pfSense DNS Resolver with DNSSEC for Windows domains

pfSense DNS Resolver with DNSSEC for Windows domains

What is DNSSEC?

DNSSEC is simply DNS-Secured that uses DNS over TLS to encrypt your DNS requests. This option will prevent that other parties will able to view the contents of your DNS requests.

Update: Since 2022 I’ve switched over to Opnsense

How To

Configure your pfSense DNS servers:

  1. Go to System -> GeneralUnder the “DNS Server Settings”
  2. Enter a DNSSEC compatible DNS Server (e.g. and

Upload an SSL Certifcate

  1. Go to System -> Cert. Manager
  2. Under Certificates you can upload your own SSL cert (e.g. LetsEncrypt or a paid SSL cert)
  3. You can also use the ACME package for pfSense to create, manage and auto renew L3 certs!

Configure the DNS resolver

  1. Enable the DNS Resolver if its not yet enabled
  2. Enable the “SSL/TLS Service”
  3. Select your “SSL/TLS” certificate
  4. The SSL/TLS listen port may be left to default
  5. Enable “DNSSEC” support
  6. Enable the optional “Use SSL/TLS for outgoing DNS Queries to Forwarding Servers”
  7. Important: Set the custom options
    private-domain: "mydomain.local"
    log-replies: yes
    name: "."
    forward-ssl-upstream: yes
    server:include: /var/unbound/pfb_dnsbl.*conf
  8. If needed set your host and domain overrides. e.g. for my setup these are set to my AD/ DNS servers and some other important servers
  9. Do not forget to save your changes

Windows AD server DNS settings

  1. Go to DNS -> your AD server-> Properties and go to the forwarders tab
  2. Set your forwarder to your pfSense firewall(s) IP or FQDN address

Testing your DNSSEC

  • DNS: simple DNS queries will show that you are still using your AD DNS server for your clients, while your AD DNS server forwards the DNS requests to your pfSense firewall(s) and again externally to the public DNS servers (e.g. and
  • DNSSEC: A quick and easy test is the “DNSSEC Resolver Test” from


No comments yet. Why don’t you start the discussion?

Leave a Reply

Your email address will not be published. Required fields are marked *