DNSCrypt for pfsense 2.3 :)


  • Rebel Alliance Developer Netgate

    Use a VPN. Even the dnscrypt site says that it isn't enough to hide what is being requested.

    Direct from https://dnscrypt.org/

    Please note that DNSCrypt is not a replacement for a VPN, as it only authenticates DNS traffic, and doesn't prevent "DNS leaks", or third-party DNS resolvers from logging your activity. The TLS protocol, as used in HTTPS and HTTP2, also leaks leaks websites host names in plain text, rendering DNSCrypt useless as a way to hide this information.

    I  still don't get its appeal, given its limitations. It's DNSSEC made over for resolvers that want to deliberately alter records and break end-to-end trust (like OpenDNS). It isn't for privacy.


  • LAYER 8 Global Moderator

    "I  still don't get its appeal"

    Because its a buzz word that users think they need because they heard words like privacy, etc..  Prob 99% of them have no real clue to what it is does or how dns works anyway..  But my god they run to a site that tells them they have a "dns leak"  Oh My F'ing gawd the black helicopters are coming, the black helicopters are coming ;) rofl…

    If your so worried about privacy.. Maybe not use that company discount card when you by your groceries or your condoms.. Sure an the hell wouldn't use a CC.. Better be cash, and you should prob be wearing something to hide your face from the facial recognition camera's - you prob passed 20 of them walking through the store ;)

    There is concern for info that doesn't need to be made public, there is understanding the technology you use and then there is just tinfoil hat crazy ;)  Do you have your rfid blocking wallet? You have tape over your camera on your laptop right.  What about your phone, your tablet?  You don't care the nsa is watching while you surf your porn - but your worried about someone sniffing your dns queries between you and the dns your using dnscrypt too? ;)  What about the fact that opendns knows everything your doing queries for??  Everything!!  From a privacy concern don't you think it better to resolve vs forward.. If you forward your just handing someone ever query you ever make.  If you resolve, they really have to be watch all your traffic because your going to be talking to ns all over the globe.. Which do you think is easier to use and get info with? ;)



  • regardless if people think its pointless, I am scratching my head as to why there is no dnscrypt package on pfsense.

    The 2.2 thread suggests it used to be supported as someone posted a command to install it via pkg.

    VPN's have too much of a performance hit, dnscrypt is a nice middle ground.


  • LAYER 8 Global Moderator

    The pkg linked too was on opnsense package.  A fork of pfsense that has had some heated discussions lets say.  That the OP linked to a package of theirs on a pfsense forum is pure douchebaggery..



  • Some thoughts:

    • as chrcoluk mentioned VPN will impact performance, so I would also prefer a DNSCrypt package for pfSense

    • I disagree with johnpoz because there are several DNSCrypt resolvers out there that can be used as proxies and anybody could also host his/her own DNSCrypt server. You don't have to trust OpenDNS for all your DNS traffic, that would be definitely a bad idea from a privacy point of view.

    • I also disagree with jimp in regards to the analogy with TLS. It's true that DNSCrypt cannot encrypt the address/hostname of the server but the actual content (request and response) are encrypted and that's a big difference.DNSSEC had nothing to do with privacy but DNSCrypt definitely does


  • Rebel Alliance Developer Netgate

    You did not understand what I said. DNSCrypt encrypts the contents of the DNS request/reply but your request to the web server will send the hostname in plain text in the request and the host is also visible in the certificate exchange. Read the text on their page, it isn't talking about their protocol but HTTPS and TLS in general.

    Without a VPN, your request can be sniffed enough to tell where you're going even if it's not an exact full URL or page contents. You must use a VPN to hide that from your ISP or anyone intercepting your line.

    If you think DNSCrypt without a VPN is doing anything for privacy you don't understand the limits/flaws of all the other protocols in play.

    Use a VPN, don't bother with dnscrypt, you'll be better off. Or use both if you want, but the VPN part is non-negotiable if you want privacy. And of course the VPN has to be one with privacy-compatible policies and regulations.


  • LAYER 8 Global Moderator

    ^ exactly!!

    So what is the point of of dnscrypt exactly??  All it does is validate that your talking to the NS you were hoping to talk too..  Its not actually hiding where you going or what your asking for.  Well it does hide what your asking when you ask.. .But then when you actually go there.. As jimp points out its in the tls exchange, and to be honest they could still see what IPs and protocols your talking to, etc.

