I was procrastinating on researching this, thanks for distilling it in another succinct video! No excuse for me not to use it now ;)
@JoaquínPatiñoCerón 1 year ago
Thanks Lawrence, you're the best!! Regards from Colombia!!
@LAWRENCESYSTEMS 1 year ago
I appreciate that!
@billslim9267 4 years ago
Dan from Tyler, TX here, Thanks Tom! Just what I needed.
@DarkNightSonata 4 years ago
Hey, please make a video on Redirecting DNS & Blocking external DNS servers for pfSense. Thanks a lot
@robbymoeyaert7482 4 years ago
Should note that if you're running a dual stack IPv6 / IPv4 network with pfSense and running unbound, pfSense will advertise itself as DNS server through router advertisements. This means that in case you want to point your clients to a Windows DNS first, they'll still "know" about pfSense being a DNS server through the RA. This can cause issues since Windows prefers IPv6 over IPv4 in its IP stack (as it should) and thus is likely to send queries to pfSense over IPv6 in this scenario. So if you're running dual stack with pfSense, I would actually recommend using it as primary DNS and for AD use appropriate domain forwards in unbound. Yes it's a "workaround" as Tom notes, but it's currently the only way I have found to make it work correctly and consistently.
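The dual-stack point above is easy to verify: a client that was handed a Windows DNS server by DHCP can still learn a second resolver from the RDNSS option of the router's Router Advertisement. Below is an added illustration (not code from any commenter, pfSense, or Lawrence Systems) that parses the RDNSS and DNSSL options out of a Router Advertisement and lists any advertised resolver that is not on the list you hand out on purpose. The RA bytes, the addresses fd00::1 and fd00::53, and the search domain lab.example are constructed for the example.

```python
import ipaddress
import struct

# ICMPv6 type and Neighbor Discovery option codes (RFC 4861, RFC 8106).
ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_RDNSS = 25   # Recursive DNS Server option
OPT_DNSSL = 31   # DNS Search List option

RA_HEADER_LEN = 16  # type, code, checksum, hop limit, flags, router lifetime, reachable, retrans


def _decode_dns_names(buf: bytes) -> list:
    """Decode the DNS-wire-format names in a DNSSL option; trailing zero padding is ignored."""
    names, labels, i = [], [], 0
    while i < len(buf):
        n = buf[i]
        i += 1
        if n == 0:                       # end of a name (or padding octet)
            if labels:
                names.append(".".join(labels))
                labels = []
            continue
        labels.append(buf[i:i + n].decode("ascii"))
        i += n
    return names


def parse_ra_dns_options(ra: bytes) -> dict:
    """Return {'rdnss': [(address, lifetime)], 'dnssl': [(domain, lifetime)]} from an
    ICMPv6 Router Advertisement (ICMPv6 header onward; checksum is not validated)."""
    if len(ra) < RA_HEADER_LEN or ra[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not an ICMPv6 Router Advertisement")
    found = {"rdnss": [], "dnssl": []}
    off = RA_HEADER_LEN
    while off + 2 <= len(ra):
        opt_type, opt_len = ra[off], ra[off + 1]   # ND option length is in units of 8 octets
        if opt_len == 0:
            raise ValueError("zero-length ND option")
        end = off + opt_len * 8
        if end > len(ra):
            raise ValueError("truncated ND option")
        body = ra[off + 2:end]                      # option payload after type/length
        if opt_type in (OPT_RDNSS, OPT_DNSSL):
            lifetime = struct.unpack("!I", body[2:6])[0]   # 2 reserved octets, then lifetime
            payload = body[6:]
            if opt_type == OPT_RDNSS:
                for i in range(0, len(payload) - 15, 16):
                    addr = ipaddress.IPv6Address(payload[i:i + 16])
                    found["rdnss"].append((str(addr), lifetime))
            else:
                for name in _decode_dns_names(payload):
                    found["dnssl"].append((name, lifetime))
        off = end
    return found


def unexpected_ra_dns_servers(ra: bytes, intended_servers) -> list:
    """Resolvers the RA advertises that are not in the list you hand out deliberately
    (e.g. via DHCP/DHCPv6). Dual-stack clients will use anything returned here."""
    intended = {ipaddress.IPv6Address(s) for s in intended_servers}
    return [addr for addr, _ in parse_ra_dns_options(ra)["rdnss"]
            if ipaddress.IPv6Address(addr) not in intended]


def build_sample_ra() -> bytes:
    """Constructed sample RA: a router at fd00::1 advertising itself as the resolver
    and 'lab.example' as search domain. Every value here is made up for the demo."""
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0)
    rdnss = (bytes([OPT_RDNSS, 3]) + b"\x00\x00" + struct.pack("!I", 1800)
             + ipaddress.IPv6Address("fd00::1").packed)            # 24 octets = 3 units
    wire_name = b"\x03lab\x07example\x00"                           # 13 octets
    dnssl_body = b"\x00\x00" + struct.pack("!I", 1800) + wire_name  # 19 octets
    dnssl = bytes([OPT_DNSSL, 3]) + dnssl_body + b"\x00" * (24 - 2 - len(dnssl_body))
    return header + rdnss + dnssl


if __name__ == "__main__":
    ra = build_sample_ra()
    print(parse_ra_dns_options(ra))
    # fd00::53 stands in for the Windows DNS server you meant clients to use (constructed).
    print("advertised but not intended:", unexpected_ra_dns_servers(ra, ["fd00::53"]))
```

On a real network you would feed `parse_ra_dns_options` the ICMPv6 payload captured from the LAN (for example with tcpdump on the firewall's LAN interface); if it lists the firewall's own address while DHCP points clients elsewhere, that is the split-resolver situation the comment describes.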
@towesc 4 years ago
Thanks Tom, as always very informative. Had DOT setup for a while now and had the Cloudflare DNS servers added to the custom options + I'm also using pfBlockerNG, changed it now to the way you're showing in the video (:
@allaboutcomputernetworks 2 years ago
Always best 👍
@fritzchristoph8670 2 years ago
Nice one. This was what I was looking for...
@Chaosslord1 4 years ago
you're using 1.1.1.2 in this demo, but Cloudflare only specifies 1.1.1.1 to be compatible with the use of TLS in their own documentation. Can someone confirm that if you're setting up 1.1.1.2 over TLS that you're actually using the 1.1.1.1 service without the malware filtering?
@PrestonKutzner 4 years ago
FYI, heads-up that the family filtering servers, .2 and .3 do not actually filter when DoT is used. See community.cloudflare.com/t/1-1-1-3-does-not-filter-content-if-queries-are-made-via-dot-dns-over-tls/167730 They do resolve over TLS, but no DNS filtering takes place. Unfortunately, if you want to use the filtering, for now, you have to use non-TLS. I have confirmed this behavior.
@LAWRENCESYSTEMS 4 years ago
I just tested this on my vlog Thursday live stream #174 and the issue has been resolved.
@PrestonKutzner 4 years ago
@@LAWRENCESYSTEMS That's great news! Gonna try it out today. BTW, thanks for all your great content! I've been in the industry since the late 90s, and it's folks like you that keep the spirit of the earlier days of knowledge sharing for its own sake alive. Just wanted to say thanks.
@BrewedIt 4 years ago
Nice video. Love your content. I use pihole and a Unifi network. Pihole with dns over https works fine if using the cloudflared method via loop back.
@GurkoKurdo 4 years ago
You’re not hiding anything at all on ISP level: since SNI was introduced the host (name of the website) is added in plaintext on the transport layer of a TLS packet. See RFC 3546 section 3.1. Just Wireshark any client hello TLS packet and you’ll see the hostname
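To show what the comment above means in concrete terms, here is an added example (not code from any commenter or from the video) that pulls the host_name out of the plaintext server_name extension of a TLS ClientHello, exactly the field Wireshark displays. The ClientHello bytes are constructed by the helper in the block (one cipher suite, fixed random value), and www.example.com is a placeholder name; the parser itself works on any captured ClientHello record.

```python
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0          # server_name extension (RFC 3546 section 3.1, now RFC 6066)
HOST_NAME = 0                # the only defined NameType


def extract_sni(record: bytes):
    """Return the host_name from the plaintext server_name extension of a TLS
    ClientHello record, or None when the ClientHello carries no SNI.
    Raises ValueError for input that is not a well-formed ClientHello record."""
    try:
        if record[0] != TLS_HANDSHAKE:
            raise ValueError("not a TLS handshake record")
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) != rec_len or hs[0] != CLIENT_HELLO:
            raise ValueError("not a complete ClientHello")
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:
            raise ValueError("truncated ClientHello")
        pos = 2 + 32                                             # legacy_version + random
        pos += 1 + body[pos]                                     # legacy_session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]     # cipher_suites
        pos += 1 + body[pos]                                     # compression_methods
        if pos == len(body):
            return None                                          # old-style hello, no extensions
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype != EXT_SERVER_NAME:
                continue
            list_end = 2 + struct.unpack("!H", edata[0:2])[0]    # ServerNameList length
            i = 2
            while i + 3 <= list_end:
                name_type = edata[i]
                name_len = struct.unpack("!H", edata[i + 1:i + 3])[0]
                i += 3
                if name_type == HOST_NAME:
                    return edata[i:i + name_len].decode("ascii")
                i += name_len
        return None
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc


def build_client_hello(hostname=None) -> bytes:
    """Constructed minimal TLS 1.2-style ClientHello record (one cipher suite,
    fixed random) with an optional SNI extension; for demonstration only."""
    exts = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = bytes([HOST_NAME]) + struct.pack("!H", len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body = (b"\x03\x03" + b"\x11" * 32          # version, random (fixed, constructed)
            + b"\x00"                            # empty session id
            + b"\x00\x02\x13\x01"                # one cipher suite
            + b"\x01\x00"                        # null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    print(extract_sni(build_client_hello("www.example.com")))   # www.example.com
    print(extract_sni(build_client_hello()))                    # None
```

Anyone on the path can run the same parse on the first packet of a connection, which is why encrypted DNS alone does not hide the site name; Encrypted Client Hello (the successor of the Encrypted SNI draft mentioned in the reply) moves the real name into an encrypted inner ClientHello and leaves only a public outer name visible.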
@LAWRENCESYSTEMS 4 years ago
True, I should have mentioned that you should also be using Encrypted SNI blog.cloudflare.com/encrypt-that-sni-firefox-edition/
@metsakoyomakao4073 3 years ago
To ensure that even DNS queries generated by your computers don't leave the computer non-TLS-encrypted you can use a tool called Simple DNSCrypt. Run Wireshark and filter DNS traffic and you'll see the magic yourself.
@smiakus 4 years ago
I have enabled this on pfsense and in pftop I see the WAN IP address is sending DNS queries via port 853. But all LAN clients are still using port 53. I'd like to test forcing LAN clients to use only DNS over TLS. Here it is mentioned that I can use firewall rules for that, but how? When I do telnet pfsensehost 853 the port is not open!
@douglasg14b 4 years ago
It's not clear here if Forwarding mode has alternative side effects? How can we NOT be in forwarding mode, and still have encrypted DNS queries that do get sent to upstream providers? I want Unbound to be a resolver, not a forwarder, but when it does resolve a request by querying an upstream provider, I want it to use DNS over TLS. Is this not possible?
@davidnickel3949 4 years ago
I think a new setup guide from you would help as things have changed
@1981SPL 4 years ago
great video as usual. I have DNSSEC already configured...would there be any conflict by enabling/using DNS over TLS in addition?
@fedemtz6 4 years ago
I think that there might only be a conflict if you are using a dns server that is blocking certain domains like Cloudflare's 1.1.1.2 and 1.1.1.3 but it depends on how it gets blocked
@danielrippen 4 years ago
No, DNS over TLS only offers transport encryption and has nothing to do with the actual payload, so it’s 100% compatible :)
@killer2600 4 years ago
You don't want DNSSEC enabled because when cloudflare sinkholes a lookup it's not able to validly sign the record it sends because cloudflare isn't the authorized name server for all the domains it sinkholes/blocks.
@mloiterman 4 years ago
Killer2600 that’s a really insightful answer that a lot of people with problems getting Cloudflare to “validate” via the 1.1.1./help link could benefit from hearing.
@rogerosb2u 4 years ago
1st post! :) Great job, Tom, as always! I love your channel and all the content you make around pfSense and UniFi equipment.
@hoterychannel 4 years ago
What's better for Windows Domain - Clients -> Windows DNS -> pfSense DNS or Clients -> pfSense and forward local domain requests to Windows DNS?
@sicanu1981 3 years ago
Hi, I have a problem with pfsense configuration. On my server I have Ubuntu 20.04 configured with nginx proxy manager, sorting out the SSL certs, which works fine; on a second server I have TrueNAS configured with Nextcloud, which works fine. The issue is that when I connect to my Nextcloud externally via phone it works fine, but when I need to connect locally via Wi-Fi with the same domain name and account it will not allow it. What is the configuration that I miss in my case? If you need more info I will try to explain it to you again!
@B1663R 2 years ago
Tom is the shit!
@muhammadaamir566 1 year ago
I have configured OpenDNS Server on LAN with DHCP... I want to bypass an Alias from OpenDNS Server.... I want to direct that Alias through GoogleDNS? How to do it sir
@jeliuterio 4 years ago
Great info @Lawrence Systems Question how does this affect captive portal???
@BenjaminCronce 4 years ago
Why not use DNSSEC? Is it not compatible with forwarding mode?
@pyramid011 4 years ago
My understanding is it's unnecessary if you are forwarding to a resolver that's already doing DNSSEC. It just generates unnecessary traffic.
@aayendehrsol 2 years ago
Greetings Tom, the set up for dns over tls in pfsense 2.6 seems not to be working unless you use the old custom options settings, could you please confirm why?
@LAWRENCESYSTEMS 2 years ago
Not sure, post in the pfsense forums
@manthing1467 4 years ago
I took care of that in AD right before you started talking about it.
@frozeneye100 1 year ago
See, this is sort of where I really do not understand. If the traffic after DNS still goes over ISP or VPN or whatever… they can still track the IP. The only time where I really agree with this sort of thing is when we have peer-to-peer communication between company branches and some settings of VPN may cause DNS leaks which a hacker may track. Then sure, but for the average Joe… since the ISP has the IP you connect to, they will still see exactly what site you visit regardless of your DNS. Simply put, a whois query on all incoming connections and they get the domain names anyway.
@atephoto 4 years ago
Finally, this solved my problems. I was using that custom thing with all the stuff I found on forums. This worked a lot better. It even shows how to secure with floating rules, which I appreciate a lot. Please read the whole comment below. I do have plans for egress filtering, can you please make videos about that? I have a particular network setup with an ISP modem (192.168.1.1 LAN IP), pfSense base network (WAN 192.168.1.5, LAN 10.0.0.0/24). And then I use a shared (switched) LAN1 from the pfSense base net down to my office where I have yet another pfSense with stricter rules (WAN 10.0.0.5, LAN 10.0.5.0/24). I'm trying to do egress filtering on my base network to make all of the networks a bit safer, but it seems like I'm breaking the router at my office. I wonder if there are some IPs/ports that I need to allow on 10.0.0.0/24 to not break the router at my office.
@atephoto 4 years ago
Is it enough to set up this on my base network then use dnsmasq forwarder to push subnet in to SSL/TLS DNS?
@G0nz0uk 3 years ago
I wish you would do some OPNsense videos.
@bobcarpenter1551 4 years ago
Does the "DNS Server Override" setting at 3:47, that's enabled, do any bypassing of DoT?
Have you made a video comparing DNS over HTTPS vs DNS over TLS ?? Thanks 😊
@saywhat9158 4 years ago
Any idea how to setup a laptop to exclusively use the pfsense DoH DNS for filtering at home and also use DoH in the browser/computer when on a remote network? I’m guessing the only way is to set pfsense as the DoH custom provider and VPN into it since you can’t set primary and fallback DoH providers in your browser when it can’t be reached. The only other option is to turn off all computer level DoH and let pfsense provide it when you are at home but it is then off when roaming and potentially unreliable when an update could reset to non-pfsense default. In short, using pfBlocker & pfsense DoH with DoH settings in both the browser and soon to be additional DoH settings in Windows also is going to be a pain to configure and maintain especially mobile devices. If any of those DoH settings to pfsense gets switched to an outside non-filtering DNS provider by an update, you won’t likely know or have any warning and Microsoft will likely do that [oops] to get around blocking attempts of their integrated spyware. Privacy for the user is also privacy from the user for app makers when using third party DoH.
@maxd7228 4 years ago
Tom at 3:54 "DNS Server Override" is checked, does this affect the DNS over TLS functionality?
Ugh I just did this today! I should have waited 2 hours! 😂
@infotechsavvy4981 4 years ago
Hi Lawrence, I would like to ask about the TLS 1.2 on pfsense. Is it possible to create a certificate using the TLS 1.2?
@LAWRENCESYSTEMS 4 years ago
Don't know
@237311 4 years ago
I have DNS forwarder enabled on my pfsense pointing to a private DNS running on my network. Is this good or bad?
@killer2600 4 years ago
Neither, it just adds delay. Devices on your network should be using the main dns server directly unless there's a reason the extra hop is necessary.
@jackalope9001 4 years ago
What are your opinions about this regarding unbound vs encrypting DNS? ""jfb Moderator Apr '19 This depends on your definition of “secure”. With encrypted DNS, the DNS requests to and from the upstream provider are not visible to your ISP or others, and the reply you get is the answer that was sent, as it travels an encrypted path. However, you have to trust the upstream provider with your DNS history, and to not filter or alter any of the DNS replies it sends you. Additionally, even though your ISP cannot see the DNS requests, you will immediately follow the DNS reply with an unencrypted request for that IP address, and your ISP can quickly determine where you are browsing. With unbound, you avoid upstream providers completely and your local resolver (unbound) deals directly with the authoritative name servers (the same ones the upstream providers use). The DNS traffic is not encrypted, but it is authenticated with DNSSEC, so the reply you receive is validated as being the answer that was sent. Unbound uses a few techniques to send as little data to the nameservers as possible and to maximize your privacy - qname minimisation is one method. Since you communicate directly with the authoritative name servers, the replies are not filtered in any way. Unbound also has a very efficient cache, so after it’s been in use for a while it does not have to communicate with the name servers as often. Most users find that unbound is typically faster overall than using an upstream provider, once the cache is populated. For these reasons, I prefer unbound to encrypted DNS: No upstream DNS provider has your DNS history. The results are unfiltered. You have equal assurance that the DNS traffic has not been altered in transit. There is no less privacy from the ISP. Generally faster. I have complete control over my DNS resolver.""
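The quoted moderator post leans on qname minimisation without spelling out what it changes. The added example below (not from the quoted post, unbound, or anyone in this thread) simulates the two resolver walks, classic iteration and RFC 7816-style minimisation, and reports which names each zone's servers get to see. The name www.sub.example.org. and the delegation points org. and example.org. are a constructed lab scenario; only the names are modelled, not record types or caching.

```python
def _suffixes(qname: str):
    """Yield the ancestors of qname from shortest to the full name, e.g.
    'org.', 'example.org.', 'sub.example.org.', 'www.sub.example.org.'."""
    labels = qname.rstrip(".").split(".")
    for i in range(1, len(labels) + 1):
        yield ".".join(labels[-i:]) + "."


def classic_queries(qname: str, zone_cuts):
    """Queries a non-minimising resolver sends while iterating from the root:
    a list of (zone whose servers are asked, name in the query). Every server on
    the delegation path sees the full name. zone_cuts is the set of delegated zones."""
    zones = ["."] + [s for s in _suffixes(qname) if s in zone_cuts]
    return [(zone, qname) for zone in zones]


def minimised_queries(qname: str, zone_cuts):
    """The same walk with QNAME minimisation (RFC 7816): each server is asked only
    for the name one label longer than the zone it is already known to serve, so
    the root sees 'org.', the org servers 'example.org.', and so on. A name that is
    not a delegation point costs an extra round trip to the same servers."""
    sent, zone = [], "."
    for name in _suffixes(qname):
        sent.append((zone, name))
        if name in zone_cuts:
            zone = name            # the answer delegated us to this zone's servers
    return sent


def names_seen(queries):
    """Fold a query list into {zone: [names its servers learned]}."""
    seen = {}
    for zone, name in queries:
        seen.setdefault(zone, []).append(name)
    return seen


# Constructed scenario: a name three labels below a delegated zone; sub.example.org
# is served by the example.org servers rather than delegated.
QNAME = "www.sub.example.org."
ZONE_CUTS = {"org.", "example.org."}

if __name__ == "__main__":
    print("classic:  ", names_seen(classic_queries(QNAME, ZONE_CUTS)))
    print("minimised:", names_seen(minimised_queries(QNAME, ZONE_CUTS)))
```

Run it and the difference the post alludes to is visible: with minimisation the root and TLD servers never learn the full hostname, only the zone below them, while the operator of example.org (who has to know anyway) still sees the leaf. What neither mode hides is the IP the client connects to afterwards, which is the post's other point.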
@killer2600 4 years ago
You have to explain "There is no less privacy from the ISP"...if DNS lookups are encrypted between the home network and cloudflare, it's easily arguable that this offers more privacy than clear text lookups traversing the ISP's network.
@samharry7474 4 years ago
@@killer2600 "Additionally, even though your ISP cannot see the DNS requests, you will immediately follow the DNS reply with an unencrypted request for that IP address, and your ISP can quickly determine where you are browsing." Unless, I suppose, there are multiple domain names with the same IP address.
@PigMan9080 4 years ago
Is this a global setting or can it be set so IoT on a separate vlan uses 53 while the main network uses TLS? Maybe through DHCP?
@jasonmicron 2 years ago
Just set upstream DNS for the IoT VLAN to use non-DoT DNS servers via DHCP for that VLAN subnet in pfSense.
@ryanslab302 3 years ago
Why not enable DNSSEC?
@antaishizuku 4 years ago
Can you please do the video for redirecting DNS.
@Spacemanwho1 4 years ago
Hey Tom can you get hold of the new UniFi viewport and give it a good run in and review. Have always respected your point of view and your insights are highly valuable 👍
@LAWRENCESYSTEMS 4 years ago
that is what is running behind me..lol
@Spacemanwho1 4 years ago
Lawrence Systems / PC Pickup just made me grin ear to ear 😁 Thanks dude.
@AndrewJamison79 4 years ago
I use a VPN like that (or did) when I was at my previous job to bypass their social media filters on my lunch breaks. They had free internet but blocked all social networking; even KZbin was grouped in this. Using a VPN like this allowed me to bypass it, which I guess was kind of not best practice, but since I am no longer employed there I feel safe saying that.
@RobertoAnile 4 years ago
why not use unbound without forwarding + dnssec and direct query root servers?
@killer2600 4 years ago
Because you want the dns filtering offered by cloudflare and/or you want DNS lookups leaving your machine to be encrypted so your ISP can't tell what you're looking up.
@LIVETANKREN 4 years ago
it's too slow
@rafalkolodziej8437 4 years ago
Alternatively you can hit publicly available pi-holes as opposed to G or C.
@newdeathscope 4 years ago
That opens you up for a bunch of malicious dns attacks
@mloiterman 4 years ago
Do not use random DNS servers from untrusted sources. That’s a really, really bad idea.
@garshct1978 4 years ago
Sir do I need to check the DNS server override?
@nbctcp3450 4 years ago
Please make pfsense video for 1. DNS Over HTTPS 2. port knocking
@mac9046 4 years ago
Will you make a video on UniFi custom widgets for us udmp users
2 years ago
Next dns and rethink dns on android is the bomb. You can see the junk that’s being sucked up.
@augurseer 4 years ago
Dnssec or DNS over TLS?
@clausdk6299 4 years ago
He deleted his old video because he thought it had something to do with DNSSEC...😁 so he made a new video
@mloiterman 4 years ago
They’re two different things. One authenticates domains (DNSSEC) and the other encrypts DNS lookups (DNS over TLS)
@berndeckenfels 4 years ago
Can you make pfSense serve a DoH resolver?
@LIVETANKREN 4 years ago
not supported
@tomferrin1148 4 years ago
Tom, absolutely love your videos but please take a breath of air every now and then and slow down just a bit, especially when whipping through pfSense configuration options. Thanks!
@killer2600 4 years ago
You can adjust playback speed in the youtube player.
@DenzaDJNLD 4 years ago
👍
@corstian_ 4 years ago
Reupload?
@jisagi 4 years ago
Looks like it
@LAWRENCESYSTEMS 4 years ago
sort of, I had conflated words and made some mistakes. Accuracy matters, re-did the video.
@corstian_ 4 years ago
@@LAWRENCESYSTEMS thanks for caring about the content.