
HOWTO pfSense DNS TLS

Mikaël ANDRE edited this page Sep 25, 2018 · 4 revisions


This how-to describes how to configure DNS over TLS (DoT) on pfSense: the DNS Resolver (Unbound) forwards every query to Cloudflare and Quad9 over TCP port 853 instead of sending it in the clear on UDP port 53.

1. General setup

First of all, you need to add the Cloudflare and Quad9 DNS servers that pfSense will forward its queries to.

  • To do it, go to System > General Setup
  • In the DNS Server Settings section, click on + Add DNS Server once per upstream and fill the following fields for each entry:
    • First Cloudflare DNS server
      • Address: 1.0.0.1
      • Gateway: Select the correct gateway if you have multiple WAN connections
    • Second Cloudflare DNS server
      • Address: 1.1.1.1
      • Gateway: Select the correct gateway if you have multiple WAN connections
    • First Quad9 DNS server
      • Address: 9.9.9.9
      • Gateway: Select the correct gateway if you have multiple WAN connections
    • Second Quad9 DNS server
      • Address: 149.112.112.112
      • Gateway: Select the correct gateway if you have multiple WAN connections
  • Click on the Save button once all fields are filled

2. DNS Resolver setup

Once the Quad9 and Cloudflare DNS servers are set up in General Setup, you need to configure Unbound, which pfSense calls the DNS Resolver, on the appliance

  • To do it, go to Services > DNS Resolver > General Settings
  • In General DNS Resolver Options section, fill the following fields:
    • Enable: Checked
    • Listen Port: Let default value 53
    • Network Interfaces:
      • Select Localhost
      • Select the interface(s) reachable from your LAN, so that internal clients can query the resolver
    • Outgoing Network Interfaces:
      • Select the WAN interface
      • If you have an internal DNS server and use alias objects with internal FQDNs, also select the interface facing that server as an outgoing interface; otherwise Unbound cannot reach it for the Domain Overrides configured below.
    • System Domain Local Zone Type: Select Transparent
    • DNSSEC: Checked
    • DNS Query Forwarding: Checked
    • Use SSL/TLS for outgoing DNS Queries to Forwarding Servers: Checked. This makes Unbound connect to the forwarders above on TCP port 853 and is what turns the setup into DNS over TLS. Note that TLS by itself only encrypts the hop: Unbound authenticates the upstream only when the forward address carries the name in the server's certificate (Unbound syntax forward-addr: 1.1.1.1@853#cloudflare-dns.com, with a tls-cert-bundle configured). Without that, an on-path attacker who can intercept port 853 can still impersonate the resolver. Check the generated /var/unbound/unbound.conf for the #hostname suffix on each forward-addr line; newer pfSense releases add a hostname field beside each DNS server address in General Setup for this purpose (cloudflare-dns.com for Cloudflare, dns.quad9.net for Quad9).
    • DHCP Registration: Not checked (because I don't use internal DHCP service)
    • Static DHCP: Not checked (because I don't use internal DHCP service)
    • OpenVPN Clients: Not checked
    • Display Custom Options: Click on the Gear
    • Custom option:
      • If you followed my previous tutorial, which set up the same TLS forwarding by hand in this box, you can now remove the following custom options, because the DNS Query Forwarding and SSL/TLS options above generate the equivalent forward-zone:
        server:
        forward-zone:
          name: "."
          forward-ssl-upstream: yes
          forward-addr: 1.1.1.1@853
          forward-addr: 1.0.0.1@853
          forward-addr: 9.9.9.9@853
          forward-addr: 149.112.112.112@853
  • Click on the Save button to apply
  • I leave the Host Overrides section empty
  • In the Domain Overrides section, if you configured another outgoing network interface to reach your internal DNS server, add the forward and reverse lookup zones (the internal domain and its in-addr.arpa zone) and specify the IP address of your internal DNS server. To do so, click on the + Add button; once all fields are filled, click on Save.
  • Now go to Services > DNS Resolver > Advanced Settings
  • In Advanced Resolver Options, fill the following fields:
    • Hide Identity: Checked
    • Hide Version: Checked
    • Prefetch Support: Not checked
    • Prefetch DNS Key Support: Not checked
    • Harden DNSSEC Data: Checked
    • Serve Expired: Checked
    • Message Cache Size: Select 4 MB
    • Outgoing TCP Buffers: Select 10
    • Incoming TCP Buffers: Select 10
    • EDNS Buffer Size: Select 4096
    • Number of Queries per Thread: Select 512
    • Jostle Timeout: Select 200
    • Maximum TTL for RRsets and Messages: Enter 86400
    • Minimum TTL for RRsets and Messages: Enter 0
    • TTL for Host Cache Entries: Select 15 minutes
    • Number of Hosts to Cache: Select 10000
    • Unwanted Reply Threshold: Select Disabled
    • Log Level: Select Level 1: Basic operational information
    • Disable Auto-added Access Control: Not checked
    • Disable Auto-added Host Entries: Not checked
    • Experimental Bit 0x20 Support: Not checked
  • Click on the Save button to apply
  • I don't configure Access Lists because I leave Disable Auto-added Access Control unchecked, so pfSense automatically allows queries from the networks on its internal interfaces. If you check it, you have to configure the Access Lists manually so that only your internal networks can query the resolver and unsolicited clients are refused.
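What the resolver does on the wire for each forwarded query once the steps above are in place, as an added example written for this how-to (Python; not code from the original page, from pfSense or from Unbound): it builds a DNS query, sends it over TLS to port 853 with the 2-byte length prefix that DNS over TCP uses, verifies the upstream certificate against the name Cloudflare and Quad9 publish for their resolvers, and parses the answer. Only the `__main__` part touches the network; the parser is exercised offline on a constructed response. The upstream IPs are the how-to's; the certificate names, the `example.com` query and the 192.0.2.1 answer are assumed test values.

```python
"""Minimal DNS-over-TLS client: what Unbound does for each forwarded query once
the SSL/TLS forwarding option is on. Added example for this how-to, not pfSense
or Unbound code. Only the __main__ section needs network access."""
import secrets
import socket
import ssl
import struct

# The how-to's upstreams, with the names their TLS certificates are issued for.
# Verifying against that name is the authentication step; the IP alone is not.
UPSTREAMS = (("1.1.1.1", "cloudflare-dns.com"), ("9.9.9.9", "dns.quad9.net"))


def build_query(qname, qtype=1, txid=None):
    """Wire-format query: 12-byte header with RD set, one question of class IN."""
    txid = secrets.randbits(16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def frame_for_tcp(msg):
    """DNS over TCP, and therefore DoT, prefixes each message with its 2-byte length."""
    return struct.pack("!H", len(msg)) + msg


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it in the stream)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:               # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end, jumped = off + 2, True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_a_records(resp, expected_txid):
    """IPv4 addresses from the answer section; rejects a mismatched ID or an error RCODE."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):                         # skip the echoed question(s)
        _, off = _read_name(resp, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = _read_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    return addrs


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("upstream closed the connection early")
        buf += chunk
    return buf


def dot_query(qname, server_ip, auth_name, timeout=5.0):
    """Resolve qname over TLS on port 853, verifying the certificate against auth_name."""
    ctx = ssl.create_default_context()          # system CA bundle, cert and hostname checks on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    txid = secrets.randbits(16)
    with socket.create_connection((server_ip, 853), timeout=timeout) as raw, \
            ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
        tls.sendall(frame_for_tcp(build_query(qname, txid=txid)))
        length = struct.unpack("!H", _recv_exact(tls, 2))[0]
        return parse_a_records(_recv_exact(tls, length), txid)


# Constructed answer to build_query("example.com", txid=0x1234): one A record, 192.0.2.1
# (TEST-NET-1), with the answer's owner name compressed to a pointer at the question.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x07example\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\x00\x02\x01"
)

if __name__ == "__main__":
    print("offline parse check:", parse_a_records(SAMPLE_RESPONSE, 0x1234))
    for ip, name in UPSTREAMS:
        print(ip, name, dot_query("example.com", ip, name))
```

Run it from any host with Internet access. If the handshake fails with a certificate error, either the name is wrong or something is intercepting port 853; that is exactly the situation a forwarder without an authentication name would accept silently, which is why the hostname matters as much as the port.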

3. Verifications / Troubleshooting

You can perform a few checks to confirm that all DNS queries leave the firewall over TLS. The most direct way is a packet capture on the WAN interface.

  • To do it, go to Diagnostics > Packet Capture
  • In Packet Capture Options section, fill the following fields:
    • Interface: Select WAN
    • Promiscuous: Not checked
    • Address Family: Select Any
    • Protocol: Select Any
    • Host Address: Leave empty
    • Port: Leave empty
    • Packet Length: Leave the default value of 0
    • Count: Enter 0
    • Level of detail: Leave the default value of 0
    • Reverse DNS Lookup: Not checked
  • Once all parameters are set, click on the Start button
  • From a client laptop:
    • Open your favourite web browser and browse a few sites.
  • Back on pfSense:
    • Click on the Stop button.
    • Download the capture via the Download button and open it in Wireshark.
  • In Wireshark, go to Statistics > Conversations
    • In the UDP tab, there should no longer be any flow on port 53. If one remains, remember that outbound NAT rewrites every source to your WAN IP, so repeat the capture on the LAN interface with Port set to 53 to tell whether pfSense itself is still sending plaintext queries or an internal client is bypassing the resolver with its own DNS settings.
    • In the TCP tab, you should see
      • Your WAN IP address as source
      • Cloudflare or Quad9 DNS servers as destination
      • 853 as TCP destination port.
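The same check as a script, added here for this how-to (Python; not code from the original page or from pfSense): it reads the .pcap downloaded from Diagnostics > Packet Capture, lists every flow that touches port 53 (there should be none) and the TCP/853 peers, and flags any port-853 peer that is not one of the four upstreams configured in General Setup. The WAN address 203.0.113.10, the stray 8.8.8.8 lookup and the ARP frame in the built-in sample are constructed test data, not a real capture.

```python
"""Audit a pfSense WAN packet capture for DNS that left the firewall in the clear.
Added example for this how-to (not pfSense code). Usage: audit_dns_capture.py capture.pcap
Only Ethernet/IPv4 frames are decoded; anything else is counted as skipped."""
import struct
import sys
from collections import Counter

# The four forwarders from General Setup; any other TCP/853 peer is reported.
DOT_UPSTREAMS = {"1.1.1.1", "1.0.0.1", "9.9.9.9", "149.112.112.112"}


def parse_pcap(data):
    """Yield raw frames from a classic libpcap file (either byte order; pcapng is not handled)."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:    # DLT_EN10MB
        raise ValueError("expected an Ethernet capture")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def decode_flow(frame):
    """(proto, src, dst, sport, dport) for IPv4 TCP/UDP frames, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None
    ip = frame[14:]
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    if proto not in (6, 17) or len(ip) < ihl + 4:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return ("tcp" if proto == 6 else "udp", src, dst, sport, dport)


def audit_capture(data):
    """Classify every flow; plaintext_dns must be empty and dot_peers should list only known upstreams."""
    plaintext, dot_peers, unexpected, skipped = [], Counter(), set(), 0
    for frame in parse_pcap(data):
        flow = decode_flow(frame)
        if flow is None:
            skipped += 1
            continue
        proto, _src, dst, sport, dport = flow
        if 53 in (sport, dport):                # any port-53 traffic is an unencrypted leak
            plaintext.append(flow)
        elif proto == "tcp" and dport == 853:
            dot_peers[dst] += 1
            if dst not in DOT_UPSTREAMS:
                unexpected.add(dst)
    return {"plaintext_dns": plaintext, "dot_peers": dict(dot_peers),
            "unexpected_dot_peers": sorted(unexpected), "skipped": skipped}


def build_sample_pcap(flows, extra_frames=()):
    """Write a tiny little-endian libpcap file from (proto, src, dst, sport, dport) tuples (test data)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    frames = []
    for proto, src, dst, sport, dport in flows:
        l4 = struct.pack("!HH", sport, dport) + b"\x00" * (16 if proto == "tcp" else 4)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64,
                         6 if proto == "tcp" else 17, 0,
                         bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
        frames.append(b"\x00" * 12 + b"\x08\x00" + ip + l4)
    for frame in frames + list(extra_frames):
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return bytes(out)


# Constructed sample: pfSense WAN 203.0.113.10 talking DoT to two upstreams, one rogue
# plaintext UDP/53 lookup that should never appear, and an ARP frame the decoder skips.
SAMPLE_FLOWS = [
    ("tcp", "203.0.113.10", "1.1.1.1", 51000, 853),
    ("tcp", "1.1.1.1", "203.0.113.10", 853, 51000),
    ("tcp", "203.0.113.10", "9.9.9.9", 51001, 853),
    ("udp", "203.0.113.10", "8.8.8.8", 51002, 53),
]
ARP_FRAME = b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28

if __name__ == "__main__":
    if len(sys.argv) > 1:
        data = open(sys.argv[1], "rb").read()
    else:
        data = build_sample_pcap(SAMPLE_FLOWS, [ARP_FRAME])
    result = audit_capture(data)
    for flow in result["plaintext_dns"]:
        print("PLAINTEXT DNS:", flow)
    print("DoT peers:", result["dot_peers"], "unexpected:", result["unexpected_dot_peers"],
          "skipped:", result["skipped"])
    sys.exit(1 if result["plaintext_dns"] or result["unexpected_dot_peers"] else 0)
```

The exit status makes it usable as a recurring check: a non-zero result means either a plaintext query escaped (the Unbound configuration regressed, or a client is bypassing the resolver) or the firewall is talking DoT to a server you did not configure, which deserves a look at the General Setup DNS list.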