SlideShare ist ein Scribd-Unternehmen logo

Local DNS with pfSense 2.4 - pfSense Hangout April 2018

Netgate
Netgate

Slides for the April 2018 pfSense Hangout video

Technologie
1 von 28
Downloaden Sie, um offline zu lesen
Local DNS with pfSense 2.4 April 2018 Hangout Jim Pingle
About this Hangout ● Project News ● DNS Overview ● When to use the firewall for DNS (and not to) ● DNS Resolver vs DNS Forwarder ● Host Overrides ● Domain Overrides ● DNS and VPNs ● DNS and Multi-WAN ● DHCP and DNS ● How the firewall assigns DNS servers to clients ● DNS over TLS Overview ● DNS over TLS Upstream Forwarders ● Providing DNS over TLS to local clients ● Intercepting DNS at the Firewall ● Miscellaneous additional DNS Resolver/Forwarder tidbits
Project News ● April IPv6 bogons list too large for old default table size of 200,000 – Can lead to filter load errors if bogon lists are in use – Sys > Adv, Firewall & NAT, Increase Firewall Maximum Table Entries to 400000 – Or disable bogon option on all interfaces – 2.4.4 will have a higher default, but setting it now will correct the issue ● TNSR coming to AWS soon ● pfSense 2.4.4 development underway, primary focus is FreeBSD 11.2 and PHP 7.2 ● XG-7100 1U is now shipping ● Sales going on this month: – Single port Minnowboard Turbot Quad Core and all Lures ● 15% discount with code MAKERS at checkout – XG-1541 security gateway ● 10% discount with code NETGATE1541 at checkout ● Valid through the end of May
DNS Overview ● DNS is short for Domain Name System ● Translates host names into IP addresses ● Devices must communicate using IP addresses, not names, so DNS makes it easier for humans to find other devices without having to memorize IP addresses ● For example: www.example.com to 203.0.113.65 ● There are other types of records as well for various tasks: ● A for IPv4 address, AAAA for IPv6 address, PTR for reverse DNS, MX for mail exchange host for a domain, TXT information records, CNAME aliases, SRV to locate services, etc. ● Hierarchal structure: Clients talk to recursive forwarders or resolvers, forwarders talk to recursive resolvers, resolvers talk to roots and authoritative servers
DNS Overview ● Clients query a DNS server using UDP port 53 and ask it for a record of a specific type. Depending on the size of the result, the connection can switch to TCP on port 53. – DNS over TLS uses only TCP on port 853, but we’ll cover that special case later ● If the forwarder or resolver knows the host locally or has the answer in the cache, it replies back with the result, or it asks upstream to a recursive resolver, or roots ● A resolver will ask the root servers for the source of authority for a domain, and then contact the authoritative servers listed in the response for the answer to the original query. ● The answer is passed back down to the client ● Note: A forwarder must talk to upstream recursive forwarders or recursive resolvers. A resolver can operate independently and can talk to the root DNS servers and other authoritative servers directly.
Why use the firewall for DNS? ● Less effort than running a dedicated full-featured DNS server, at the expense of some features – It’s on by default and works well, easy to configure via GUI ● The firewall is placed conveniently at the edge to handle DNS for all local clients ● Host and domain overrides allow customization and control over DNS responses given to clients ● Easy integration with the DHCP server on pfSense for resolution of client hostnames ● Caching DNS responses locally can speed up resolution and save time/resources on repeated or frequent queries ● More efficient selection of upstream DNS servers, minimizes downtime due to slow or broken DNS servers
Why NOT use the firewall for DNS? ● For complex DNS requirements, such as: – Multiple sites sharing the same domain name where all hostnames must be visible to all clients – Providing different responses to different sets of local clients (“views”) – Clients that must register hostnames in different domains on the same local segment ● When a local network contains an Active Directory domain – In these cases, it is best to use the AD structure for DHCP and DNS for proper registration of clients, proper service location, and client hostname resolution – You can use the firewall DNS resolver/forwarder as an upstream forwarder for the AD DNS server, but clients should not use it directly ● For providing authoritative answers to public clients
DNS Resolver (unbound) ● Default since pfSense 2.2.x ● Uses Unbound, a secure caching resolver included in FreeBSD ● Can operate independently without manually configured upstream DNS servers ● As a resolver, by default it contacts root DNS and other authoritative DNS servers directly and not the defined forwarding servers – Better “out of the box” behavior as it does not require the user to configure DNS in any way before it is completely functional – May have issues if the ISP filters or rate limits access to other DNS servers – Multi-WAN can be tricky ● Can also operate in forwarding mode using upstream DNS servers – Has all defined, but selects a DNS server from System > General Setup, switches if slow/down – Tracks stats on available servers, does not always query every server, so less predictable than the forwarder – unbound-control -c /var/unbound/unbound.conf lookup . – unbound-control -c /var/unbound/unbound.conf dump_infra – Status > DNS Resolver on 2.4.4
DNS Resolver (unbound) ● Can easily use Domain Name System Security Extensions (DNSSEC) for secure DNS – Provides authentication and integrity confirmation, preventing forged/spoofed responses, does not provide encryption – Works in resolver mode, and in forwarding mode if forwarders support DNSSEC ● Supports DNS over TLS for DNS query privacy (encryption) – Can act as a client to upstream TLS forwarders and a server to local TLS clients ● Many options for tuning, optimization, and privacy ● Scales better for large numbers of clients ● Better security / access control
DNS Forwarder (dnsmasq) ● Uses dnsmasq, a lightweight caching DNS forwarder ● Requires available upstream DNS servers, either manually configured under System > General Setup or obtained automatically (e.g. DHCP or PPPoE) ● By default, queries all DNS servers in parallel and returns the fastest result – Robust but can counteract intentional preferential ordering of servers – Works well for Multi-WAN
Host Overrides ● Works the same in the DNS Resolver and DNS Forwarder ● Custom DNS A/AAAA records that either return answers for hosts that do not exist in upstream DNS or overrides an upstream response with a custom local response ● Can be used to define local server hostnames, hosts for use with VPNs, testing/development hosts, etc ● Can also be used to override responses for split DNS or mild blocking (e.g. return a bogus result for facebook.com) ● Can have multiple “aliases”, additional hostnames that resolve to the same address
Domain Overrides ● Define a different upstream server for queries on a specific domain ● All queries for hosts under the specified domain will be sent to the given server ● Useful for local domains (e.g. AD) or DNS across a VPN ● DNS Resolver overrides use Forwarding zones, not Stub zones – Stub zones only work if talking directly to an authoritative server ● DNS Resolver can enable DNS over TLS selectively per domain ● DNS Forwarder can set a source address for the queries, which helps with IPsec – DNS Resolver can set the outgoing network interface globally, but not on a selective basis ● DNS Forwarder can also make exceptions for subdomains to pass to normal DNS, or to prevent a domain from being queried on other servers (local only) ● Define a domain multiple times with different server IP addresses for redundancy
VPNs and DNS on the Firewall ● When a VPN or private link connects multiple sites, domain overrides can allow each site to query the others – Each site must be using a different domain or subdomain! ● OpenVPN works well since it is routed – Queries will be sourced from the VPN tunnel network, unless using a manually set outgoing address/interface – May need to account for that in DNS ACLs/Firewall rules on the target DNS server ● When using the DNS Forwarder and IPsec, set the source address of domain overrides to be a LAN IP address or another local IP/interface inside the IPsec P2 ● When using the DNS Resolver and IPsec, set the outgoing query interface to be LAN or other local interface in the IPsec P2 – Alternately, use the gateway+static route trick on the wiki: https://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itsel f_over_IPsec_VPN ● If all DNS queries must flow through other side, then: – DNS Resolver: Enable forwarding mode, configure other side’s DNS server under System > General Setup & disable DNS from DHCP/PPPoE – DNS Forwarder: Configure other side’s DNS server under System > General & disable DNS from DHCP/PPPoE, Configure DNS Forwarder to bind only to LAN and use strict interface binding – Make sure VPN doesn’t need DNS to connect!
