PFSense - DNS - Custom WAN DNS Servers (Secure) (Forced)

Navigate to System → General Setup.

In DNS Server Settings:

• DNS Server: 9.9.9.9 / DNS Hostname: dns.quad9.net (Primary DNS)
• DNS Server: 149.112.112.112 / DNS Hostname: dns.quad9.net (Secondary DNS) (optional)

• DNS Server Override: Not checked.

Navigate to Services → DNS Resolver → General Settings.

In General DNS Resolver Options:

• Network Interfaces: All.
  • ALL is easier to configure, but on a high load system you might want to specify these.
• Outgoing Network Interfaces: WAN.
• Strict Outgoing Network Interface Binding: Checked.
• DNSSEC: Not checked.
  • Quad9 does all of this upstream so this is not needed here as well.
  • DNSSEC needs to be turned off because it just causes extra traffic.
  • It is suggested to check this by running a test with DNSSEC turned off in pfSense.
• Enable Forwarding Mode: Checked.
  • DNS Resolver uses unbound and the old way of doing things was with DNS Forwarder powered by dnsmasq which could only forward DNS requests.
  • Controls whether unbound uses resolver mode (unchecked) or forwarding mode (checked). See DNS Resolver Mode for an explanation of the modes.
  • To utilize Quad9 blocking capabilities, the DNS Resolver needs to be put into forwarder mode.
• Use SSL/TLS for outgoing DNS Queries to Forwarding Servers: Checked.