Not trying to make this a personal story. I'm looking for another way to confirm TLS is working like it should, but no luck yet. It requires Java, so I don't know if I should be too concerned. Browsing is actually a bit snappier (faster DNS servers probably). I decided to give TLS another shot.

At this point, it seems like it's working. Drop one of the VPN services (PIA or NordVPN) -or- give DNS over TLS another shot. After a bit, I wouldn't be able to connect to Amazon, my bank, etc., w/o rebooting pfSense or 'resetting' something. I've realized there is no (theoretical) way to configure two separate VPN services and keep DNS encrypted, as you would have to ensure every DNS request passes to the correct/corresponding DNS server for either VPN (not something I even want to consider attempting).

Also, I admit, I was having issues getting both VPN services working well together. I've decided to come at this DNS dilemma another way. In that manner, I might as well go back to Chrome and use all their 'services'.

Anyway. They might get together in their super-secret squirrel cabal meetings in the Louisiana swamps and aggregate all the data. So, that would mean you would have to send all DNS requests OUTSIDE your VPN tunnel, which seems. (I think I read somewhere that DNS over TLS doesn't work over OpenVPN. I'm mostly trying to find out what anyone / everyone else is doing in this situation? Has anyone got DNS over TLS to validate successfully while also integrating a VPN service with all pfSense outgoing traffic? I still haven't got DNS over TLS to validate completely with my VPN services integrated into pfSense, so this question may be moot. (I think the other side of that argument is that you are trusting several more DNS hosts than just one or two. I've seen an argument that if you set up several TLS-supporting DNS servers, your requests will be spread across several servers, so none of them will have a full map of your browsing history.
In the same manner, either the VPN service will know your requests, or the DNS servers which support TLS know your requests. When I referred to DNSSEC, I was mostly thinking of the pfSense DNS resolver settings.

From my research, whatever way you go, the DNS queries are hidden from the ISP. Okay, sorry, I was off a bit on the terminology. Some people have some luck setting the source interface in the DNS Resolver to the OpenVPN interface, but it's pretty hacky and doesn't scale well (for instance you'd have to switch it between PIA and NordVPN). The best answer, though nobody wants to hear it, is to run a caching resolver (or two) inside the network (off the firewall) so, when it makes queries to resolve an unknown record, those queries can be policy routed along with everything else. It is not possible to policy route traffic originating from the firewall itself, so if you are policy routing to the VPN provider it gets trickier. If you accept a default gateway from the VPN provider you should be able to put the resolver in resolver mode, enable DNSSEC, and configure your inside clients to use pfSense as their DNS server. DNSSEC is a signing scheme, not an encryption scheme. It is about validating that the answer you got was signed by the key published for the zone from the roots on down. I could look up or screenshot my settings if it will help. DNSSEC is not about and has nothing to do with hiding queries from anyone. Could I have set this up wrong?

Frankly I'm amazed that I actually got this working (sort of) with the technical knowledge I have (or lack, lol). When I google what's my IP I'm getting a location in the middle of nowhere when I'm using a NYC server.

Furthermore I can't get on certain local websites like my electric company unless I use Google name servers on my laptop (which bypasses the VPN). I'm running pfSense 2.4.4 and using PIA as a client in OpenVPN. It was after that I was having trouble with local sites. This may have been where the problem started.
I set this up using a combination of this YouTube video() and the info on the PIA website(). I'm relatively new to this and I will explain as best as I can.