Tom here from Lawrence Systems. We're going to talk about using custom DNS settings with pfSense and making sure that you have TLS enabled with those custom DNS settings. Now the reason for doing this, the use case for doing this, is because you want your pfSense to send traffic not over port 53 but over an encrypted port, or DNS over TLS, so transports in between, such as your ISP, can't see it. So you don't want your ISP to be able to look at port 53, which is the default for DNS traffic, which passes over UDP in clear text. Now, this gives you added privacy from the ISP. They are still going to be able to see whichever IP addresses you're going to, but losing that information about what DNS queries went over there gives them a little bit less insight into your particular data streams. And maybe that's a concern. This is not a replacement, but it is somewhat of a further mitigation for the amount of data that they can get.

Obviously, if you did something like a whole-home VPN because you wanted to pay another company so you can hide your data from the ISP, which you can tell by my inflection of voice maybe I'm not the biggest fan of. There are use cases for it, but everyone seems to think they need one. And because they're easy to sell, every YouTuber seems to have an offer code. But by the way, if you do insist on it, I do have an offer code down below. I'm just not paid by them. I'm paid if you click on the link to PIA. If you want to do a whole-home VPN, I have a video on that as well, if that's what keeps you happy. But then again, you can encrypt your DNS over that as well, if that's what also makes you happy.

But before we go any further, let's get into the details. And first, if you'd like to learn more about me or my company, head over to LawrenceSystems.com. If you'd like to hire us for projects, there's a hire us button right at the top.
If you want to support this channel in other ways, there are affiliate links down below to get you deals and discounts on products and services we talk about on this channel, including a link to our Patreon if you'd like to become a Patreon supporter. We also have a swag store where you can get shirts and other items that are for sale, and that changes from time to time, what's available and what's not, so go ahead and check that out frequently. And finally, our forums: if you'd like to have a more in-depth discussion about this video, suggestions for new videos, or just reach out and say hi and talk tech, our forums are a great place for that.

All right, now back to the content. And the first thing I want to start with is "Set up DNS over TLS on pfSense 2.4.4" and the long discussion underneath that ensues. I'm just going to cover the basics, but I want to leave this with you so you can see lots of discussion by the devs over at pfSense, lots of back and forth and banter about different scenarios and things like that. It goes out of scope to cover every potential thing that needs to be set in here, but you can kind of get the idea from this forum post and maybe read further into why some things are like they are. I'm not going to read it to you; you can just read it, but it would make the video a lot longer if I went and dove into that.

Love them or hate them, there seem to be lots of opinions. I like Cloudflare. You may not like Cloudflare. I'm choosing them as the option because they have a nice system for their new "Cloudflare for Families," they call it, and it's their 1.1.1.2 and 1.0.0.2 options. Now, these are the ones that fight malware. If you also want to block content, it's 1.0.0.3 and 1.1.1.3 for primary and secondary DNS. By the way, this is for setting up pfSense in terms of all DNS in pfSense, not for individual systems. I've commented before, you could always do something like a DHCP reservation and have certain computers
you want to block certain things on, and push those settings. And as long as you don't have someone using that particular host that's clever enough to override DNS settings, well, it works. It will filter the extra things, but not to get too far off topic.

Now, what we're going to go over here is start with the manual and talk about what we've got to do. So this is right from the pfSense documentation, and Unbound is the default DNS resolver since version 2.2 of pfSense. And we want to enable forwarding mode. And what forwarding mode does is, we're going to go over here, forwarding mode means don't just pull from root servers, which is the default action. Take the DNS servers that are set here and pull from these. So we've got 1.1.1.2 and 1.0.0.2. These are the ones that fight malware and have some extra entries to essentially sinkhole that information. Then we're going to go over here. DNSSEC, enabled by default, and you want to leave this off. That's part of the discussion as to why you don't need the DNSSEC support here. Enable forwarding mode. Use SSL/TLS for outgoing DNS server queries. Now, what this is going to do is push things out over SSL/TLS port 853 to be encrypted. Pretty simple.

Other note, down here, pfBlocker. A lot of you run it. I run it too. You want to not change this in the custom options. Now, when I covered DNS over TLS in April 2018, you had to put those custom options here. Now what's really simple is to do this here; you know, version changes. They've made it a little bit more streamlined. But don't mess with those custom options down here if this is what you have for pfBlocker. Now, pfBlocker is still going to sinkhole DNS. So first, the servers from Cloudflare are going to have their own sinkholes for malware in them. And then on top of that, after that parsing is done, we also have the parsing we're going to get from the DNSBL blacklist from pfBlocker. So what does that look like in action?
Well, the first thing we want to start with is this is already enabled, obviously. So we can go over here. And we said this is pfTop. I've covered this before, and how to filter out connections with pfTop. Let's look at what connections I have to Cloudflare servers. So I say host 1.1.1.2 or host 1.0.0.2. And what this does is say, look at all the connections and filter for these two specific hosts. Now, we can see, and I've got my public IP address blurred out, but you can see all these connections to a combination of 1.1.1.2 and 1.0.0.2 going to 853. All the traffic has been encrypted and ported over that port. So it's kind of a verification that it's working, which of course is important. We want to make sure that it works, and this is a simple way to do this.

Now, I know if I were to filter for port 53, there are still some things going out port 53 on my network. And the reason why is because I do not have a firewall rule that forces the use of pfSense as my DNS server. You can do this. It goes out of scope of the project, but you can force any traffic coming through on any interface that tries to go out port 53 to be redirected and go out of pfSense. The good and bad: if you do that, you may find some IoT devices or some things you're testing break. Also, we frequently do queries to different servers when we're testing things, and I don't want those queries being redirected, because sometimes we have to see how DNS responds at different clients when we're doing moves or MX records. I need to see a series of different queries to see where things have been propagated. So we don't take the time to actually block them internally for us, but if for some reason you're worried about other devices on your network doing DNS callouts, you can put rules in to block that. Maybe I'll do a separate video on that topic and talk about redirecting-type things, but it's out of scope for this; just something to keep note of when you're looking at connections and queries.
And as I said before, I chose Cloudflare, who does support DNS over TLS. You could have also chosen someone like Quad9 or Google. Pick the company that you want to use. There's probably a handful out there; I have no exhaustive list of them.

Last thing I want to show is what it looks like with pfBlocker running and how those queries look. Well, let's go real quick. So we're going to go over here to pfBlocker, and it's all set up and configured. I went through videos on this too, and these are the ones we're using. So we get the malicious and the EasyList set up, and we're going to go here and edit this list. And then once we edit it, we have this one here. I'm just grabbing one out of the middle, so malwaredomainlist.com/hostlist/host.txt. So we're going to go ahead and copy that, and we're going to go over here and just wget and drop that in. So let's grab that file. All right, cat host. There. And now let's do a quick dig on any of these. So we'll grab this one. It looks like a really ugly domain. Whoops. We go dig. And it's sinkholed to 10.10.10.1, which is what I have the sinkhole set up to be. Now, what does it look like from the web interface right here? So it says unknown. It shows my IP address and says, yep, you're trying to get to this particular server.

Now, of note, and I'm not going to go too deep into this, but I know more people have been asking, and I've done videos about this, where we talk about DoH, so DNS over HTTPS. Now that's a great service, and it's becoming more and more popular. It's being embedded in more browsers, Firefox most notably leading that. Now, if you're using that, it bypasses the DNS of pfSense. And it's tricky to block, because it's going over standard port 443; unless you know where those DNS queries are going, it can be a little bit tricky to block.
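The two checks done by hand in the video (the pfTop view showing pfSense talking to 1.1.1.2 and 1.0.0.2 on port 853, and the dig showing a DNSBL-listed name sinkholed to 10.10.10.1) can also be reproduced from a client with a small probe. The following Python is an added example, not code from the video, from pfSense or from Unbound. It builds a standard A query, frames it the way DNS over TCP and DNS over TLS (RFC 1035 and RFC 7858) require, a two-byte length prefix over a TCP 853 TLS session, and parses the answer back out. `query_dot` and `query_tcp53` need network access; `sample_sinkhole_response` is a constructed reply so the parser can be exercised offline. The TLS hostname `security.cloudflare-dns.com` for 1.1.1.2 is an assumption to check against Cloudflare's own documentation, and `<pfsense-lan-ip>` is a placeholder.

```python
"""DNS-over-TLS probe and DNS wire-format helpers (RFC 1035 / RFC 7858).

Added example, not pfSense or Unbound code. It checks the two things the video
verifies by hand: that a resolver answers over TLS on TCP 853, and that a
DNSBL-listed name handed to pfSense on port 53 comes back as the sinkhole IP.
"""
import socket
import ssl
import struct

DOT_PORT = 853   # DNS over TLS (RFC 7858); cleartext DNS is port 53
TXID = 0x1234    # fixed transaction id for this example

# Assumption: the TLS name Cloudflare presents for its 1.1.1.2 / 1.0.0.2
# malware-filtering resolvers. Verify against the provider's documentation.
CLOUDFLARE_MALWARE = ("1.1.1.2", "security.cloudflare-dns.com")


def encode_name(name: str) -> bytes:
    """Encode 'evil.example' as DNS labels: b'\\x04evil\\x07example\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int = TXID) -> bytes:
    """Standard recursive A/IN query: header (RD=1, QDCOUNT=1) + question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def frame(msg: bytes) -> bytes:
    """TCP/TLS framing: two-byte big-endian length prefix before the message."""
    return struct.pack("!H", len(msg)) + msg


def read_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            target = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, target
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_a_records(msg: bytes, txid: int = TXID):
    """Return (rcode, [(name, ipv4)]) from the answer section of a response."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not the response we asked for")
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = read_name(msg, offset)
        offset += 4
    records = []
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata, offset = msg[offset:offset + rdlen], offset + rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            records.append((name, ".".join(str(b) for b in rdata)))
    return flags & 0x000F, records


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-message")
        buf += chunk
    return buf


def _exchange(sock, name: str):
    sock.sendall(frame(build_query(name)))
    (length,) = struct.unpack("!H", _recv_exact(sock, 2))
    return parse_a_records(_recv_exact(sock, length))


def query_dot(name: str, server_ip: str, tls_hostname: str, timeout: float = 5.0):
    """Query over TLS on 853; the default context verifies chain and hostname."""
    ctx = ssl.create_default_context()
    with socket.create_connection((server_ip, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=tls_hostname) as tls:
            return _exchange(tls, name)


def query_tcp53(name: str, server_ip: str, timeout: float = 5.0):
    """Same exchange in cleartext on TCP 53, e.g. against the pfSense LAN IP."""
    with socket.create_connection((server_ip, 53), timeout=timeout) as sock:
        return _exchange(sock, name)


def sample_sinkhole_response() -> bytes:
    """Constructed reply: evil.example -> 10.10.10.1, the video's sinkhole IP."""
    header = struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1
    question = encode_name("evil.example") + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([10, 10, 10, 1])
    return header + question + answer


if __name__ == "__main__":
    print(parse_a_records(sample_sinkhole_response()))  # (0, [('evil.example', '10.10.10.1')])
    # Live checks, network required:
    #   query_dot("example.com", *CLOUDFLARE_MALWARE)      -> answer over TLS/853
    #   query_tcp53("<listed-domain>", "<pfsense-lan-ip>")  -> expect the sinkhole IP
```

The only difference between the two live functions is the `wrap_socket` call, which is exactly what the pfSense "Use SSL/TLS for outgoing DNS queries" option adds on the firewall side: same message, same length-prefixed framing, different port and an authenticated TLS session in front of it. Querying 1.1.1.2 directly shows Cloudflare's answer, not pfBlocker's, so the sinkhole check has to go to pfSense itself on port 53.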
So, for those of you wondering about that: I've had people who say pfBlocker doesn't work, or they're not using a DNS, or having a DNS problem with pfSense. And we're finding some people, because DoH is popular and they're turning it on in Firefox, you're now bypassing using your local pfSense system for your DNS. Therefore, it will not work in that scenario. So I just want to bring it up in case you're trying to test this inside of Firefox. Yeah, if you go around pfSense as DNS, all these steps we just put in place are completely a moot point, because you're not using them for DNS.

Secondly, if you're running a Windows network, and a domain network specifically, you want to look at having Windows point at pfSense: not the Windows workstations, but maybe the main Windows server, to pull this to add the extra filtering, because ideally each host on a Windows domain network should have the Windows server be the primary DNS if you want Active Directory not to have a bunch of headaches and problems. Yes, I know there's probably someone going to mash the keyboard and tell me all the workarounds they did. But the default answer is, if I have a Windows domain server, Server 2019 for example, and I have Active Directory configured, each one of those local workstations should be using the DNS of that server. Now you can then further take that server and redirect it over to pfSense and then provide all the filtering to it, as opposed to letting it choose some other upstream DNS provider. Not in scope of this talk, but that question seems to come up any time I talk about DNS, because people want to implement this in their office, but their default DNS is the Windows server. And obviously that is something that comes up. And that's how you work around that right there: well, if that's what the DNS server is, Windows or some other box for whatever reason, then that box can upstream to pfSense and still benefit from all the other features that we talked about here.
So if you have any questions, comments, concerns, leave them below or head over to the forums, and thanks. And thank you for making it to the end of the video. If you like this video, please give it a thumbs up. If you'd like to see more content from the channel, hit the subscribe button and hit the bell icon if you'd like YouTube to notify you when new videos come out. If you'd like to hire us, head over to lawrencesystems.com, fill out our contact page, and let us know what we can help you with and what projects you'd like us to work together on. If you want to carry on the discussion, head over to forums.lawrencesystems.com, where we can carry on the discussion about this video, other videos, or other tech topics in general. Even suggestions for new videos are accepted right there on our forums, which are free. Also, if you'd like to help the channel in other ways, head over to our affiliate page. We have a lot of great tech offers for you. And once again, thanks for watching and see you next time.