    To me its one of those my tinfoil hat is so tight its driving me crazy I have to do something, even if its not really doing anything.. It keeps my tinfoil hat from itching ;)

    "several DNSCrypt resolvers out there that can be used"

    So your saying they don't cache, and actually do a clean resolve every time someone asks..  Or do you get back a cache answer that is outside your control?  if so how is that any freaking different then asking any public dns?? You do understand at some point a resolver has to be involved!! Be it the NS you asked or something upstream that they asked..  Your missing the point completely on doing your own resolving and dnssec.

    If your tinfoil hat is itchy.. Use a vpn, and resolve.. Now your not handing your dns queries off to any specific place.. And your traffic is encrypted from your isp, etc.  Now you are sending everything through this vpn.. So you trust them more than your isp..  This is the part I don't get.. How do you think these vpn companies that make any money when you get vpn for LIFE for $49 bucks ;)  Something is being sold to make create a continuous stream of cash.. If your not giving them cash every month to pay the bills to provide the service they give you, then they are getting it from somewhere else - most likely selling info about what their users do ;)

    So I pay a company X $ a month to connect me to the internet, I don't trust these guys to not watch what I do.. So I will pay a different company Y $ a month to funnel all my internet traffic through – why do I trust them and not the isp?? ;)  Because they say they don't log??



  • Hehehe, that's an interesting thread.
    I think we all agree that VPN is better than DNSCrypt for privacy and when performance is not a concern. However as johnpoz also mentioned you have to trust a VPN provider…and why should you do that? You could also get a cheap VPS, hosted in a certain country and provider, that you can use as an exit point and have a VPN tunnel between your pfsense and that host. An advantage of a VPN provider and disadvantage of this approach is that the provider adds a lot of noise and multiple users use the same exit nodes. That means it's not easy to match individual users with their traffic. If you use your own VPN server and you are the only user using it as an exit node, then at least make sure that the VPN host resides in a country which is not an ally of the country your pfsense resides. :)

    Tor would be a better option for privacy but with certain limitations around usability, stability and performance.

    Tor over VPN would be even better, protecting your traffic between you and the Tor entry node...but come on, you are a paranoid or cyber criminal if you really consider this option. :)


  • LAYER 8 Global Moderator

    And who says the black helicopter guys are not running their own exit nodes? ;)


  • Banned



  • I am not going to get further tangled into is the dnscrypt pointless debate, but for those of us who want to use dnscrypt I have discovered that the freebsd dnscrypt package does work out of the box on pfsense, but obviously you have to manually configure it in the shell and manage its init script yourself.  So the actual situation is ok for me as I am ok doing stuff in the shell.



  • has anybody a copy of this tutorial somewhere?
    can you post it?



  • I can also confirm dnscrypt-proxy 1.9.1 does work on pfSense 2.3.2. I don't have time (at this moment) to do a full tutorial, but these are the steps I took.

    Since 2.3 took the base FreeBSD pkg repos out, I did not want to muddy up the pfSense install (or compromise security) by adding other repos back in. I also couldn't locate a pre-compiled package for FreeBSD 10.3, therefore:

    • I spun up a FreeBSD 10.3 VM with the standard packages (it'll come with dnscrypt-proxy in /usr/ports/dns/dnscrypt-proxy once ports is configured, but that was only 1.6.1 for me)
    • Downloaded the source from github for 1.9.1
    • Compiled the exec and libraries from source in the VM, tested that it worked properly in the VM
    • Moved the exec and the library files over to pfSense, using essentially the directories and config instructions as listed at https://github.com/jedisct1/dnscrypt-proxy/wiki
    • Configure dnscrypt-proxy from the command line, get it running and test from CLI with dig or similar, to ensure the proxy is running
    • Then setup the DNS forwarder in pfSense to point to 127.0.0.1, and your proxy port (this is similar to the instructions in prior versions)

    Great success!

    I've had a goal for a few years to put together a proposed pfSense package for it. Hopefully I can find the time soon. DNSCrypt is definitely not some magic panacea of security, it serves just one singular purpose in the chain of networking - but if people want to run it, it seems like they should be allowed to.