DNS and Multi-WAN ● Both DNS Resolver and DNS Forwarder can be compatible with Multi-WAN ● DNS Resolver by default queries random root servers and other authoritative servers, but can be adjusted to work with Multi-WAN – Multi-WAN Option 1: Enable Default Gateway Switching (System > Advanced, Misc) – Option 2: Enable Forwarding mode, then visit System > General Setup and configure at least one unique DNS server per WAN and choose a gateway for each one ● DNS Resolver in Forwarding mode may require disabling DNSSEC depending on the upstream forwarding servers ● For DNS Forwarder, same as resolver option 2, configure a DNS server per WAN with different gateways ● Alternately, do not use either the Resolver or the Forwarder: – Set clients to use public IP address DNS servers directly and their DNS requests will policy route like the rest of their traffic
DHCP and DNS ● Both the DNS Resolver and DNS Forwarder support registration of DHCP hostnames for dynamic and static IPv4 leases ● Domain for this feature is assumed to be the domain of the firewall itself, not the domain configured in DHCP options ● The dhcpleases daemon monitors the DHCP leases file and populates the hostnames into the DNS Resolver or Forwarder ● Clients must supply their own hostname for dynamic leases, for static leases the configured hostname on the static mapping is used – Clients which provide an invalid or blank hostname will not resolve ● Be wary of using a domain directly rather than a subdomain, to avoid a troublesome host providing a name such as “www” ● In HA, the hostnames are not exchanged between HA nodes, this is an ISC DHCPD limitation they need to fix upstream
How the firewall assigns DNS servers to clients ● When using pfSense as a DHCP server, clients are automatically assigned DNS servers based on several criteria: – If DNS servers are defined in the DHCP settings, they are always used, otherwise... – If the DNS Resolver or DNS Forwarder are enabled, the IP address of the firewall is given to clients, otherwise... – If DNS servers are defined under System > General Setup, those are given to clients, otherwise… – If none of the above are defined, then DNS servers are not provided to DHCP clients
DNS over TLS Overview ● Allows clients and servers to communicate privately so that the bodies of queries cannot be seen or altered by third parties – Stops DNS MITM or sniffing by ISPs to manipulate or log behavior ● Complements DNSSEC, each solves a different problem (Authenticity vs Privacy) ● Utilizes TLS certificates/PKI, like HTTPS and other similar services ● Queries use TCP port 853 ● Standards-based (RFC 7858, RFC 8310), not a proprietary solution like dnscrypt ● Supported by Unbound (DNS Resolver), and a growing number of other DNS-related software – Android P will support DNS over TLS natively and prefer it when available ● Upstream forwarding servers must support DNS over TLS ● Requires forwarding mode in the DNS Resolver, otherwise all roots and all authoritative DNS servers would need to support DNS over TLS
DNS over TLS Overview ● Still requires you to trust the DNS server(s), they can see your queries and, in the absence of DNSSEC, manipulate responses ● Even if an intermediary can’t see your DNS requests, they can still sniff other info from your traffic (e.g. SNI headers from HTTPS requests), thus not a replacement for all VPN scenarios for privacy ● Due to TLS session setup overhead, can be much slower than traditional DNS – Even though it uses TCP Fast Open there is still a bit of overhead involved and also potentially issues with session management – Effect is minimized for popular queries since they will be answered from the cache ● Limited number of public DNS over TLS providers – Primarily CloudFlare and Quad9 ● Utilities like drill and dig do not all have support for TLS yet, so troubleshooting can be tricky – There are some out there, like kdig from knot-dns
Public DNS over TLS Providers ● CloudFlare – https://blog.cloudflare.com/announcing-1111/ – 1.1.1.1 – 1.0.0.1 – 2606:4700:4700::1111 – 2606:4700:4700::1001 ● Quad9 – https://www.quad9.net/ – 9.9.9.9 – 149.112.112.112 – 2620:fe::fe ● Roll your own – Setup a DNS over TLS server to use ● Find another provider at https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers ● Note the addresses to use and keep them nearby for the next steps
DNS over TLS Upstream Forwarders ● If using the DNS Forwarder, switch to the DNS Resolver instead ● Add the DNS servers to pfSense – Navigate to System > General Settings – Under DNS servers add the DNS server IP addresses noted previously – Pick appropriate gateways for each if using Multi-WAN, otherwise leave the gateway selection at ‘none’
DNS over TLS Upstream Forwarders ● Set the DNS Resolver to use DNS over TLS (pfSense 2.4.3) – Navigate to Services > DNS Resolver, Click Display Custom Options – Enter the following: server: forward-zone: name: "." forward-ssl-upstream: yes forward-addr: <server ip address>@853 – Repeat the forward-addr: line once for each upstream forwarder, for example: forward-addr: 1.1.1.1@853 forward-addr: 1.0.0.1@853 forward-addr: 9.9.9.9@853 forward-addr: 149.112.112.112@853 – The server: line is required, omitting it may break depending on other selected options ● Set the DNS Resolver to use DNS over TLS (pfSense 2.4.4) – Navigate to Services > DNS Resolver – Check Enable Forwarding Mode – Check Use SSL/TLS for outgoing DNS Queries to Forwarding Servers
DNS over TLS Upstream Forwarders ● Confirm unbound is using port 853 – unbound-control -c /var/unbound/unbound.conf dump_infra ● Test by making DNS queries – Check states for entries going to port 853 on the forwarding servers – Take packet captures of traffic to confirm that queries are using port 853 and that they are encrypted
Providing DNS over TLS to local clients ● The DNS Resolver can also be used to provide DNS over TLS service to local clients ● GUI controls added to pfSense 2.4.4 ● Create a TLS certificate for use by the DNS Resolver (ACME/LE certs work well!) ● Setup the DNS Resolver – Services > DNS Resolver – Check Enable SSL/TLS Service – Pick the SSL/TLS Certificate – The SSL/TLS Port can be left at the default 853 ● Can be done manually in 2.4.3 but more involved, see https://redmine.pfsense.org/issues/8030
Intercepting DNS at the Firewall ● To prevent clients from reaching undesirable external DNS servers, capture the DNS requests at the firewall ● Probably not a great idea for a public access network without consent from the users or notice ● Alternately, block access to all DNS except for the firewall itself. ● Port forward contents: – Interface: LAN – Protocol: TCP/UDP – Destination: Invert Match checked, LAN Address or This Firewall (self) – Destination Port Range: 53 (DNS) – Redirect Target IP: 127.0.0.1 – Redirect Target Port: 53 (DNS) ● Any client request for a different DNS server will instead be redirected to the DNS Resolver or Forwarder
Misc – Query Name Minimzation ● The DNS Resolver supports query name minimization to further enhance privacy (RFC 7816) – Sends as little information as possible with each query, to avoid giving intermediate DNS servers too much information about the full target – On 2.4.4, under Advanced Settings tab, check “Query Name Minimization” – On 2.4.3 and before, in custom options add to custom options: server: qname-minimisation: yes – There is also a strict mode, but we do not recommend using that in most cases as some domains will fail to resolve
Misc – DNS Rebinding ● Both the DNS Resolver and DNS Forwarder provide DNS Rebinding Protection – This protection prevents an upstream DNS server from providing a private IP address response, to help protect against attacks redirecting you unknowingly to a local device – Sometimes private responses from servers can be desirable in certain exception cases – Can be selectively disabled or globally disabled – DNS Resolver: server: private-domain: "example.com" – DNS Forwarder, use custom options: rebind-domain-ok=/example.com/
Misc – Controlling Unbound ● Use unbound-control -c /var/unbound/unbound.conf <command> to make manual adjustments to Unbound while running – View the infrastructure cache (which DNS servers Unbound is talking to): dump_infra – Show the cache contents: dump_cache – Flush a zone from the cache: flush_zone <name> ● Dump everything: flush_zone . – View stats and performance data: stats_noreset
Conclusion ● Questions? ● Ideas for hangout topics? Post on forum, comment on the blog posts, Reddit, etc

