Netgate Discussion Forum

    Dns Server only work if they support 53 and Dot -Dot only=no

    Category: DHCP and DNS
    4 Posts 2 Posters 461 Views
      Docop2
      last edited by

      Hi
      So I did get a DNS with DoT working in pfSense 2.5, but it only works if the server supports port 53 and DoT. If I put in a server that works only with DoT, it can't resolve.
      1.1.1.1 works fine, but other DoT servers like https://dns.oszx.co/ just don't work in pfSense.

      DNS Resolver settings: DNSSEC: Off / Query Forwarding: Enabled - Use SSL/TLS: Enabled
      DHCP registration: Off - static: Off
      System > General: the DNS server, the IP or IP with hostname..
      DNS server override: Off / DNS resolution behavior: default use local DNS, fallb..
      So:
      51.38.82.141 = DNSSEC Off or On / advanced settings: harden On - OK, works fine. (Server with no DNSSEC)
      51.38.82.198 = DNSSEC Off or On / harden Off or On - X nothing. And in Diagnostics: cannot resolve, as no ping possible locally. (.198 is with DNSSEC)

      Here is the log of the dns resolver with the .198 with verbose 3:

      info: processQueryTargets: 1.ch.pool.ntp.org. AAAA IN
      Apr 12 23:57:53 	unbound 	22290 	[22290:0] debug: configured stub or forward servers failed -- returning SERVFAIL
      Apr 12 23:57:53 	unbound 	22290 	[22290:0] debug: return error response SERVFAIL
      Apr 12 23:57:53 	unbound 	22290 	[22290:0] debug: validator[module 0] operate: extstate:module_wait_module event:module_event_moddone
      Apr 12 23:57:53 	unbound 	22290 	[22290:0] info: validator operate: query 1.ch.pool.ntp.org. AAAA IN
      Apr 12 23:57:53 	unbound 	22290 	[22290:0] debug: cache memory msg=70187 rrset=66072 infra=8057 val=66288
      Apr 12 23:58:19 	unbound 	22290 	[22290:0] debug: tcp error for address 51.38.83.198 port 853
      Apr 12 23:58:19 	unbound 	22290 	[22290:0] debug: iterator[module 1] operate: extstate:module_wait_reply event:module_event_noreply
      

      And with the command grep 'start' /var/log/resolver.log there is no auto restart by itself or so. Just my times when I changed settings. No update done after the install of pfSense 2.5.

      But this oszx is just an example, as other DoT servers can't work too. The Prefetch option doesn't look to do much either..
      Thanks for some hints.

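One way to read that verbose-3 resolver log without scanning it by eye: a small log check, added here and not from the thread or from pfSense, that counts per-upstream TCP errors on port 853 (DoT) and the "configured stub or forward servers failed" SERVFAILs unbound emits when every forwarder is unreachable. The sample lines are constructed from the log quoted above; the threshold is an assumed value.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the unbound verbose-3 log posted in the thread.
SAMPLE_LOG = """\
Apr 12 23:57:53 unbound 22290 [22290:0] info: validator operate: query 1.ch.pool.ntp.org. AAAA IN
Apr 12 23:57:53 unbound 22290 [22290:0] debug: configured stub or forward servers failed -- returning SERVFAIL
Apr 12 23:57:53 unbound 22290 [22290:0] debug: return error response SERVFAIL
Apr 12 23:58:19 unbound 22290 [22290:0] debug: tcp error for address 51.38.83.198 port 853
Apr 12 23:58:19 unbound 22290 [22290:0] debug: iterator[module 1] operate: extstate:module_wait_reply event:module_event_noreply
Apr 12 23:58:40 unbound 22290 [22290:0] debug: tcp error for address 51.38.83.198 port 853
"""

# "tcp error for address <ip> port <port>": the TCP/TLS session to an upstream failed.
TCP_ERR = re.compile(r"tcp error for address (?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+)")
# Emitted when unbound gives up on all configured forwarders and answers SERVFAIL.
FWD_FAIL = re.compile(r"configured stub or forward servers failed")


def analyse(log_text):
    """Return ({(ip, port): tcp_error_count}, forwarder_failure_count)."""
    errors = defaultdict(int)
    fwd_failures = 0
    for line in log_text.splitlines():
        m = TCP_ERR.search(line)
        if m:
            errors[(m["ip"], int(m["port"]))] += 1
        elif FWD_FAIL.search(line):
            fwd_failures += 1
    return dict(errors), fwd_failures


def dead_dot_upstreams(log_text, threshold=2):
    """DoT upstreams (port 853) whose TCP error count reaches the assumed threshold.

    A forwarder that only ever shows up here is the one to swap out or
    check for reachability on 853, independent of any DNSSEC setting.
    """
    errors, _ = analyse(log_text)
    return sorted(ip for (ip, port), n in errors.items() if port == 853 and n >= threshold)


if __name__ == "__main__":
    counts, failures = analyse(SAMPLE_LOG)
    print("tcp errors per upstream:", counts)
    print("forwarder failures (SERVFAIL):", failures)
    print("dead DoT upstreams:", dead_dot_upstreams(SAMPLE_LOG))
```

Run it against a copy of /var/log/resolver.log to see whether the failures are all on one forwarder's port 853, which points at that upstream rather than at the resolver settings.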
        Gertjan @Docop2
        last edited by Gertjan

        @docop2 said in Dns Server only work if they support 53 and Dot -Dot only=no:

        dns.oszx.co

        You're trying to use a DNS which plays 'dead'. That won't work.
        Use a DNS that supports DoT and is actually up and running (or: reachable - or: accepts your connections).

        TLS or not, why would you want to hand over your private DNS queries to some 'unknown' entity?

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

          Docop2
          last edited by

          @gertjan Oh.. indeed that one went dead.. what a chance. hehe. Here is another one:
          https://dns.hostux.net/ads 185.26.126.37

          But I'm not sure about what you wrote. Was it better to put 8.8.8.8 or 1.1.1.1 because they are bigger? With a default install of pfSense it is using the WAN for DNS.. so it's straight the ISP DNS. Not better.

          The part about "pfSense DNS resolver queries the root DNS servers.." I never see that up after multiple installs/configs.

            Gertjan @Docop2
            last edited by Gertjan

            @docop2 said in Dns Server only work if they support 53 and Dot -Dot only=no:

            With a default install of PF it is using the wan for dns.. so it's straight the Isp dns. Not better.

            What?
            Not a huge issue, easy to correct, and do this asap: review some of the aspects of what you think you know about how the Internet DNS system works.

            By default:
            pfSense does not use your ISP's DNS servers.
            It uses these.

            You do not need someone's DNS server - small or big.
            You have the right to use one of the 13 original ones. pfSense does so, out of the box.
            And true, pfSense uses, over the public internet, the public resource: these 13 root DNS servers. Because they are the root of everything that is domain-name related.

            You want to be sure of a DNS reply? => Activate DNSSEC. This will enforce the 'quality' of the DNS reply, if the site - domain name - you look for wants to protect itself, and you, against DNS spoofing.
            You want to hide your DNS requests?
            (which means you are forwarding - which breaks DNSSEC, as you include a MITM in your DNS chain)
            Then look for 1.1.1.1 (supports DoH) or OpenDNS etc.
            Why some obscure/unknown ones? The minute they stop, they will stop your DNS .....


            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.