
How to Set Up DNS over TLS

Summary

This will be a step-by-step guide on how to set up DNS over TLS for the WAN interface. Since the WAN interface does not utilize the VPN, the following DNS addresses from CleanBrowsing are used:

  • Domain: security-filter-dns.cleanbrowsing.org
  • IPv4 addresses: 185.228.168.9:853 and 185.228.169.9:853

General Settings

  • Navigate to System --> General Settings
  • Under DNS Servers, add the aforementioned IP addresses and make sure to select the WAN gateway.

Important

Make sure the DNS Server Override option is unchecked so that the DNS servers are never changed to the ISP DNS servers.

DNS Resolver

  • Navigate to Services --> DNS Resolver
  • Make sure the DNS resolver is enabled and that all LAN/VLAN interfaces are selected.
  • Check the boxes for the following:
    • Enable DNSSEC Support
    • DNS Query Forwarding
    • Use SSL/TLS for outgoing DNS Queries to Forwarding Servers

Info

The following is listed on a pfSense guide from 2018 as being necessary for this to work, although it is unclear at the time of writing whether it is still necessary. In any case, the following should be entered in the Custom Options text box:

  server:
  forward-zone:
    name: "."
    forward-ssl-upstream: yes
    forward-addr: 185.228.168.9@853
    forward-addr: 185.228.169.9@853

Additional Considerations

States

At this point, all DNS queries for the WAN interface should be using port 853, although it should be tested. In order to test, use the following steps:

  • Navigate to Diagnostics --> States
  • Use the filter and enter one of the DNS servers from earlier.
  • The results should show something like the following example:

    Interface  Protocol  Source (Original Source) -> Destination (Original Destination)  State                Packets  Bytes
    WAN        tcp       108.6.62.149:43100 -> 185.228.168.9:853                        TIME_WAIT:TIME_WAIT  14/10    1 KiB / 7KiB

  • The DNS protocol is now TCP (whereas default DNS on port 53 is UDP) and the port is 853.
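To make the "TCP to port 853" state above concrete, here is a small DNS-over-TLS (RFC 7858) client. It is an added example, not code from the page, pfSense or CleanBrowsing; build_query() and split_messages() run offline, while query_dot() actually contacts the CleanBrowsing resolver named on the page and rejects any server whose certificate does not match that hostname.

```python
import socket
import ssl
import struct

# CleanBrowsing security filter endpoint, as given on the page.
DOT_SERVER_IP = "185.228.168.9"
DOT_SERVER_NAME = "security-filter-dns.cleanbrowsing.org"
DOT_PORT = 853

def build_query(qname, qtype=1, txid=0x1234):
    """Build a DNS query (A record by default, RD bit set) and prepend the
    2-byte big-endian length that TCP and TLS transport require."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    question += b"\x00" + struct.pack(">HH", qtype, 1)  # root label, type, IN
    msg = header + question
    return struct.pack(">H", len(msg)) + msg

def split_messages(stream):
    """Split bytes read from the TLS socket into whole DNS messages using the
    length prefixes; raise if the stream ends mid-message."""
    out, i = [], 0
    while i < len(stream):
        if i + 2 > len(stream):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack(">H", stream[i:i + 2])
        if i + 2 + n > len(stream):
            raise ValueError("truncated message")
        out.append(stream[i + 2:i + 2 + n])
        i += 2 + n
    return out

def rcode(msg):
    """Return the RCODE (low 4 bits of the flags word) of a DNS message."""
    return struct.unpack(">H", msg[2:4])[0] & 0x0F

def query_dot(qname, ip=DOT_SERVER_IP, name=DOT_SERVER_NAME):
    """Send one query on port 853 over TLS. The default context verifies the
    certificate chain and checks it against the CleanBrowsing hostname, so a
    resolver impersonating those IPs is rejected. Needs network access."""
    ctx = ssl.create_default_context()
    with socket.create_connection((ip, DOT_PORT), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=name) as tls:
            tls.sendall(build_query(qname))
            data = tls.recv(2)
            (n,) = struct.unpack(">H", data)
            while len(data) < 2 + n:
                data += tls.recv(2 + n - len(data))
            return split_messages(data)[0]
```

Running query_dot("example.com") from a LAN host and watching Diagnostics --> States should produce a TCP state to port 853 like the one shown above, and rcode() of the reply should be 0.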

Packet Capture

  • Go to Diagnostics --> Packet Capture
  • Select the WAN interface
  • Enter 853 for the port
  • Press "start" and browse to a website
  • Hit the "stop" button and inspect the packet capture. The DNS queries should be using the proper DNS servers over port 853.
  • The same steps using port 53 should show up empty, indicating everything is working as it should.

Firewall Rules

Although not absolutely necessary, this will ensure that no outgoing connections for the WAN interface use port 53. To do this, use the following steps:

  • Navigate to Firewall --> Rules --> Floating and click Add.
  • Use the following settings:
    • Action: Reject (or Block)
    • Quick: enabled
    • Interface: WAN
    • Direction: out
    • Address Family: IPv4 + IPv6
    • Protocol: TCP/UDP
    • Source: invert match, This Firewall (NOTE: previous directions here said “any,” however that prevented the DNS Resolver service from restarting correctly)
    • Destination: any
    • Destination Port: 53
  • Navigate to Firewall --> NAT --> Port Forward and click Add.
  • Use the following settings:
    • Interface: LAN (you’ll need to make duplicate rules for each LAN/VLAN interface)
    • Protocol: TCP/UDP
    • Destination: invert match, This Firewall
    • Destination port range: DNS
    • Redirect target IP: 127.0.0.1
    • Redirect target port: DNS
    • NAT reflection: Disable

Verification

Finally, DNSSEC support should be tested.

  • Navigate to https://dnssec.vs.uni-due.de/ and click "Start Test"
  • When the test finishes, a drawing with a thumbs up should be displayed, along with "Yes, your DNS resolver validates DNSSEC signatures."

Resources