Todo #12716 (closed)
Feedback on pfSense Configuration Recipes — Configuring DNS over TLS
Description
Page: https://docs.netgate.com/pfsense/en/latest/recipes/dns-over-tls.html
Feedback: The section labeled "Testing DNS over TLS" should include or reference the note from the "DNS Lookup" diagnostics page that states, "The DNS Resolver mode does not impact the behavior of this test. Even in resolver mode the individual DNS servers are tested as described above." In addition, the note should be updated. From my testing it seems that DNS Resolver in forwarding mode set to "Use local DNS (127.0.0.1), ignore remote DNS Servers" also runs the tests on all DNS servers. In addition, it runs the tests on the upstream servers in clear text on port 53, ignoring the "Use SSL/TLS for outgoing DNS Queries to Forwarding Servers" setting.
Page: https://docs.netgate.com/pfsense/en/latest/diagnostics/dns.html
Someone else should verify my findings, but I believe this is a function of how the test is run from the pfSense appliance. It causes some confusion when you are expecting all the traffic from the firewall to be on port 853 after the change to DoT.
Updated by Jim Pingle about 2 years ago
- Status changed from New to Closed
The section labeled "Testing DNS over TLS" should include or reference the note from the "DNS Lookup" diagnostics page that states, "The DNS Resolver mode does not impact the behavior of this test. Even in resolver mode the individual DNS servers are tested as described above."
The bullet point already links to the page with the details on testing via that tool; repeating it again seems unnecessary.
In addition, the note should be updated. From my testing it seems that DNS Resolver in forwarding mode set to "Use local DNS (127.0.0.1), ignore remote DNS Servers" also runs the tests on all DNS servers. In addition, it runs the tests on the upstream servers in clear text on port 53, ignoring the "Use SSL/TLS for outgoing DNS Queries to Forwarding Servers" setting.
That's exactly what it already states: "The DNS Resolver mode does not impact the behavior of this test. Even in resolver mode the individual DNS servers are tested as described above." -- It's doing exactly what you described there. It ignores the DNS Resolver mode and tests each server individually. Since DNS over TLS is configured only in the resolver, the queries to the individual servers go in the clear.
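As an added example (not part of this ticket or of pfSense itself), the check a practitioner would run to tell the two kinds of traffic apart: a small parser over constructed tcpdump lines that separates the resolver's port-853 upstream flows from any plaintext port-53 queries to the same forwarders, which after enabling DoT should come only from the DNS Lookup diagnostic test and not from the resolver. The firewall address 203.0.113.10 and the forwarders 9.9.9.9 / 149.112.112.112 are placeholders chosen for the sample, not values from the page.

```python
import re
from collections import Counter

# Constructed tcpdump -n output (not captured from a real firewall), modelling
# what the WAN looks like after DNS over TLS is enabled: the resolver's own
# upstream queries go to port 853, while the DNS Lookup diagnostic test queries
# each configured server directly in the clear on port 53.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 203.0.113.10.51234 > 9.9.9.9.853: Flags [S], seq 1, win 65535, length 0
12:00:01.000002 IP 203.0.113.10.51235 > 149.112.112.112.853: Flags [S], seq 2, win 65535, length 0
12:00:05.000003 IP 203.0.113.10.40001 > 9.9.9.9.53: 1234+ A? example.com. (29)
12:00:05.000004 IP 203.0.113.10.40002 > 149.112.112.112.53: 1235+ A? example.com. (29)
12:00:07.000005 IP 203.0.113.10.51236 > 9.9.9.9.853: Flags [P.], seq 1:200, ack 1, win 1024, length 199
12:00:09.000006 IP 198.51.100.7.44444 > 203.0.113.10.22: Flags [S], seq 3, win 65535, length 0
"""

# Matches the "IP src.sport > dst.dport:" header tcpdump prints for IPv4 flows.
FLOW_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def classify_dns_flows(capture_text, firewall_ip, forwarders):
    """Count packets from the firewall to each forwarder, keyed by (forwarder, dst port).

    Only ports 53 (plaintext DNS) and 853 (DNS over TLS) are counted; traffic
    that is not from the firewall or not to a listed forwarder is ignored.
    """
    counts = Counter()
    for line in capture_text.splitlines():
        m = FLOW_RE.search(line)
        if not m:
            continue
        if m["src"] != firewall_ip or m["dst"] not in forwarders:
            continue
        port = int(m["dport"])
        if port in (53, 853):
            counts[(m["dst"], port)] += 1
    return counts


def cleartext_upstream(counts):
    """Forwarders that received plaintext port-53 queries from the firewall."""
    return sorted({dst for (dst, port) in counts if port == 53})
```

If `cleartext_upstream()` reports forwarders outside a diagnostic test run, the resolver is not actually using the DoT setting and the configuration needs another look.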