Netgate Discussion Forum

Problem with DNS over TLS

DHCP and DNS
28 Posts 5 Posters 3.2k Views
    pietsnot56
    last edited by Jan 19, 2023, 3:35 PM

    Hi,
    I'm trying to make my home network more secure.
    Now I'm trying to configure "DNS over TLS".
    I saw different YouTube videos on configuring this, but it doesn't work.
    When I check "Use SSL/TLS for outgoing DNS Queries to Forwarding Servers", then I lose my internet connection.

    It seems to me that something is wrong with the DNS settings or firewall rules.
    Any idea what's wrong?

    NAT.png Wan.png LAN.png Forward1.png forward2).png

      viragomann @pietsnot56
      last edited by Jan 19, 2023, 3:50 PM

      @pietsnot56
      Are your local devices configured to use DoT at all?

      Do you really need DoT inside your network?

        Alejo 0 @pietsnot56
        last edited by Jan 19, 2023, 3:53 PM

        @pietsnot56

        When I check "Use SSL/TLS for outgoing DNS Queries to Forwarding Servers", then I lose my internet connection.

        Do you actually lose internet access or DNS fails to resolve requests? These are two different things.

        Try changing the Outgoing Network Interfaces to your localhost instead.

        Another recommendation is to uncheck the DHCP Registration option; this setting will restart your DNS (aka unbound) every time your pfSense needs to assign a new DHCP lease. Also make sure your certificate is valid.

        The darker the night, the brighter the stars.

          pietsnot56
          last edited by Jan 19, 2023, 4:19 PM

          The wan port on dashboard is still online (green).
          localhost: do you mean changing the IP in the LAN rules (2nd line) to "localhost"?
          Unchecking DHCP doesn't help.

          "Are your local devices configured to use DoT at all?": I don't know, not sure about this.

          "Do you really need DoT inside your network?" : no

            viragomann @pietsnot56
            last edited by Jan 19, 2023, 4:26 PM

            @pietsnot56 said in Problem with DNS over TLS:

            "Are your local devices configured to use DoT at all?": I don't know, not sure about this.

            So they probably aren't.
            You need to set up DoT clients and also would need to add the SSL certificate used by the DNS Resolver to all your machines, otherwise they will not trust and hence not request it.

            "Do you really need DoT inside your network?" : no

            So don't do it.

            Maybe you want to use DoT for outgoing DNS requests. This makes more sense in my opinion.

            You can do this by setting the Resolver into forwarding mode and configuring known DoT DNS servers with their host names in System > General.

              pietsnot56
              last edited by Jan 19, 2023, 4:27 PM

              In Diagnostics > Ping, I can ping 1.1.1.1, but when pinging www.microsoft.com I receive

              "The following input errors were detected:

              Host "www.google.com" did not respond or could not be resolved.
              Ping"

                Alejo 0 @pietsnot56
                last edited by Alejo 0 Jan 19, 2023, 4:33 PM Jan 19, 2023, 4:27 PM

                @pietsnot56

                The wan port on dashboard is still online (green).

                That means you don't lose internet access, it probably means that your unbound can no longer resolve any query.

                localhost: do you mean changing the IP in the LAN rules (2nd line) to "localhost"?

                No, I meant in the DNS Resolver tab, that is Services > DNS Resolver > Outgoing Network Interfaces > Remove WAN and add localhost.

                Unchecking DHCP doesn't help.

                It doesn't help resolving your issue, but it DOES help your pfSense and thus your DNS resolver. It was a recommendation, take it or leave it.

                Cheers

                  pietsnot56
                  last edited by Jan 19, 2023, 4:30 PM

                  In General setup I have 2 DNS servers:

                  1.1.1.1 cloudfare-dns.com
                  1.0.0.1 cloudfare-dns.com

                    pietsnot56
                    last edited by Jan 19, 2023, 4:38 PM

                    Isn't this strange: I can reply on this forum but I can't browse the net?

                      viragomann @pietsnot56
                      last edited by Jan 19, 2023, 4:47 PM

                      @pietsnot56
                      The forum IP might exist still in your DNS cache.

                        Uglybrian
                        last edited by Jan 19, 2023, 5:01 PM

                        I suggest that you go to Netgate's YouTube page. There you will find a video titled "Local DNS with pfSense 2.4". At about 36 minutes in there is a DNS over TLS overview. This information is still relevant today and gives you a good foundation.

                          viragomann @pietsnot56
                          last edited by Jan 19, 2023, 5:21 PM

                          @pietsnot56
                          Configuring pfSense to use DoT on upstream requests is not really a big deal.

                          You have to ensure that you state host names next to the DNS server IPs in System > General. The host names must match the ones in the server's SSL certificate, otherwise the requests fail.

                          And you have to check these two boxes in the Resolver's general settings:
                          4aab9137-416c-4c09-866d-ecbd5c6f7d43-grafik.png

                            pietsnot56
                            last edited by Jan 19, 2023, 10:59 PM

                            I will look to the video.

                            Probably there is something wrong with the certificates.
                            That's the next thing to investigate.
                            Anyway, thanks a lot from Belgium.

                              johnpoz LAYER 8 Global Moderator @pietsnot56
                              last edited by Jan 19, 2023, 11:25 PM

                              @pietsnot56 clients don't normally do DoT, DoT is normally for a NS to forward to some other NS.. Clients normally want to use DoH.. They are completely different things.

                              If you want your clients to use DoT to pfSense, then yeah you would need to create a cert and use that cert, and your clients would need to trust it, and they would need to know and use the FQDN you set up in the cert, or the IP in the SAN, etc. Using DoT or DoH inside your network is a bit over the top to be honest. Is your local network hostile? Is someone able to sniff your DNS traffic on your local network that is not you?

                              If you want to use DoT for unbound to forward to say Cloudflare, that is clicky clicky to set up..

                              What exactly are you trying to accomplish? Your clients would talk to unbound locally via normal DNS, and then unbound would use DoT to talk to Cloudflare DoT servers?

                              An intelligent man is sometimes forced to be drunk to spend time with his fools
                              If you get confused: Listen to the Music Play
                              Please don't Chat/PM me for help, unless mod related
                              SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                                pietsnot56
                                last edited by Jan 20, 2023, 5:42 PM

                                hi,

                                My problem seems to be resolved:

                                I saw these custom settings in the YouTube video:

                                forward-zone:
                                name: "."
                                forward-ssl-upstream: yes
                                forward-addr: 1.1.1.1@853
                                forward-addr: 1.0.0.1@853

                                After adding this in the service, I got this result with 1.1.1.1/help:

                                "Debug Information
                                Connected to 1.1.1.1 Yes
                                Using DNS over HTTPS (DoH) No
                                Using DNS over TLS (DoT) Yes
                                Using DNS over WARP No
                                AS Name Cloudflare
                                AS Number 13335
                                Cloudflare Data Center BRU
                                Connectivity to Resolver IP Addresses
                                1.1.1.1 Yes
                                1.0.0.1 Yes
                                2606:4700:4700::1111 No
                                2606:4700:4700::1001 No"

                                Browsing on internet is ok now!

                                thanks for your assistance.

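Added example (Python, not from the thread nor from pfSense or unbound): it parses an unbound forward-zone block like the one quoted above, flags the old forward-ssl-upstream alias and forward-addr entries without a #authname (without it the upstream's certificate is not checked against a host name, which is the point viragomann makes about host names matching the server certificate), and emits an authenticated version. The forward-addr IP@port#authname syntax, forward-tls-upstream and tls-cert-bundle are real unbound.conf options; the certificate bundle path is an assumption.

```python
import re

# Constructed sample: the block quoted in the thread (old alias, no auth names).
THREAD_BLOCK = """forward-zone:
  name: "."
  forward-ssl-upstream: yes
  forward-addr: 1.1.1.1@853
  forward-addr: 1.0.0.1@853
"""

# forward-addr: <IP>[@port][#authname] as documented in unbound.conf(5)
ADDR_RE = re.compile(
    r"^forward-addr:\s*(?P<ip>[0-9a-fA-F.:]+)(?:@(?P<port>\d+))?(?:#(?P<name>\S+))?$")

def parse_forward_zone(text):
    """Return (tls_enabled, [(ip, port, authname), ...]) from a forward-zone block."""
    tls, addrs = False, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("forward-tls-upstream:", "forward-ssl-upstream:")):
            tls = line.split(":", 1)[1].strip().lower() == "yes"
        m = ADDR_RE.match(line)
        if m:
            addrs.append((m["ip"], int(m["port"] or 53), m["name"]))
    return tls, addrs

def audit_forward_zone(text):
    """List the weaknesses a defender would want fixed before trusting the upstream path."""
    tls, addrs = parse_forward_zone(text)
    findings = []
    if not tls:
        findings.append("TLS to upstream is not enabled")
    if "forward-ssl-upstream" in text:
        findings.append("forward-ssl-upstream is the old alias; use forward-tls-upstream")
    for ip, port, name in addrs:
        if tls and port != 853:
            findings.append(f"{ip}: port {port} is not the DoT port 853")
        if tls and not name:
            findings.append(f"{ip}: no #authname, certificate is not checked against a host name")
    return findings

def build_forward_zone(upstreams, cert_bundle="/etc/ssl/cert.pem"):
    """Emit an authenticated DoT forward-zone; the cert_bundle path is an assumption."""
    lines = ["server:", f'  tls-cert-bundle: "{cert_bundle}"',
             "forward-zone:", '  name: "."', "  forward-tls-upstream: yes"]
    lines += [f"  forward-addr: {ip}@853#{name}" for ip, name in upstreams]
    return "\n".join(lines) + "\n"
```

Running audit_forward_zone on the thread's block reports the alias and two unauthenticated upstreams; the block from build_forward_zone with cloudflare-dns.com as the auth name passes clean.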
                                  johnpoz LAYER 8 Global Moderator @pietsnot56
                                  last edited by Jan 20, 2023, 6:36 PM

                                  @pietsnot56 said in Problem with DNS over TLS:

                                  I saw these custom settings in the YouTube video:
                                  forward-zone:
                                  name: "."
                                  forward-ssl-upstream: yes
                                  forward-addr: 1.1.1.1@853
                                  forward-addr: 1.0.0.1@853

                                  That is old - you no longer need to do that, just need to click the little button that says forward using TLS, and put those in your DNS via General.

                                  https://docs.netgate.com/pfsense/en/latest/recipes/dns-over-tls.html#configuring-dns-over-tls

                                    pietsnot56
                                    last edited by Jan 20, 2023, 9:31 PM

                                    hi johnpoz,

                                    I did the test again without the custom settings and I got the same problems again.
                                    My settings are identical to those in
                                    https://docs.netgate.com/pfsense/en/latest/recipes/dns-over-tls.html#configuring-dns-over-tls

                                    Could there be something else wrong?

                                      johnpoz LAYER 8 Global Moderator @pietsnot56
                                      last edited by johnpoz Jan 20, 2023, 9:52 PM Jan 20, 2023, 9:49 PM

                                      @pietsnot56 not sure what you could be doing.. Click click and using DoT to 1.1.1.1

                                      test.jpg

                                      Even did a sniff on WAN to validate talking to them over 853.

                                      And can see in the resolver status, it's only talking to them.

                                      resolverstatus.jpg

                                      edit: now back to normal resolving - not a fan of DoT.

                                        pietsnot56
                                        last edited by Jan 20, 2023, 10:12 PM

                                        I have similar results in Status / DNS Resolver with my settings.

                                        Those are absolutely identical to your setup.

                                        Same for "1.1.1.1/help":

                                        Debug Information
                                        Connected to 1.1.1.1 Yes
                                        Using DNS over HTTPS (DoH) No
                                        Using DNS over TLS (DoT) Yes
                                        Using DNS over WARP No
                                        AS Name Cloudflare
                                        AS Number 13335
                                        Cloudflare Data Center BRU
                                        Connectivity to Resolver IP Addresses
                                        1.1.1.1 Yes
                                        1.0.0.1 Yes
                                        2606:4700:4700::1111 No
                                        2606:4700:4700::1001 No

                                        Could there be a wrong firewall rule that makes the custom settings necessary?

                                          johnpoz LAYER 8 Global Moderator @pietsnot56
                                          last edited by johnpoz Jan 20, 2023, 10:27 PM Jan 20, 2023, 10:26 PM

                                          @pietsnot56 said in Problem with DNS over TLS:

                                          Could there be a wrong firewall rule that makes the custom settings necessary?

                                          Sure wouldn't think so.. Any firewall rules would apply whether using custom or not.. Are you not hitting save somewhere?

                                          You need to set the DNS in General before you set unbound to forward and DoT mode.
