
Feature #14558

open

Feature Request: GUI options to Unbound Resolver's new DoH abilities

Added by Jonathan Lee over 2 years ago. Updated 13 days ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
DNS Resolver
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Default

Description

Hello fellow PfSense Redmine community members,

I was wondering if the DNS Resolver could have GUI options to configure DoH with the Unbound resolver, as Unbound is now able to resolve DoH. This would be an amazing addition to the pfSense software.

Please see URLs:

https://unbound.docs.nlnetlabs.nl/en/latest/topics/privacy/dns-over-https.html

https://forum.netgate.com/topic/181338/feature-request-gui-options-to-unbound-resolver-s-new-doh-abilities/2


Files

Screenshot 2023-07-06 at 11.29.40 PM.png (655 KB), "DoH with Unbound", attached by Jonathan Lee, 07/07/2023 03:49 PM
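For readers evaluating the request, the following is an added example of the Unbound directives the linked NLnet Labs page documents for serving DoH to LAN clients, together with an encrypted upstream forward. It is not configuration from the issue, from the pfSense project, or from the attached screenshot. The LAN address 192.168.1.1, the certificate paths, the CA bundle path and the upstream 203.0.113.53 with hostname resolver.example.net are assumptions for illustration. One caveat a GUI designer should keep in mind: the linked page covers Unbound serving DoH to downstream clients; for its own upstream hop Unbound speaks DNS-over-TLS via forward-tls-upstream, so an "Unbound DoH" option is a client-facing feature.

```conf
server:
    # Plain DNS for legacy LAN clients (LAN address is an assumption)
    interface: 192.168.1.1
    # Listeners on the port named in https-port speak HTTP/2 over TLS (DoH);
    # listeners on the port named in tls-port speak DNS-over-TLS (DoT)
    interface: 192.168.1.1@443
    interface: 192.168.1.1@853
    https-port: 443
    tls-port: 853
    # Certificate and key presented to DoH/DoT clients (paths are assumptions)
    tls-service-pem: "/var/unbound/doh.pem"
    tls-service-key: "/var/unbound/doh.key"
    # Path DoH clients request; clients would use https://192.168.1.1/dns-query
    http-endpoint: "/dns-query"
    access-control: 192.168.1.0/24 allow
    # CA bundle used to validate the upstream forwarder's certificate (path is an assumption)
    tls-cert-bundle: "/etc/ssl/cert.pem"

forward-zone:
    name: "."
    # Upstream hop is DoT; the #name part pins the expected certificate name
    forward-tls-upstream: yes
    forward-addr: 203.0.113.53@853#resolver.example.net
```

Clients that are pointed at the DoH endpoint must trust the certificate in tls-service-pem, so a GUI option would also need to pick a certificate from the firewall's certificate manager and expose the endpoint path and listen addresses; everything else above is a fixed pairing of interface port to https-port or tls-port.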
#1

Updated by Sergei Shablovsky over 1 year ago

+ upvote for this!

Using DoT/DoH is already the standard nowadays (first of all because the most used browsers, Safari, Chrome and Firefox, are PUSHING users to use DoT/DoH by default as a result of the rapidly growing number of hacker attacks on DNS services!).

pfSense, as one of the leaders in the industry, MUST implement flawless DoH/DoT support, also for INTERNAL LANs.

#3

Updated by Jonathan Lee 13 days ago

“NSA recommends that an enterprise network’s DNS traffic, encrypted or not, be sent only to the designated enterprise DNS resolver.”
Building on that guidance, there should ideally be an RFC or standardized mechanism for locking down browsers and operating systems so they can use only approved DoH servers. With such controls in place, clients could be configured to direct all DNS queries to a local resolver (such as pfSense Unbound), while the firewall enforces that any DNS-over-HTTPS traffic is forwarded exclusively to an authorized upstream resolver. This would re-establish enterprise DNS security controls, especially given prior incidents where attackers have abused DoH for command-and-control purposes.
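As an added illustration of the enforcement model described in the comment above (clients forced to the local resolver, the firewall alone reaching an approved upstream), here is a raw pf.conf fragment. It is not from the issue or from pfSense, and it is written in pf syntax rather than as pfSense GUI rules. The interface names em0 and em1, the LAN 192.168.1.0/24, the firewall address 192.168.1.1, the approved upstream 203.0.113.53 and the address table file are all assumptions.

```conf
# Assumed interfaces and addresses
wan_if = "em0"
lan_if = "em1"
fw_lan = "192.168.1.1"
upstream_resolver = "203.0.113.53"
# Addresses of public DoH endpoints to block; the file is an assumption and must be maintained
table <doh_providers> persist file "/usr/local/etc/doh_providers.txt"

# 1. Plain DNS from the LAN is redirected to the firewall's own Unbound,
#    whatever resolver address the client has configured.
rdr on $lan_if inet proto { tcp udp } from $lan_if:network to any port 53 -> $fw_lan port 53

# 2. Only the firewall itself may open DoT to the approved upstream.
pass out quick on $wan_if inet proto tcp from ($wan_if) to $upstream_resolver port 853

# 3. LAN clients may not reach any DoT resolver directly (traffic from the LAN
#    arrives on $lan_if, so the direction is "in")...
block in quick on $lan_if inet proto tcp from $lan_if:network to any port 853
# ...and may not reach listed public DoH endpoints on 443.
block in quick on $lan_if inet proto tcp from $lan_if:network to <doh_providers> port 443
```

Rule 3's second line is the weak point the comment alludes to: DoH on 443 looks like any other HTTPS session, so a destination table only catches endpoints you already know about, which is why the comment calls for client-side controls that restrict which DoH servers a browser or OS will use at all.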

