Netgate Discussion Forum

DNS Resolver Enable SSL/TLS Service - automatic interface response routing behavior

General pfSense Questions
5 Posts 2 Posters 445 Views
  • shoulders
    last edited by Jul 22, 2024, 11:52 AM

    Hi

    I am setting up a pfSense to accept DoT (DNS over TLS) queries on port 853 and to do that you enable it here:

    Services --> DNS Resolver --> General Settings --> Enable SSL/TLS Service

    On the description it has the following message:

    Activating this option disables automatic interface response routing behavior, thus it works best with specific interface bindings.

    I have read the help files but cannot find anywhere what this means and what will change. Can someone give me a simple explanation as what this means and if there is anything I should do?

    Thanks

    • Gertjan @shoulders
      posted Jul 22, 2024, 12:18 PM (last edited by Gertjan Jul 22, 2024, 12:50 PM)

      @shoulders

      That works for me©®™ :

      Use the default :


      Then, when Saved and Applied, fact check :

      [24.03-RELEASE][root@pfSense.bhf.tld]/root: sockstat | grep '853'
      unbound  unbound      563 7   udp6   *:853                 *:*
      unbound  unbound      563 8   tcp6   *:853                 *:*
      unbound  unbound      563 9   udp4   *:853                 *:*
      unbound  unbound      563 10  tcp4   *:853                 *:*
      

      This says: unbound listens on all interfaces, using TCP and UDP, on port 853.
      Yeah; strange, UDP and TLS .... that's new to me, but why not ^^

      "Responds to incoming SSL/TLS queries from local clients" only if you don't trust your own 'LAN' networks, for example : you use Wifi stuff and you think some one has broken into your Wifi ....

      If this is not the case, don't bother yourself with it.

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

      • shoulders @Gertjan
        last edited by shoulders Jul 22, 2024, 12:35 PM

        @Gertjan I have no idea what you are on about, perhaps lost in translation 😄

        What does the statement below mean? I understand the other settings:

        Activating this option disables automatic interface response routing behaviour, thus it works best with specific interface bindings.

        • Gertjan @shoulders
          last edited by Jul 22, 2024, 12:54 PM

          @shoulders said in DNS Resolver Enable SSL/TLS Service - automatic interface response routing behavior:

          Activating this option disables automatic interface response routing behaviour, thus it works best with specific interface bindings.

          Someone was asking that question a while ago :

          https://forum.netgate.com/topic/135832/quad9-dns-over-tls-setup-with-unbound-forwarding-in-2-4-4-rc/3

          The answer was :

          The warning there is about unbound's behavior when bound to multiple interfaces, especially bound to all. With that box active, it responds back to the client from the closest interface routing-wise for UDP. With it inactive, unbound is smart enough to always reply back to the client from the address to which the original query was sent. That behavior doesn't matter for most. Primarily things like DNS over IPsec tunnels are affected.

          Don't try to translate this 😊


          • shoulders @Gertjan
            last edited by Jul 22, 2024, 1:07 PM
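          As an added illustration of the quoted answer above (my own example, not code from the thread or from pfSense), here is a small Python check that flags an unbound.conf in exactly the state the warning is about: TLS service enabled, unbound listening on all addresses, and automatic response routing off. It assumes that pfSense's "automatic interface response routing" is unbound's interface-automatic option, and it runs against a constructed sample config rather than a real /var/unbound file.

```python
import re

# Wildcard binds that mean "listen on all addresses" in unbound's interface: lines.
WILDCARDS = {"0.0.0.0", "::", "::0"}

def parse_unbound_conf(text):
    """Collect 'key: value' options from an unbound.conf into {key: [values]}.
    Comments and section headers ('server:') are skipped; repeated keys such
    as interface: are accumulated in order."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"([a-z-]+):\s*(.*)$", line)
        if m and m.group(2):
            opts.setdefault(m.group(1), []).append(m.group(2).strip('"'))
    return opts

def audit_response_routing(text):
    """Report whether the thread's caveat applies: with TLS service on and a
    wildcard bind, interface-automatic off means UDP replies may leave from the
    routing-wise closest address instead of the address the query arrived on."""
    opts = parse_unbound_conf(text)
    # Assumption: pfSense's setting corresponds to unbound's interface-automatic.
    auto = opts.get("interface-automatic", ["no"])[-1].lower() == "yes"
    tls_on = "tls-service-key" in opts          # tls-port defaults to 853
    # interface: lines may carry a port suffix, e.g. 0.0.0.0@853.
    bound_all = any(i.split("@")[0] in WILDCARDS for i in opts.get("interface", []))
    affected = tls_on and bound_all and not auto
    return {
        "tls_service": tls_on,
        "interface_automatic": auto,
        "bound_to_all": bound_all,
        "affected": affected,
        "advice": ("bind unbound to specific interface addresses so replies "
                   "always leave from the queried address" if affected else "ok"),
    }

# Constructed samples (paths are placeholders, not real pfSense files).
SAMPLE_ALL = """server:
  interface: 0.0.0.0
  interface: ::0
  interface: 0.0.0.0@853
  interface: ::0@853
  interface-automatic: no
  tls-port: 853
  tls-service-cert: "/path/to/cert.pem"
  tls-service-key: "/path/to/key.pem"
"""
SAMPLE_BOUND = SAMPLE_ALL.replace("0.0.0.0", "192.0.2.1").replace("::0", "2001:db8::1")

if __name__ == "__main__":
    for name, conf in (("bind-all", SAMPLE_ALL), ("specific", SAMPLE_BOUND)):
        print(name, audit_response_routing(conf))
```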

            @Gertjan thanks, really helpful. Still I don't know why Netgate have not fixed this. Enabling DoT should just be that and not affect anything else.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.