Wiki

User Tools

Site Tools

Trace:
pfsense:dns:force_dns_over_tls

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
pfsense:dns:force_dns_over_tls [2021/01/06 10:18] peterpfsense:dns:force_dns_over_tls [2022/10/08 09:13] (current) – [Another Example] peter
Line 3: Line 3:
 DNS requests are normally not encrypted, and therefore visible to your ISP to record, use for research / marketing purposes, or even (in the case of some nefarious actors) manipulate or change. DNS requests are normally not encrypted, and therefore visible to your ISP to record, use for research / marketing purposes, or even (in the case of some nefarious actors) manipulate or change.
  
-Running DNS over TLS prevents that, by encrypting your DNS traffic so that it can’t be manipulated or collected.+Running DNS over TLS prevents that, by encrypting your DNS traffic so that it cannot be manipulated or collected. 
 + 
 +<WRAP important> 
 +**WARNING:**  DNS over TLS will increase latency for DNS lookups due to SSL handshakes. 
 + 
 +However this is only for the first query.  After that the session is reused due to caching. 
 + 
 +Reason for this is that TLS takes longer. 
 + 
 +To prevent this increase in latency, switch to standard port 53. 
 +</WRAP>
  
 ---- ----
Line 42: Line 52:
  
   * to specify **tls-cert-bundle** option that points to the local system's root certificate authority bundle.   * to specify **tls-cert-bundle** option that points to the local system's root certificate authority bundle.
-  * allow unbound to forward TLS requests +  * allow unbound to forward TLS requests; **forward-tls-upstream: yes**. 
-  * specify any number of servers that allow DNS of TLS. +  * specify any number of servers that allow DNS over TLS.
  
 For each server you will need to specify that the connection port using **@**, and you will also need to indicate which is its domain name with **#**. For each server you will need to specify that the connection port using **@**, and you will also need to indicate which is its domain name with **#**.
Line 80: Line 90:
 </code> </code>
  
-See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for info on these options.+<WRAP info> 
 +**NOTE:**  See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for info on these options.
  
-It’s OK to set the resolver to listen on all interfaces, since the firewall rules on the WAN will prevent Internet hosts from using your resolver anyway.+It is OK to set the resolver to listen on all interfaces, since the firewall rules on the WAN will prevent Internet hosts from using your resolver anyway. 
 + 
 +</WRAP>
  
 <WRAP important> <WRAP important>
Line 89: Line 102:
 However this is only for the first query.  After that the session is reused due to caching. However this is only for the first query.  After that the session is reused due to caching.
  
-Reason for this is that CloudFlare's 1.1.1.1 DNS service supports TLS on port 853.  TLS takes longer.  Sames goes for Quad9's 9.9.9.9 DNS service.+Reason for this is that CloudFlare's 1.1.1.1 DNS service supports TLS on port 853.  TLS takes longer.  Same goes for Quad9's 9.9.9.9 DNS service.
  
 To prevent this increase in latency, switch to standard port 53, or to an alternative DNS provider that does not use TLS for example: To prevent this increase in latency, switch to standard port 53, or to an alternative DNS provider that does not use TLS for example:
pfsense/dns/force_dns_over_tls.1609928317.txt.gz · Last modified: 2021/01/06 10:18 by peter
Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki