Encrypt DNS unable to resolve
-
Dear All,
I followed the pfSense official guide to encrypt DNS, but when I uncheck "Allow DNS server list to be overridden by DHCP/PPP on WAN", my DNS server cannot resolve any DNS queries.
Can anyone help me? I'd very much appreciate any help. Thanks.
-
@peter_apiit said in Encrypt DNS unable to resolve:
pfsense official guide to encrypt DNS
And which guide was that? Can you please post the URL, and let's see your settings.
https://docs.netgate.com/pfsense/en/latest/recipes/dns-over-tls.html#configuring-dns-over-tls
-
@johnpoz https://docs.netgate.com/pfsense/en/latest/recipes/dns-over-tls.html
-
@peter_apiit ok - let's see your setup, because I have set this up multiple times. It takes all of a few minutes.
I turn it off, I turn it on. Not a fan of forwarding, so I don't use it - but I have never had a problem getting it working when people have issues.
So here I just set it up to Cloudflare.
Working just fine.. all of 30 seconds to set up.
If you cannot talk to 1.1.1.1 over 853, then sure, you would have a problem - check your state table. Do a packet capture on your WAN: are you seeing traffic going to 1.1.1.1 over 853?
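One way to run the check johnpoz describes from a LAN host, as an added example that is not part of the original thread or the Netgate recipe: a small Python script that opens a TLS session to 1.1.1.1 on port 853, verifies the certificate against the name cloudflare-dns.com (the same auth hostname the pfSense DNS server field takes), and sends one DNS query with the RFC 7858 framing (a 2-byte length prefix on each message). If this succeeds from a host behind pfSense while the resolver itself still fails, the problem is in the resolver settings rather than reachability of port 853. The server, hostname, query name and transaction id are assumptions chosen for the demo; the response bytes used in the test are constructed by hand.

```python
"""Probe a DNS-over-TLS forwarder directly (added example, not pfSense code).

Assumptions: the forwarder is 1.1.1.1:853 and presents a certificate valid
for cloudflare-dns.com; both can be changed via dot_query() arguments.
"""
import socket
import ssl
import struct


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a minimal DNS query: 12-byte header plus one question (A record, IN class)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = RD
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_answers(msg: bytes, txid: int) -> list:
    """Return the IPv4 addresses from the answer section of a DNS response.
    Names are skipped rather than decoded, which is enough to walk the records."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0xF
    if rcode != 0:
        raise ValueError(f"server returned RCODE {rcode}")

    def skip_name(p: int) -> int:
        while True:
            length = msg[p]
            if length == 0:
                return p + 1
            if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
                return p + 2
            p += 1 + length

    pos = 12
    for _ in range(qd):
        pos = skip_name(pos) + 4  # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        pos = skip_name(pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        rdata = msg[pos:pos + rdlen]
        pos += rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


def recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes or raise; TLS/TCP can deliver a DNS message in pieces."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def dot_query(name: str, server: str = "1.1.1.1", port: int = 853,
              tls_hostname: str = "cloudflare-dns.com", timeout: float = 5.0) -> list:
    """Send one DNS-over-TLS query and return the A records in the reply.
    create_default_context() verifies the chain and the hostname, so a
    middlebox impersonating 1.1.1.1 fails here instead of being trusted."""
    ctx = ssl.create_default_context()
    txid = 0x4242
    query = build_query(name, txid)
    with socket.create_connection((server, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=tls_hostname) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)  # RFC 7858 length prefix
            (rlen,) = struct.unpack("!H", recv_exact(tls, 2))
            response = recv_exact(tls, rlen)
    return parse_answers(response, txid)


if __name__ == "__main__":
    # Needs outbound TCP/853; a failure here matches what johnpoz says to look for.
    print(dot_query("one.one.one.one"))
```

If the script times out, look at the pfSense state table and a packet capture on WAN for 853; if it succeeds but the resolver still fails, the fault is in the forwarding configuration rather than the network path.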
-
-
@peter_apiit And again - let's see your settings... Are you sure your client is even pointing to pfSense for DNS?
From that test, you didn't use Cloudflare at all.. Are you routing through a VPN? Do you have a router in front of pfSense? Is your ISP doing interception?
Where was the sniff showing what is going on when you query pfSense, etc.?
-
I don't have a router in front of pfSense. I don't use a VPN at all. I don't know whether my ISP is doing interception to see my browsing history.
Where was the sniff showing what is going on when you query pfSense, etc.?
What do you mean by this?
-
@peter_apiit why do you have those others in there?
Just set Cloudflare, or other DoT-enabled services. But I would start with just the one to make sure it's working.
Under the Diagnostics menu, the packet capture..
Why do you have 127.0.0.1 listed there?
-
@johnpoz Let me remove the other DNS services.
-
My pfSense DNS/Resolver worked just fine from day one. Never had anything to change. I guess I've enforced DNSSEC on my own initiative.
Step one :
Step two : resolvers settings :
Step three : I deactivated pfBlockerNG-devel as I normally block all these :
Note that by default "pfBlockerNG-devel" isn't present on pfSense, so this step is optional.
I tested :
So, it works for me : forwarding to 1.1.1.1 using DNS over TLS (port 853).
-
@gertjan After removing all the other DNS services, DNS over TLS is working, as shown in the pic.
-
@gertjan Is there anything I can do to secure my DNS query process, apart from what I have already done?
-
@peter_apiit said in Encrypt DNS unable to resolve:
secure my DNS query
From whom, and for what?
You do understand your ISP still knows where you go, by IP, and even your HTTPS has the clear FQDN right there for them to see, just like your DNS query..
You're not actually hiding anything from your ISP by doing your DNS over a tunnel.
Until such time that ESNI actually is a thing and deployed across the internet.. Well, now ECH, because ESNI died before it really got any traction. While you can hide the actual DNS query from them, they still know exactly where you're going via the clear SNI sent when you make your HTTPS connection.
Encrypted DNS is more about circumvention, be it your ISP doing interception of DNS, or bypassing your local DNS by doing DoH..
-
@johnpoz I want to secure the DNS query process from my ISP because I suspect my ISP is seeing my browsing history, so I want to completely hide it.
May I know the steps to configure this?
-
@peter_apiit said in Encrypt DNS unable to resolve:
ISP seeing my browse website history so I want to completely hide it.
Which you're not, with encrypted DNS.. because while they don't see the DNS query, they still see where you go via IP, or the actual SNI included in the HTTPS handshake, which is in the clear..
It is trivial for a company that was sniffing your DNS traffic to just sniff HTTPS and get the SNI, etc.
The only way to hide where you actually go from your ISP is a VPN.. Then all they see is the amount of traffic between you and the VPN service IP. But that is just handing off trust from your ISP to the VPN service, etc. And then paying them to boot ;)
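To make concrete the point johnpoz makes here and in the earlier reply about ESNI/ECH, an added example that is not from the thread: a Python parser that pulls the server_name (SNI) out of a TLS ClientHello, the first message a browser sends on every HTTPS connection, which travels unencrypted. build_client_hello() constructs a minimal TLS 1.2 ClientHello for the demo (zeroed random, one cipher suite); on a real link the same bytes are what an ISP sees regardless of whether the DNS lookup before them went over TLS. The hostnames are placeholders.

```python
"""Extract the cleartext SNI from a TLS ClientHello (added example, not from the thread)."""
import struct


def extract_sni(record: bytes):
    """Return the hostname in the server_name extension of a ClientHello, or None.
    Anything that is not a well-formed handshake record yields None."""
    try:
        if len(record) < 5 or record[0] != 0x16:          # 0x16 = handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:                   # 0x01 = ClientHello
            return None
        pos = 4 + 2 + 32                                   # hs header, client_version, random
        sid_len = hs[pos]
        pos += 1 + sid_len                                 # session id
        cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2 + cs_len                                  # cipher suites
        cm_len = hs[pos]
        pos += 1 + cm_len                                  # compression methods
        if pos + 2 > len(hs):
            return None                                    # hello without extensions
        ext_total = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            body = hs[pos:pos + ext_len]
            pos += ext_len
            if ext_type != 0:                              # 0 = server_name
                continue
            list_len = struct.unpack("!H", body[:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                name_type = body[p]
                name_len = struct.unpack("!H", body[p + 1:p + 3])[0]
                p += 3
                if name_type == 0:                         # host_name
                    return body[p:p + name_len].decode("ascii")
                p += name_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def build_client_hello(hostname: str, with_sni: bool = True) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello carrying an SNI extension (test input only)."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # host_name entry
    sni_ext = (struct.pack("!HH", 0, len(entry) + 2)
               + struct.pack("!H", len(entry)) + entry)
    exts = sni_ext if with_sni else b""
    body = (b"\x03\x03" + b"\x00" * 32                             # version + zeroed random
            + b"\x00"                                              # session id length 0
            + b"\x00\x02\xc0\x2f"                                  # one cipher suite
            + b"\x01\x00"                                          # null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    hello = build_client_hello("www.example.com")
    print(extract_sni(hello))  # the ISP sees this without touching DNS at all
```

A passive tap only needs the first record of each TCP stream to port 443 to log destinations this way; that is the gap ECH is meant to close, and what a VPN hides from the ISP by moving the whole exchange inside the tunnel.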