Differences

This shows you the differences between two versions of the page.

--- pfsense:dns:force_dns_over_tls [2021/01/04 19:39] – peter
+++ pfsense:dns:force_dns_over_tls [2022/10/08 09:13] (current) – [Another Example] peter
@@ Line 1: / Line 1: @@
 ====== PFSense - DNS - Force DNS over TLS ======
+DNS requests are normally not encrypted, and therefore visible to your ISP to record, use for research / marketing purposes, or even (in the case of some nefarious actors) manipulate or change.
+Running DNS over TLS prevents that, by encrypting your DNS traffic so that it cannot be manipulated or collected.
+<WRAP important>
+**WARNING:**  DNS over TLS will increase latency for DNS lookups due to SSL handshakes.
+However this is only for the first query.  After that the session is reused due to caching.
+Reason for this is that TLS takes longer.
+To prevent this increase in latency, switch to standard port 53.
+</WRAP>
+----
+Navigate to **Services -> DNS Resolver**.
+Add the following to the **Custom Options**.
+<code bash>
+server:
+    access-control-view: 192.168.10.0/24 bypass
+    access-control-view: 192.168.20.0/24 dnsbl
+    access-control-view: 192.168.30.0/24 forward
+    access-control-view: 192.168.40.0/24 tls
+view:
+    name: "bypass"
+    view-first: yes
+view:
+    name: "dnsbl"
+    view-first: yes
+    include: /var/unbound/pfb_dnsbl.*conf
+view:
+    name: "forward"
+    view-first: yes
+    forward-addr: 1.1.1.1
+    forward-addr: 8.8.8.8
+view:
+    name: "tls"
+    view-first: yes
+    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
+    forward-tls-upstream: yes
+    forward-addr: 1.1.1.1@853#cloudflare-dns.com
+    forward-addr: 1.1.1.1
+</code>
+<WRAP info>
+**NOTE:**  To use **DNS over TLS**, you will need:
+  * to specify **tls-cert-bundle** option that points to the local system's root certificate authority bundle.
+  * allow unbound to forward TLS requests; **forward-tls-upstream: yes**.
+  * specify any number of servers that allow DNS over TLS.
+For each server you will need to specify that the connection port using **@**, and you will also need to indicate which is its domain name with **#**.
+  * Even though it looks like an comment the hashtag name allows for the TLS authentication name to be set for stub-zones and with unbound-control forward control command.
+  * There should not be any spaces between the @ and # markups.
+</WRAP>
+----
+===== Another Example =====
 Navigate to **Services -> DNS Resolver**
@@ Line 17: / Line 84: @@
     forward-addr: 2606:4700:4700::1111@853
     forward-addr: 2606:4700:4700::1001@853
-     # Below 3 addresses are Quad9 DNS.
+    # Below 3 addresses are Quad9 DNS.
     forward-addr: 9.9.9.9@853
     forward-addr: 149.112.112.112@853
@@ Line 23: / Line 90: @@
 </code>
-See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for info on these options.
+<WRAP info>
+**NOTE:**  See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for info on these options.
+It is OK to set the resolver to listen on all interfaces, since the firewall rules on the WAN will prevent Internet hosts from using your resolver anyway.
-It’s OK to set the resolver to listen on all interfaces, since the firewall rules on the WAN will prevent Internet hosts from using your resolver anyway.
+</WRAP>
 <WRAP important>
@@ Line 32: / Line 102: @@
 However this is only for the first query.  After that the session is reused due to caching.
-Reason for this is that CloudFlare's 1.1.1.1 DNS service supports TLS on port 853.  TLS takes longer.  Sames goes for Quad9's 9.9.9.9 DNS service.
+Reason for this is that CloudFlare's 1.1.1.1 DNS service supports TLS on port 853.  TLS takes longer.  Same goes for Quad9's 9.9.9.9 DNS service.
 To prevent this increase in latency, switch to standard port 53, or to an alternative DNS provider that does not use TLS for example: