
pfSense DNS Resolver with DNSSEC for Windows domains

What is DNSSEC?

DNSSEC is simply DNS-Secured that uses DNS over TLS to encrypt your DNS requests. This option prevents other parties from viewing the contents of your DNS requests.

Installation steps

Configure your pfSense DNS servers:

  1. Go to System -> General
  2. Under the "DNS Server Settings" enter a DNSSEC compatible DNS Server (e.g. 1.1.1.1 and 9.9.9.9)

Upload an SSL Certificate:

  1. Go to System -> Cert. Manager
  2. Under Certificates you can upload your own SSL cert (e.g. LetsEncrypt or a paid SSL cert)

Configure the DNS Resolver:

  1. Enable the DNS Resolver if it is not yet enabled
  2. Enable the "SSL/TLS Service"
  3. Select your "SSL/TLS" Certificate
  4. The SSL/TLS listen port may be left to default
  5. Enable "DNSSEC" support
  6. Enable the optional "Use SSL/TLS for outgoing DNS Queries to Forwarding Servers"

  7. Important: Set the custom options:

     server:
       # allow answers for the AD zone to contain private (RFC1918) addresses
       private-domain: "mydomain.local"
       # log every reply (useful while troubleshooting, verbose in production)
       log-replies: yes
     forward-zone:
       name: "."
       # forward everything over TLS (port 853) to the upstream resolvers
       forward-ssl-upstream: yes
       forward-addr: 1.1.1.1@853
       forward-addr: 9.9.9.9@853
     # pfBlockerNG DNSBL include
     server:include: /var/unbound/pfb_dnsbl.*conf

  8. If needed, set your host and domain overrides. In my setup these point to my AD/DNS servers and a few other important servers.
  9. Do not forget to save your changes
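As an added example (not from the original post), a small Python linter for the custom options block above: it parses the Unbound options and flags a forwarder that is not on the DoT port 853, a missing "forward-ssl-upstream: yes", or a missing private-domain for the AD domain. "mydomain.local" is the page's placeholder for the AD domain; the weakened variant in the usage block is constructed.

```python
"""Lint the pfSense DNS Resolver custom options for DoT forwarding and the AD private-domain."""

# Constructed copy of the custom options shown on this page.
PAGE_CONFIG = """\
server:
  private-domain: "mydomain.local"
  log-replies: yes
forward-zone:
  name: "."
  forward-ssl-upstream: yes
  forward-addr: 1.1.1.1@853
  forward-addr: 9.9.9.9@853
server:include: /var/unbound/pfb_dnsbl.*conf
"""

def parse_unbound(text):
    """Return {section: [(key, value), ...]} for a flat Unbound options block.
    Repeated 'server:' headers are merged; 'server:include: path' (the pfBlockerNG
    shorthand) is treated as an 'include' option inside the server section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and indentation
        if not line:
            continue
        head, _, rest = line.partition(":")
        if head in ("server", "forward-zone"):
            current = head
            sections.setdefault(current, [])
            line = rest.strip()
            if not line:
                continue
        if current is None:
            raise ValueError(f"option outside a section: {line}")
        key, _, value = line.partition(":")
        sections[current].append((key.strip(), value.strip().strip('"')))
    return sections

def lint(text, ad_domain):
    """Return a list of findings; an empty list means the block is sound."""
    cfg = parse_unbound(text)
    findings = []
    private = [v for k, v in cfg.get("server", []) if k == "private-domain"]
    if ad_domain not in private:
        findings.append(f"private-domain missing for {ad_domain}: private addresses in "
                        "answers for that zone would be dropped by rebinding protection")
    fz = cfg.get("forward-zone", [])
    if ("forward-ssl-upstream", "yes") not in fz:
        findings.append("forward-zone lacks 'forward-ssl-upstream: yes'; queries leave in plaintext")
    for k, v in fz:
        if k == "forward-addr" and v.partition("@")[2] != "853":
            findings.append(f"forward-addr {v} is not on the DoT port 853")
    return findings

if __name__ == "__main__":
    print("page config:", lint(PAGE_CONFIG, "mydomain.local") or "OK")
    # constructed weak variant: TLS flag removed, one forwarder on plain port 53
    weak = PAGE_CONFIG.replace("forward-ssl-upstream: yes\n", "").replace("9.9.9.9@853", "9.9.9.9")
    print("weak config:", lint(weak, "mydomain.local"))
```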

Windows AD server DNS settings:

  1. Go to DNS -> your AD server -> Properties and open the Forwarders tab
  2. Set the forwarder to the IP address or FQDN of your pfSense firewall(s).

Testing:

  • DNS: simple DNS queries will show that your clients still use your AD DNS server, while the AD DNS server forwards the requests to your pfSense firewall(s), which in turn forward them externally to the public DNS servers (e.g. 1.1.1.1 and 9.9.9.9)
  • DNSSEC: A quick and easy test is the "DNSSEC Resolver Test" from uni-due.de