Empfohlen

Providing Local DNS with pfSense - pfSense Hangout August 2016
Providing Local DNS with pfSense - pfSense Hangout August 2016Providing Local DNS with pfSense - pfSense Hangout August 2016
Providing Local DNS with pfSense - pfSense Hangout August 2016
Netgate
 
Creating a DMZ - pfSense Hangout January 2016
Creating a DMZ - pfSense Hangout January 2016Creating a DMZ - pfSense Hangout January 2016
Creating a DMZ - pfSense Hangout January 2016
Netgate
 
Let's Encrypt - pfSense Hangout April 2017
Let's Encrypt - pfSense Hangout April 2017Let's Encrypt - pfSense Hangout April 2017
Let's Encrypt - pfSense Hangout April 2017
Netgate
 
DHCP Server - pfSense Hangout September 2016
DHCP Server - pfSense Hangout September 2016DHCP Server - pfSense Hangout September 2016
DHCP Server - pfSense Hangout September 2016
Netgate
 
Squid, SquidGuard, and Lightsquid - pfSense Hangout March 2014
Squid, SquidGuard, and Lightsquid - pfSense Hangout March 2014Squid, SquidGuard, and Lightsquid - pfSense Hangout March 2014
Squid, SquidGuard, and Lightsquid - pfSense Hangout March 2014
Netgate
 
User Management and Privileges on pfSense 2.4 - pfSense Hangout January 2018
User Management and Privileges on pfSense 2.4 - pfSense Hangout January 2018User Management and Privileges on pfSense 2.4 - pfSense Hangout January 2018
User Management and Privileges on pfSense 2.4 - pfSense Hangout January 2018
Netgate
 
Squid, SquidGuard, and Lightsquid on pfSense 2.3 & 2.4 - pfSense Hangout Janu...
Squid, SquidGuard, and Lightsquid on pfSense 2.3 & 2.4 - pfSense Hangout Janu...Squid, SquidGuard, and Lightsquid on pfSense 2.3 & 2.4 - pfSense Hangout Janu...
Squid, SquidGuard, and Lightsquid on pfSense 2.3 & 2.4 - pfSense Hangout Janu...
Netgate
 
Advanced OpenVPN Concepts on pfSense 2.4 & 2.3.3 - pfSense Hangout February 2017
Advanced OpenVPN Concepts on pfSense 2.4 & 2.3.3 - pfSense Hangout February 2017Advanced OpenVPN Concepts on pfSense 2.4 & 2.3.3 - pfSense Hangout February 2017
Advanced OpenVPN Concepts on pfSense 2.4 & 2.3.3 - pfSense Hangout February 2017
Netgate
 

Empfohlen

Providing Local DNS with pfSense - pfSense Hangout August 2016
Providing Local DNS with pfSense - pfSense Hangout August 2016Providing Local DNS with pfSense - pfSense Hangout August 2016
Providing Local DNS with pfSense - pfSense Hangout August 2016
Netgate
 
Creating a DMZ - pfSense Hangout January 2016
Creating a DMZ - pfSense Hangout January 2016Creating a DMZ - pfSense Hangout January 2016
Creating a DMZ - pfSense Hangout January 2016
Netgate
 
Let's Encrypt - pfSense Hangout April 2017
Let's Encrypt - pfSense Hangout April 2017Let's Encrypt - pfSense Hangout April 2017
Let's Encrypt - pfSense Hangout April 2017
Netgate
 
DHCP Server - pfSense Hangout September 2016
DHCP Server - pfSense Hangout September 2016DHCP Server - pfSense Hangout September 2016
DHCP Server - pfSense Hangout September 2016
Netgate
 
Squid, SquidGuard, and Lightsquid - pfSense Hangout March 2014
Squid, SquidGuard, and Lightsquid - pfSense Hangout March 2014Squid, SquidGuard, and Lightsquid - pfSense Hangout March 2014
Squid, SquidGuard, and Lightsquid - pfSense Hangout March 2014
Netgate
 
User Management and Privileges on pfSense 2.4 - pfSense Hangout January 2018
User Management and Privileges on pfSense 2.4 - pfSense Hangout January 2018User Management and Privileges on pfSense 2.4 - pfSense Hangout January 2018
User Management and Privileges on pfSense 2.4 - pfSense Hangout January 2018
Netgate
 
Squid, SquidGuard, and Lightsquid on pfSense 2.3 & 2.4 - pfSense Hangout Janu...
Squid, SquidGuard, and Lightsquid on pfSense 2.3 & 2.4 - pfSense Hangout Janu...Squid, SquidGuard, and Lightsquid on pfSense 2.3 & 2.4 - pfSense Hangout Janu...
Squid, SquidGuard, and Lightsquid on pfSense 2.3 & 2.4 - pfSense Hangout Janu...
Netgate
 
Advanced OpenVPN Concepts on pfSense 2.4 & 2.3.3 - pfSense Hangout February 2017
Advanced OpenVPN Concepts on pfSense 2.4 & 2.3.3 - pfSense Hangout February 2017Advanced OpenVPN Concepts on pfSense 2.4 & 2.3.3 - pfSense Hangout February 2017
Advanced OpenVPN Concepts on pfSense 2.4 & 2.3.3 - pfSense Hangout February 2017
Netgate
 
