Learn how to configure DNS over HTTPS TLS blocking pfSense. Our pfSense Support team is here to help you with your questions and concerns.

Configure DNS over HTTPS TLS blocking pfSense

In the world of secure online communication, configuring encrypted DNS services using DNS over TLS has become popular. This protects the content of DNS queries and also makes sure that DNS is delivered via the expected servers. Furthermore, pfSense 2.4.4p3 supports DNS over TLS through its built-in resolver Unbound.

Today, we are going to take a quick look at how to set up DNS over TLS on our pfSense firewall.

Before we begin, we have to select DNS servers that support DNS over TLS on port 853. Some of the popular choices include Google and Cloudflare servers with the following IP addresses:

• Google: 8.8.8.8, 8.8.4.4
• Cloudflare: 1.1.1.1, 1.0.0.1

Then, we have to make sure that these servers allow connections on port 853 with the Nmap command:
nmap -Pn -sT -p 853 1.2.3.4

Remember to replace 1.2.3.4 with the server’s IP address.

Setting Up the DNS Resolver Service

1. pfSense offers both DNS Forwarder (dnsmasq) and DNS Resolver (Unbound). We have to use the DNS Resolver and make sure that DNS Forwarder is disabled.
2. Then, head to DNS Resolver under Service and set the following:
   • Network Interfaces: Select specific interfaces.
   • Outgoing Network Interfaces: Set to “WAN” or our designated ISP interface(s).
   • Enable DNS Query Forwarding, DNSSEC, and “Use SSL/TLS for outgoing DNS Queries to Forwarding Servers.”
   • Furthermore, enable enable Prefetch Support, Prefetch DNS Key Support, and Harden DNSSEC Data. on the Advanced tab.
3. Next, we have to make sure DNS services work on our LAN clients after enabling the DNS Resolver.

DNS over HTTPS/TLS Blocking

At this point, we can find the DNS over HTTPS/TLS Blocking option at:

Firewall > pfBlockerNG > DNSBL > DNSBL SafeSearch

We can remove this option and only Feed lists used for blocking DoH for the following reasons:

• The current SafeSearch list remains static. So we cannot add and remove DoH servers frequently.
• Feeds promote allow faster deployment of DoH server changes.
• There is already a dedicated DoH section in the feeds.
• Having two locations for DoH blocking can lead to confusion in the configuration process.
• Most instructions prefer using a block list for DoH blocking, overlooking the benefits of using feeds.
• The ‘SafeSearch/DNS over HTTPS/TLS Blocking’ feature relies on the whitelist system to prevent duplicate entries, which might be confusing without proper explanation.

[Need assistance with a different issue? Our team is available 24/7.]

Conclusion

In brief, our Support Experts demonstrated how to configure DNS over HTTPS TLS blocking pfSense.