pfSense, Unbound & Netflix = No go...

johnpoz

@moonknight said in pfSense, Unbound & Netflix = No go...:

then i can remove the 853 rules from my local networks :)

Sure - while sure you could setup some client on your network to use dot to talk to unbound.. I just don't see the point/value of such a setup.. I mean it is your network, who would be hostile on your network sniffing for your dns traffic? ;)

Now if this unbound was out on the net somewhere, and you wanted to forward your local dns to it via dot then that could make sense.

But redirection of dot would be designed to fail redirection. Because the dot client should validate the cert is for the fqdn or IP the client is setup to talk to.. So for example if suppose to be talking to quad9.dns.net or whatever your unbound sure would not be able to return a cert for that that the client trusted as you being quad9.dns.net..

Now you could actually do that - but how do you know what your client might be wanting to talk to - you would have to be able to generate the correct cert on the fly, and then your client would also have to trust your CA you were signing the cert with, etc.

MoonKnight

@johnpoz said in pfSense, Unbound & Netflix = No go...:

@moonknight said in pfSense, Unbound & Netflix = No go...:

then i can remove the 853 rules from my local networks :)

Sure - while sure you could setup some client on your network to use dot to talk to unbound.. I just don't see the point/value of such a setup.. I mean it is your network, who would be hostile on your network sniffing for your dns traffic? ;)

Well, maybe my wife or kids

Now if this unbound was out on the net somewhere, and you wanted to forward your local dns to it via dot then that could make sense.

But redirection of dot would be designed to fail redirection. Because the dot client should validate the cert is for the fqdn or IP the client is setup to talk to.. So for example if suppose to be talking to quad9.dns.net or whatever your unbound sure would not be able to return a cert for that that the client trusted as you being quad9.dns.net..

Now you could actually do that - but how do you know what your client might be wanting to talk to - you would have to be able to generate the correct cert on the fly, and then your client would also have to trust your CA you were signing the cert with, etc.

I do use Quad9 DNS servers. I just like to have little bit more control of all the DNS traffics leaving my pfsense.
There is so many devices that have hardcoded DNS, you know, smart thigs, SmartTV, browsers, cell phones etc. I don't see the point why they use hardcoded DNS or DNS over HTTPS... It's my fu...... network

Thanks again for your Informations @johnpoz