Advanced OpenVPN Concepts - pfSense Hangout September 2014
Advanced OpenVPN Concepts - pfSense Hangout September 2014Advanced OpenVPN Concepts - pfSense Hangout September 2014
Advanced OpenVPN Concepts - pfSense Hangout September 2014
Netgate
 
IPv6 Basics - pfSense Hangout July 2015
IPv6 Basics - pfSense Hangout July 2015IPv6 Basics - pfSense Hangout July 2015
IPv6 Basics - pfSense Hangout July 2015
Netgate
 
Configuring Netgate Appliance Integrated Switches on pfSense 2.4.4 - pfSense ...
Configuring Netgate Appliance Integrated Switches on pfSense 2.4.4 - pfSense ...Configuring Netgate Appliance Integrated Switches on pfSense 2.4.4 - pfSense ...
Configuring Netgate Appliance Integrated Switches on pfSense 2.4.4 - pfSense ...
Netgate
 
Console Menu - pfSense Hangout December 2016
Console Menu - pfSense Hangout December 2016Console Menu - pfSense Hangout December 2016
Console Menu - pfSense Hangout December 2016
Netgate
 
Monitoring pfSense 2.4 with SNMP - pfSense Hangout March 2018
Monitoring pfSense 2.4 with SNMP - pfSense Hangout March 2018Monitoring pfSense 2.4 with SNMP - pfSense Hangout March 2018
Monitoring pfSense 2.4 with SNMP - pfSense Hangout March 2018
Netgate
 
Galera Cluster - Node Recovery - Webinar slides
Galera Cluster - Node Recovery - Webinar slidesGalera Cluster - Node Recovery - Webinar slides
Galera Cluster - Node Recovery - Webinar slides
Severalnines
 
VPC PPT @NETWORKERSHOME
VPC PPT @NETWORKERSHOMEVPC PPT @NETWORKERSHOME
VPC PPT @NETWORKERSHOME
networkershome
 
pfSense 2.4.4 Short Topic Miscellany - pfSense Hangout August 2018
pfSense 2.4.4 Short Topic Miscellany - pfSense Hangout August 2018pfSense 2.4.4 Short Topic Miscellany - pfSense Hangout August 2018
pfSense 2.4.4 Short Topic Miscellany - pfSense Hangout August 2018
Netgate
 
Advanced Captive Portal - pfSense Hangout June 2017
Advanced Captive Portal - pfSense Hangout June 2017Advanced Captive Portal - pfSense Hangout June 2017
Advanced Captive Portal - pfSense Hangout June 2017
Netgate
 
Open vSwitch - Stateful Connection Tracking & Stateful NAT
Open vSwitch - Stateful Connection Tracking & Stateful NATOpen vSwitch - Stateful Connection Tracking & Stateful NAT
Open vSwitch - Stateful Connection Tracking & Stateful NAT
Thomas Graf
 
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)
Thomas Graf
 
Site-to-Site VPNs - pfSense Hangout November 2015
Site-to-Site VPNs - pfSense Hangout November 2015Site-to-Site VPNs - pfSense Hangout November 2015
Site-to-Site VPNs - pfSense Hangout November 2015
Netgate
 
netfilter and iptables
netfilter and iptablesnetfilter and iptables
netfilter and iptables
Kernel TLV
 
Ixgbe internals
Ixgbe internalsIxgbe internals
Ixgbe internals
SUSE Labs Taipei
 
pfSense Installation Slide
pfSense Installation SlidepfSense Installation Slide
pfSense Installation Slide
Sopon Tumchota
 
A New Way of Thinking | NATS 2.0 & Connectivity
A New Way of Thinking | NATS 2.0 & ConnectivityA New Way of Thinking | NATS 2.0 & Connectivity
A New Way of Thinking | NATS 2.0 & Connectivity
NATS
 
Deploying CloudStack and Ceph with flexible VXLAN and BGP networking
Deploying CloudStack and Ceph with flexible VXLAN and BGP networking Deploying CloudStack and Ceph with flexible VXLAN and BGP networking
Deploying CloudStack and Ceph with flexible VXLAN and BGP networking
ShapeBlue
 
CCNA-LAB-GUIDE-V3_LAST-ADDITION (4).pdf
CCNA-LAB-GUIDE-V3_LAST-ADDITION (4).pdfCCNA-LAB-GUIDE-V3_LAST-ADDITION (4).pdf
CCNA-LAB-GUIDE-V3_LAST-ADDITION (4).pdf
poojaswami31
 
Lisa 2015-gluster fs-hands-on
Lisa 2015-gluster fs-hands-onLisa 2015-gluster fs-hands-on
Lisa 2015-gluster fs-hands-on
Gluster.org
 
Google Cloud DNS
Google Cloud DNSGoogle Cloud DNS
Google Cloud DNS
Zdenko Hrček
 
Private DNS Infrastructure Support in Hybrid Scenarios
Private DNS Infrastructure Support in Hybrid ScenariosPrivate DNS Infrastructure Support in Hybrid Scenarios
Private DNS Infrastructure Support in Hybrid Scenarios
Daniel Toomey
 
Private DNS Infrastructure Support in Hybrid Scenarios
Private DNS Infrastructure Support in Hybrid ScenariosPrivate DNS Infrastructure Support in Hybrid Scenarios
Private DNS Infrastructure Support in Hybrid Scenarios
Daniel Toomey
 

Weitere ähnliche Inhalte

Was ist angesagt?

Galera Cluster - Node Recovery - Webinar slides
Galera Cluster - Node Recovery - Webinar slidesGalera Cluster - Node Recovery - Webinar slides
Galera Cluster - Node Recovery - Webinar slides
Severalnines
 
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)
Thomas Graf
 
netfilter and iptables
netfilter and iptablesnetfilter and iptables
netfilter and iptables
Kernel TLV
 
CCNA-LAB-GUIDE-V3_LAST-ADDITION (4).pdf
CCNA-LAB-GUIDE-V3_LAST-ADDITION (4).pdfCCNA-LAB-GUIDE-V3_LAST-ADDITION (4).pdf
CCNA-LAB-GUIDE-V3_LAST-ADDITION (4).pdf
poojaswami31
 

Was ist angesagt? (20)

Advanced OpenVPN Concepts - pfSense Hangout September 2014
Advanced OpenVPN Concepts - pfSense Hangout September 2014Advanced OpenVPN Concepts - pfSense Hangout September 2014
Advanced OpenVPN Concepts - pfSense Hangout September 2014
 
IPv6 Basics - pfSense Hangout July 2015
IPv6 Basics - pfSense Hangout July 2015IPv6 Basics - pfSense Hangout July 2015
IPv6 Basics - pfSense Hangout July 2015
 
Configuring Netgate Appliance Integrated Switches on pfSense 2.4.4 - pfSense ...
Configuring Netgate Appliance Integrated Switches on pfSense 2.4.4 - pfSense ...Configuring Netgate Appliance Integrated Switches on pfSense 2.4.4 - pfSense ...
Configuring Netgate Appliance Integrated Switches on pfSense 2.4.4 - pfSense ...
 
