Setup Encrypted DNS for External Name Resolution using pFSense


#1

Sharing with this group and wondering what people think about usefulness of this


#2

Thats a very in depth video.
Did Tom not do this with this video?
Setting up DNS Over TLS & DNSSEC With pfsense


#3

I did see that too.
At that time I did not understand some details.
So now it makes more sense.


#4

I wonder if you know an alternative to tshark (having some troubles with it) way to test that DNS quires encrypted ?


#5

I have checked this out before in … The name of the app escapes me but it showed tls traffic on port 853 and no visible dns data. Just a tls packet headed to cloudflare

Ntopng is the app that was escaping me


#6

I wish I knew how to use it, but trying…


#7

Here are a couple of videos to help you out if you have a specific question on how to use it I can certainly try to help you out.

This video is for an older version of pfsense but the process remains identical


#8

I had a hard time watching the OP video. Too much red, and a lot of muttering to himself. Tom is more interesting to listen to, he doesn’t mind going off on a tangent while explaining how to do something.


#9

On 5:27 min @LTS_Tom shows something like this =>

WAN tcp XX.YY.ZZ.VV:41126 149.112.112.112:853 TIME_WAIT:TIME_WAIT 13 / 18 1 KiB / 4 KiB

Is it enough to conclude that SSL/TLS is actually working?

Does anyone have a query example either fro Wireshark or tcpdump to confirm this ?

Also do I need to have a FW rule forcing all DNS calls to go thru 127.0.0.1?

Like:

Thxstrong text


#10

I am trying to filter traffic with wireshark as
tcp.port == 853
and getting no traffic :frowning:

???


#11

Will enabling DNS over TLS only encrypt DNS queries going out to the WAN, leaving my LAN DNS unencrypted on port 53?


#12

It will encrypt going from WAN to DNS server (Quad9 in my case) on port 853.

Port 53 is used by local queries


#13

Cloudflare will also accept them on 1.1.1.1 or 1.0.0.1


#14

I actually have seem some errors using Cloudflare and switched to Quad9

Just FYI test that it works as you expect


#15

It seems to work for me but interesting to know and knowing is half the battle, thanks for the info!


#16

There is some information on the following Netgate video. Some good info on DNSSEC and DNS over TLS and the differences setting it up on 2.4.3 and 2.4.4.
Local DNS with pfSense 2.4