://dns.quad9.net 9.9.9.9
        dnslookup v1.4.4
        dnslookup result:
        ;; opcode: QUERY, status: NOERROR, id: 34052
        ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
        
        ;; QUESTION SECTION:
        ;www.google.com.        IN       A
        
        ;; ANSWER SECTION:
        www.google.com. 262     IN      A       172.217.8.196
        
        
        C:\tools>
        

        I have to call out 9.9.9.9 in my tests because I locally block dot and doh names from resolving ie dns.quad9.net will not normally resolve on my network. But you can see above how easy to validate I can talk to them (had to turn off my block rules on firewall first)

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        1 Reply Last reply Reply Quote 0
        • M
          memphis2k
          last edited by

          Yes, DoT, Sorry, I had a typo. You made a lot of great points.

          I was just trying to get DoT working and you nailed my mistake in hostname. I'll do some further research on the topics provided.

          Thanks again for the quick reply and the very in-depth ways to check. Knew about dig but not "kdig".

          1 Reply Last reply Reply Quote 0
          • johnpozJ
            johnpoz LAYER 8 Global Moderator
            last edited by johnpoz

            Glad it was helpful.. And hopefully the next guy that finds this might also find useful info.

            I'm a huge dig user, and really have zero use for doh or dot.. I block them specifically on my network.. I resolve - have no desire to hand all my dns to some company.. Will just resolve thank you very much. But there are useful tools to test with.

            But no reason can not help others use - even if I think a horrible idea.. I wouldn't mind it too much if was fully opt in.. But these browsers and apps doing doh in the background, without fully and complete sign off from the user specifically to do it - is just horrible horrible direction.. Understanding how it works, how to validate it works - makes it easier to make sure its not viable on my network.. Its wrong - and just another way for these companies to monetize data, sorry but it has zero to do with user privacy or "security"

            dot is better, because its easier to block apps and devices from using it.. But sneaking dns queries inside https normal 443 is not direction should be going..

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.