Console Menu - pfSense Hangout December 2016
Console Menu - pfSense Hangout December 2016Console Menu - pfSense Hangout December 2016
Console Menu - pfSense Hangout December 2016
 
Monitoring pfSense 2.4 with SNMP - pfSense Hangout March 2018
Monitoring pfSense 2.4 with SNMP - pfSense Hangout March 2018Monitoring pfSense 2.4 with SNMP - pfSense Hangout March 2018
Monitoring pfSense 2.4 with SNMP - pfSense Hangout March 2018
 
Galera Cluster - Node Recovery - Webinar slides
Galera Cluster - Node Recovery - Webinar slidesGalera Cluster - Node Recovery - Webinar slides
Galera Cluster - Node Recovery - Webinar slides
 
VPC PPT @NETWORKERSHOME
VPC PPT @NETWORKERSHOMEVPC PPT @NETWORKERSHOME
VPC PPT @NETWORKERSHOME
 
pfSense 2.4.4 Short Topic Miscellany - pfSense Hangout August 2018
pfSense 2.4.4 Short Topic Miscellany - pfSense Hangout August 2018pfSense 2.4.4 Short Topic Miscellany - pfSense Hangout August 2018
pfSense 2.4.4 Short Topic Miscellany - pfSense Hangout August 2018
 
Advanced Captive Portal - pfSense Hangout June 2017
Advanced Captive Portal - pfSense Hangout June 2017Advanced Captive Portal - pfSense Hangout June 2017
Advanced Captive Portal - pfSense Hangout June 2017
 
Open vSwitch - Stateful Connection Tracking & Stateful NAT
Open vSwitch - Stateful Connection Tracking & Stateful NATOpen vSwitch - Stateful Connection Tracking & Stateful NAT
Open vSwitch - Stateful Connection Tracking & Stateful NAT
 
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)
 
Site-to-Site VPNs - pfSense Hangout November 2015
Site-to-Site VPNs - pfSense Hangout November 2015Site-to-Site VPNs - pfSense Hangout November 2015
Site-to-Site VPNs - pfSense Hangout November 2015
 
netfilter and iptables
netfilter and iptablesnetfilter and iptables
netfilter and iptables
 
Ixgbe internals
Ixgbe internalsIxgbe internals
Ixgbe internals
 
pfSense Installation Slide
pfSense Installation SlidepfSense Installation Slide
pfSense Installation Slide
 
A New Way of Thinking | NATS 2.0 & Connectivity
A New Way of Thinking | NATS 2.0 & ConnectivityA New Way of Thinking | NATS 2.0 & Connectivity
A New Way of Thinking | NATS 2.0 & Connectivity
 
Deploying CloudStack and Ceph with flexible VXLAN and BGP networking
Deploying CloudStack and Ceph with flexible VXLAN and BGP networking Deploying CloudStack and Ceph with flexible VXLAN and BGP networking
Deploying CloudStack and Ceph with flexible VXLAN and BGP networking
 
CCNA-LAB-GUIDE-V3_LAST-ADDITION (4).pdf
CCNA-LAB-GUIDE-V3_LAST-ADDITION (4).pdfCCNA-LAB-GUIDE-V3_LAST-ADDITION (4).pdf
CCNA-LAB-GUIDE-V3_LAST-ADDITION (4).pdf
 
Lisa 2015-gluster fs-hands-on
Lisa 2015-gluster fs-hands-onLisa 2015-gluster fs-hands-on
Lisa 2015-gluster fs-hands-on
 
Google Cloud DNS
Google Cloud DNSGoogle Cloud DNS
Google Cloud DNS
 

Ähnlich wie Local DNS with pfSense 2.4 - pfSense Hangout April 2018

Chapter 4 configuring and managing the dns server role
Chapter 4 configuring and managing the dns server roleChapter 4 configuring and managing the dns server role
Chapter 4 configuring and managing the dns server role
Luis Garay
 

Ähnlich wie Local DNS with pfSense 2.4 - pfSense Hangout April 2018 (20)

Private DNS Infrastructure Support in Hybrid Scenarios
Private DNS Infrastructure Support in Hybrid ScenariosPrivate DNS Infrastructure Support in Hybrid Scenarios
Private DNS Infrastructure Support in Hybrid Scenarios
 
Private DNS Infrastructure Support in Hybrid Scenarios
Private DNS Infrastructure Support in Hybrid ScenariosPrivate DNS Infrastructure Support in Hybrid Scenarios
Private DNS Infrastructure Support in Hybrid Scenarios
 
IGF 2023: DNS Privacy
IGF 2023: DNS PrivacyIGF 2023: DNS Privacy
IGF 2023: DNS Privacy
 
DNS Fundamentals Presentation_PANDI-2022.pdf
DNS Fundamentals Presentation_PANDI-2022.pdfDNS Fundamentals Presentation_PANDI-2022.pdf
DNS Fundamentals Presentation_PANDI-2022.pdf
 
CNIT 40: 2: DNS Protocol and Architecture
CNIT 40: 2: DNS Protocol and ArchitectureCNIT 40: 2: DNS Protocol and Architecture
CNIT 40: 2: DNS Protocol and Architecture
 
Cse -306
Cse -306Cse -306
Cse -306
 
Dns
DnsDns
Dns
 
08Mapping.ppt
08Mapping.ppt08Mapping.ppt
08Mapping.ppt
 
Chapter 4 configuring and managing the dns server role
Chapter 4 configuring and managing the dns server roleChapter 4 configuring and managing the dns server role
Chapter 4 configuring and managing the dns server role
 
What You Need to Know - Domain Name System (DNS)
What You Need to Know - Domain Name System (DNS)What You Need to Know - Domain Name System (DNS)
What You Need to Know - Domain Name System (DNS)
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
 
NZNOG 2013 - Experiments in DNSSEC
NZNOG 2013 - Experiments in DNSSECNZNOG 2013 - Experiments in DNSSEC
NZNOG 2013 - Experiments in DNSSEC
 
bdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a timebdNOG 7 - Re-engineering the DNS - one resolver at a time
bdNOG 7 - Re-engineering the DNS - one resolver at a time
 
Re-Engineering the DNS – One Resolver at a Time
Re-Engineering the DNS – One Resolver at a Time Re-Engineering the DNS – One Resolver at a Time
Re-Engineering the DNS – One Resolver at a Time
 
Presentation on 'The Path to Resolverless DNS' by Geoff Huston
Presentation on 'The Path to Resolverless DNS' by Geoff HustonPresentation on 'The Path to Resolverless DNS' by Geoff Huston
Presentation on 'The Path to Resolverless DNS' by Geoff Huston
 
c5c1db8d-8375-4f17-bf6a-56ea5342e58d.pptx
c5c1db8d-8375-4f17-bf6a-56ea5342e58d.pptxc5c1db8d-8375-4f17-bf6a-56ea5342e58d.pptx
c5c1db8d-8375-4f17-bf6a-56ea5342e58d.pptx
 
Dns security
Dns securityDns security
Dns security
 
RADIUS and LDAP on pfSense 2.4 - pfSense Hangout February 2018
RADIUS and LDAP on pfSense 2.4 - pfSense Hangout February 2018RADIUS and LDAP on pfSense 2.4 - pfSense Hangout February 2018
RADIUS and LDAP on pfSense 2.4 - pfSense Hangout February 2018
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
 
Domain Name System and Dynamic Host Configuration Protocol.pptx
Domain Name System and Dynamic Host Configuration Protocol.pptxDomain Name System and Dynamic Host Configuration Protocol.pptx
Domain Name System and Dynamic Host Configuration Protocol.pptx
 

Mehr von Netgate

Mehr von Netgate (16)

Using Google Cloud Identity Secure LDAP with pfSense - Netgate Hangout Octobe...
Using Google Cloud Identity Secure LDAP with pfSense - Netgate Hangout Octobe...Using Google Cloud Identity Secure LDAP with pfSense - Netgate Hangout Octobe...
Using Google Cloud Identity Secure LDAP with pfSense - Netgate Hangout Octobe...
 
