
Bug #13454

closed

Enabling DoT (DNS over TLS) breaks IPSec VPN DNS

Added by Sean McBride over 1 year ago. Updated over 1 year ago.

Status: Not a Bug
Priority: Normal
Assignee: -
Category: IPsec
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes: Default
Affected Version: 2.6.0
Affected Architecture:

Description

Using pfSense Plus 22.05 (current newest). Among other services, we run DNS and 'road warrior' IPsec VPN. The setup has worked well for years.

Recently, we turned on DoT for local clients, i.e. enabled the "Respond to incoming SSL/TLS queries from local clients" checkbox. Inside the LAN, it works great! TCP port 853 is opened, and DoT works according to tests with `kdig`. Plain old DNS still works too.

Alas, for those connected from home by IPsec VPN, plain old DNS is totally broken: UDP port 53 appears closed according to both an `nmap` scan and tests with `kdig`.

If we disable the DoT checkbox, DNS works again. We redo the port scan and UDP port 53 is back open.

There are two related (and unanswered) forum posts:

https://forum.netgate.com/topic/174247/enabling-dot-dns-over-tls-breaks-ipsec-vpn-dns

https://forum.netgate.com/topic/174342/forced-to-use-tcp-853-over-vpn-connections-after-enabling-dot-dns-over-tls
