2. About this Hangout
● Project News
● DNS Overview
● When to use the firewall for DNS (and
not to)
● DNS Resolver vs DNS Forwarder
● Host Overrides
● Domain Overrides
● DNS and VPNs
● DNS and Multi-WAN
● DHCP and DNS
● How the firewall assigns DNS
servers to clients
● DNS over TLS Overview
● DNS over TLS Upstream Forwarders
● Providing DNS over TLS to local
clients
● Intercepting DNS at the Firewall
● Miscellaneous additional DNS
Resolver/Forwarder tidbits
3. Project News
● April IPv6 bogons list too large for old default table size of 200,000
– Can lead to filter load errors if bogon lists are in use
– Sys > Adv, Firewall & NAT, Increase Firewall Maximum Table Entries to 400000
– Or disable bogon option on all interfaces
– 2.4.4 will have a higher default, but setting it now will correct the issue
● TNSR coming to AWS soon
● pfSense 2.4.4 development underway, primary focus is FreeBSD 11.2 and PHP 7.2
● XG-7100 1U is now shipping
● Sales going on this month:
– Single port Minnowboard Turbot Quad Core and all Lures
● 15% discount with code MAKERS at checkout
– XG-1541 security gateway
● 10% discount with code NETGATE1541 at checkout
● Valid through the end of May
4. DNS Overview
● DNS is short for Domain Name System
● Translates host names into IP addresses
● Devices must communicate using IP addresses, not names, so DNS makes it
easier for humans to find other devices without having to memorize IP addresses
● For example: www.example.com to 203.0.113.65
● There are other types of records as well for various tasks:
● A for IPv4 address, AAAA for IPv6 address, PTR for reverse DNS, MX for mail exchange host for a
domain, TXT information records, CNAME aliases, SRV to locate services, etc.
● Hierarchical structure: clients talk to recursive forwarders or resolvers, forwarders
talk to recursive resolvers, resolvers talk to the roots and authoritative servers
5. DNS Overview
● Clients query a DNS server over UDP port 53 and ask it for a record of a specific name and type.
If the answer does not fit in the UDP reply, the server sets the TC (truncated) flag and the client
retries the same query over TCP port 53.
– DNS over TLS uses only TCP on port 853, but we’ll cover that special case later
● If the forwarder or resolver knows the host locally or has the answer in its cache, it replies
with the result; otherwise it asks upstream (a forwarder asks a recursive resolver, a resolver asks the roots)
● A resolver walks the hierarchy: it asks a root server, which refers it to the TLD servers, which refer it to
the servers authoritative for the domain, and it then asks those for the answer to the original query.
● The answer is passed back down to the client
● Note: A forwarder must talk to upstream recursive forwarders or recursive resolvers. A
resolver can operate independently and talks to the root DNS servers and other
authoritative servers directly.
6. Why use the firewall for DNS?
● Less effort than running a dedicated full-featured DNS server, at the expense of some
features
– It’s on by default and works well, easy to configure via GUI
● The firewall is placed conveniently at the edge to handle DNS for all local clients
● Host and domain overrides allow customization and control over DNS responses given
to clients
● Easy integration with the DHCP server on pfSense for resolution of client hostnames
● Caching DNS responses locally can speed up resolution and save time/resources on
repeated or frequent queries
● More efficient selection of upstream DNS servers, minimizes downtime due to slow or
broken DNS servers
7. Why NOT use the firewall for DNS?
● For complex DNS requirements, such as:
– Multiple sites sharing the same domain name where all hostnames must be visible to all
clients
– Providing different responses to different sets of local clients (“views”)
– Clients that must register hostnames in different domains on the same local segment
● When a local network contains an Active Directory domain
– In these cases, it is best to use the AD structure for DHCP and DNS for proper registration
of clients, proper service location, and client hostname resolution
– You can use the firewall DNS resolver/forwarder as an upstream forwarder for the AD DNS
server, but clients should not use it directly
● For providing authoritative answers to public clients
8. DNS Resolver (unbound)
● Default since pfSense 2.2.x
● Uses Unbound, a secure caching resolver included in FreeBSD
● Can operate independently without manually configured upstream DNS servers
● As a resolver, by default it contacts root DNS and other authoritative DNS servers directly and not the defined
forwarding servers
– Better “out of the box” behavior as it does not require the user to configure DNS in any way before it is completely functional
– May have issues if the ISP filters or rate limits access to other DNS servers
– Multi-WAN can be tricky
● Can also operate in forwarding mode using upstream DNS servers
– All servers from System > General Setup are configured as forwarders, but Unbound picks one based on its
measured response time and switches if it is slow or down
– Tracks stats on available servers and does not query every server for each lookup, so less predictable than the forwarder
– unbound-control -c /var/unbound/unbound.conf lookup .
– unbound-control -c /var/unbound/unbound.conf dump_infra
– Status > DNS Resolver on 2.4.4
9. DNS Resolver (unbound)
● Can easily use Domain Name System Security Extensions (DNSSEC) for
secure DNS
– Provides authentication and integrity confirmation, preventing forged/spoofed
responses, does not provide encryption
– Works in resolver mode, and in forwarding mode if forwarders support DNSSEC
● Supports DNS over TLS for DNS query privacy (encryption)
– Can act as a client to upstream TLS forwarders and a server to local TLS clients
● Many options for tuning, optimization, and privacy
● Scales better for large numbers of clients
● Better security / access control
10. DNS Forwarder (dnsmasq)
● Uses dnsmasq, a lightweight caching DNS forwarder
● Requires available upstream DNS servers, either manually
configured under System > General Setup or obtained
automatically (e.g. DHCP or PPPoE)
● By default, queries all DNS servers in parallel and returns the
fastest result
– Robust but can counteract intentional preferential ordering of servers
– Works well for Multi-WAN
11. Host Overrides
● Works the same in the DNS Resolver and DNS Forwarder
● Custom DNS A/AAAA records that either return answers for hosts that do not
exist in upstream DNS or override an upstream response with a custom
local response
● Can be used to define local server hostnames, hosts for use with VPNs,
testing/development hosts, etc
● Can also be used to override responses for split DNS or mild blocking (e.g.
return a bogus result for facebook.com)
– Only affects clients that actually use the firewall for DNS; a client pointed at another
server bypasses it unless DNS is intercepted at the firewall (covered later)
● Can have multiple “aliases”, additional hostnames that resolve to the same
address
12. Domain Overrides
● Define a different upstream server for queries on a specific domain
● All queries for hosts under the specified domain will be sent to the given server
● Useful for local domains (e.g. AD) or DNS across a VPN
● DNS Resolver overrides use Forwarding zones, not Stub zones
– Stub zones only work if talking directly to an authoritative server
● DNS Resolver can enable DNS over TLS selectively per domain
● DNS Forwarder can set a source address for the queries, which helps with IPsec
– DNS Resolver can set the outgoing network interface globally, but not on a selective basis
● DNS Forwarder can also make exceptions for subdomains to pass to normal DNS, or to prevent
a domain from being queried on other servers (local only)
● Define a domain multiple times with different server IP addresses for redundancy
13. VPNs and DNS on the Firewall
● When a VPN or private link connects multiple sites, domain overrides can allow each site to query the others
– Each site must be using a different domain or subdomain!
● OpenVPN works well since it is routed
– Queries will be sourced from the VPN tunnel network, unless using a manually set outgoing address/interface
– May need to account for that in DNS ACLs/Firewall rules on the target DNS server
● When using the DNS Forwarder and IPsec, set the source address of domain overrides to be a LAN IP address or
another local IP/interface inside the IPsec P2
● When using the DNS Resolver and IPsec, set the outgoing query interface to be LAN or other local interface in the IPsec
P2
– Alternately, use the gateway+static route trick on the wiki:
https://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN
● If all DNS queries must flow through the other side, then:
– DNS Resolver: Enable forwarding mode, configure the other side’s DNS server under System > General Setup & disable DNS from
DHCP/PPPoE
– DNS Forwarder: Configure the other side’s DNS server under System > General Setup & disable DNS from DHCP/PPPoE, configure the DNS
Forwarder to bind only to LAN and use strict interface binding
– Make sure the VPN doesn’t need DNS to connect (e.g. a peer defined by hostname), or it can never come up!
14. DNS and Multi-WAN
● Both DNS Resolver and DNS Forwarder can be compatible with Multi-WAN
● DNS Resolver by default queries random root servers and other authoritative servers, but can
be adjusted to work with Multi-WAN
– Multi-WAN Option 1: Enable Default Gateway Switching (System > Advanced, Misc)
– Option 2: Enable Forwarding mode, then visit System > General Setup and configure at least one
unique DNS server per WAN and choose a gateway for each one
● DNS Resolver in Forwarding mode may require disabling DNSSEC depending on the upstream forwarding servers
● For DNS Forwarder, same as resolver option 2, configure a DNS server per WAN with
different gateways
● Alternately, do not use either the Resolver or the Forwarder:
– Set clients to use public IP address DNS servers directly and their DNS requests will policy route like
the rest of their traffic
15. DHCP and DNS
● Both the DNS Resolver and DNS Forwarder support registration of DHCP hostnames for dynamic and
static IPv4 leases
● Domain for this feature is assumed to be the domain of the firewall itself, not the domain configured in
DHCP options
● The dhcpleases daemon monitors the DHCP leases file and populates the hostnames into the DNS
Resolver or Forwarder
● Clients must supply their own hostname for dynamic leases, for static leases the configured hostname
on the static mapping is used
– Clients which provide an invalid or blank hostname will not resolve
● Be wary of using a domain directly rather than a subdomain, to avoid a troublesome host providing a
name such as “www”
● In an HA pair, dynamic lease hostnames are not exchanged between the nodes; this is an ISC DHCPD
limitation that must be fixed upstream
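The registration path described on this slide (leases file in, local DNS data out, invalid or blank hostnames dropped), as an added example. This is my own code, not pfSense's dhcpleases daemon: it parses a constructed dhcpd.leases excerpt and emits Unbound local-data/local-data-ptr lines. The reserved-name list is an assumption added as a mitigation for the "troublesome host providing www" case; the exact file pfSense writes is not shown on the page.

```python
"""ISC dhcpd.leases -> Unbound local-data (added example, not pfSense code)."""
import re

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
# RFC 1123 host label: letters, digits, hyphens; no leading/trailing hyphen; <= 63 chars
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def parse_leases(text):
    """Return {ip: (binding_state, client_hostname)}.
    dhcpd.leases is append-only, so a later entry for an IP supersedes earlier ones."""
    leases = {}
    for m in LEASE_RE.finditer(text):
        ip, body = m.group(1), m.group(2)
        state = re.search(r"binding state (\w+);", body)
        host = re.search(r'client-hostname "([^"]*)";', body)
        leases[ip] = (state.group(1) if state else None,
                      host.group(1) if host else None)
    return leases

# Assumed reserved names: a client supplying one of these must not get a record.
RESERVED = ("www", "mail", "ns1", "ns2", "gateway")

def unbound_entries(leases, domain, reserved=RESERVED):
    """Emit local-data lines for active leases with a usable hostname; return
    (entries, skipped). Blank/invalid/reserved names are skipped, so they do not resolve."""
    entries, skipped = [], []
    for ip, (state, host) in sorted(leases.items()):
        if state != "active":
            continue
        if not host or not LABEL_RE.match(host) or host.lower() in reserved:
            skipped.append((ip, host))
            continue
        fqdn = f"{host.lower()}.{domain.rstrip('.')}."
        entries.append(f'local-data: "{fqdn} A {ip}"')
        entries.append(f'local-data-ptr: "{ip} {fqdn}"')
    return entries, skipped

# Constructed sample leases file (not a real capture).
SAMPLE_LEASES = """\
lease 192.168.1.50 {
  starts 3 2018/05/16 12:00:00;
  ends 3 2018/05/16 14:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "Laptop";
}
lease 192.168.1.51 {
  binding state active;
  hardware ethernet 00:11:22:33:44:66;
  client-hostname "";
}
lease 192.168.1.52 {
  binding state active;
  hardware ethernet 00:11:22:33:44:77;
  client-hostname "www";
}
lease 192.168.1.53 {
  binding state active;
  hardware ethernet 00:11:22:33:44:88;
  client-hostname "old-printer";
}
lease 192.168.1.53 {
  binding state free;
  hardware ethernet 00:11:22:33:44:88;
}
"""

if __name__ == "__main__":
    entries, skipped = unbound_entries(parse_leases(SAMPLE_LEASES), "lan.example.com")
    print("\n".join(entries))
    print("skipped:", skipped)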
16. How the firewall assigns DNS servers to clients
● When using pfSense as a DHCP server, clients are automatically
assigned DNS servers based on several criteria:
– If DNS servers are defined in the DHCP settings, they are always used,
otherwise...
– If the DNS Resolver or DNS Forwarder are enabled, the IP address of the
firewall is given to clients, otherwise...
– If DNS servers are defined under System > General Setup, those are given
to clients, otherwise…
– If none of the above are defined, then DNS servers are not provided to
DHCP clients
17. DNS over TLS Overview
● Encrypts the transport between client and server so that queries and responses cannot be read or
altered by anyone on the path
– Stops on-path sniffing or tampering (e.g. by an ISP) used to log or manipulate lookups
● Complements DNSSEC, each solves a different problem (Authenticity vs Privacy)
● Utilizes TLS certificates/PKI, like HTTPS and other similar services
● Queries use TCP port 853
● Standards-based (RFC 7858, RFC 8310), unlike DNSCrypt, which is not an IETF standard
● Supported by Unbound (DNS Resolver), and a growing number of other DNS-related software
– Android P will support DNS over TLS natively and prefer it when available
● Upstream forwarding servers must support DNS over TLS
● Requires forwarding mode in the DNS Resolver, otherwise all roots and all authoritative DNS servers
would need to support DNS over TLS
18. DNS over TLS Overview
● Still requires you to trust the DNS server(s): they can see your queries and, in the absence of
DNSSEC, manipulate responses
● Even if an intermediary can’t see your DNS requests, they can still sniff other info from your traffic
(e.g. the SNI name in the TLS ClientHello of HTTPS connections), so it is not a replacement for a VPN in all privacy scenarios
● Due to TLS session setup overhead, can be much slower than traditional DNS
– Even with TCP Fast Open and TLS session reuse there is still some overhead, and potentially issues with
session management
– Effect is minimized for popular queries since they will be answered from the cache
● Limited number of public DNS over TLS providers
– Primarily CloudFlare and Quad9
● Utilities like drill and dig do not all have support for TLS yet, so troubleshooting can be tricky
– There are some out there, like kdig from knot-dns
19. Public DNS over TLS Providers
● CloudFlare – https://blog.cloudflare.com/announcing-1111/
– 1.1.1.1
– 1.0.0.1
– 2606:4700:4700::1111
– 2606:4700:4700::1001
● Quad9 – https://www.quad9.net/
– 9.9.9.9
– 149.112.112.112
– 2620:fe::fe
● Roll your own
– Set up a DNS over TLS server to use
● Find another provider at https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers
● Note the addresses to use and keep them nearby for the next steps
20. DNS over TLS Upstream Forwarders
● If using the DNS Forwarder, switch to the DNS Resolver instead
● Add the DNS servers to pfSense
– Navigate to System > General Setup
– Under DNS servers add the DNS server IP addresses noted
previously
– Pick appropriate gateways for each if using Multi-WAN, otherwise
leave the gateway selection at ‘none’
21. DNS over TLS Upstream Forwarders
● Set the DNS Resolver to use DNS over TLS (pfSense 2.4.3)
– Navigate to Services > DNS Resolver, Click Display Custom Options
– Enter the following:
server:
forward-zone:
name: "."
forward-ssl-upstream: yes
forward-addr: <server ip address>@853
– Repeat the forward-addr: line once for each upstream forwarder, for example:
forward-addr: 1.1.1.1@853
forward-addr: 1.0.0.1@853
forward-addr: 9.9.9.9@853
forward-addr: 149.112.112.112@853
– The server: line is required, omitting it may break depending on other selected options
– As written, Unbound encrypts the session but does not verify the forwarder’s certificate (no CA bundle
is configured), so this defeats passive sniffing but not an active on-path attacker presenting its own certificate
● Set the DNS Resolver to use DNS over TLS (pfSense 2.4.4)
– Navigate to Services > DNS Resolver
– Check Enable Forwarding Mode
– Check Use SSL/TLS for outgoing DNS Queries to Forwarding Servers
22. DNS over TLS Upstream Forwarders
● Confirm unbound is using port 853
– unbound-control -c /var/unbound/unbound.conf dump_infra
● Test by making DNS queries
– Check states for entries going to port 853 on the forwarding servers
– Take packet captures of traffic to confirm that queries are using port
853 and that they are encrypted
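The wire-level exchange from the DNS Overview (UDP/53, retry over TCP/53 when the TC bit is set) and the DNS over TLS client behaviour covered on the last few slides (TCP/853, TLS with certificate verification, the 2-byte length prefix shared by TCP and TLS transports), as one added example in Python. This is my own code, not pfSense or Unbound code. The sample response bytes are constructed; cloudflare-dns.com is Cloudflare's published DoT hostname (assumed current); all other names are mine.

```python
"""Minimal DNS client: UDP/53 with TCP/53 retry on truncation, plus DNS over TLS (added example)."""
import random
import socket
import ssl
import struct

QTYPE_A, QTYPE_AAAA, FLAG_TC = 1, 28, 0x0200  # FLAG_TC: "truncated" bit in the header flags

def build_query(name, qtype=QTYPE_A, txid=0x1234):
    """One-question query, RD=1 (ask the server to recurse), class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after the field)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_response(msg):
    """Return id, TC flag, rcode and the answer RRs as (name, type, ttl, value)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == QTYPE_A and rdlen == 4:
            value = socket.inet_ntop(socket.AF_INET, rdata)
        elif rtype == QTYPE_AAAA and rdlen == 16:
            value = socket.inet_ntop(socket.AF_INET6, rdata)
        else:
            value = rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"id": txid, "truncated": bool(flags & FLAG_TC),
            "rcode": flags & 0xF, "answers": answers}

def frame(msg):
    """TCP and TLS transports prefix every message with its 16-bit length."""
    return struct.pack("!H", len(msg)) + msg

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-message")
        buf += chunk
    return buf

def query(name, server, transport="udp", hostname=None, qtype=QTYPE_A, timeout=5):
    """transport: "udp" (retries over tcp when truncated), "tcp", or "tls" (DoT on 853,
    hostname = name on the server certificate, used for SNI and verification)."""
    txid = random.randrange(65536)
    q = build_query(name, qtype, txid)
    if transport == "udp":
        family = socket.AF_INET6 if ":" in server else socket.AF_INET
        with socket.socket(family, socket.SOCK_DGRAM) as udp:
            udp.settimeout(timeout)
            udp.sendto(q, (server, 53))
            resp = udp.recv(4096)
        if parse_response(resp)["truncated"]:
            return query(name, server, "tcp", None, qtype, timeout)
    else:
        sock = socket.create_connection((server, 853 if transport == "tls" else 53), timeout=timeout)
        if transport == "tls":  # create_default_context verifies the chain and the hostname
            sock = ssl.create_default_context().wrap_socket(sock, server_hostname=hostname)
        with sock:
            sock.sendall(frame(q))
            (length,) = struct.unpack("!H", recv_exact(sock, 2))
            resp = recv_exact(sock, length)
    parsed = parse_response(resp)
    if parsed["id"] != txid:  # a blindly spoofed reply will usually fail this check
        raise ValueError("transaction ID mismatch")
    return parsed

# Constructed sample reply (not captured): www.example.com A 203.0.113.65, TTL 300;
# the answer's owner name is a compression pointer (0xC00C) back to the question.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x03www\x07example\x03com\x00" + struct.pack("!HH", QTYPE_A, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, 300, 4) + bytes([203, 0, 113, 65])
)

if __name__ == "__main__":
    # Live lookups (network required): plain DNS, then DNS over TLS to Cloudflare.
    print(query("www.example.com", "1.1.1.1"))
    print(query("www.example.com", "1.1.1.1", "tls", "cloudflare-dns.com"))
```

Run against a forwarder while taking the packet capture from the slide above: the "tls" call shows only TLS records on port 853, and it raises an ssl error if the certificate does not match the hostname given, which is exactly the verification the 2.4.3 custom-options configuration does not perform.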
23. Providing DNS over TLS to local clients
● The DNS Resolver can also be used to provide DNS over TLS service to local clients
● GUI controls added to pfSense 2.4.4
● Create a TLS certificate for use by the DNS Resolver (ACME/LE certs work well!)
● Setup the DNS Resolver
– Services > DNS Resolver
– Check Enable SSL/TLS Service
– Pick the SSL/TLS Certificate; clients validate it against the hostname they are configured to use, so the
certificate must be issued for that name and chain to a CA the clients trust
– The SSL/TLS Port can be left at the default 853
● Can be done manually in 2.4.3 but more involved, see
https://redmine.pfsense.org/issues/8030
24. Intercepting DNS at the Firewall
● To prevent clients from reaching undesirable external DNS servers, capture the DNS requests at the
firewall
● Probably not a great idea for a public access network without consent from the users or notice
● Alternately, block access to all DNS except for the firewall itself.
● Port forward contents:
– Interface: LAN
– Protocol: TCP/UDP
– Destination: Invert Match checked, LAN Address or This Firewall (self)
– Destination Port Range: 53 (DNS)
– Redirect Target IP: 127.0.0.1
– Redirect Target Port: 53 (DNS)
● Any client request for a different DNS server will instead be redirected to the DNS Resolver or Forwarder
– Only plain DNS on port 53 is caught; clients using DNS over TLS (TCP 853) bypass the redirect, so block
outbound 853 as well unless you intend to allow it
– The redirect target must be listening on 127.0.0.1, which is the case with the default “All” network interface selection
25. Misc – Query Name Minimization
● The DNS Resolver supports query name minimization to further
enhance privacy (RFC 7816)
– Sends as little information as possible with each query, to avoid giving
intermediate DNS servers too much information about the full target
– On 2.4.4, under Advanced Settings tab, check “Query Name Minimization”
– On 2.4.3 and before, add the following to the custom options:
server:
qname-minimisation: yes
– There is also a strict mode, but we do not recommend using that in most
cases as some domains will fail to resolve
26. Misc – DNS Rebinding
● Both the DNS Resolver and DNS Forwarder provide DNS Rebinding Protection
– This protection strips private IP addresses from upstream DNS responses, to stop an attacker’s
domain from pointing a browser at a device on your local network (DNS rebinding)
– Private responses from upstream are legitimate in some cases, e.g. an internal domain reached through a
domain override, and must then be allowed explicitly
– Can be disabled per domain or globally
– DNS Resolver:
server:
private-domain: "example.com"
– DNS Forwarder, use custom options:
rebind-domain-ok=/example.com/
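The filtering logic this slide describes, as an added example: drop upstream answers that point into private or local address space unless the queried name is under an explicitly allowed domain. This is my own code illustrating the idea behind Unbound's private-address/private-domain and dnsmasq's rebind-domain-ok, not the resolvers' implementation; the list of ranges is an assumption (check the generated Unbound config for the real one), and the rebinding scenario is constructed.

```python
"""DNS rebinding filter (added example, not Unbound or dnsmasq code)."""
import ipaddress

# Assumed set of ranges to treat as "private": RFC 1918, loopback, link-local, ULA,
# "this" network and the unspecified address.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

def is_private(ip):
    """True if ip (str) falls in a private range; IPv4-mapped IPv6 (::ffff:a.b.c.d)
    is unmapped first so a v4 LAN address cannot be smuggled through an AAAA record."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in PRIVATE_RANGES)

def under_domain(name, zone):
    """Exact match or subdomain match on label boundaries (no notexample.com leak)."""
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)

def filter_rebind(qname, answers, private_domains=()):
    """answers: list of (rrname, ip). Return (kept, dropped). Names under an allowed
    private domain pass untouched; everything else has private answers removed."""
    if any(under_domain(qname, z) for z in private_domains):
        return list(answers), []
    kept, dropped = [], []
    for rr in answers:
        (dropped if is_private(rr[1]) else kept).append(rr)
    return kept, dropped

# Constructed rebinding scenario: a short-TTL attacker name first resolves to a public
# address and then to the router's LAN address on the next lookup.
SCENARIO = [
    ("evil.attacker.example", [("evil.attacker.example", "198.51.100.7")]),
    ("evil.attacker.example", [("evil.attacker.example", "192.168.1.1")]),
    ("evil.attacker.example", [("evil.attacker.example", "::ffff:192.168.1.1")]),
    ("fileserver.corp.example.com", [("fileserver.corp.example.com", "10.20.0.5")]),
]
ALLOWED = ("corp.example.com",)  # the equivalent of private-domain / rebind-domain-ok

def run_scenario(scenario=SCENARIO, allowed=ALLOWED):
    """Return a list of (qname, kept, dropped) for each lookup in the scenario."""
    return [(q, *filter_rebind(q, ans, allowed)) for q, ans in scenario]

if __name__ == "__main__":
    for qname, kept, dropped in run_scenario():
        print(f"{qname}: kept={kept} dropped={dropped}")
```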
27. Misc – Controlling Unbound
● Use unbound-control -c /var/unbound/unbound.conf
<command> to make manual adjustments to Unbound while
running
– View the infrastructure cache (which DNS servers Unbound is talking to):
dump_infra
– Show the cache contents: dump_cache
– Flush a zone from the cache: flush_zone <name>
● Flush everything: flush_zone .
– View stats and performance data: stats_noreset