Correction #11086
Feedback on pfSense Configuration Recipes — Configuring DNS over TLS
Status: closed
Description
Page: https://docs.netgate.com/pfsense/en/latest/recipes/dns-over-tls.html
Feedback:
The recipe says
"The hostname is technically optional but dangerous to omit. The DNS Resolver must have the hostname to validate that the correct server is providing a given response. The response is still encrypted without the hostname, but the DNS Resolver has no way to validate the response to determine if the query was intercepted and answered by a third party server (Man-in-the-Middle attack)."
I tried both Cloudflare and Google. As soon as I activated SSL forwarding, DNS resolution failed on my clients. I tried multiple times.
However, when I leave the hostname blank, it works with both Google and Cloudflare. After all my testing, I am absolutely certain that this is the one thing which made it work, and as soon as I add a "hostname" it fails. I have reproduced this three times.
For Cloudflare, I used the name in the recipe.
For Google, I used dns.google.
I am using the latest stable pfSense:
2.4.5-RELEASE-p1 (amd64)
built on Tue Jun 02 17:51:17 EDT 2020
FreeBSD 11.3-STABLE
I have the suggested LAN port forwarding rule, but the problem existed with this on or off, because the two clients I used get the DNS server from pfSense DHCP. The two clients I tested this on: Fedora 33, Pop!_OS 20.10.
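For reference, here is what the two settings discussed in the report look like at the Unbound level (pfSense's DNS Resolver is Unbound). This is an added illustration written for this ticket, not configuration from the recipe, from the reporter, or generated by pfSense; the upstream addresses, the Cloudflare authentication name cloudflare-dns.com and the CA bundle path are assumptions. The `#name` suffix on `forward-addr` is what makes Unbound check the server certificate's subject alternative names against the expected hostname; without it the session is still encrypted, but any server holding any certificate is accepted.

```conf
# Added example (not from the recipe or pfSense output). Assumed values:
# upstream IPs, the auth name cloudflare-dns.com, and the CA bundle path.
server:
    # CA bundle used to verify the upstream certificate chain.
    # Assumed FreeBSD location; pfSense may use a different path.
    tls-cert-bundle: "/etc/ssl/cert.pem"

# Recipe-style configuration: TLS plus hostname authentication.
# Unbound verifies that the certificate presented by 1.1.1.1 / 1.0.0.1
# is valid for cloudflare-dns.com; a man-in-the-middle presenting a
# certificate for another name (or no valid chain) is rejected.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com

# What "hostname left blank" corresponds to: encryption only.
# The TLS handshake succeeds against any certificate, so the identity
# of the responding server is not checked. Shown here only to make
# the difference explicit; do not use both zones at once.
#forward-zone:
#    name: "."
#    forward-tls-upstream: yes
#    forward-addr: 8.8.8.8@853
#    forward-addr: 8.8.4.4@853
```

A quick way to distinguish the two failure modes when resolution breaks only after the name is added: if the name after `#` does not match the upstream's certificate, or `tls-cert-bundle` points at a missing or outdated bundle, Unbound rejects the connection and queries time out. Checking the file with `unbound-checkconf` catches syntax mistakes but not a wrong name, so compare the configured name against the hostname the provider documents for its DoT endpoint (for Google that is dns.google, as used in the report).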
Files