  • LAYER 8 Global Moderator

    "it serves just one singular purpose in the chain of networking"

    For those users running in forwarder mode.. It has ZERO purpose when running resolver on pfsense. Which is the out of box configuration.. So while anyone creating packages for pfsense that work and add function is a good thing.  Your audience is going to be very small imho..



  • kcmichaelm your method will of course work but is quicker to just download the pre compiled FreeBSD package.

    For pfSense 2.2/2.3 get from here http://pkg.freebsd.org/FreeBSD:10:amd64/latest/All/dnscrypt-proxy-1.9.1_1.txz
    For pfSense 2.4 get from here http://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/dnscrypt-proxy-1.9.1_1.txz

    Note first browse http://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/ in the browser to get the latest package name as the version may change.

    then can simply install with the pkg install dnscrypt-proxy-1.9.1_1.txz command



  • chrcoluk - Thank you - yes this is a much easier way. FreeBSD is not my usual distro so I am not at all familiar with pkg - I could not find the direct pkg links for 10.3, only the archive site for V9 and older. I greatly appreciate it.

    johnpoz - Yes, we're in agreement. This is only for forwarder mode. I do agree the audience is small, too. The number of folks that understand what it does (and the limitations) and know how to use it 'properly' would be small, but in those cases it is an option that is nice to have. Debating whether another option is "better" is mostly vi vs emacs.



  • It is situational use but there needs to be respect that there is valid reasons for some people to use dnscrypt.

    e.g. in the UK some isp's intercept queries even when the queries are for third party resolvers.  They will have a hard time doing that with dnscrypt.



  • how do you DNS forwarder in pfSense to point to 127.0.0.1?
    what command?



  • /usr/local/sbin/dnscrypt-proxy: Undefined symbol "crypto_core_hchacha20"

    what does this means?



  • @johnpoz:

    "it serves just one singular purpose in the chain of networking"

    For those users running in forwarder mode.. It has ZERO purpose when running resolver on pfsense. Which is the out of box configuration.. So while anyone creating packages for pfsense that work and add function is a good thing.  Your audience is going to be very small imho..

    Why is this a small audience? Anybody running a Pfsense router with a VPN will likely be forwarding requests to an upstream DNS server. That's a pretty common thing.


  • LAYER 8 Global Moderator

    "Anybody running a Pfsense router with a VPN will likely be forwarding requests to an upstream DNS server."

    No.. Out of the box pfsense uses unbound as a resolver - not a forwarder, doesn't matter if you sending your traffic down a vpn or not.  Out of the box your resolving - not forwarding.  Dnscrypt has zero use in a resolver mode.

    As to hiding your dns queries from your isp.. Again to be honest dnscrypt is pointless if your using a vpn anyway..  The actual valid use case where dnscrypt of any use at all is minuscule…

    "The number of folks that understand what it does (and the limitations)"

    Completely agree this statement.. To be honest most of the people that actually want to use it - don't actually know why.. They just hear the term dns leak, and oh my gawd did you hear that.. The black helicopters just went into whisper mode.. Those bastards!!!



  • john the same can be said with vpn's tho.

    I dont want my dns queries intercepted, I do want to connect to endpoints directly for performance reasons, dnscrypt is the solution in my case.

    Setting up a vpn just to secure dns queries is way overkill and has performance implications.



  • @jimp:

    You did not understand what I said. DNSCrypt encrypts the contents of the DNS request/reply but your request to the web server will send the hostname in plain text in the request and the host is also visible in the certificate exchange. Read the text on their page, it isn't talking about their protocol but HTTPS and TLS in general.

    Without a VPN, your request can be sniffed enough to tell where you're going even if it's not an exact full URL or page contents. You must use a VPN to hide that from your ISP or anyone intercepting your line.

    If you think DNSCrypt without a VPN is doing anything for privacy you don't understand the limits/flaws of all the other protocols in play.

    Use a VPN, don't bother with dnscrypt, you'll be better off. Or use both if you want, but the VPN part is non-negotiable if you want privacy. And of course the VPN has to be one with privacy-compatible policies and regulations.

    Jim, you clearly do not see nor understand the real world use cases that DNSCrypt solves for. Take your average American ISP, who actively intercepts and manipulates their customers' DNS traffic in the name of profit (I am one such customer affected by these despicable practices). Encrypting DNS requests and responses completely mitigates their abilities to fiddle with traffic through DNS response manipulation. It has nothing to do with privacy, it has everything to do with preventing traffic manipulation via DNS - you need to comprehend this, because your replies here do nothing to show that you acknowledge the specific problem.

