For pfSense to do DNS resolution you need to have the 127.0.0.1 entry OR click on the forwarder under DNS Resolver.
Since you have been using nslookup, I would recommend doing an ipconfig /release. Then do an ipconfig /renew.
To confirm if you are redirecting, use the packet capture under pfSense Diagnostics. Use port 53, start the capture, then go to the computer in question and visit a few web sites, then come back to pfSense, stop the capture and look at the results at the bottom. This is the best way to verify where the DNS requests are going.
Again, seeing all of the rules and NAT rules as well as your DNS Resolver settings would really help. I just fired up a windows machine and everything is redirecting perfectly here.
Turn off the last rule under LAN; it looks to be a duplicate. The only other thing I would try as a test is to turn on the DNS forwarder under the DNS Resolver.
If this fails, restart the DNS Resolver, as it may be confused when you didn't have any DNS servers under General Setup.
My suggestion to @msjohn is that you need to plan out your network first. I was in your shoes and found I had to suss out several things simultaneously before any one thing would work.
To me it looks like you are not using VLANs; if you buy a switch it will really make your life easier further down the line.
If you manage to get your current setup to work, I will guarantee it will be hell to set up AirVPN. For sure, if you stick with your setting of ALL on your Network Interfaces and Outgoing Network Interfaces, when you set up your VPN you will be using your Cloudflare DNS, so your IP address will be leaked. However, I believe AirVPN will fail by design if you don't use their DNS servers, which is what you want.
My basic logic is anything going out via my ISP is insecure and anything via AirVPN is secure with respect to connecting back to my real IP address.
For DoT, go to the DNS Resolver, use the check boxes and turn on forwarding and SSL/TLS right below forwarding. Make sure the DNS IP addresses under General Setup support DoT. I use Cloudflare and all works fine.
If you exclusively use Cloudflare, you can check for proper operation by browsing to https://cloudflare-dns.com/help/. You can also check by using packet capture and looking at ports 53|853 (that is 53 pipe 853). Start a capture session and make sure everything goes out port 853.
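The two checks described in this thread (capturing on port 53 to see where LAN clients send their queries, and capturing on 53|853 to confirm that everything leaving the firewall uses DoT on 853) both come down to reading the capture output and sorting query packets by source and destination port. The following script is an added example, not code from the thread or from pfSense; it parses tcpdump-style lines such as the pfSense packet capture prints and reports LAN queries that are not going to the firewall's resolver and outbound queries from the WAN address that are still plaintext on port 53. The capture lines, the LAN network 192.168.1.0/24, the firewall LAN address 192.168.1.1 and the WAN address 203.0.113.5 are all constructed placeholders; substitute your own values and paste the text from Diagnostics > Packet Capture in place of the sample.

```python
import ipaddress
import re

# Constructed sample in the style of tcpdump / pfSense packet capture output.
# These addresses and timestamps are made up for the example, not a real capture.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 192.168.1.10.51234 > 192.168.1.1.53: 12345+ A? example.com. (29)
12:00:01.000200 IP 192.168.1.1.53 > 192.168.1.10.51234: 12345 1/0/0 A 93.184.216.34 (45)
12:00:02.000001 IP 203.0.113.5.40001 > 1.1.1.1.853: Flags [S], seq 1, win 65535, length 0
12:00:02.000300 IP 1.1.1.1.853 > 203.0.113.5.40001: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:03.000001 IP 192.168.1.10.51235 > 8.8.8.8.53: 22222+ A? test.invalid. (30)
12:00:04.000001 IP 203.0.113.5.40002 > 9.9.9.9.53: 33333+ A? leak.invalid. (30)
"""

# Matches the IPv4 "src.port > dst.port:" prefix tcpdump prints; IPv6 lines are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)


def parse_capture(text):
    """Turn capture text into a list of {src, sport, dst, dport} records."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        records.append({
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
        })
    return records


def dns_summary(records, lan_net, firewall_lan_ip, firewall_wan_ip):
    """Classify DNS query packets (destination port 53 or 853).

    Replies come from port 53/853 to an ephemeral port, so the dport filter
    naturally keeps only client-to-server packets.
    """
    lan = ipaddress.ip_network(lan_net)
    findings = {
        "lan_queries_to_firewall": 0,   # LAN client -> firewall resolver on 53 (expected)
        "lan_queries_elsewhere": [],    # LAN client -> some other resolver (redirect not applied)
        "wan_dot": 0,                   # firewall WAN -> upstream on 853 (expected with DoT)
        "wan_plain": [],                # firewall WAN -> upstream on 53 (plaintext, not DoT)
    }
    for r in records:
        if r["dport"] not in (53, 853):
            continue
        if ipaddress.ip_address(r["src"]) in lan:
            if r["dst"] == firewall_lan_ip and r["dport"] == 53:
                findings["lan_queries_to_firewall"] += 1
            else:
                findings["lan_queries_elsewhere"].append(f"{r['src']} -> {r['dst']}:{r['dport']}")
        elif r["src"] == firewall_wan_ip:
            if r["dport"] == 853:
                findings["wan_dot"] += 1
            else:
                findings["wan_plain"].append(f"{r['dst']}:{r['dport']}")
    return findings


def dns_is_clean(findings):
    """True when every LAN query hit the firewall and every WAN query used DoT."""
    return not findings["lan_queries_elsewhere"] and not findings["wan_plain"]


if __name__ == "__main__":
    summary = dns_summary(parse_capture(SAMPLE_CAPTURE),
                          "192.168.1.0/24", "192.168.1.1", "203.0.113.5")
    for key, value in summary.items():
        print(f"{key}: {value}")
    print("clean" if dns_is_clean(summary) else "DNS leaving outside the expected path")
```

With the sample text the script reports one LAN query that bypassed the firewall resolver and one plaintext query from the WAN address, which is exactly the pattern the thread's capture check is meant to catch; a healthy capture shows only the first and third counters growing.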
I don't use the client at all. I have a server set up. My preference is I'd rather remotely log into my home network when traveling, as I've got things real secure here. Works well.
I do use the client on phone and laptop. I use the server on pfSense. I do not use a 3rd party VPN company. When remote, I route everything back to my OpenVPN server running on pfSense and access the internet as if I was at home. I route all traffic, so DNS is secured as if it was at home.
Lol I’m trying to wrap my head around all these options to determine the optimal solution.
As I understand it, pfSense can set the DNS used regardless of what DNS a client uses; that's helpful at home and in enterprises. When using DoH that DNS request is encrypted, and when combined with DNSSEC the returned resolution is legitimate. So that sounds good to me: I have both privacy and security.
Right now it's not clear to me what advantage I get with DoT and DNSSEC; is it marginal, or the same but different?
If I'm correct about the above, then if I connect to the free wifi in the pub, they can still control which DNS I will use regardless of DoH or DoT on the client. In this scenario the only secure way I know is to connect to a VPN via an IP address and let the VPN do DNS resolution.
Hence, on your own network it's (DoT or DoH) probably OK; when away, the only solution is a VPN. If I have to stay quarantined any longer I'll crack it!