Netgate Discussion Forum
DNS over HTTPS/TLS Blocking & DNS Query Forwarding via SSL/TLS

Category: pfBlockerNG | 12 Posts, 3 Posters, 2.6k Views
Bob.Dig (LAYER 8), posted Jun 28, 2021, 2:45 PM (last edited by Bob.Dig Jun 29, 2021, 6:54 AM)

    Enabling DNS over HTTPS/TLS Blocking under DNSBL-SafeSearch will also cripple the DNS Lookup under Diagnostics. At least if you use DNS Query Forwarding together with Use SSL/TLS for outgoing DNS Queries to Forwarding Servers in the Resolver. Is this intended?

Tzvia, posted Jun 28, 2021, 3:34 PM

      Back when I was forwarding instead of resolving, I didn't bother to block what I was using anyway, what's the point, I was forwarding to them. Once I determined I really didn't want to use any of these companies that were dangling 'free dns', encrypted or otherwise (they obviously wanted to gather market data they could sell) I realized I didn't want to be a part of it. Blocking them only makes sense if you don't then decide to use them anyway.
      It sounds like PFSense is doing a resolve using what is on the general tab, which is being blocked, as opposed to forwarding.

      Tzvia

      Current build:
      Hunsn/CWWK Pentium Gold 8505, 6x i226v 'micro firewall'
      16 gigs ram
      500gig WD Blue nvme
      Using modded BIOS (enabled CSTATES)
      PFSense 2.72-RELEASE
      Enabled Intel SpeedShift
      Snort
      PFBlockerNG
      LAN and 5 VLANS

Bob.Dig (LAYER 8), posted Jun 28, 2021, 4:04 PM

        You are right. I would wish though the firewall itself would be excluded from this and still could use the resolver, but it seems to be no option.

JeGr (LAYER 8, Moderator), replying to Tzvia, Jun 28, 2021, 4:09 PM

          It sounds like PFSense is doing a resolve using what is on the general tab, which is being blocked, as opposed to forwarding.

          That sentence makes no sense to me. Either pfSense is resolving itself (via localhost and unbound as resolver), then it's using ROOT DNS servers. Or it is forwarding, then it is using those forwarders from the System/General page. There's no "resolving with those in general tab". Resolving is done via the Root DNS servers :)

          Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

          If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

JeGr (LAYER 8, Moderator), replying to Bob.Dig, Jun 28, 2021, 4:29 PM

            @bob-dig said in (solved) DNS over HTTPS/TLS Blocking & DNS Query Forwarding via SSL/TLS:

            You are right. I would wish though the firewall itself would be excluded from this and still could use the resolver, but it seems to be no option.

            Also: can't reproduce the error myself. Just activated DNSBL, switched on all DoH/DoT blocking and ran a force update. Can't see that failing afterwards:

[screenshot omitted]

            Used a domain that wasn't in the cache either. Resolver (locally) had no problem as did Cloudflare or he.net - all resolved the name without problems.

            I also verified it is blocking DoH/DoT domains:

[screenshot omitted]

            locally - NXdomain. Asking cloudflare directly: resolving. So everything running as it's supposed to. :)

Bob.Dig (LAYER 8), replying to JeGr, Jun 28, 2021, 4:38 PM (last edited by Bob.Dig Jun 29, 2021, 6:55 AM)

              @jegr said in (solved) DNS over HTTPS/TLS Blocking & DNS Query Forwarding via SSL/TLS:

              So everything running as it's supposed to. :)

              I use Enable Forwarding Mode and Use SSL/TLS for outgoing DNS Queries to Forwarding Servers.

              1.1.1.1 is the DNS-Server in General Setup and I have disabled DNS Server Override there.
              In the end the following dns lookups failed:
              one.one.one.one
              dns9.quad9.net

What I wanted to do was put some other DNS servers into General Setup, and to fill in the hostname field there I did the (failing) DNS lookups (or it was to find the corresponding IPv6 addresses).
Later I noticed that it was related to DNS over HTTPS/TLS Blocking in pfBlocker, although the resolver otherwise worked for me without a problem.

JeGr (LAYER 8, Moderator), replying to Bob.Dig, Jun 29, 2021, 4:14 PM

                @bob-dig said in DNS over HTTPS/TLS Blocking & DNS Query Forwarding via SSL/TLS:

                I use Enable Forwarding Mode and Use SSL/TLS for outgoing DNS Queries to Forwarding Servers.

                OK but then you're using the forwarder, not resolver. That's important. :)
                Nevertheless for normal lookups that doesn't seem important as I switched to forwarding and it seemed to work.

Bob.Dig (LAYER 8), replying to JeGr, Jun 29, 2021, 4:20 PM

                  @jegr said in DNS over HTTPS/TLS Blocking & DNS Query Forwarding via SSL/TLS:

                  OK but then you're using the forwarder, not resolver.

                  I am using unbound. :)

                  Not watching the game or r u multitasking? 😉

JeGr (LAYER 8, Moderator), replying to Bob.Dig, Jun 29, 2021, 6:17 PM

                    @bob-dig said in DNS over HTTPS/TLS Blocking & DNS Query Forwarding via SSL/TLS:

                    @jegr said in DNS over HTTPS/TLS Blocking & DNS Query Forwarding via SSL/TLS:

                    OK but then you're using the forwarder, not resolver.

                    I am using unbound. :)

                    Not watching the game or r u multitasking? 😉

                    No, you don't understand what I'm talking about. Yes you may be using unbound, but you are NOT using the resolver, but the forwarding engine. That is a totally different procedure as I was already pointing out in my previous posting.

                    Besides that I couldn't reproduce pfBlocker somehow blocking IPs to DNS forwarders. Already wrote that above, too - perhaps you are multitasking? ;)

                    So either it's another setting interfering or some configuration of yours in pfBlocker but mine isn't misbehaving that way? :)

Bob.Dig (LAYER 8), posted Jun 29, 2021, 6:48 PM (last edited by Bob.Dig Jun 29, 2021, 6:50 PM)

I can reproduce it by enabling this blocking in pfBlockerNG again, reloading or updating it and then rebooting pfSense: the problem (first screenshot) occurred again.

[Screenshot 1: Diagnostics > DNS Lookup, Jun 29, 2021, 20:42]

[Screenshot 2: System > General Setup, Jun 29, 2021, 20:42]

[Screenshot 3: Services > DNS Resolver > General Settings, Jun 29, 2021, 20:43]

[Screenshot 4: Firewall > pfBlockerNG > DNSBL > DNSBL SafeSearch, Jun 29, 2021, 20:44]

                      Same for: dns9.quad9.net

JeGr (LAYER 8, Moderator), replying to Bob.Dig, Jun 29, 2021, 9:44 PM

                        @bob-dig Where exactly is the sense in "blocking DoH/DoT" - then using exactly that in your unbound config? Don't understand that line of thought. Especially blocking my own forwarders in DoT section of pfBlockerNG and wondering why it wouldn't work ;)

                        Kinda biting your own tail :D

Bob.Dig (LAYER 8), replying to JeGr, Jun 30, 2021, 6:45 AM (last edited by Bob.Dig Jun 30, 2021, 9:17 AM)

                          @jegr Yep, I thought whatever I do there in pfBlocker wouldn't affect my unbound config, but that is not the case. So it works as intended it seems. That was the question in my first post.

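As an added example (not from this thread, and not pfSense or pfBlockerNG code), the check below makes two points of the discussion concrete: JeGr's distinction between unbound resolving from the root servers and unbound forwarding (a forward-zone with forward-addr targets, which is what "Enable Forwarding Mode" with "Use SSL/TLS for outgoing DNS Queries" produces), and the "biting your own tail" situation where the DoT forwarders' own hostnames end up on the DoH/DoT blocklist. The unbound.conf fragment and the blocklist are constructed for the example; the file format pfBlockerNG writes for its DNSBL is an assumption (simplified here to bare domains), while the forward-addr syntax IP@port#authname is real unbound syntax. Pointed at a firewall's actual generated config and blocklist, it reports which forwarder names are about to be blocked before the setting is enabled.

```python
"""Pre-flight check: do my unbound DoT forwarders collide with my own DoH/DoT DNSBL?

Added example, not part of the forum thread or of pfSense/pfBlockerNG.
The sample config and blocklist below are constructed; the pfBlockerNG
list format is assumed (bare domain per line, '#' comments).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed unbound.conf fragment in the shape pfSense writes for
# forwarding mode with TLS: IP@port#authname (real unbound syntax).
SAMPLE_UNBOUND_CONF = """\
server:
    verbosity: 1
    interface: 0.0.0.0
    hide-identity: yes
    hide-version: yes
    tls-cert-bundle: "/etc/ssl/cert.pem"
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#one.one.one.one
    forward-addr: 2606:4700:4700::1111@853#one.one.one.one
    forward-addr: 9.9.9.9@853#dns9.quad9.net
"""

# Constructed DoH/DoT endpoint list (assumption: pfBlockerNG-style content).
SAMPLE_DOH_DOT_BLOCKLIST = """\
# DoH/DoT endpoints
cloudflare-dns.com
one.one.one.one
dns.google
dns.quad9.net
dns9.quad9.net
doh.opendns.com
"""

FORWARD_ADDR_RE = re.compile(
    r"^\s*forward-addr:\s*(?P<addr>[^@#\s]+)(?:@(?P<port>\d+))?(?:#(?P<auth>\S+))?\s*$"
)


@dataclass(frozen=True)
class Forwarder:
    addr: str                 # IP the connection is actually made to
    port: int                 # 853 for DoT, 53 for plain DNS
    auth_name: Optional[str]  # name unbound validates the server certificate against


def parse_forwarders(conf: str) -> List[Forwarder]:
    """Collect every forward-addr line from an unbound config."""
    out = []
    for line in conf.splitlines():
        m = FORWARD_ADDR_RE.match(line)
        if m:
            out.append(Forwarder(m.group("addr"), int(m.group("port") or 53), m.group("auth")))
    return out


def resolution_mode(conf: str) -> str:
    """'forwarding' if unbound hands queries to forward-addr targets,
    otherwise 'resolving' (unbound iterates from the root hints itself)."""
    return "forwarding" if parse_forwarders(conf) else "resolving"


def parse_blocklist(text: str) -> Set[str]:
    names = set()
    for raw in text.splitlines():
        name = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if name:
            names.add(name)
    return names


def is_blocked(name: str, blocklist: Set[str]) -> bool:
    """Covered if the name or any parent label is listed, the way an unbound
    local-zone for example.com also swallows doh.example.com (conservative)."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def find_conflicts(conf: str, blocklist_text: str) -> List[Forwarder]:
    """Forwarders whose TLS auth name the firewall's own DNSBL answers locally."""
    blocklist = parse_blocklist(blocklist_text)
    return [fw for fw in parse_forwarders(conf)
            if fw.auth_name and is_blocked(fw.auth_name, blocklist)]


def report(conf: str, blocklist_text: str) -> List[str]:
    lines = [f"mode: {resolution_mode(conf)}"]
    for fw in find_conflicts(conf, blocklist_text):
        lines.append(f"forwarder {fw.addr}@{fw.port} is reached by IP, but a lookup "
                     f"of its auth name {fw.auth_name} is answered by the DNSBL, not forwarded")
    if len(lines) == 1:
        lines.append("no forwarder auth names are on the DoH/DoT blocklist")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_UNBOUND_CONF, SAMPLE_DOH_DOT_BLOCKLIST)))
```

This is also why the thread's symptom is so specific: the TLS session goes to the forward-addr IP and the "#authname" is used only for certificate validation, so forwarding itself keeps working, while a Diagnostics > DNS Lookup of that same name is answered by unbound's local zone, which takes precedence over the forward-zone, hence NXDOMAIN for one.one.one.one and dns9.quad9.net.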
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.