Setup Encrypted DNS for External Name Resolution using pFSense

chudak · January 27, 2019, 6:19pm

Sharing with this group and wondering what people think about usefulness of this

Barrow · January 27, 2019, 9:11pm

Thats a very in depth video.
Did Tom not do this with this video?
Setting up DNS Over TLS & DNSSEC With pfsense

chudak · January 27, 2019, 9:42pm

I did see that too.
At that time I did not understand some details.
So now it makes more sense.

chudak · January 27, 2019, 11:20pm

I wonder if you know an alternative to tshark (having some troubles with it) way to test that DNS quires encrypted ?

Night_Rider0 · January 28, 2019, 2:36am

I have checked this out before in … The name of the app escapes me but it showed tls traffic on port 853 and no visible dns data. Just a tls packet headed to cloudflare

Ntopng is the app that was escaping me

chudak · January 28, 2019, 3:01am

I wish I knew how to use it, but trying…

Night_Rider0 · January 28, 2019, 6:31am

Here are a couple of videos to help you out if you have a specific question on how to use it I can certainly try to help you out.

This video is for an older version of pfsense but the process remains identical

drowsy · January 29, 2019, 4:38pm

I had a hard time watching the OP video. Too much red, and a lot of muttering to himself. Tom is more interesting to listen to, he doesn’t mind going off on a tangent while explaining how to do something.

chudak · February 2, 2019, 1:55am

On 5:27 min @LTS_Tom shows something like this =>

WAN tcp XX.YY.ZZ.VV:41126 149.112.112.112:853 TIME_WAIT:TIME_WAIT 13 / 18 1 KiB / 4 KiB

Is it enough to conclude that SSL/TLS is actually working?

Does anyone have a query example either fro Wireshark or tcpdump to confirm this ?

Also do I need to have a FW rule forcing all DNS calls to go thru 127.0.0.1?

Like:

Thxstrong text

chudak · February 2, 2019, 3:32pm

I am trying to filter traffic with wireshark as
tcp.port == 853
and getting no traffic

???

drowsy · February 3, 2019, 2:31pm

Will enabling DNS over TLS only encrypt DNS queries going out to the WAN, leaving my LAN DNS unencrypted on port 53?

chudak · February 3, 2019, 4:26pm

It will encrypt going from WAN to DNS server (Quad9 in my case) on port 853.

Port 53 is used by local queries

Night_Rider0 · February 4, 2019, 9:16pm

Cloudflare will also accept them on 1.1.1.1 or 1.0.0.1

chudak · February 4, 2019, 9:37pm

I actually have seem some errors using Cloudflare and switched to Quad9

Just FYI test that it works as you expect

Night_Rider0 · February 4, 2019, 11:58pm

It seems to work for me but interesting to know and knowing is half the battle, thanks for the info!

gseidler · February 19, 2019, 9:11pm

There is some information on the following Netgate video. Some good info on DNSSEC and DNS over TLS and the differences setting it up on 2.4.3 and 2.4.4.
Local DNS with pfSense 2.4