DNS Over TLS On pfSense 2.4.5

Captions
Tom here from Lawrence Systems. We're going to talk about using custom DNS settings with pfSense and making sure that you have TLS enabled with those custom DNS settings. Now, the reason for doing this, the use case for doing this, is because you want your pfSense to send traffic not over port 53 but over an encrypted port, or TLS DNS, so transports in between can't see it, as in your ISP. So you don't want your ISP to be able to look at port 53, which is the default for DNS traffic, which passes over UDP in clear text. Now this gives you added privacy from the ISP. They're still going to be able to see whichever IP addresses you're going to, but losing that information about what DNS queries went over there gives them a little bit less insight into your particular data streams, and maybe that's a concern. This is not a replacement, but it is a further, somewhat of a mitigation for the amount of data that they can get. Obviously, you could do something like a whole-home VPN because you wanted to pay another company so you can hide your data from the ISP, which, as you can tell by my inflection of voice, maybe I'm not the biggest fan of their use cases for it, but everyone seems to think they need one, and because they're easy to sell, every YouTuber seems to have an offer code. By the way, if you do insist on it, I do have an offer code down below. I'm just not paid by them; I'm paid if you click on the link to PIA. If you want to do a whole-home VPN, I have a video on that as well if that's what keeps you happy, but then again you can encrypt your DNS over that as well, if that's what also makes you happy.

But before we go any further, let's get into the details. First, if you'd like to learn more about me or my company, head over to lawrencesystems.com. If you'd like to hire us for a project, there's a hire button right at the top. If you want to support this channel in other ways, there are the affiliate links down below to get your deals and discounts on products and services we talked about on this channel, including a link to our Patreon if you'd like to become a Patreon supporter. We also have a swag store where you can get shirts and other items that are for sale, and that changes from time to time, what's available and what's not, so go ahead and check that out frequently. And finally, our forums: if you'd like to have a more in-depth discussion about this video, suggestions for new videos, or just to reach out, say hi and talk tech, our forums are a great place for that.

All right, now back to the content. The first thing I want to start with is "Setup DNS over TLS on pfSense 2.4.4" and the long discussion underneath that ensues. I'm just going to cover the basics, but I want to leave this with you so you can see lots of discussion by the devs over at pfSense, lots of back-and-forth and banter about different scenarios and things like that. It goes out of scope to cover every potential thing that needs to be set in here, but you can get the idea from this forum post and maybe read further into why some things are like they are. I'm not gonna read it to you, you can just read it, but it'd make the video a lot longer if I went and dove into that. Love 'em or hate 'em, there seem to be lots of opinions. I like Cloudflare; you may not like Cloudflare. I'm choosing them as the option because they have a nice system for their new "Cloudflare for Families," they call it, and it's their 1.1.1.2 and 1.0.0.2 options. Now these are the ones that fight malware. If you also want to block content, it's 1.0.0.3 and 1.1.1.3 for primary and secondary DNS. By the way, this is for setting up pfSense in terms of all DNS, pfSense, not for individual systems. I've commented before you could always do like a DHCP reservation and have certain computers you want to block certain things on and push those settings, and as long as you don't have someone using that particular host that's clever enough to override DNS settings, well, it works, it'll filter the extra things. But not to get too far off topic.

Now what we're going to go over here is start with the manual and talk about what we've got to do. So this is right from the pfSense documentation, and Unbound is the default since version 2.2 of pfSense, the default DNS resolver, and we want to enable forwarding mode. What forwarding mode does, as we're going to go over here, forwarding mode means don't just pull from root servers, which is the default action; take the DNS servers that are set here and pull from these. So we've got 1.1.1.2 and 1.0.0.2; these are the ones that fight malware and have some extra entries to essentially sinkhole that information. Then we're gonna go over here: DNSSEC is enabled by default, and you want to leave this off. That's part of the discussion as to why you don't need the DNSSEC support here. Enable forwarding mode, use SSL/TLS for outgoing DNS server queries. Now what this is going to do is push things out over SSL/TLS, port 853, to be encrypted. Pretty simple. Other note down here: pfBlockerNG, a lot of you run it, I run it too. You want to not change this into custom options. Now when I covered DNS over TLS in 2018, in April, you had to put those custom options here; now it's really simple to do this here. You know, version changes, they've made it a little bit more streamlined, but don't mess with those custom options down here if this is what you have for pfBlockerNG. Now pfBlockerNG is still going to sink all DNS. So first, the servers from Cloudflare are going to have their own sinkholes for malware in them, and then on top of that, after that parsing is done, we also have the parsing we're going to get from the DNSBL blacklist from pfBlockerNG.

So what does that look like in action? Well, the first thing I'm going to start with is this is already enabled, obviously, so we can go over here, and we said this is pftop, which I've covered before, and like how to filter out connections with pftop. Let's look at what connections I have to Cloudflare servers, so I say "host 1.1.1.2 or host 1.0.0.2," and what this does is say look at all the connections and filter for these specific two hosts. Now we can see, and I've got my public IP address blurred out, but you can see all these connections to a combination of 1.1.1.2 and 1.0.0.2 going to 853. All the traffic has been encrypted and ported over that port, so it's kind of a verification that it's working, which of course is important; we want to make sure that works, and this is a simple way to do this. Now I know if I were to filter for port 53, there are still some things going out port 53 on my network, and the reason why is because I do not have a firewall rule that forces the use of pfSense as my DNS server. You can do this; it goes out of scope of the project, but you can force any traffic coming through any interface that tries to go out port 53 to be redirected and go out of pfSense. The good and bad: if you do that, you may find some IoT devices or some things you're testing break. Also, we frequently do queries to different servers when we're testing things, and I don't want those queries being redirected, because sometimes we have to see how DNS responds at different clients when we're doing moves or MX records. I need to see a series of different queries to see where things have been propagated, so we don't take the time to actually lock them internally for us. But if for some reason you're worried about other devices on your network, DNS call-outs, you can put rules in to block that. Maybe I'll do a separate video on that topic and talk about, you know, redirecting-type things, but how to scope for that, just something to keep up note when you're looking at connections and queries. And as I said before, I chose Cloudflare, who does support DNS over TLS; you could have also chosen someone like Quad9 or Google. You know, pick the company that you want to use; there's probably a handful out there. I have no exhaustive list of them.

The last thing I want to show is what it is like with pfBlockerNG running and how those queries look. Well, let's go real quick. So we're gonna go over here to pfBlockerNG, and it's all set up and configured; I've went through videos on this too, and these are the ones we're using, so we get the malicious and the EasyList set up. And we're gonna go here and edit this list, and then once we edit it we have this one here; I'm just grabbing one out of the middle, so malwaredomainlist.com/hostslist/hosts.txt. So we're gonna go ahead and copy that, and we're gonna go over here and just wget and drop that in, so let's grab that file. All right, cat hosts.txt there, and now let's do a quick dig on any of these. So we'll grab this one, looks like a really ugly domain; whoops, go dig, and it's sinkholed to 10.10.10.1, which is what I have the sinkholes set up to be. Now what does it look like from the web interface right here? So it says unknown, it shows my IP address and says, yep, you're trying to get to this particular server.

Now, of note, you know, I'm not going to go too deep into this, but I know more people have been asking, and I've done videos about this, where we talk about DoH, so DNS over HTTPS. Now that's a great service, and it's becoming more and more popular; it's being embedded in more browsers, Firefox most notably leading that. Now if you're using that, it bypasses the DNS settings, and it's tricky to block, because it's going over standard port 443; the DNS queries are, unless you know where those DNS queries are going, a little tricky to block. So for those of you wondering about that, I've had people who say pfBlockerNG doesn't work or they're having a DNS problem with pfSense, and we're finding some people, because DoH is popular and is on in Firefox, you're now bypassing using your local pfSense system for your DNS; therefore it will not work in that scenario. So I just want to bring it up in case you're trying to test this inside of Firefox. Yeah, if you go around pfSense's DNS, all these steps we just put in place are completely a moot point, because you're not using them for DNS.

Secondary: if you're running a Windows network, and a domain network specifically, you want to look at having Windows point to pfSense, not the Windows workstations, but maybe the main Windows server, to pull this to add the extra filtering, because ideally each host on a Windows domain network should have the Windows Server be the primary DNS if you want Active Directory not to have a bunch of headaches and problems. Yes, I know there's probably someone gonna mash the keyboard and tell me all the workarounds they did, but the default answer is: if I have a Windows domain server, Server 2019 for example, and I have Active Directory configured, each one of those local workstations should be using the DNS of that server. Now you can then further take that server and redirect it over to pfSense and then provide all the filtering to it, as opposed to letting it choose some other upstream DNS provider. Out of scope of this talk, but that question seems to come up anytime I talk about DNS, because people want to implement this in their office but their default DNS is the Windows Server, and obviously that is something that comes up, and that's how you work around that right there: if that's what the DNS server is, Windows or some other box for whatever reasons, then that box can upstream to the pfSense and still benefit from all the other features that we talked about here.

So if you have any questions, comments, concerns, leave them below or head over to the forums, and thanks, and thank you for making it to the end of the video. If you like this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to lawrencesystems.com, fill out our contact page and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion, head over to forums.lawrencesystems.com, where we can carry on the discussion about this video, other videos, or other tech topics in general; even suggestions for new videos, they're accepted right there on our forums, which are free. Also, if you'd like to help the channel in other ways, head over to our affiliate page; we have a lot of great tech offers for you. And once again, thanks for watching and see you next time.
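The pftop host filter used in the video is a manual spot check. The script below is an added example written for this page; it is not code from the video, from Lawrence Systems or from the pfSense project. It performs the same verification over a `pfctl -ss` state-table dump from the firewall: it counts TLS sessions on port 853 to the configured upstreams and flags any plaintext port 53 state heading to a non-local address, which is either a client skipping the resolver or Unbound itself still forwarding unencrypted. The upstream list (the 1.1.1.2 and 1.0.0.2 resolvers named in the video), the RFC 1918/ULA "local" heuristic and the sample state lines are assumptions or constructed data for the example, with 203.0.113.10 standing in for the WAN address. It classifies only by destination port, so a DoH session to a resolver on 443 is reported as OTHER, which matches the point in the video that DoH cannot be told apart from ordinary HTTPS this way.

```shell
#!/bin/sh
# dns-state-audit.sh: added example, not from the video or the pfSense project.
# Classifies the DNS-related entries in a pf state table dump (pfctl -ss) so the
# "are my queries really leaving over 853?" check from the video can be scripted.
#   sh dns-state-audit.sh --demo               # run against the constructed sample below
#   pfctl -ss | sh dns-state-audit.sh --live   # run against the live state table on pfSense

# Cloudflare for Families "malware blocking" resolvers chosen in the video (assumed upstreams).
UPSTREAMS="1.1.1.2 1.0.0.2"

# Constructed sample of pfctl -ss output. 203.0.113.10 stands in for the WAN address; the
# last line uses an IPv6 documentation prefix to exercise the addr[port] form pf prints for v6.
SAMPLE_STATES='all tcp 203.0.113.10:41234 -> 1.1.1.2:853       ESTABLISHED:ESTABLISHED
all tcp 203.0.113.10:41240 -> 1.0.0.2:853       ESTABLISHED:ESTABLISHED
all tcp 203.0.113.10:41300 -> 1.1.1.2:443       ESTABLISHED:ESTABLISHED
all udp 203.0.113.10:53011 (192.168.1.50:53011) -> 8.8.8.8:53       MULTIPLE:SINGLE
all udp 192.168.1.1:53 <- 192.168.1.50:60001       MULTIPLE:SINGLE
all udp 2001:db8::10[50533] -> 2001:db8:ffff::53[53]       MULTIPLE:SINGLE'

# Prefix each state line with one of: TLS_UPSTREAM (port 853 to a configured upstream),
# PLAINTEXT_EXTERNAL (port 53 to a non-local address, i.e. a client bypassing the resolver
# or the resolver not forwarding over TLS), LOCAL_DNS (port 53 to a private/local address,
# normally LAN clients talking to Unbound on pfSense), or OTHER.
classify_states() {
  printf '%s\n' "$1" | awk -v upstreams="$UPSTREAMS" '
    # pf prints IPv4 as addr:port and IPv6 as addr[port]; split both forms.
    function host(a) {
      if (a ~ /]$/) { sub(/\[[0-9]+]$/, "", a) } else { sub(/:[0-9]+$/, "", a) }
      return a
    }
    function port(a) {
      if (match(a, /\[[0-9]+]$/)) return substr(a, RSTART + 1, RLENGTH - 2)
      if (match(a, /:[0-9]+$/))   return substr(a, RSTART + 1, RLENGTH - 1)
      return ""
    }
    # RFC 1918, loopback, IPv6 ULA and link-local count as local (heuristic for this example).
    function is_local(h) {
      return h ~ /^10\./ || h ~ /^192\.168\./ || h ~ /^172\.(1[6-9]|2[0-9]|3[01])\./ ||
             h ~ /^127\./ || h ~ /^f[cd]/ || h ~ /^fe80/
    }
    BEGIN { n = split(upstreams, u, " "); for (i = 1; i <= n; i++) up[u[i]] = 1 }
    {
      # "->" marks an outbound state (destination follows it, after any "(nat)" field);
      # "<-" marks an inbound one (destination is the first address).
      dst = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "->") dst = $(i + 1)
        else if ($i == "<-") dst = $3
      }
      if (dst == "") next
      h = host(dst); p = port(dst)
      if (p == "853" && (h in up))        cls = "TLS_UPSTREAM"
      else if (p == "53" && !is_local(h)) cls = "PLAINTEXT_EXTERNAL"
      else if (p == "53")                 cls = "LOCAL_DNS"
      else                                cls = "OTHER"
      print cls, $0
    }'
}

# Number of state entries that are TLS sessions to the configured upstreams.
count_tls_dns() {
  classify_states "$1" | awk '$1 == "TLS_UPSTREAM" { n++ } END { print n + 0 }'
}

# The raw state lines for plaintext DNS leaving toward non-local resolvers.
plaintext_dns_leaks() {
  classify_states "$1" | awk '$1 == "PLAINTEXT_EXTERNAL" { sub(/^[^ ]+ /, ""); print }'
}

# Human-readable report. Exit status: 0 clean, 1 plaintext leaks seen, 2 no TLS sessions at all.
dns_audit() {
  tls=$(count_tls_dns "$1")
  leaks=$(plaintext_dns_leaks "$1")
  echo "encrypted DNS states to [$UPSTREAMS] on port 853: $tls"
  if [ -n "$leaks" ]; then
    echo "plaintext port 53 states to external resolvers (bypassing the resolver):"
    printf '%s\n' "$leaks" | sed 's/^/  /'
    return 1
  fi
  if [ "$tls" -eq 0 ]; then
    echo "no TLS states seen; is forwarding mode with SSL/TLS enabled in Unbound?"
    return 2
  fi
  return 0
}

case "${1:-}" in
  --demo) dns_audit "$SAMPLE_STATES" ;;
  --live) dns_audit "$(cat)" ;;
esac
```

Run with `--demo` to see the classification on the sample, or pipe `pfctl -ss` into it with `--live` on the firewall itself (pftop shows the same states interactively). The non-zero exit status makes it usable from cron as a recurring check; on a network with the port 53 redirect rule the video mentions, any PLAINTEXT_EXTERNAL line is a finding, while on a network without that rule it is the list of devices bypassing pfSense.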
Info
Channel: Lawrence Systems
Views: 31,301
Keywords: lawrencesystems, dns over tls, pfsense dns over tls, dns, pfsense, dns over https, doh, cloudflare, tls, security, tutorial, router, https, pfblocker, pfsense pfblockerng, pfblockerng, firewall
Id: 5mygS-TiT9c
Length: 11min 42sec (702 seconds)
Published: Wed May 20 2020