    I agree that using a VPN is likely the best real world solution for privacy, but from a minimum viable product perspective all that the affected customers of these ISPs need to do (in today's landscape) is route HTTP (TCP/80) over the VPN tunnel. These ISPs run proxy servers to MiTM their customers' HTTP traffic - injecting ads into the plain text streams, there is clear evidence of this and it is something that can I can personally reproduce 100% of the time if I had to do so). They do not proxy HTTPS. Sure - they can scrape identifiable information from the encrypted streams to identify the hosts that are being requested, but in terms of traffic manipulation all that is needed is DNSCrypt to privatize DNS and a tunnel for plain text HTTP.

    There is no need to tunnel HTTPS to combat this specific problem – they do not proxy or manipulate HTTPS traffic. Hopefully you're able to actually see what the problems are that DNSCrypt solves for.



  • @amunrara:

    /usr/local/sbin/dnscrypt-proxy: Undefined symbol "crypto_core_hchacha20"

    what does this means?

    You need the new libsodium also, get it from here:

    2.2/2.3: http://pkg.freebsd.org/FreeBSD:10:amd64/latest/All/libsodium-1.0.11_1.txz
    2.4: http://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/libsodium-1.0.11_1.txz

    (I'm following this instruction on how to setup DNSCrypt for my network, adding only "Query DNS servers sequentially" to make it finally works: http://ramirosalas.com/2015/07/installing-dnscrypt-in-pfssense/)


  • Banned

    what is the point of encrypting your DNS requests? Just resolve via pfsense and skip the middle man. If you really want to encrypt your DNS requests for tin hat purposes, why? Who do you think you're hiding from?

    Don't get me wrong, I'm all for doing crazy hit tin hat things with pfsense just for no reason other than it's neat and you can.

    But with DNS resolver and OpenVPN built into pfsense, what use case is there where DNS encryption is viable?



  • @pfBasic:

    what is the point of encrypting your DNS requests? Just resolve via pfsense and skip the middle man. If you really want to encrypt your DNS requests for tin hat purposes, why? Who do you think you're hiding from?

    Don't get me wrong, I'm all for doing crazy hit tin hat things with pfsense just for no reason other than it's neat and you can.

    But with DNS resolver and OpenVPN built into pfsense, what use case is there where DNS encryption is viable?

    To escape DNS poisoning by my government? I also don't have much money to spare to buy a VPN service for my network…

    I just want to be able to browse whatever sites I want at the speed that I paid for. I am not doing it for tin hat reasons.


  • Banned

    I'm not up to date with government level DNS poisoning, but wouldn't the resolver bypass that if it's passive? Unless you have an exceptionally shit government, no way am I buying that your pfsense box is going to hide you from a state…
    $4/mo gets you VPN.



  • @pfBasic:

    I'm not up to date with government level DNS poisoning, but wouldn't the resolver bypass that if it's passive? Unless you have an exceptionally shit government, no way am I buying that your pfsense box is going to hide you from a state…
    $4/mo gets you VPN.

    Indonesian government impose the ISPs to use transparent DNS proxy to filter DNS query againts a list (provided by the government) to many publicly known DNS server, such as Google's and OpenDNS' and many others that I tested, with something called "Internet Positif" . Read this if you want some more context. So, yeah, maybe my government is an exceptionally shitty one in this regard.
    I'm not hiding from the state, I'm just bypassing their DNS poisoning.

    I was using an OpenWRT-based router to do this, but nowadays the traffic in my network is becoming much larger, the device I used cannot cope with that…


  • Banned

    That sucks man, but I think pfSense still has you covered with Resolver + DNSSEC doesn't it?

    http://www.cisco.com/c/en/us/about/security-center/dns-best-practices.html#4

    Domain Name System Security Extensions

    DNS Security Extensions (DNSSEC) adds security functions to the DNS protocol that can be used to prevent some of the attacks discussed in this document such as DNS cache poisoning. DNSSEC adds data origin authentication and data integrity to the DNS protocol. DNSSEC specifications, implementation, and operational information is defined in multiple RFCs.



