Found a problem in pfsense

#1

I am using pfsense 2.4.4-RELEASE-p2 on my lab and I turned on dns over tls and dnssec but when I check what dns servers my devices are using it says that its using my isps dns (i am using dnsleaktest.com to test) but I set pfsense to use cloudflare on the general setup, I fixed it by adding the following custom options on the dns resolver, just putting these here so all of you know

server:
forward-zone:
name: “.”
forward-ssl-upstream: yes
forward-addr: 1.1.1.1@853
forward-addr: 1.0.0.1@853

#2

Yes, PFSense says to do as much in their documentation.

There are also settings, as Tom has detailed in a video, that you need to set up in your browser as well.

#3

but thats weird since there is a checkbox. do you have to add the custom options just to select a dns server?

#4

I think so. There are several steps to get t up an running. I had to do some tweaking to get a pass on all four parameters detailed in the link below

You can use this to see if you’re all good - https://www.cloudflare.com/ssl/encrypted-sni/

#5

There has been lots of internet discussion on how cloudflare implements their test. For many folks it does not work right.

In pfsense 2.4.4 you do not need the custom options. Just use the GUI:

You can verify DNS over TLS by verifying DNS goes out port 853 (the port used by DOT) and not port 53. In pfsense, go to diagnostics, packet capture. First capture port 53. Do some web browsing. You should see no activity. Then capture port 853 and do some more browsing and you will see lots of DNS activity.

#6

that’s what I did but it uses my isp’s DNS server

#7

Here is a photo of how I set the settings like this everything but sni work on the cloudflare test

#8

but when I remove the custom option everything still works fine but dnsleaktest shows that I am not using cloudflare

#9

I just checked the ip that dnsleaktest show when I don’t have the custom options and it is my external ip

#10

Then the forwarder is not working. You must have the forwarder checked/on to send the DNS requests to the identified servers. Take out the custom options then save, update settings. Then under Status, services, restart the resolver (unbound).

BTW, if you want the cloudflare DOT test to pass, uncheck DNSSEC under resolver…Cloudflare does not support DNSSEC and this causes the DOT test to fail.

#11

In this screenshot you do not have “DNS Query Forwarding” enabled.

1 Like
#12

Here is a good link on setting Pfsense 2.4.4-p2 for DOT. Good tip on reviewing states to verify change to DOT…unencrypted DNS over port 53 is UDP; DOT over port 853 is TCP. The link also reinforces that DNSSEC shouldn’t be checked. I have made this change as well and verified DOT is working well.

1 Like