This is an old revision of the document!
Table of Contents
PFSense - Stopping DNS Leaks
Navigate to Services → DNS Resolver
- DNS Query Forwarding: Not Checked.
- Custom Options:
server: ssl-upstream: yes do-tcp: yes forward-zone: name: "." forward-addr: 1.1.1.1@853 forward-addr: 1.0.0.1@853 forward-addr: 2606:4700:4700::1111@853 forward-addr: 2606:4700:4700::1001@853
It’s OK to set the resolver to listen on all interfaces, since the firewall rules on the WAN will prevent Internet hosts from using your resolver anyway.
WARNING: This will increase latency for DNS lookups due to SSL handshakes.
CloudFlare's 1.1.1.1 DNS service supports TLS on port 853.
To prevent this increase in latency, switch to standard port 53, or to an alternative DNS provider that does not use TLS.
Test
Test using an internal DNS:
dig www.google.com @yourrouter.local
You should see a resolve against your router’s local DNS resolver that works.
NOTE: You can use use Diagnostics → Packet Capture, and capture port 853 to verify that requests are being triggered.
Test using an external DNS
Try and dig something against an IP that you know is not internal and is not a DNS server. It should work, since the request will be NATted. Something like;
dig www.google.com @8.8.8.8
Assuming that’s all fine, you should now be able to configure a broad block rule to bar all outbound port 53.
Block all outbound non-encrypted DNS
Navigate to Firewall → Rules
On the WAN interface, define a new rule at the top of the list. This rule should use these settings;
- Action: Block.
- Interface: WAN.
- Address Family: IPv4+IPv6.
- Protocol: TCP/UDP.
- Source: any.
- Destination: any.
- Destination Port: DNS (53).
- Description: Block outbound insecure DNS.
Verify that you can still resolve against the local resolver (your router’s IP), and that you can still resolve against what seems to be external resolver (e.g, 8.8.8.8).
You should also check that when you do so that nothing passes on the WAN interface on port 53.