Enabling DoT (DNS over TLS) breaks IPSec VPN DNS
-
We have a setup that has worked well for a long time. Among other services, we run DNS and 'road warrior' IPSec VPN to access the office from home. We're using pfsense plus 22.05 (current newest).
Then we turned on DoT for local clients, i.e. enabled the "Respond to incoming SSL/TLS queries from local clients" checkbox. Inside the LAN, it works great! UDP port 853 is open, and DoT works according to tests with kdig.
Alas, for those connected from home by IPSec VPN, DNS is totally broken, for clients on Windows, Mac, and Ubuntu. It's not only that DoT doesn't work, but plain old DNS doesn't work either. I did a port scan with nmap and it shows that ports 53 and 853 are not open.
If I disable the DoT checkbox, DNS works again. I redo the port scan and port 53 is back open.
How can I debug this further?
Thanks.
-
Today we tried turning off DNSSEC, but that made no difference.
Also, it's not clear to me if DoT uses UDP or TCP, or both/either. But in fact, both over IPSec and inside the LAN, TCP 853 is open and working.
But plain old UDP 53 is still broken (only over IPSec) by enabling DoT, which is what I'm looking to solve.
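A transport-by-transport probe that shows the split the original question and the update describe (UDP 53 dead, TCP 53 and TLS 853 answering) directly from a VPN client, instead of inferring it from an nmap port scan. This is an added diagnostic example, not code from the post, from pfSense or from the Redmine issue. It assumes the resolver address is given as the first command-line argument; the sample reply at the bottom is constructed for the offline checks, not captured from any real resolver.

```python
"""Probe a resolver over UDP/53, TCP/53 and DNS over TLS (TCP/853).
Added example for the thread above; not from pfSense. Resolver IP comes
from argv[1]; SAMPLE_RESPONSE below is constructed, not captured."""
import socket
import ssl
import struct
import sys

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal RFC 1035 query: header with RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_response(data: bytes, expect_txid: int) -> dict:
    """Decode only the header: enough to tell a real answer from noise."""
    if len(data) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {"txid_ok": txid == expect_txid,
            "is_response": bool(flags & 0x8000),
            "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
            "answers": an}


def frame_tcp(msg: bytes) -> bytes:
    """TCP and DoT both prefix a message with its 2-byte length (RFC 1035 4.2.2, RFC 7858)."""
    return struct.pack("!H", len(msg)) + msg


def recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection early")
        buf += chunk
    return buf


def query_udp(server: str, q: bytes, timeout: float = 2.0) -> bytes:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        return s.recv(4096)


def query_tcp(server: str, q: bytes, port: int = 53, tls: bool = False,
              timeout: float = 3.0) -> bytes:
    sock = socket.create_connection((server, port), timeout=timeout)
    if tls:
        # Diagnostic only: the question is whether 853 answers at all, so the
        # server certificate is deliberately not verified. Not for a real client.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        sock = ctx.wrap_socket(sock, server_hostname=server)
    with sock:
        sock.sendall(frame_tcp(q))
        (length,) = struct.unpack("!H", recv_exact(sock, 2))
        return recv_exact(sock, length)


def probe(server: str, name: str = "example.com") -> dict:
    """Try all three transports; each entry is 'ok (RCODE, n answers)' or the failure."""
    txid = 0x4242
    q = build_query(name, txid=txid)
    transports = {"udp/53": lambda: query_udp(server, q),
                  "tcp/53": lambda: query_tcp(server, q),
                  "tls/853": lambda: query_tcp(server, q, port=853, tls=True)}
    results = {}
    for label, fn in transports.items():
        try:
            r = parse_response(fn(), txid)
            if not (r["txid_ok"] and r["is_response"]):
                results[label] = "bad reply (txid/QR mismatch)"
            else:
                results[label] = f"ok ({r['rcode']}, {r['answers']} answers)"
        except (OSError, ValueError) as e:  # timeouts and TLS errors are OSError subclasses
            results[label] = f"FAIL: {e.__class__.__name__}: {e}"
    return results


# Constructed sample: NOERROR reply with one A record for example.com,
# txid 0x1234, flags 0x8180 (QR, RD, RA). Not captured from a real resolver.
SAMPLE_RESPONSE = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
                   b"\x07example\x03com\x00\x00\x01\x00\x01"
                   b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\x5d\xb8\xd8\x22")

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <resolver-ip>")
    for transport, status in probe(sys.argv[1]).items():
        print(f"{transport:8} {status}")
```

Run it once from the LAN and once from a host on the IPSec tunnel, pointing at the pfSense LAN address; a "FAIL: TimeoutError" on udp/53 next to "ok" on tcp/53 and tls/853 reproduces the symptom in the update above, and a "bad reply" entry would instead point at something answering on the port that is not the resolver.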
-
Solution: https://redmine.pfsense.org/issues/13454