I am using pfSense 2.4.4-RELEASE-p2 in my lab and I turned on DNS over TLS and DNSSEC, but when I check what DNS servers my devices are using it says they are using my ISP's DNS (I am using dnsleaktest.com to test), even though I set pfSense to use Cloudflare in General Setup. I fixed it by adding the following custom options to the DNS Resolver; just putting these here so all of you know.
You can verify DNS over TLS by checking that DNS goes out on port 853 (the port used by DoT) and not on port 53. In pfSense, go to Diagnostics > Packet Capture. First capture port 53 and do some web browsing; you should see no activity. Then capture port 853, do some more browsing, and you will see lots of DNS activity.
Then the forwarder is not working. You must have the forwarder checked/on to send the DNS requests to the identified servers. Take out the custom options, then save and apply the settings. Then, under Status > Services, restart the resolver (unbound).
BTW, if you want the Cloudflare DoT test to pass, uncheck DNSSEC under the Resolver settings. Cloudflare does not support DNSSEC, and this causes the DoT test to fail.
Here is a good link on setting up pfSense 2.4.4-p2 for DoT. Good tip on reviewing states to verify the change to DoT: unencrypted DNS over port 53 is UDP; DoT over port 853 is TCP. The link also reinforces that DNSSEC shouldn't be checked. I have made this change as well and verified DoT is working well.
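The packet-capture check described in the second and last posts above (plain DNS leaves on port 53, DoT leaves on tcp/853) can be scripted from the pfSense shell instead of eyeballed in the GUI. The following is an added example, not code from any poster in this thread: it reads tcpdump-style summary lines from stdin, counts outbound packets by destination port, and returns a verdict. The sample capture lines are constructed for this example (the ISP resolver address 203.0.113.53 is a documentation address, not a real server); the `live_check` helper assumes tcpdump is available, root privileges, and a WAN interface named `em0`, all of which are assumptions.

```shell
#!/bin/sh
# Added example: verify DNS over TLS from a packet capture.
# Outbound DNS should appear only as tcp/853 (DoT); any destination port 53
# means unencrypted DNS is still leaving the firewall.

# Read tcpdump lines ("<time> IP <src>.<port> > <dst>.<port>: ...") on stdin and
# print two numbers: packets to destination port 53, packets to destination port 853.
# Only destinations are counted, so replies coming back from port 853 are ignored.
count_dns_ports() {
    awk '
        $4 == ">" {
            dst = $5
            sub(/:$/, "", dst)          # drop the trailing colon tcpdump prints
            n = split(dst, p, ".")      # tcpdump appends the port after a dot
            port = p[n] + 0             # works for IPv4 and for IPv6 (last dot-field)
            if (port == 53)  plain++
            else if (port == 853) tls++
        }
        END { printf "%d %d\n", plain + 0, tls + 0 }
    '
}

# Turn the two counters into a verdict. Exit status: 0 = DoT only, 1 = port-53 leak,
# 2 = no DNS traffic seen at all (capture too short, or wrong interface).
dot_verdict() {
    set -- $(count_dns_ports)
    if [ "$1" -eq 0 ] && [ "$2" -gt 0 ]; then
        printf 'ok: %s packets to port 853, none to port 53\n' "$2"
        return 0
    elif [ "$1" -gt 0 ]; then
        printf 'leak: %s packets to port 53 (plain DNS)\n' "$1"
        return 1
    else
        printf 'no DNS seen\n'
        return 2
    fi
}

# Live check on the firewall itself (assumption: interface em0, run as root).
# Capture N packets of DNS/DoT traffic while a client browses, then judge them.
live_check() {
    tcpdump -ni "${1:-em0}" -c "${2:-50}" 'port 53 or port 853' 2>/dev/null | dot_verdict
}

# Constructed sample: a working DoT forwarder talking to Cloudflare on tcp/853.
SAMPLE_DOT='12:00:01.000100 IP 192.168.1.1.41234 > 1.1.1.1.853: Flags [S], seq 100, win 65535, length 0
12:00:01.010000 IP 1.1.1.1.853 > 192.168.1.1.41234: Flags [S.], seq 200, ack 101, win 65535, length 0
12:00:01.020000 IP 192.168.1.1.41234 > 1.1.1.1.853: Flags [P.], seq 101:300, ack 201, win 65535, length 199
12:00:02.000000 IP 192.168.1.1.41236 > 1.0.0.1.853: Flags [S], seq 300, win 65535, length 0'

# Constructed sample: the leak the first poster saw, plain UDP queries to the ISP resolver.
SAMPLE_LEAK='12:00:05.000000 IP 192.168.1.1.50012 > 203.0.113.53.53: 12345+ A? example.com. (29)
12:00:05.010000 IP 203.0.113.53.53 > 192.168.1.1.50012: 12345 1/0/0 A 93.184.216.34 (45)
12:00:05.020000 IP 192.168.1.1.50013 > 203.0.113.53.53: 12346+ AAAA? example.com. (29)'

# Demonstration on the constructed captures; "|| :" keeps a leak verdict from
# aborting the script when it is run under "set -e".
printf '%s\n' "$SAMPLE_DOT"  | dot_verdict || :
printf '%s\n' "$SAMPLE_LEAK" | dot_verdict || :
```

On the firewall, run `live_check em0 50` while a LAN client loads a few pages; an exit status of 1 reproduces the dnsleaktest.com result from the shell, and 2 usually means the capture was taken on the wrong interface. The check looks only at destination ports, which is what matters here: a resolver that is forwarding over TLS never sends anything to port 53 upstream, while a broken forwarder falls back to plain recursion on udp/53.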