Todo #12716

closed

Feedback on pfSense Configuration Recipes — Configuring DNS over TLS

Added by Jason Hovak 4 months ago. Updated 4 months ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
Diagnostics
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:

Description

Page: https://docs.netgate.com/pfsense/en/latest/recipes/dns-over-tls.html

Feedback: The section labeled "Testing DNS over TLS" should include or reference the note from the "DNS Lookup" diagnostics page that states, "The DNS Resolver mode does not impact the behavior of this test. Even in resolver mode the individual DNS servers are tested as described above." In addition the note should be updated. From my testing it seems that DNS Resolver in forwarding mode set to "Use local DNS (127.0.0.1), ignore remote DNS Servers" also runs the tests on all DNS servers. In addition, it runs the tests on the upstream servers in clear text on port 53 ignoring the "Use SSL/TLS for outgoing DNS Queries to Forwarding Servers" setting.

Page: https://docs.netgate.com/pfsense/en/latest/diagnostics/dns.html

Someone else should verify my findings, but I believe this is a function of how the test is run from the pfSense appliance. It causes some confusion when you are expecting all the traffic from the firewall to be on port 853 after the change to DoT.

Actions #1

Updated by Jim Pingle 4 months ago

  • Status changed from New to Closed

The section labeled "Testing DNS over TLS" should include or reference the note from the "DNS Lookup" diagnostics page that states, "The DNS Resolver mode does not impact the behavior of this test. Even in resolver mode the individual DNS servers are tested as described above."

The bullet point already links to the page with the details on testing via that tool; repeating it again seems unnecessary.

In addition the note should be updated. From my testing it seems that DNS Resolver in forwarding mode set to "Use local DNS (127.0.0.1), ignore remote DNS Servers" also runs the tests on all DNS servers. In addition, it runs the tests on the upstream servers in clear text on port 53 ignoring the "Use SSL/TLS for outgoing DNS Queries to Forwarding Servers" setting.

That's exactly what it already states "The DNS Resolver mode does not impact the behavior of this test. Even in resolver mode the individual DNS servers are tested as described above." -- It's doing exactly what you described there. It ignores the DNS Resolver mode and tests each server individually. Since DNS over TLS is configured only in the resolver, the queries to the individual servers go in the clear.
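A way to see this for yourself from the firewall, as an added example that is not part of the ticket, the pfSense documentation, or pfSense's own code: capture the firewall's WAN traffic on ports 53 and 853, then run a lookup through the resolver (for example `drill example.com @127.0.0.1`) and, separately, a lookup from Diagnostics > DNS Lookup, and compare which upstream servers were hit on which port. The script assumes tcpdump's default `-nn` line format, an assumed WAN interface name `em0`, and the resolver listening on 127.0.0.1; the sample capture lines embedded in it are constructed, not a real capture.

```shell
#!/bin/sh
# Added example (not from the pfSense docs or this ticket): classify a
# tcpdump capture of the firewall's upstream DNS traffic into clear-text
# DNS (port 53) and DNS over TLS (port 853), per upstream server.
#
# Live use on pfSense (em0 is an assumed WAN interface name):
#   tcpdump -nni em0 'port 53 or port 853' | summarize_dns_capture
# then query the resolver (drill example.com @127.0.0.1) and, separately,
# use Diagnostics > DNS Lookup, and compare the two summaries.

# Print one line per "<server> <port> <packets>" for ports 53 and 853.
# Parses the "src > dst:" part of tcpdump -nn output; the port is the
# last dot-separated component of the destination, for IP and IP6 lines.
summarize_dns_capture() {
    awk '$2 ~ /^IP6?$/ && $4 == ">" {
        dst = $5
        sub(/:$/, "", dst)
        if (match(dst, /\.[0-9]+$/) == 0) next
        port = substr(dst, RSTART + 1)
        ip   = substr(dst, 1, RSTART - 1)
        if (port != "53" && port != "853") next
        count[ip " " port]++
    }
    END { for (k in count) print k, count[k] }' | LC_ALL=C sort
}

# Return 0 if every upstream query went over 853, 1 if any server was
# queried in the clear on 53; prints the offending servers.
check_no_clear_text() {
    leaks=$(summarize_dns_capture | awk '$2 == "53" { print $1 }')
    if [ -n "$leaks" ]; then
        printf 'clear-text DNS (port 53) seen to: %s\n' "$leaks"
        return 1
    fi
    echo "no clear-text upstream DNS observed"
    return 0
}

# Constructed sample of tcpdump -nn output (not a real capture). The first
# two lines are what the resolver in forwarding mode with DoT produces
# (TCP to 853); the last two mimic the DNS Lookup diagnostic querying each
# configured server directly on UDP 53.
SAMPLE_CAPTURE='12:00:01.000001 IP 203.0.113.10.41234 > 9.9.9.9.853: Flags [S], seq 1, win 65535, length 0
12:00:01.000500 IP 203.0.113.10.41234 > 9.9.9.9.853: Flags [P.], seq 1:200, ack 1, win 1026, length 199
12:00:05.000001 IP 203.0.113.10.55555 > 9.9.9.9.53: 12345+ A? example.com. (29)
12:00:05.000002 IP 203.0.113.10.55556 > 149.112.112.112.53: 12346+ A? example.com. (29)'

# Run both functions on the sample.
printf '%s\n' "$SAMPLE_CAPTURE" | summarize_dns_capture
printf '%s\n' "$SAMPLE_CAPTURE" | check_no_clear_text \
    || echo "(expected when the DNS Lookup diagnostic was used)"
```

After switching the resolver to DoT, a capture taken while only clients on the LAN resolve names should show nothing on port 53 toward the upstream servers; the port-53 lines appear only when the DNS Lookup diagnostic (or anything else that queries the configured servers directly rather than through the resolver) is used.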
