pfSense DNS Resolver with DNSSEC for Windows domains
What is DNSSEC?
DNSSEC (DNS Security Extensions) adds digital signatures to DNS records so that a validating resolver can check that an answer really came from the zone owner and was not modified on the way. It does not encrypt anything: a third party on the path can still read your DNS queries. Hiding the queries is the job of DNS over TLS (DoT), which this guide also enables on the pfSense resolver, both for its own listener and for the queries it forwards upstream. The two mechanisms complement each other: DNSSEC gives you authentic answers, DoT gives you a private transport.
Configure your pfSense DNS servers:
- Go to System -> General Setup
- Under "DNS Server Settings" enter upstream DNS servers that are DNSSEC-aware, i.e. that return RRSIG records when asked (e.g. 220.127.116.11 and 18.104.22.168). If you later turn on TLS for the forwarded queries, also fill in the Hostname field next to each server, otherwise Unbound cannot verify the upstream server's certificate.
Upload an SSL certificate:
- Go to System -> Cert. Manager
- Under Certificates you can upload your own certificate (e.g. a Let's Encrypt or a paid certificate). The DNS Resolver presents this certificate to internal clients on its DNS over TLS listener, so the certificate's name must match the name your clients use to reach the firewall.
Configure the DNS Resolver:
- Go to Services -> DNS Resolver and enable the DNS Resolver if it is not yet enabled
- Enable the "SSL/TLS Service"
- Select your "SSL/TLS Certificate"
- The "SSL/TLS Listen Port" may be left at its default (853). Only clients that speak DNS over TLS use this port; the Windows DNS Server forwarder below talks plain DNS on port 53.
- Enable "DNSSEC Support". Unbound then validates every answer it hands out and returns SERVFAIL for names whose signatures do not check out.
- Enable "Forwarding Mode" and the optional "Use SSL/TLS for outgoing DNS Queries to Forwarding Servers". This option only has an effect in forwarding mode; without forwarding mode Unbound resolves recursively from the root servers itself and validates with the built-in root trust anchor.
- Important: Set the custom options:
- If needed set your host and domain overrides. In my setup these point to my AD/DNS servers and some other important servers. Keep in mind that Unbound also validates answers it gets through a domain override: an internal, unsigned AD zone that sits below a signed public domain will fail validation unless you mark it as insecure (Unbound's domain-insecure option) in the custom options.
- Do not forget to save your changes
Windows AD server DNS settings:
- Open the DNS console, go to your AD server -> Properties and open the Forwarders tab
- Add the IP address(es) of your pfSense firewall(s) as forwarders. Consider disabling "Use root hints if no forwarders are available", otherwise the AD server silently resolves on its own, bypassing pfSense, whenever the forwarder does not answer.
Test your setup:
- DNS: simple DNS queries from a client will show that the client still uses your AD DNS server, while the AD DNS server forwards the request to your pfSense firewall(s), which in turn forwards it to the public DNS servers (e.g. 22.214.171.124 and 126.96.36.199)
- DNSSEC: a quick and easy test is the "DNSSEC Resolver Test" from uni-due.de. Run it from a client that uses the AD DNS server so the whole chain is exercised.
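The forwarder change and the two checks above as an added PowerShell example; this is not code from the original page. It uses the DnsServer module (RSAT or the DC itself) to set the forwarder and then queries through the AD server: a signed name must come back with RRSIG records when the DO bit is set, and a zone with deliberately broken signatures must return SERVFAIL, but still resolve once the Checking Disabled bit is set. The pfSense address, the DC name and the signed test name are placeholders to adjust; dnssec-failed.org is a public test zone with intentionally broken signatures and is assumed to still be online.

```powershell
# Added example (not part of the original page): point the AD DNS server at
# pfSense and verify that DNSSEC validation happens on the path
# client -> AD DNS -> pfSense -> upstream.
#
# Assumptions / placeholders:
$PfSense    = @('192.168.1.1')          # LAN address(es) of the pfSense box(es)
$AdDns      = 'dc01.corp.example.com'   # the AD DNS server to configure and query
$SignedName = 'isc.org'                 # any publicly DNSSEC-signed name
$BrokenName = 'dnssec-failed.org'       # public test zone with broken signatures

# 1. Forward everything to pfSense only. UseRootHint $false stops the server
#    from quietly resolving via root hints (bypassing pfSense) when the
#    forwarder is unreachable.
Set-DnsServerForwarder -ComputerName $AdDns -IPAddress $PfSense -UseRootHint $false -Timeout 3
Get-DnsServerForwarder -ComputerName $AdDns | Format-List IPAddress, UseRootHint, Timeout
Clear-DnsServerCache -ComputerName $AdDns -Force   # do not test against stale answers

# 2. With the DO bit set, the answer must contain RRSIG records next to the
#    A record. That proves pfSense asks for DNSSEC data and that the AD
#    server passes it through unchanged.
$answer = Resolve-DnsName -Name $SignedName -Type A -Server $AdDns -DnssecOk -DnsOnly
$rrsig  = $answer | Where-Object { $_.Type -eq 'RRSIG' }
if ($rrsig) { "OK: RRSIG records returned for $SignedName via $AdDns" }
else        { "WARN: no RRSIG for $SignedName; check 'DNSSEC Support' on pfSense" }

# 3. A zone with broken signatures must fail (SERVFAIL) while validation is on.
#    Resolve-DnsName throws on SERVFAIL, so success here is the failure case.
try {
    Resolve-DnsName -Name $BrokenName -Type A -Server $AdDns -DnsOnly -ErrorAction Stop | Out-Null
    "FAIL: $BrokenName resolved; pfSense is not validating or the AD server bypassed it"
} catch {
    "OK: $BrokenName failed as expected ($($_.Exception.Message))"
}

# 4. The same name must resolve with the Checking Disabled (CD) bit set, which
#    asks the validator for the unvalidated data. If this query also fails,
#    the earlier SERVFAIL tells you nothing: the zone is unreachable or the
#    AD server is not forwarding the CD bit.
try {
    Resolve-DnsName -Name $BrokenName -Type A -Server $AdDns -DnssecCd -DnsOnly -ErrorAction Stop | Out-Null
    "OK: $BrokenName resolves with CD set, so the SERVFAIL above came from validation"
} catch {
    "WARN: $BrokenName also fails with CD set; the zone may be down or CD is not forwarded"
}
```

Run it from the DC or from a workstation with the RSAT DNS Server tools installed, and make sure the DNS Resolver's access list on pfSense allows queries from the AD server's subnet, otherwise every check fails for the wrong reason.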