Re: [pfSense] DNS over TLS config for pfSense 2.2.6
On 2018-04-06 00:09, Bryan D. wrote:
> On 2018-Apr-05, at 10:47 PM, Dave Warren wrote:
>> Cloudflare has pushed an update, and things seem to be working from here. For those having issues, try again now?
>
> Thanks for the "heads up." Works for me, also (i.e., on pfSense 2.2.6 configured as stated in previous posting).

How's the speed? I'm seeing moderately slower results for queries that go out to 1.1.1.1, whereas queries from the cache or stub zones (to servers hosted out on the 'net) are very fast. If I switch TLS off and go back to @53 it's faster, but ultimately not as fast as just running recursion myself.

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] DNS over TLS config for pfSense 2.2.6
On 2018-Apr-05, at 10:47 PM, Dave Warren wrote:
> Cloudflare has pushed an update, and things seem to be working from here. For those having issues, try again now?

Thanks for the "heads up." Works for me, also (i.e., on pfSense 2.2.6 configured as stated in previous posting).
Re: [pfSense] DNS over TLS config for pfSense 2.2.6
On 2018-04-05 01:25, Bryan D. wrote:
> On 2018-Apr-04, at 10:05 PM, Dave Warren wrote:
>> I can also confirm that 9.9.9.9@853 does work here, which reinforces that this is a Cloudflare-specific issue.
>
> So it looks like the following config works on pfSense 2.2.6's unbound/DNS Resolver (so should work with 1.1.1.1 when Cloudflare gets things fixed):
>
>     server:
>       ssl-upstream: yes
>       ssl-port: 853
>     forward-zone:
>       name: "."
>       forward-addr: 9.9.9.9@853

Cloudflare has pushed an update, and things seem to be working from here. For those having issues, try again now?
Re: [pfSense] DNS over TLS config for pfSense 2.2.6
On 2018-Apr-04, at 10:05 PM, Dave Warren wrote:
> I can also confirm that 9.9.9.9@853 does work here, which reinforces that this is a Cloudflare-specific issue.

So it looks like the following config works on pfSense 2.2.6's unbound/DNS Resolver (so should work with 1.1.1.1 when Cloudflare gets things fixed):

    server:
      ssl-upstream: yes
      ssl-port: 853
    forward-zone:
      name: "."
      forward-addr: 9.9.9.9@853

Thanks!
Re: [pfSense] DNS over TLS config for pfSense 2.2.6
I'm running 2.4.3-RELEASE (amd64). I can't get it working here either. After a couple of hours of poking at it on and off, it now looks like this is actually a Cloudflare issue:

https://community.cloudflare.com/t/1-1-1-1-was-working-but-not-anymore/15136/4

"Thanks for the report! This is going to be fixed in the next upgrade that's being rolled out. There was an interop issue in the last upgrade with Unbound as it sends the frame size and the actual DNS message in two separate packets instead of both at once."

So it looks like the immediate solution is to revert to port 53 and wait for Cloudflare.

I can also confirm that 9.9.9.9@853 does work here, which reinforces that this is a Cloudflare-specific issue.

On 2018-04-04 19:23, James wrote:
> Sorry, mine was indeed on 2.4.X. The daemon appeared to start up but any queries returned no records.
>
> On Thu, 5 Apr 2018, at 11:20 AM, Steve Yates wrote:
>> Wild guess, but did you try it in 2.4.x?
>>
>> --
>> Steve Yates
>> ITS, Inc.
>>
>> -Original Message-
>> From: List <list-boun...@lists.pfsense.org> On Behalf Of Bryan D.
>> Sent: Wednesday, April 4, 2018 8:01 PM
>> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
>> Subject: [pfSense] DNS over TLS config for pfSense 2.2.6
>>
>> Re: https://www.netgate.com/blog/dns-over-tls-with-pfsense.html
>> ---
>> Applying the suggested "Custom Options" to the Unbound/DNS Resolver configuration in pfSense 2.2.6 does not work, with logs indicating that "forward-ssl-upstream" is invalid.
>>
>> I tried various incantations using "server:ssl-upstream: yes" with and without "ssl-port: 853" and, although the unbound service would then run, a DNS/host query always indicated that no hosts were found.
>>
>> Does anyone know a configuration that will work with pfSense 2.2.6?
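The two technical points in this thread, the `ssl-upstream`/`forward-addr: 9.9.9.9@853` forwarder setup and the Cloudflare interop bug (unbound writing the 2-byte frame length and the DNS message as separate TCP segments), come down to RFC 7858 framing over a TLS stream. The following is an added example written for this page; it is not code from the thread, from pfSense or from unbound. It uses only the Python standard library. It assumes that `dns.quad9.net` is the certificate name for 9.9.9.9 and embeds a constructed sample reply for `example.com` so the framing and parsing parts run offline. One caveat it also demonstrates: `ssl-upstream: yes` by itself only encrypts the forwarder connection and does not verify who is on the other end, whereas the client below checks the upstream's certificate chain and hostname.

```python
# Added example for this thread (not pfSense/unbound code): RFC 7858 framing, a split-read tolerant reader, bounded DNS parser.
import socket
import ssl
import struct


def build_query(qname, qtype=1, txid=0x1234):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = [lab.encode("ascii") for lab in qname.rstrip(".").split(".")]
    question = b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"
    return header + question + struct.pack("!HH", qtype, 1)


def frame(msg):
    return struct.pack("!H", len(msg)) + msg  # 16-bit big-endian length, then the message


def split_frames(buf):
    """Pull complete frames off a stream buffer; return (messages, leftover).
    The length and the body may arrive in separate reads (what unbound sends
    and what Cloudflare briefly mishandled), or several frames in one read."""
    msgs = []
    while len(buf) >= 2:
        n = struct.unpack("!H", buf[:2])[0]
        if len(buf) < 2 + n:
            break  # wait for the rest of this frame
        msgs.append(buf[2:2 + n])
        buf = buf[2 + n:]
    return msgs, buf


def _read_name(msg, off, max_hops=16):
    """Decode a possibly compressed name; cap pointer hops so a hostile reply
    cannot loop the parser forever."""
    labels, end, hops = [], None, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer
            hops += 1
            if hops > max_hops:
                raise ValueError("too many compression pointers")
            if end is None:
                end = off + 2  # resume after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        if ln == 0:
            return ".".join(labels), (off + 1 if end is None else end)
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln


def parse_response(msg):
    """Return id, rcode and the answer section as (name, type, value) tuples."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4  # qtype + qclass
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, "A", socket.inet_ntoa(rdata)))
        else:
            answers.append((name, str(rtype), rdata.hex()))
    return {"id": txid, "rcode": flags & 0xF, "answers": answers}


def query_dot(qname, host="9.9.9.9", port=853, server_hostname="dns.quad9.net",
              split_send=False):
    """Live DoT query verifying the upstream chain and hostname (dns.quad9.net assumed for
    9.9.9.9), unlike 'ssl-upstream: yes' alone; split_send writes length and body separately."""
    q = build_query(qname)
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=5) as raw, \
            ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
        if split_send:
            tls.sendall(struct.pack("!H", len(q)))
            tls.sendall(q)
        else:
            tls.sendall(frame(q))
        buf = b""
        while True:
            chunk = tls.recv(4096)
            if not chunk:
                raise ConnectionError("upstream closed before answering")
            msgs, buf = split_frames(buf + chunk)
            if msgs:
                return parse_response(msgs[0])


# Constructed sample reply to build_query("example.com"); the owner name is a pointer (0xC00C) to the question.
SAMPLE_RESPONSE = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
                   b"\x07example\x03com\x00\x00\x01\x00\x01\xc0\x0c"
                   + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34]))
```

Feeding `frame(SAMPLE_RESPONSE)` to `split_frames` two bytes at a time returns nothing until the whole frame is present, which is the behaviour a resolver on either end has to get right. To reproduce the pattern from the Cloudflare report against a live upstream, call `query_dot("example.com", host="1.1.1.1", server_hostname="cloudflare-dns.com", split_send=True)` (the hostname for 1.1.1.1 is assumed); a server that only handles the single-write case will hang or drop the connection rather than answer.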
Re: [pfSense] DNS over TLS config for pfSense 2.2.6
Sorry, mine was indeed on 2.4.X. The daemon appeared to start up but any queries returned no records.

On Thu, 5 Apr 2018, at 11:20 AM, Steve Yates wrote:
> Wild guess, but did you try it in 2.4.x?
>
> --
> Steve Yates
> ITS, Inc.
>
> -Original Message-
> From: List <list-boun...@lists.pfsense.org> On Behalf Of Bryan D.
> Sent: Wednesday, April 4, 2018 8:01 PM
> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
> Subject: [pfSense] DNS over TLS config for pfSense 2.2.6
>
> Re: https://www.netgate.com/blog/dns-over-tls-with-pfsense.html
> ---
> Applying the suggested "Custom Options" to the Unbound/DNS Resolver configuration in pfSense 2.2.6 does not work, with logs indicating that "forward-ssl-upstream" is invalid.
>
> I tried various incantations using "server:ssl-upstream: yes" with and without "ssl-port: 853" and, although the unbound service would then run, a DNS/host query always indicated that no hosts were found.
>
> Does anyone know a configuration that will work with pfSense 2.2.6?
Re: [pfSense] DNS over TLS config for pfSense 2.2.6
Wild guess, but did you try it in 2.4.x?

--
Steve Yates
ITS, Inc.

-Original Message-
From: List <list-boun...@lists.pfsense.org> On Behalf Of Bryan D.
Sent: Wednesday, April 4, 2018 8:01 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] DNS over TLS config for pfSense 2.2.6

Re: https://www.netgate.com/blog/dns-over-tls-with-pfsense.html
---
Applying the suggested "Custom Options" to the Unbound/DNS Resolver configuration in pfSense 2.2.6 does not work, with logs indicating that "forward-ssl-upstream" is invalid.

I tried various incantations using "server:ssl-upstream: yes" with and without "ssl-port: 853" and, although the unbound service would then run, a DNS/host query always indicated that no hosts were found.

Does anyone know a configuration that will work with pfSense 2.2.6?
Re: [pfSense] DNS over TLS config for pfSense 2.2.6
Yeah, I ran into this as well. It just caused me to not be able to resolve anything :(

On Thu, 5 Apr 2018, at 11:01 AM, Bryan D. wrote:
> Re: https://www.netgate.com/blog/dns-over-tls-with-pfsense.html
> ---
> Applying the suggested "Custom Options" to the Unbound/DNS Resolver configuration in pfSense 2.2.6 does not work, with logs indicating that "forward-ssl-upstream" is invalid.
>
> I tried various incantations using "server:ssl-upstream: yes" with and without "ssl-port: 853" and, although the unbound service would then run, a DNS/host query always indicated that no hosts were found.
>
> Does anyone know a configuration that will work with pfSense 2.2.6?