Routed IPsec on pfSense 2.4.4 - pfSense Hangout June 2018
Routed IPsec on pfSense 2.4.4 - pfSense Hangout June 2018Routed IPsec on pfSense 2.4.4 - pfSense Hangout June 2018
Routed IPsec on pfSense 2.4.4 - pfSense Hangout June 2018
 
Dynamic Routing with FRR - pfSense Hangout December 2017
Dynamic Routing with FRR - pfSense Hangout December 2017Dynamic Routing with FRR - pfSense Hangout December 2017
Dynamic Routing with FRR - pfSense Hangout December 2017
 
Firewall Best Practices for VoIP on pfSense - pfSense Hangout October 2017
Firewall Best Practices for VoIP on pfSense - pfSense Hangout October 2017Firewall Best Practices for VoIP on pfSense - pfSense Hangout October 2017
Firewall Best Practices for VoIP on pfSense - pfSense Hangout October 2017
 
Certificate Management on pfSense 2.4 - pfSense Hangout September 2017
Certificate Management on pfSense 2.4 - pfSense Hangout September 2017Certificate Management on pfSense 2.4 - pfSense Hangout September 2017
Certificate Management on pfSense 2.4 - pfSense Hangout September 2017
 
Backup and Restore with pfSense 2.4 - pfSense Hangout August 2017
Backup and Restore with pfSense 2.4 - pfSense Hangout August 2017Backup and Restore with pfSense 2.4 - pfSense Hangout August 2017
Backup and Restore with pfSense 2.4 - pfSense Hangout August 2017
 
Server Load Balancing on pfSense 2.4 - pfSense Hangout July 2017
Server Load Balancing on pfSense 2.4 - pfSense Hangout July 2017Server Load Balancing on pfSense 2.4 - pfSense Hangout July 2017
Server Load Balancing on pfSense 2.4 - pfSense Hangout July 2017
 
High Availability on pfSense 2.4 - pfSense Hangout March 2017
High Availability on pfSense 2.4 - pfSense Hangout March 2017High Availability on pfSense 2.4 - pfSense Hangout March 2017
High Availability on pfSense 2.4 - pfSense Hangout March 2017
 
OpenVPN as a WAN - pfSense Hangout October 2016
OpenVPN as a WAN - pfSense Hangout October 2016OpenVPN as a WAN - pfSense Hangout October 2016
OpenVPN as a WAN - pfSense Hangout October 2016
 
High Availability Part 2 - pfSense Hangout July 2016
High Availability Part 2 - pfSense Hangout July 2016High Availability Part 2 - pfSense Hangout July 2016
High Availability Part 2 - pfSense Hangout July 2016
 
Connectivity Troubleshooting - pfSense Hangout June 2016
Connectivity Troubleshooting - pfSense Hangout June 2016Connectivity Troubleshooting - pfSense Hangout June 2016
Connectivity Troubleshooting - pfSense Hangout June 2016
 
NAT on pfSense 2.3 - pfSense Hangout May 2016
NAT on pfSense 2.3 - pfSense Hangout May 2016NAT on pfSense 2.3 - pfSense Hangout May 2016
NAT on pfSense 2.3 - pfSense Hangout May 2016
 
Multi-WAN on pfSense 2.3 - pfSense Hangout March 2016
Multi-WAN on pfSense 2.3 - pfSense Hangout March 2016Multi-WAN on pfSense 2.3 - pfSense Hangout March 2016
Multi-WAN on pfSense 2.3 - pfSense Hangout March 2016
 
Traffic Shaping Basics with PRIQ - pfSense Hangout February 2016
Traffic Shaping Basics with PRIQ - pfSense Hangout February 2016Traffic Shaping Basics with PRIQ - pfSense Hangout February 2016
Traffic Shaping Basics with PRIQ - pfSense Hangout February 2016
 
pfSense 2.3 Preview - pfSense Hangout December 2015
pfSense 2.3 Preview - pfSense Hangout December 2015pfSense 2.3 Preview - pfSense Hangout December 2015
pfSense 2.3 Preview - pfSense Hangout December 2015
 
Remote Access VPNs Part 2 - pfSense Hangout October 2015
Remote Access VPNs Part 2 - pfSense Hangout October 2015Remote Access VPNs Part 2 - pfSense Hangout October 2015
Remote Access VPNs Part 2 - pfSense Hangout October 2015
 

Kürzlich hochgeladen

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 

Kürzlich hochgeladen (20)