  • @pfBasic:

    That sucks man, but I think pfSense still has you covered with Resolver + DNSSEC doesn't it?

    http://www.cisco.com/c/en/us/about/security-center/dns-best-practices.html#4

    Domain Name System Security Extensions

    DNS Security Extensions (DNSSEC) adds security functions to the DNS protocol that can be used to prevent some of the attacks discussed in this document such as DNS cache poisoning. DNSSEC adds data origin authentication and data integrity to the DNS protocol. DNSSEC specifications, implementation, and operational information is defined in multiple RFCs.

    I think so too (AFAIK, DNSSEC is enabled by default?), but unfortunately it doesn't work… I tried to enable "Experimental Bit 0x20 Support" too, but it still doesn't work.
    So, I had to resort to this method.


  • Banned

    Yeah my understanding is that if you check the DNSSEC box and Resolve with Unbound then you will use DNSSEC.

    You aren't forwarding DNS are you? No DNS servers in general setup, dns server override is unchecked?
    No DNS servers listed in your DHCP servers?

    In DNS Resolver
    Enable DNSSEC checked
    DNS Query Forwarding UNchecked
    DHCP Registration UNchecked
    Static DHCP UNchecked

    on Advanced page:
    Hide Identity
    Hide Version
    Harden DNSSEC, all three checked

    Follow these instructions to make sure all traffic is using your resolver:
    https://doc.pfsense.org/index.php/Redirecting_all_DNS_Requests_to_pfSense

    Try these out to test
    https://dnssec.vs.uni-due.de/
    http://en.conn.internet.nl/connection/

    Should be working if setup like that.

    If not, I know you don't want to pay for it but VPN might be your best option for something that is fully supported.
    PIA has servers all over the world and you get 5 clients for $3.33/mo. There are plenty of tutorials specific to pfSense installations on here for either 128bit or 256bit encryption.
    You can even set up all five clients on your router in a gateway group to utilize multiple cores and have more redundancy if you have a lot of clients, and you can use different servers on each client so that if one goes down or degrades you'll still have internet.

    https://www.privateinternetaccess.com/pages/buy-vpn/



  • You aren't forwarding DNS are you? No DNS servers in general setup, dns server override is unchecked?
    No DNS servers listed in your DHCP servers?

    With DNSCrypt, I'm forwarding DNS…

    I've tried your way, but, well.. something weird happened, I kinda have no internet connection after doing that, I mean, WhatsApp and steam still receive updates but no web browsing...

    Here's my full DNS Resolver config:

    
    =General DNS Resolver Options=
    
    Enable: Yes
    Listen Port: (default)
    Network Interfaces: All
    Outgoing Network Interfaces: All
    System Domain Local Zone Type: Transparent
    DNSSEC: Yes
    DNS Query Forwarding: No
    DHCP Registration: No
    Static DHCP: No
    No Custom Options
    
    =Advanced Resolver Options=
    Hide Identity: Yes
    Hide Version: Yes
    Prefecth Support: No
    Prefecth DNS Key Support: No
    Harden DNSSEC Data: Yes
    Message Cache Size: 4MB
    Outgoing TCP Buffers: 10
    Incoming TCP Buffers: 10
    EDNS Buffer Size: 4096
    Number of Queries per Thread: 512
    Jostle Timeout: 200
    Maximum TTL for RRsets and Messages: 86400
    Minimum TTL for RRsets and Messages: 0
    TTL for Host Cache Entries: 15 minutes
    Number of Hosts to Cache: 10000
    Unwanted Reply Threshold: Disabled
    Log Level: 1
    Disable Auto-Added Access Control: No
    Experimental Bit 0x20 Support: No
    

    I also tried clearing up DNS in General Setup and rebooted my router, APs, PC and phone.

    Oh, and I forgot to mention, my ISP (the sole ISP for my area) doesn't allow bridge mode for connection, and so I set my pfsense router as a DMZ host.



  • Yes, the destination domain is leaked over HTTP/HTTPS/TLS, but it's more strenuous for an entity who wants to listen on your line to examine HTTP/HTTPS traffic and manipulate it.

    DNS traffic is trivially recorded, manipulated, and proxied transparently; HTTPS is not.

