Local DNS with pfSense 2.4 - pfSense Hangout April 2018

Slides for the April 2018 pfSense Hangout video

1. Local DNS with pfSense 2.4
   April 2018 Hangout, Jim Pingle
2. About this Hangout
   ● Project News
   ● DNS Overview
   ● When to use the firewall for DNS (and when not to)
   ● DNS Resolver vs DNS Forwarder
   ● Host Overrides
   ● Domain Overrides
   ● DNS and VPNs
   ● DNS and Multi-WAN
   ● DHCP and DNS
   ● How the firewall assigns DNS servers to clients
   ● DNS over TLS Overview
   ● DNS over TLS Upstream Forwarders
   ● Providing DNS over TLS to local clients
   ● Intercepting DNS at the Firewall
   ● Miscellaneous additional DNS Resolver/Forwarder tidbits
3. Project News
   ● April IPv6 bogons list is too large for the old default table size of 200,000
     – Can lead to filter load errors if bogon lists are in use
     – System > Advanced, Firewall & NAT: increase Firewall Maximum Table Entries to 400000
     – Or disable the bogon option on all interfaces
     – 2.4.4 will have a higher default, but setting it now will correct the issue
   ● TNSR coming to AWS soon
   ● pfSense 2.4.4 development underway, primary focus is FreeBSD 11.2 and PHP 7.2
   ● XG-7100 1U is now shipping
   ● Sales going on this month:
     – Single port Minnowboard Turbot Quad Core and all Lures: 15% discount with code MAKERS at checkout
     – XG-1541 security gateway: 10% discount with code NETGATE1541 at checkout
     – Valid through the end of May
4. DNS Overview
   ● DNS is short for Domain Name System
   ● Translates host names into IP addresses
   ● Devices must communicate using IP addresses, not names, so DNS lets humans find other devices without having to memorize IP addresses
     – For example: <hostname> to <IP address>
   ● There are other record types as well, for various tasks: A for an IPv4 address, AAAA for an IPv6 address, PTR for reverse DNS, MX for the mail exchange host of a domain, TXT for information records, CNAME for aliases, SRV to locate services, etc.
   ● Hierarchical structure: clients talk to recursive forwarders or resolvers, forwarders talk to recursive resolvers, resolvers talk to the roots and to authoritative servers
5. DNS Overview
   ● Clients query a DNS server over UDP port 53 and ask it for a record of a specific type. If the response is too large for UDP (the server marks it truncated), the client retries over TCP port 53.
     – DNS over TLS uses only TCP on port 853; that special case is covered later
   ● If the forwarder or resolver knows the host locally or has the answer in its cache, it replies with that result; otherwise it asks upstream (a forwarder asks a recursive resolver, a resolver asks the roots)
   ● A resolver asks the root servers for the source of authority for a domain, then contacts the authoritative servers listed in the response for the answer to the original query
   ● The answer is passed back down to the client
   ● Note: a forwarder must talk to upstream recursive forwarders or recursive resolvers. A resolver can operate independently, talking to the root DNS servers and other authoritative servers directly.
6. Why use the firewall for DNS?
   ● Less effort than running a dedicated full-featured DNS server, at the expense of some features
     – It is on by default, works well, and is easy to configure via the GUI
   ● The firewall is conveniently placed at the edge to handle DNS for all local clients
   ● Host and domain overrides allow customization of, and control over, the DNS responses given to clients
   ● Easy integration with the DHCP server on pfSense for resolution of client hostnames
   ● Caching DNS responses locally can speed up resolution and save time/resources on repeated or frequent queries
   ● More efficient selection of upstream DNS servers, minimizing downtime due to slow or broken DNS servers
7. Why NOT use the firewall for DNS?
   ● For complex DNS requirements, such as:
     – Multiple sites sharing the same domain name where all hostnames must be visible to all clients
     – Providing different responses to different sets of local clients (“views”)
     – Clients that must register hostnames in different domains on the same local segment
   ● When a local network contains an Active Directory domain
     – In these cases it is best to use the AD structure for DHCP and DNS, for proper registration of clients, proper service location, and client hostname resolution
     – You can use the firewall DNS Resolver/Forwarder as an upstream forwarder for the AD DNS server, but clients should not use it directly
   ● For providing authoritative answers to public clients
8. DNS Resolver (unbound)
   ● Default since pfSense 2.2.x
   ● Uses Unbound, a secure caching resolver included in FreeBSD
   ● Can operate independently without manually configured upstream DNS servers
   ● As a resolver, by default it contacts the root DNS servers and other authoritative DNS servers directly, not the defined forwarding servers
     – Better “out of the box” behavior: it is completely functional without the user configuring DNS in any way
     – May have issues if the ISP filters or rate limits access to other DNS servers
     – Multi-WAN can be tricky
   ● Can also operate in forwarding mode using upstream DNS servers
     – All servers defined under System > General Setup are available, but Unbound selects one to query and switches if it is slow or down
     – Tracks stats on the available servers and does not always query every server, so it is less predictable than the DNS Forwarder
     – unbound-control -c /var/unbound/unbound.conf lookup .
     – unbound-control -c /var/unbound/unbound.conf dump_infra
     – Status > DNS Resolver on 2.4.4
9. DNS Resolver (unbound)
   ● Can easily use Domain Name System Security Extensions (DNSSEC) for secure DNS
     – Provides authentication and integrity checking, preventing forged/spoofed responses; does not provide encryption
     – Works in resolver mode, and in forwarding mode if the forwarders support DNSSEC
   ● Supports DNS over TLS for DNS query privacy (encryption)
     – Can act as a client to upstream TLS forwarders and as a server to local TLS clients
   ● Many options for tuning, optimization, and privacy
   ● Scales better for large numbers of clients
   ● Better security / access control
10. DNS Forwarder (dnsmasq)
   ● Uses dnsmasq, a lightweight caching DNS forwarder
   ● Requires available upstream DNS servers, either manually configured under System > General Setup or obtained automatically (e.g. from DHCP or PPPoE)
   ● By default, queries all DNS servers in parallel and returns the fastest result
     – Robust, but can counteract intentional preferential ordering of servers
     – Works well for Multi-WAN
11. Host Overrides
   ● Work the same in the DNS Resolver and the DNS Forwarder
   ● Custom DNS A/AAAA records that either answer for hosts that do not exist in upstream DNS or override an upstream response with a custom local one
   ● Can be used to define local server hostnames, hosts for use with VPNs, testing/development hosts, etc.
   ● Can also be used to override responses for split DNS or mild blocking (e.g. return a bogus result for <hostname>)
   ● Can have multiple “aliases”: additional hostnames that resolve to the same address
12. Domain Overrides
   ● Define a different upstream server for queries on a specific domain
   ● All queries for hosts under the specified domain will be sent to the given server
   ● Useful for local domains (e.g. AD) or DNS across a VPN
   ● DNS Resolver overrides use forwarding zones, not stub zones
     – Stub zones only work when talking directly to an authoritative server
   ● DNS Resolver can enable DNS over TLS selectively per domain
   ● DNS Forwarder can set a source address for the queries, which helps with IPsec
     – DNS Resolver can set the outgoing network interface globally, but not on a selective basis
   ● DNS Forwarder can also make exceptions for subdomains to pass to normal DNS, or prevent a domain from being queried on other servers (local only)
   ● Define a domain multiple times with different server IP addresses for redundancy
13. VPNs and DNS on the Firewall
   ● When a VPN or private link connects multiple sites, domain overrides can allow each site to query the others
     – Each site must be using a different domain or subdomain!
   ● OpenVPN works well since it is routed
     – Queries will be sourced from the VPN tunnel network, unless a manually set outgoing address/interface is used
     – May need to account for that in DNS ACLs/firewall rules on the target DNS server
   ● When using the DNS Forwarder and IPsec, set the source address of domain overrides to a LAN IP address or another local IP/interface inside the IPsec P2
   ● When using the DNS Resolver and IPsec, set the outgoing query interface to LAN or another local interface inside the IPsec P2
     – Alternately, use the gateway+static route trick described on the pfSense wiki page “…,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN”
   ● If all DNS queries must flow through the other side, then:
     – DNS Resolver: enable forwarding mode, configure the other side’s DNS server under System > General Setup, and disable DNS from DHCP/PPPoE
     – DNS Forwarder: configure the other side’s DNS server under System > General Setup, disable DNS from DHCP/PPPoE, and configure the DNS Forwarder to bind only to LAN with strict interface binding
     – Make sure the VPN itself does not depend on DNS to connect (e.g. a remote peer given by hostname cannot be resolved until the tunnel that carries DNS is up)
14. DNS and Multi-WAN
   ● Both the DNS Resolver and the DNS Forwarder can be made compatible with Multi-WAN
   ● The DNS Resolver by default queries random root servers and other authoritative servers, but can be adjusted to work with Multi-WAN
     – Multi-WAN Option 1: enable Default Gateway Switching (System > Advanced, Miscellaneous)
     – Option 2: enable Forwarding mode, then visit System > General Setup and configure at least one unique DNS server per WAN, choosing a gateway for each one
   ● The DNS Resolver in forwarding mode may require disabling DNSSEC, depending on the upstream forwarding servers
   ● For the DNS Forwarder, same as resolver option 2: configure a DNS server per WAN with different gateways
   ● Alternately, use neither the Resolver nor the Forwarder:
     – Set clients to use public DNS servers directly, and their DNS requests will policy route like the rest of their traffic
15. DHCP and DNS
   ● Both the DNS Resolver and the DNS Forwarder support registration of DHCP hostnames for dynamic and static IPv4 leases
   ● The domain for this feature is assumed to be the domain of the firewall itself, not the domain configured in the DHCP options
   ● The dhcpleases daemon monitors the DHCP leases file and populates the hostnames into the DNS Resolver or Forwarder
   ● Clients must supply their own hostname for dynamic leases; for static leases the hostname configured on the static mapping is used
     – Clients which provide an invalid or blank hostname will not resolve
   ● Be wary of using a domain directly rather than a subdomain, to avoid a troublesome host providing a name such as “www”
   ● In HA, the hostnames are not exchanged between HA nodes; this is an ISC DHCPD limitation they need to fix upstream
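The registration step this slide describes, as an added example in Python (not code from the slides or from pfSense's dhcpleases daemon): parse an ISC dhcpd.leases file, keep only active leases whose client-supplied hostname is a valid single label, append the firewall's domain, and then show why registering under the bare domain lets a client claim a name such as "www". The lease text, the domain `lan.example.org` and the name `www.example.org` are constructed for the example; static mappings are not covered.

```python
"""Lease-file to DNS host-record registration (added example; assumptions:
ISC dhcpd.leases text format, firewall domain lan.example.org, all lease
data below constructed for the example)."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample leases: one good name, one blank, one invalid, one that
# collides with a public name, and one that is no longer active.
SAMPLE_LEASES = """\
lease 192.168.1.50 {
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "laptop-alice";
}
lease 192.168.1.51 {
  binding state active;
  hardware ethernet 00:11:22:33:44:66;
  client-hostname "";
}
lease 192.168.1.52 {
  binding state active;
  hardware ethernet 00:11:22:33:44:77;
  client-hostname "bad name!";
}
lease 192.168.1.53 {
  binding state active;
  hardware ethernet 00:11:22:33:44:88;
  client-hostname "www";
}
lease 192.168.1.54 {
  binding state free;
  hardware ethernet 00:11:22:33:44:99;
  client-hostname "old-box";
}
"""

# One RFC 1123 host label: letters, digits and hyphens, no leading or trailing
# hyphen, 1-63 characters.  Blank names, spaces and dots are rejected.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
_LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\n\}", re.S)
_HOSTNAME_RE = re.compile(r'client-hostname\s+"([^"]*)"')


def valid_hostname(name: str) -> bool:
    """True only for a single well-formed label."""
    return bool(_LABEL_RE.match(name))


def parse_leases(text: str) -> List[Tuple[str, str, bool]]:
    """Return (ip, client_hostname, active) per lease block; the hostname is
    '' when the client sent none."""
    leases = []
    for ip, body in _LEASE_RE.findall(text):
        m = _HOSTNAME_RE.search(body)
        leases.append((ip, m.group(1) if m else "", "binding state active;" in body))
    return leases


def build_host_records(text: str, domain: str) -> Dict[str, str]:
    """FQDN -> IP for active leases with valid hostnames, under `domain`
    (the firewall's domain, not the domain handed out in DHCP options)."""
    records: Dict[str, str] = {}
    for ip, hostname, active in parse_leases(text):
        if not active or not valid_hostname(hostname):
            continue  # blank/invalid names do not resolve, as the slide says
        records[f"{hostname}.{domain.strip('.')}"] = ip
    return records


def collisions(records: Dict[str, str], public_names: Set[str]) -> Set[str]:
    """Registered names that shadow a real public name.  Registering under a
    subdomain (lan.example.org instead of example.org) makes this set empty."""
    wanted = {p.lower() for p in public_names}
    return {n for n in records if n.lower() in wanted}


if __name__ == "__main__":
    for domain in ("example.org", "lan.example.org"):
        recs = build_host_records(SAMPLE_LEASES, domain)
        print(domain, recs, "collisions:", collisions(recs, {"www.example.org"}))
```

With the bare domain, the lease for the host calling itself "www" registers `www.example.org` and shadows the public web server for every LAN client; with the subdomain it becomes the harmless `www.lan.example.org`.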
16. How the firewall assigns DNS servers to clients
   ● When using pfSense as a DHCP server, clients are automatically assigned DNS servers based on several criteria, in order:
     – If DNS servers are defined in the DHCP settings, they are always used; otherwise...
     – If the DNS Resolver or the DNS Forwarder is enabled, the IP address of the firewall is given to clients; otherwise...
     – If DNS servers are defined under System > General Setup, those are given to clients; otherwise…
     – If none of the above are defined, no DNS servers are provided to DHCP clients
17. DNS over TLS Overview
   ● Allows clients and servers to communicate privately, so that the contents of queries cannot be seen or altered by third parties
     – Stops DNS MITM or sniffing by ISPs to manipulate or log behavior
   ● Complements DNSSEC; each solves a different problem (authenticity vs privacy)
   ● Utilizes TLS certificates/PKI, like HTTPS and other similar services
   ● Queries use TCP port 853
   ● Standards-based (RFC 7858, RFC 8310), not a proprietary solution like dnscrypt
   ● Supported by Unbound (DNS Resolver) and a growing number of other DNS-related software
     – Android P will support DNS over TLS natively and prefer it when available
   ● Upstream forwarding servers must support DNS over TLS
   ● Requires forwarding mode in the DNS Resolver; otherwise all roots and all authoritative DNS servers would need to support DNS over TLS
18. DNS over TLS Overview
   ● Still requires you to trust the DNS server(s): they can see your queries and, in the absence of DNSSEC, manipulate responses
   ● Even if an intermediary cannot see your DNS requests, it can still sniff other info from your traffic (e.g. the SNI name in HTTPS handshakes), so it is not a replacement for a VPN in all privacy scenarios
   ● Due to TLS session setup overhead, it can be much slower than traditional DNS
     – Even with TCP Fast Open there is still some overhead, and potentially issues with session management
     – The effect is minimized for popular queries, since they will be answered from the cache
   ● Limited number of public DNS over TLS providers
     – Primarily CloudFlare and Quad9
   ● Utilities like drill and dig do not all support TLS yet, so troubleshooting can be tricky
     – Some tools do, such as kdig from knot-dns
19. Public DNS over TLS Providers
   ● CloudFlare
     – IPv4 addresses: (not preserved in this export)
     – 2606:4700:4700::1111
     – 2606:4700:4700::1001
   ● Quad9
     – IPv4 addresses: (not preserved in this export)
     – 2620:fe::fe
   ● Roll your own
     – Set up a DNS over TLS server to use
   ● Find another provider at: (link not preserved in this export)
   ● Note the addresses to use and keep them nearby for the next steps
20. DNS over TLS Upstream Forwarders
   ● If using the DNS Forwarder, switch to the DNS Resolver instead
   ● Add the DNS servers to pfSense
     – Navigate to System > General Setup
     – Under DNS Servers, add the DNS server IP addresses noted previously
     – Pick appropriate gateways for each if using Multi-WAN; otherwise leave the gateway selection at ‘none’
21. DNS over TLS Upstream Forwarders
   ● Set the DNS Resolver to use DNS over TLS (pfSense 2.4.3)
     – Navigate to Services > DNS Resolver, click Display Custom Options
     – Enter the following:
         server:
         forward-zone:
           name: "."
           forward-ssl-upstream: yes
           forward-addr: <server ip address>@853
     – Repeat the forward-addr: line once for each upstream forwarder, for example with the IPv6 addresses from slide 19:
           forward-addr: 2606:4700:4700::1111@853
           forward-addr: 2606:4700:4700::1001@853
           forward-addr: 2620:fe::fe@853
     – The server: line is required; omitting it may break the configuration, depending on other selected options
     – Caveat: with only an address, Unbound encrypts the session but does not verify who is on the other end. Unbound releases that support it accept an authentication name after a ‘#’ (forward-addr: <server ip address>@853#<server hostname>) together with a tls-cert-bundle: setting pointing at a CA bundle, which makes an interceptor with a forged certificate fail instead of succeeding silently.
   ● Set the DNS Resolver to use DNS over TLS (pfSense 2.4.4)
     – Navigate to Services > DNS Resolver
     – Check Enable Forwarding Mode
     – Check Use SSL/TLS for outgoing DNS Queries to Forwarding Servers
22. DNS over TLS Upstream Forwarders
   ● Confirm unbound is using port 853
     – unbound-control -c /var/unbound/unbound.conf dump_infra
   ● Test by making DNS queries
     – Check the state table for entries going to port 853 on the forwarding servers
     – Take packet captures of the traffic to confirm that queries are going to port 853 and that they are encrypted
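A way to test the transport end to end when dig or drill on hand lack TLS support, as an added example in Python (not code from the slides, pfSense or Unbound): a minimal DNS over TLS client that builds a query in wire format, frames it with the two-byte length prefix DNS uses over TCP (RFC 7858 keeps that framing on port 853), wraps the socket in TLS with chain and hostname verification, and parses the A/AAAA answers. The parser also shows two checks a client should make on what comes back: the transaction id must match and a compression-pointer loop must not hang the parser. The query name `fw.lan.example.org`, the hypothetical `server_name`, and the response bytes are constructed for the example.

```python
"""Minimal DNS over TLS client (added example).  Assumptions: the server's
certificate matches `server_name`; SAMPLE_RESPONSE below is constructed."""
import socket
import ssl
import struct
from typing import List, Tuple

TYPE_A, TYPE_AAAA = 1, 28


def build_query(name: str, qtype: int = TYPE_A, txid: int = 0x1234) -> bytes:
    """Standard query, RD set, one question, class IN, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after it).
    A hop limit stops a malicious pointer loop from spinning forever."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            if not jumped:
                end, jumped = off + 2, True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_answers(msg: bytes, txid: int) -> List[Tuple[str, int, str]]:
    """(name, type, address) for A/AAAA records in the answer section.
    Rejects a mismatched transaction id, a non-response, or a non-zero RCODE."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == TYPE_A and rdlen == 4:
            answers.append((name, rtype, socket.inet_ntop(socket.AF_INET, rdata)))
        elif rtype == TYPE_AAAA and rdlen == 16:
            answers.append((name, rtype, socket.inet_ntop(socket.AF_INET6, rdata)))
    return answers


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def dot_query(server_ip: str, server_name: str, qname: str, qtype: int = TYPE_A,
              port: int = 853, timeout: float = 5.0) -> List[Tuple[str, int, str]]:
    """One query over TLS to port 853.  create_default_context() verifies the
    chain against the system trust store and checks `server_name`, so an
    interceptor with a forged certificate fails here rather than silently."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    txid = 0x4A3B
    query = build_query(qname, qtype, txid)
    with socket.create_connection((server_ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)  # RFC 7858 framing
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_answers(_recv_exact(tls, length), txid)


# Constructed response to build_query("fw.lan.example.org", TYPE_A, 0x4A3B):
# flags 0x8180 (QR, RD, RA); one A record whose owner name is a compression
# pointer (0xC00C) back to the question name at offset 12.
_Q = build_query("fw.lan.example.org", TYPE_A, 0x4A3B)
SAMPLE_RESPONSE = (_Q[:2] + b"\x81\x80" + struct.pack("!HHHH", 1, 1, 0, 0) + _Q[12:]
                   + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4)
                   + bytes([192, 168, 1, 1]))

if __name__ == "__main__":
    print(parse_answers(SAMPLE_RESPONSE, 0x4A3B))
    # Live check against a DoT server (hypothetical names):
    # print(dot_query("<firewall address>", "<firewall hostname>", "nas.lan.example.org"))
```

Pointing `dot_query` at the firewall's address with the hostname on its certificate is a quick way to confirm that the DNS over TLS service on port 853 answers and that its certificate is trusted by the client; a packet capture of the same exchange should show only the TLS handshake and ciphertext, never the query name.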
23. Providing DNS over TLS to local clients
   ● The DNS Resolver can also provide DNS over TLS service to local clients
   ● GUI controls added in pfSense 2.4.4
   ● Create a TLS certificate for use by the DNS Resolver (ACME/LE certs work well!)
     – Clients verify the certificate against the name they are configured to use, so the certificate must cover the firewall’s DNS name and clients must be pointed at that name, not a bare IP address
   ● Set up the DNS Resolver
     – Services > DNS Resolver
     – Check Enable SSL/TLS Service
     – Pick the SSL/TLS Certificate
     – The SSL/TLS Port can be left at the default 853
   ● Can be done manually in 2.4.3 but is more involved, see: (link not preserved in this export)
24. Intercepting DNS at the Firewall
   ● To prevent clients from reaching undesirable external DNS servers, capture their DNS requests at the firewall
   ● Probably not a great idea on a public access network without consent from, or notice to, the users
   ● Alternately, block access to all DNS except the firewall itself
   ● Port forward contents:
     – Interface: LAN
     – Protocol: TCP/UDP
     – Destination: Invert Match checked, LAN Address or This Firewall (self)
     – Destination Port Range: 53 (DNS)
     – Redirect Target IP: <address on which the DNS Resolver or Forwarder listens>
     – Redirect Target Port: 53 (DNS)
   ● Any client request for a different DNS server is instead redirected to the DNS Resolver or Forwarder
   ● Caveat: this catches only port 53. A client configured for DNS over TLS talks to TCP port 853 and is not redirected, so also block outbound TCP 853 from clients (or allow only the firewall as a DNS destination) if every query must go through the firewall
25. Misc – Query Name Minimization
   ● The DNS Resolver supports query name minimization (RFC 7816) to further enhance privacy
     – Sends as little of the name as possible with each query, so intermediate DNS servers (roots, TLDs) do not learn the full target
     – On 2.4.4: under the Advanced Settings tab, check “Query Name Minimization”
     – On 2.4.3 and before: add the following to the custom options:
         server:
         qname-minimisation: yes
     – There is also a strict mode, but it is not recommended in most cases, as some domains will fail to resolve
26. Misc – DNS Rebinding
   ● Both the DNS Resolver and the DNS Forwarder provide DNS Rebinding Protection
     – Prevents an upstream DNS server from answering with a private IP address, to protect against attacks that silently redirect a client to a device on its own local network
     – Private responses from upstream servers are sometimes legitimate (e.g. split DNS for a domain you control), so exceptions are needed in certain cases
     – Can be disabled selectively (per domain) or globally
     – DNS Resolver, in custom options:
         server:
         private-domain: "<domain>"
     – DNS Forwarder, in custom options:
         rebind-domain-ok=/<domain>/
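The policy that rebinding protection enforces, applied to a list of answers, as an added example in Python (not code from the slides, Unbound or dnsmasq): an upstream answer that maps a name to a private, loopback or link-local address is dropped unless the name falls under an explicitly excepted domain, which is what the Resolver's private-domain and the Forwarder's rebind-domain-ok do. The address list is an assumption modelled on common private-address defaults (it is not copied from pfSense's generated config), the answers are assumed to be already parsed into (name, address) pairs, and the sample answers and the domain `lan.example.org` are constructed.

```python
"""Rebinding filter (added example).  Assumptions: PRIVATE_NETS is a
modelled list, not pfSense's; answers are (name, address) pairs; samples
below are constructed."""
import ipaddress
from typing import Iterable, List, Tuple

Answer = Tuple[str, str]

# Address space an attacker-controlled public name should never resolve to.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",      # RFC 1918
    "169.254.0.0/16", "127.0.0.0/8", "0.0.0.0/8",         # link-local, loopback, "this" net
    "fd00::/8", "fe80::/10", "::1/128", "::ffff:0:0/96",  # ULA, v6 link-local, loopback, v4-mapped
)]


def is_rebind_target(addr: str) -> bool:
    """True if the address is one a rebinding attack would aim at."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)  # version mismatch is simply False


def under_domain(name: str, domain: str) -> bool:
    """Exception domains cover the name itself and every subdomain, but
    not look-alikes such as xlan.example.org for lan.example.org."""
    name, domain = name.rstrip(".").lower(), domain.rstrip(".").lower()
    return name == domain or name.endswith("." + domain)


def filter_rebind(answers: Iterable[Answer], allowed_domains: Iterable[str]):
    """Split answers into (kept, dropped) under rebinding protection."""
    allowed = list(allowed_domains)
    kept: List[Answer] = []
    dropped: List[Answer] = []
    for name, addr in answers:
        private = is_rebind_target(addr)
        excepted = any(under_domain(name, d) for d in allowed)
        (dropped if private and not excepted else kept).append((name, addr))
    return kept, dropped


# Constructed answers: a normal public record, an attacker's name pointing at
# the LAN router, a legitimate split-DNS record under the local domain, a
# loopback answer, and the IPv4-mapped IPv6 form of a private address.
SAMPLE_ANSWERS: List[Answer] = [
    ("www.example.com", "203.0.113.10"),
    ("evil.attacker.test", "192.168.1.1"),
    ("nas.lan.example.org", "192.168.1.20"),
    ("lb.example.com", "127.0.0.1"),
    ("x.attacker.test", "::ffff:10.0.0.5"),
]

if __name__ == "__main__":
    kept, dropped = filter_rebind(SAMPLE_ANSWERS, ["lan.example.org"])
    print("kept:", kept)
    print("dropped:", dropped)
```

The IPv4-mapped IPv6 case is the one most often missed when a filter only lists RFC 1918 space: `::ffff:10.0.0.5` is a private host as far as the client's socket layer is concerned, so it has to be in the blocked list as well.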
27. Misc – Controlling Unbound
   ● Use unbound-control -c /var/unbound/unbound.conf <command> to make manual adjustments to Unbound while it is running
     – View the infrastructure cache (which DNS servers Unbound is talking to): dump_infra
     – Show the cache contents: dump_cache
     – Flush a zone from the cache: flush_zone <name>
         ● Flush everything: flush_zone .
     – View stats and performance data: stats_noreset
28. Conclusion
   ● Questions?
   ● Ideas for hangout topics? Post on the forum, comment on the blog posts, Reddit, etc.