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 

Local DNS with pfSense 2.4 - pfSense Hangout April 2018

  • 1. Local DNS with pfSense 2.4 April 2018 Hangout Jim Pingle
  • 2. About this Hangout ● Project News ● DNS Overview ● When to use the firewall for DNS (and not to) ● DNS Resolver vs DNS Forwarder ● Host Overrides ● Domain Overrides ● DNS and VPNs ● DNS and Multi-WAN ● DHCP and DNS ● How the firewall assigns DNS servers to clients ● DNS over TLS Overview ● DNS over TLS Upstream Forwarders ● Providing DNS over TLS to local clients ● Intercepting DNS at the Firewall ● Miscellaneous additional DNS Resolver/Forwarder tidbits
  • 3. Project News ● April IPv6 bogons list too large for old default table size of 200,000 – Can lead to filter load errors if bogon lists are in use – Sys > Adv, Firewall & NAT, Increase Firewall Maximum Table Entries to 400000 – Or disable bogon option on all interfaces – 2.4.4 will have a higher default, but setting it now will correct the issue ● TNSR coming to AWS soon ● pfSense 2.4.4 development underway, primary focus is FreeBSD 11.2 and PHP 7.2 ● XG-7100 1U is now shipping ● Sales going on this month: – Single port Minnowboard Turbot Quad Core and all Lures ● 15% discount with code MAKERS at checkout – XG-1541 security gateway ● 10% discount with code NETGATE1541 at checkout ● Valid through the end of May
  • 4. DNS Overview ● DNS is short for Domain Name System ● Translates host names into IP addresses ● Devices must communicate using IP addresses, not names, so DNS makes it easier for humans to find other devices without having to memorize IP addresses ● For example: www.example.com to 203.0.113.65 ● There are other types of records as well for various tasks: ● A for IPv4 address, AAAA for IPv6 address, PTR for reverse DNS, MX for mail exchange host for a domain, TXT information records, CNAME aliases, SRV to locate services, etc. ● Hierarchal structure: Clients talk to recursive forwarders or resolvers, forwarders talk to recursive resolvers, resolvers talk to roots and authoritative servers
  • 5. DNS Overview ● Clients query a DNS server using UDP port 53 and ask it for a record of a specific type. Depending on the size of the result, the connection can switch to TCP on port 53. – DNS over TLS uses only TCP on port 853, but we’ll cover that special case later ● If the forwarder or resolver knows the host locally or has the answer in the cache, it replies back with the result, or it asks upstream to a recursive resolver, or roots ● A resolver will ask the root servers for the source of authority for a domain, and then contact the authoritative servers listed in the response for the answer to the original query. ● The answer is passed back down to the client ● Note: A forwarder must talk to upstream recursive forwarders or recursive resolvers. A resolver can operate independently and can talk to the root DNS servers and other authoritative servers directly.
  • 6. Why use the firewall for DNS? ● Less effort than running a dedicated full-featured DNS server, at the expense of some features – It’s on by default and works well, easy to configure via GUI ● The firewall is placed conveniently at the edge to handle DNS for all local clients ● Host and domain overrides allow customization and control over DNS responses given to clients ● Easy integration with the DHCP server on pfSense for resolution of client hostnames ● Caching DNS responses locally can speed up resolution and save time/resources on repeated or frequent queries ● More efficient selection of upstream DNS servers, minimizes downtime due to slow or broken DNS servers
  • 7. Why NOT use the firewall for DNS? ● For complex DNS requirements, such as: – Multiple sites sharing the same domain name where all hostnames must be visible to all clients – Providing different responses to different sets of local clients (“views”) – Clients that must register hostnames in different domains on the same local segment ● When a local network contains an Active Directory domain – In these cases, it is best to use the AD structure for DHCP and DNS for proper registration of clients, proper service location, and client hostname resolution – You can use the firewall DNS resolver/forwarder as an upstream forwarder for the AD DNS server, but clients should not use it directly ● For providing authoritative answers to public clients
  • 8. DNS Resolver (unbound) ● Default since pfSense 2.2.x ● Uses Unbound, a secure caching resolver included in FreeBSD ● Can operate independently without manually configured upstream DNS servers ● As a resolver, by default it contacts root DNS and other authoritative DNS servers directly and not the defined forwarding servers – Better “out of the box” behavior as it does not require the user to configure DNS in any way before it is completely functional – May have issues if the ISP filters or rate limits access to other DNS servers – Multi-WAN can be tricky ● Can also operate in forwarding mode using upstream DNS servers – Has all defined, but selects a DNS server from System > General Setup, switches if slow/down – Tracks stats on available servers, does not always query every server, so less predictable than the forwarder – unbound-control -c /var/unbound/unbound.conf lookup . – unbound-control -c /var/unbound/unbound.conf dump_infra – Status > DNS Resolver on 2.4.4
  • 9. DNS Resolver (unbound) ● Can easily use Domain Name System Security Extensions (DNSSEC) for secure DNS – Provides authentication and integrity confirmation, preventing forged/spoofed responses, does not provide encryption – Works in resolver mode, and in forwarding mode if forwarders support DNSSEC ● Supports DNS over TLS for DNS query privacy (encryption) – Can act as a client to upstream TLS forwarders and a server to local TLS clients ● Many options for tuning, optimization, and privacy ● Scales better for large numbers of clients ● Better security / access control
  • 10. DNS Forwarder (dnsmasq) ● Uses dnsmasq, a lightweight caching DNS forwarder ● Requires available upstream DNS servers, either manually configured under System > General Setup or obtained automatically (e.g. DHCP or PPPoE) ● By default, queries all DNS servers in parallel and returns the fastest result – Robust but can counteract intentional preferential ordering of servers – Works well for Multi-WAN
  • 11. Host Overrides ● Works the same in the DNS Resolver and DNS Forwarder ● Custom DNS A/AAAA records that either return answers for hosts that do not exist in upstream DNS or overrides an upstream response with a custom local response ● Can be used to define local server hostnames, hosts for use with VPNs, testing/development hosts, etc ● Can also be used to override responses for split DNS or mild blocking (e.g. return a bogus result for facebook.com) ● Can have multiple “aliases”, additional hostnames that resolve to the same address
  • 12. Domain Overrides ● Define a different upstream server for queries on a specific domain ● All queries for hosts under the specified domain will be sent to the given server ● Useful for local domains (e.g. AD) or DNS across a VPN ● DNS Resolver overrides use Forwarding zones, not Stub zones – Stub zones only work if talking directly to an authoritative server ● DNS Resolver can enable DNS over TLS selectively per domain ● DNS Forwarder can set a source address for the queries, which helps with IPsec – DNS Resolver can set the outgoing network interface globally, but not on a selective basis ● DNS Forwarder can also make exceptions for subdomains to pass to normal DNS, or to prevent a domain from being queried on other servers (local only) ● Define a domain multiple times with different server IP addresses for redundancy
  • 13. VPNs and DNS on the Firewall ● When a VPN or private link connects multiple sites, domain overrides can allow each site to query the others – Each site must be using a different domain or subdomain! ● OpenVPN works well since it is routed – Queries will be sourced from the VPN tunnel network, unless using a manually set outgoing address/interface – May need to account for that in DNS ACLs/Firewall rules on the target DNS server ● When using the DNS Forwarder and IPsec, set the source address of domain overrides to be a LAN IP address or another local IP/interface inside the IPsec P2 ● When using the DNS Resolver and IPsec, set the outgoing query interface to be LAN or other local interface in the IPsec P2 – Alternately, use the gateway+static route trick on the wiki: https://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itsel f_over_IPsec_VPN ● If all DNS queries must flow through other side, then: – DNS Resolver: Enable forwarding mode, configure other side’s DNS server under System > General Setup & disable DNS from DHCP/PPPoE – DNS Forwarder: Configure other side’s DNS server under System > General & disable DNS from DHCP/PPPoE, Configure DNS Forwarder to bind only to LAN and use strict interface binding – Make sure VPN doesn’t need DNS to connect!
