Bug #14624 (status: closed)
DNS Lookup tool doesn't respect 'DNS Resolution Behavior: Use local, ignore remote' when DoT is configured
Description
When DoT is configured according to https://docs.netgate.com/pfsense/en/latest/recipes/dns-over-tls.html, the DNS Lookup tool in pfSense results in port 53 being used in addition to 853 for anything provided in System > General Setup.
Steps to reproduce:
1. Fresh installation of 23.05.1, set up DoT according to the docs. I used 1.1.1.1 and hostname security.cloudflare-dns.com and 9.9.9.9 with dns.quad9.net. System > General Setup > Timezone is set to my local time zone.
https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-tls/
https://www.quad9.net/service/service-addresses-and-features/
2. Add a quick floating rule on WAN to reject outbound TCP/UDP from any source to any destination, any source port to destination port 53. Enable logging on the rule.
3. Now resolve some public domains from Diagnostics > DNS lookup. The floating rule on WAN will catch and log those outbound UDP 53 connection attempts. Disabling the floating rule will result in states being formed on the WAN (for both dst ports 53 and 853), and traffic visible on a packet capture.
I didn't observe this when using `dig` or `nslookup` from Diagnostics > Command Prompt, nor when resolving anything in a virtual machine behind pfSense, and nothing else generated by pfSense itself seems to do this (loading the package manager, forcing a pfSense update check, ping).
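As an added example (not from the bug report or from pfSense itself), a small parser for the filterlog entries the logging floating rule in step 2 produces: it flags plaintext port-53 egress sourced by the firewall and marks the case described here, where a configured DoT upstream is also queried in the clear. Field positions assume pfSense's documented filterlog CSV layout; the log lines, interface name and addresses are constructed samples.

```python
"""Flag plaintext DNS (dst port 53) that leaves the firewall itself, as recorded by the
logging floating rule in step 2 above. Field positions assume pfSense's documented
filterlog CSV layout; the sample lines and addresses below are constructed, not captured."""
import csv
from collections import namedtuple

Flow = namedtuple("Flow", "iface action direction proto src dst dport")

# Constructed sample: WAN IP 203.0.113.10 / 2001:db8::1, DoT upstreams 1.1.1.1 and 9.9.9.9.
SAMPLE_LOG = """\
5,,,1000000103,em0,match,block,out,4,0x0,,64,12345,0,DF,17,udp,61,203.0.113.10,1.1.1.1,51234,53,41
5,,,1000000103,em0,match,pass,out,4,0x0,,64,12346,0,DF,6,tcp,60,203.0.113.10,9.9.9.9,51235,853,0,S,1,,65535,,mss
5,,,1000000103,em0,match,block,out,4,0x0,,64,12347,0,DF,6,tcp,60,203.0.113.10,9.9.9.9,51236,53,0,S,2,,65535,,mss
5,,,1000000103,em0,match,block,in,4,0x0,,64,12348,0,DF,17,udp,61,198.51.100.7,203.0.113.10,4000,53,41
5,,,1000000103,em0,match,block,out,6,0x00,0x00000,64,udp,17,61,2001:db8::1,2001:db8::53,51237,53,41
"""

def parse_filterlog(text):
    """Parse filterlog CSV lines into Flow records; skips short lines and non-TCP/UDP."""
    flows = []
    for f in csv.reader(text.splitlines()):
        if len(f) < 9:
            continue
        if f[8] == "4":     # IPv4 (assumed): tos,ecn,ttl,id,offset,flags,proto-id,proto,length,src,dst,sport,dport
            proto, base = f[16], 18
        elif f[8] == "6":   # IPv6 (assumed): class,flow-label,hop-limit,proto,proto-id,length,src,dst,sport,dport
            proto, base = f[12], 15
        else:
            continue
        if proto not in ("udp", "tcp") or len(f) < base + 4:
            continue        # ICMP and friends carry no port fields
        flows.append(Flow(f[4], f[6], f[7], proto, f[base], f[base + 1], int(f[base + 3])))
    return flows

def plaintext_dns_egress(flows, firewall_ips, dot_servers):
    """Outbound port-53 flows sourced by the firewall itself; the bool marks the case in
    this report, where a configured DoT upstream is also being queried in the clear."""
    return [(fl, fl.dst in dot_servers) for fl in flows
            if fl.direction == "out" and fl.dport == 53 and fl.src in firewall_ips]

if __name__ == "__main__":
    hits = plaintext_dns_egress(parse_filterlog(SAMPLE_LOG),
                                {"203.0.113.10", "2001:db8::1"}, {"1.1.1.1", "9.9.9.9"})
    for fl, to_dot in hits:
        print(f"{fl.action} {fl.proto} {fl.src} -> {fl.dst}:{fl.dport}"
              + ("  (DoT upstream queried in the clear)" if to_dot else ""))
```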