pfsense:dns:force_dns_over_tls

Differences

This shows you the differences between two versions of the page.

pfsense:dns:force_dns_over_tls [2021/01/06 10:21] – [PFSense - DNS - Force DNS over TLS] peter
pfsense:dns:force_dns_over_tls [2022/10/08 09:13] (current) – [Another Example] peter
Line 3: Line 3:
 DNS requests are normally not encrypted, and therefore visible to your ISP to record, use for research / marketing purposes, or even (in the case of some nefarious actors) manipulate or change. DNS requests are normally not encrypted, and therefore visible to your ISP to record, use for research / marketing purposes, or even (in the case of some nefarious actors) manipulate or change.
  
-Running DNS over TLS prevents that, by encrypting your DNS traffic so that it can’t be manipulated or collected.+Running DNS over TLS prevents that, by encrypting your DNS traffic so that it cannot be manipulated or collected. 
 + 
 +<WRAP important> 
 +**WARNING:**  DNS over TLS will increase latency for DNS lookups due to SSL handshakes. 
 + 
 +However this is only for the first query.  After that the session is reused due to caching. 
 + 
 +Reason for this is that TLS takes longer. 
 + 
 +To prevent this increase in latency, switch to standard port 53. 
 +</WRAP>
  
 ---- ----
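Review bot: the WRAP important block added at the top of the page duplicates the warning box that already exists further down (the Line 89 hunk shows the same three sentences about first-query latency and session reuse), so the same caveat now lives in two places and will drift apart on the next edit; keep one copy, ideally next to the resolver configuration it describes. Inside the new text, "SSL handshakes" should read "TLS handshakes" (the page is about DNS over TLS and unbound negotiates TLS, not SSL), and "Reason for this is that TLS takes longer." only restates the first sentence and can be dropped. The closing line "To prevent this increase in latency, switch to standard port 53." should state the trade-off it implies: port 53 is plaintext DNS, which re-exposes every query to exactly the recording and manipulation the unchanged paragraph above warns about, so it is a rollback of the page's whole purpose rather than a tuning option. Suggest wording along the lines of "Falling back to port 53 removes the latency but also removes the encryption; only do this if you accept unencrypted DNS."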
Line 80: Line 90:
 </code> </code>
  
-See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for info on these options.+<WRAP info> 
 +**NOTE:**  See https://nlnetlabs.nl/documentation/unbound/unbound.conf/ for info on these options.
  
-It’s OK to set the resolver to listen on all interfaces, since the firewall rules on the WAN will prevent Internet hosts from using your resolver anyway.+It is OK to set the resolver to listen on all interfaces, since the firewall rules on the WAN will prevent Internet hosts from using your resolver anyway. 
 + 
 +</WRAP>
  
 <WRAP important> <WRAP important>
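Review bot: the sentence moved into the new WRAP info box, "It is OK to set the resolver to listen on all interfaces, since the firewall rules on the WAN will prevent Internet hosts from using your resolver anyway.", rests entirely on the WAN rule set. That is true under pfSense's default WAN policy, but any later allow rule or port forward for TCP/UDP 53 on WAN silently turns the box into an open resolver, a well-known amplification and cache-poisoning exposure. Suggest adding the resolver-side restriction as defense in depth and showing it in the <code> block this hunk closes: unbound.conf `access-control:` entries that allow only the local LAN prefixes and refuse everything else, so the resolver stays closed even if the WAN rules change. Minor: the blank line before </WRAP> renders as an empty paragraph inside the info box.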
Line 89: Line 102:
 However this is only for the first query.  After that the session is reused due to caching. However this is only for the first query.  After that the session is reused due to caching.
  
-Reason for this is that CloudFlare's 1.1.1.1 DNS service supports TLS on port 853.  TLS takes longer.  Sames goes for Quad9's 9.9.9.9 DNS service.+Reason for this is that CloudFlare's 1.1.1.1 DNS service supports TLS on port 853.  TLS takes longer.  Same goes for Quad9's 9.9.9.9 DNS service.
  
 To prevent this increase in latency, switch to standard port 53, or to an alternative DNS provider that does not use TLS for example: To prevent this increase in latency, switch to standard port 53, or to an alternative DNS provider that does not use TLS for example:
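Review bot: in "Reason for this is that CloudFlare's 1.1.1.1 DNS service supports TLS on port 853.  TLS takes longer.  Same goes for Quad9's 9.9.9.9 DNS service." the cause and the example are run together: the extra latency comes from the TLS handshake on the first connection to the upstream, not from the fact that these providers offer port 853, which is simply where the page's configuration points. Suggest "The extra latency is the TLS handshake; it applies to any DNS over TLS upstream, such as Cloudflare 1.1.1.1 or Quad9 9.9.9.9 on port 853." (the vendor spells its name "Cloudflare"). The last sentence ends with "for example:" and the list it introduces is outside this hunk, so the alternatives cannot be reviewed here; whatever is listed, the text should say plainly that a provider "that does not use TLS" means plaintext DNS on port 53, i.e. the same loss of protection the warning box above describes, rather than presenting it as a neutral latency fix.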
pfsense/dns/force_dns_over_tls.1609928491.txt.gz · Last modified: 2021/01/06 10:21 by peter