  • 14. DNS and Multi-WAN ● Both DNS Resolver and DNS Forwarder can be compatible with Multi-WAN ● DNS Resolver by default queries random root servers and other authoritative servers, but can be adjusted to work with Multi-WAN – Multi-WAN Option 1: Enable Default Gateway Switching (System > Advanced, Misc) – Option 2: Enable Forwarding mode, then visit System > General Setup and configure at least one unique DNS server per WAN and choose a gateway for each one ● DNS Resolver in Forwarding mode may require disabling DNSSEC depending on the upstream forwarding servers ● For DNS Forwarder, same as resolver option 2, configure a DNS server per WAN with different gateways ● Alternately, do not use either the Resolver or the Forwarder: – Set clients to use public IP address DNS servers directly and their DNS requests will policy route like the rest of their traffic
  • 15. DHCP and DNS ● Both the DNS Resolver and DNS Forwarder support registration of DHCP hostnames for dynamic and static IPv4 leases ● Domain for this feature is assumed to be the domain of the firewall itself, not the domain configured in DHCP options ● The dhcpleases daemon monitors the DHCP leases file and populates the hostnames into the DNS Resolver or Forwarder ● Clients must supply their own hostname for dynamic leases, for static leases the configured hostname on the static mapping is used – Clients which provide an invalid or blank hostname will not resolve ● Be wary of using a domain directly rather than a subdomain, to avoid a troublesome host providing a name such as “www” ● In HA, the hostnames are not exchanged between HA nodes, this is an ISC DHCPD limitation they need to fix upstream
  • 16. How the firewall assigns DNS servers to clients ● When using pfSense as a DHCP server, clients are automatically assigned DNS servers based on several criteria: – If DNS servers are defined in the DHCP settings, they are always used, otherwise... – If the DNS Resolver or DNS Forwarder are enabled, the IP address of the firewall is given to clients, otherwise... – If DNS servers are defined under System > General Setup, those are given to clients, otherwise… – If none of the above are defined, then DNS servers are not provided to DHCP clients
  • 17. DNS over TLS Overview ● Allows clients and servers to communicate privately so that the bodies of queries cannot be seen or altered by third parties – Stops DNS MITM or sniffing by ISPs to manipulate or log behavior ● Complements DNSSEC, each solves a different problem (Authenticity vs Privacy) ● Utilizes TLS certificates/PKI, like HTTPS and other similar services ● Queries use TCP port 853 ● Standards-based (RFC 7858, RFC 8310), not a proprietary solution like dnscrypt ● Supported by Unbound (DNS Resolver), and a growing number of other DNS-related software – Android P will support DNS over TLS natively and prefer it when available ● Upstream forwarding servers must support DNS over TLS ● Requires forwarding mode in the DNS Resolver, otherwise all roots and all authoritative DNS servers would need to support DNS over TLS
  • 18. DNS over TLS Overview ● Still requires you to trust the DNS server(s), they can see your queries and, in the absence of DNSSEC, manipulate responses ● Even if an intermediary can’t see your DNS requests, they can still sniff other info from your traffic (e.g. SNI headers from HTTPS requests), thus not a replacement for all VPN scenarios for privacy ● Due to TLS session setup overhead, can be much slower than traditional DNS – Even though it uses TCP Fast Open there is still a bit of overhead involved and also potentially issues with session management – Effect is minimized for popular queries since they will be answered from the cache ● Limited number of public DNS over TLS providers – Primarily CloudFlare and Quad9 ● Utilities like drill and dig do not all have support for TLS yet, so troubleshooting can be tricky – There are some out there, like kdig from knot-dns
  • 19. Public DNS over TLS Providers ● CloudFlare – https://blog.cloudflare.com/announcing-1111/ – 1.1.1.1 – 1.0.0.1 – 2606:4700:4700::1111 – 2606:4700:4700::1001 ● Quad9 – https://www.quad9.net/ – 9.9.9.9 – 149.112.112.112 – 2620:fe::fe ● Roll your own – Setup a DNS over TLS server to use ● Find another provider at https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers ● Note the addresses to use and keep them nearby for the next steps
  • 20. DNS over TLS Upstream Forwarders ● If using the DNS Forwarder, switch to the DNS Resolver instead ● Add the DNS servers to pfSense – Navigate to System > General Settings – Under DNS servers add the DNS server IP addresses noted previously – Pick appropriate gateways for each if using Multi-WAN, otherwise leave the gateway selection at ‘none’
  • 21. DNS over TLS Upstream Forwarders ● Set the DNS Resolver to use DNS over TLS (pfSense 2.4.3) – Navigate to Services > DNS Resolver, Click Display Custom Options – Enter the following: server: forward-zone: name: "." forward-ssl-upstream: yes forward-addr: <server ip address>@853 – Repeat the forward-addr: line once for each upstream forwarder, for example: forward-addr: 1.1.1.1@853 forward-addr: 1.0.0.1@853 forward-addr: 9.9.9.9@853 forward-addr: 149.112.112.112@853 – The server: line is required, omitting it may break depending on other selected options ● Set the DNS Resolver to use DNS over TLS (pfSense 2.4.4) – Navigate to Services > DNS Resolver – Check Enable Forwarding Mode – Check Use SSL/TLS for outgoing DNS Queries to Forwarding Servers
  • 22. DNS over TLS Upstream Forwarders ● Confirm unbound is using port 853 – unbound-control -c /var/unbound/unbound.conf dump_infra ● Test by making DNS queries – Check states for entries going to port 853 on the forwarding servers – Take packet captures of traffic to confirm that queries are using port 853 and that they are encrypted
  • 23. Providing DNS over TLS to local clients ● The DNS Resolver can also be used to provide DNS over TLS service to local clients ● GUI controls added to pfSense 2.4.4 ● Create a TLS certificate for use by the DNS Resolver (ACME/LE certs work well!) ● Setup the DNS Resolver – Services > DNS Resolver – Check Enable SSL/TLS Service – Pick the SSL/TLS Certificate – The SSL/TLS Port can be left at the default 853 ● Can be done manually in 2.4.3 but more involved, see https://redmine.pfsense.org/issues/8030
  • 24. Intercepting DNS at the Firewall ● To prevent clients from reaching undesirable external DNS servers, capture the DNS requests at the firewall ● Probably not a great idea for a public access network without consent from the users or notice ● Alternately, block access to all DNS except for the firewall itself. ● Port forward contents: – Interface: LAN – Protocol: TCP/UDP – Destination: Invert Match checked, LAN Address or This Firewall (self) – Destination Port Range: 53 (DNS) – Redirect Target IP: 127.0.0.1 – Redirect Target Port: 53 (DNS) ● Any client request for a different DNS server will instead be redirected to the DNS Resolver or Forwarder
  • 25. Misc – Query Name Minimzation ● The DNS Resolver supports query name minimization to further enhance privacy (RFC 7816) – Sends as little information as possible with each query, to avoid giving intermediate DNS servers too much information about the full target – On 2.4.4, under Advanced Settings tab, check “Query Name Minimization” – On 2.4.3 and before, in custom options add to custom options: server: qname-minimisation: yes – There is also a strict mode, but we do not recommend using that in most cases as some domains will fail to resolve
  • 26. Misc – DNS Rebinding ● Both the DNS Resolver and DNS Forwarder provide DNS Rebinding Protection – This protection prevents an upstream DNS server from providing a private IP address response, to help protect against attacks redirecting you unknowingly to a local device – Sometimes private responses from servers can be desirable in certain exception cases – Can be selectively disabled or globally disabled – DNS Resolver: server: private-domain: "example.com" – DNS Forwarder, use custom options: rebind-domain-ok=/example.com/
  • 27. Misc – Controlling Unbound ● Use unbound-control -c /var/unbound/unbound.conf <command> to make manual adjustments to Unbound while running – View the infrastructure cache (which DNS servers Unbound is talking to): dump_infra – Show the cache contents: dump_cache – Flush a zone from the cache: flush_zone <name> ● Dump everything: flush_zone . – View stats and performance data: stats_noreset
  • 28. Conclusion ● Questions? ● Ideas for hangout topics? Post on forum, comment on the blog posts, Reddit, etc