    Don't think of DNSCrypt as a solution to total privacy or encryption, but certainly making it nontrivial for someone to spy on and/or manipulate your traffic is certainly a good value for such an easy setup.

    DNSCrypt is like small lock on your luggage; it makes it just difficult enough for most people not to open it and just take something, but it wouldn't protect against someone who is highly determined. There are a massive amount of sniffers in the world, and giving them less data by encrypting DNS without sacrificing throughput or money from your pocket is… well... cool.



  • The real question for me is "who's my opponent?"  For me, the answer is "any of my service providers."

    I run both dnscrypt and a VPN.  Some of my traffic can't pass over the VPN - Netflix, some of the vehicle forums - because the websites reject connections from VPN providers.

    My ISP resells an ATT product, and ATT has the worst possible privacy policies.  The up side is that the ATT data cap doesn't apply, but the down side is that I'm transiting the ATT network.  I don't let ATT see DNS requests in the clear any more than I have to.  I use pfsense as my resolver for everything on the network, and pfsense runs its queries via dnscrypt once the system is fully up, and to cleartext servers earlier on in the startup process - pfsense is the only box on my network permitted to use outbound 53.  In my design, traffic runs over VPN by default, but of course you have to get VPN and other services spun up during boot…  (And no, this design isn't that popular in the house, since if I restart the box during the day, the time to fully operational is a little long.)

    If my opponent was a government, there'd be precious little I could do if they decided to target a VPN.  I expect there is covert access to most VPN providers' egress nodes and connection information - many companies don't log, but a government grade attacker with access to their colos could set up logging.  Given the amount of play that VPN gets in the tech press, I think VPN colos are a target but I also think that the government would prefer not to launch prosecutions or share data with public companies gleaned from it.  A court filing that admitted intercepting VPN providers en bloc would lead to another round of tut-tut in the press and would drop real threat actors off the technology.

    By contrast, the public companies obviously share a ton of data with one another, and realistically, that's an opponent I can make life more annoying for.  ATT knows I own an old Ford and knows when I'm watching Netflix.  They also know that I make the rest of it a PITA to get into...

    (Personally, I hope that a lot of the data the NSA is storing in Utah is Youtube videos being streamed over VPNs and awaiting decryption - but I suspect that they built themselves an easy button for intercepting and attributing VPN traffic long ago.  On the other hand, given how much of the internet is devoted to Netflix content, perhaps some of the nonsense Netflix is doing with blocking VPNs and refusing to tell customers which hosts they need to bypass their VPN for is a policy set up at the request of entities which do bulk interception and got fed up with storing Netflix streams.  The rationale for not telling people what hosts to permit access to makes no sense.  My suricata DNS logs from the LAN interface were very helpful in figuring out which hosts I needed to have bypass the VPN.)


  • Banned

    @dork.buttons:

    …the down side is that I'm transiting the ATT network.  I don't let ATT see DNS requests in the clear any more than I have to.  I use pfsense as my resolver for everything on the network...

    ...pfsense is the only box on my network permitted to use outbound 53.

    In my design, traffic runs over VPN by default,

    but of course you have to get VPN and other services spun up during boot...

    If you're only using pfSense to resolve all DNS for your network, and you're only letting traffic exit through your VPN client, why do you care about DNScrypt? Especially against AT&T? You aren't using their DNS servers, and you are encrypting all of your traffic to include your DNS requests.

    And what do you mean you have to wait for VPN to spin up, and why would it matter from a privacy standpoint? My system runs OpenVPN, pfBlockerNG, Suricata, and other packages and if I reboot all services are up and running as soon as my system comes back online to be able to logon, and I boot from USB 2.0 flash drives.

    No matter what, it doesn't matter from a privacy standpoint that they need to "spin up" if you are only letting your traffic exit on a VPN gateway, if the gateway isn't up, then traffic isn't leaving until it is up.



  • I need some guidance please.

    i use expressvpn for all traffic except;
      - my work laptop which has its own vpn. i route the static ip out of the wan both so get both encrypted and unencrypted depending on vpn status
      - i route my voip phone out of the wan port, because over the vpn i couldn't get it working reliably

    my dns servers for pfsense are opendns and google.
    i fail dns leak tests.

    if i understand correctly, in this scenario i should be using dnscrypt and redirecting all client dns requests to pfsense. is that correct?


Log in to reply