Forced to use TCP 853 over VPN connections after enabling DoT (DNS over TLS)
-
Greetings everyone,
I am using a remote access IPsec VPN and it works really well. The only problem is that when I enable the option "Respond to incoming SSL/TLS queries from local clients" in the DNS Resolver section, port 53 UDP closes and 853 TCP opens up, forcing remote access connections to use DoT for name resolution. The LAN is unaffected: port 53 UDP remains available alongside the newly available 853 TCP after enabling said option.
Is this normal DNS Resolver behaviour after enabling this option for IPsec, or am I doing something wrong with my current configuration? For information, I am using the current config:

DNS Resolver [√]: Network Interfaces -> ALL; Outgoing Network Interfaces -> ALL;
DNS Forwarder: Disabled

Under System > General setup:
DNS Override: [√] Allow DNS server list to be overridden by DHCP/PPP on WAN or remote OpenVPN server
DNS Resolution Behavior: [Use local DNS (127.0.0.1), fall back to remote DNS Servers (default)]

Under IPsec > Mobile:
Split DNS [Unchecked]
DNS Servers [√] > Server #1: Firewall's Local IP

I am also running pfBlockerNG-devel.
Thanks in advance !
-
We figured it out, so I will be posting our solution here in case anyone runs into the same issue in the future.
Basically, once the DoT option is enabled, unbound changes behaviour because of the way it is implemented in pfSense software. See: https://redmine.pfsense.org/issues/13393
To make sure enabling DoT works, you should choose specific network interface(s) to which the DNS Resolver will bind when listening for queries from clients, and not listen on ALL interfaces (i.e. DNS Resolver > Network Interfaces > ALL), which is the default option for pfSense.
In short, changing our DNS Resolver's listening interfaces from ALL to just the LAN, DMZ and localhost solved the issue.
Hope this helps,
Alejandro