Something I haven't set up before, but I thought it was really clever, and Netgate had a blog post about it, so I figured I'd talk about it. Netgate being the pfSense people, in case you didn't know. It's DNS over TLS with pfSense, and this is pretty cool. It shows you, really in basic terms, how to set it up, and Cloudflare is excited right now because they're 1.1.1.1. I still use the Quad9, four 9s, service, but it doesn't really matter, as long as that service supports this feature.

So let's talk a little bit about what DNS over TLS is. Here is the DNS Privacy Project; I can leave a link to this here. They talk about it in general, and I've mentioned this many times and I'm gonna say it again: the internet was not, by design, made privacy first. The internet was designed to pass traffic along and discover things, but not necessarily to hide all of your information. DNS, being the domain name lookup service, means whenever you need to go to a website a lookup is required, and having a fast lookup means faster speed. That is true, but from a privacy standpoint, if they want to know what website you're going to, DNS is the method by which they're gonna find that out. So DNS is kind of the best spying method; as things move toward security, it is the best way these companies can grab your data. Now some of them, like Cloudflare, call it privacy first, but as anyone knows, if they can see the queries they could potentially do something with that knowledge. What you may not want is people in between seeing all the things in the queries, and we're gonna add something else to this: you may not want any of those queries being tampered with. When you encapsulate DNS over TLS, or Transport Layer Security, you now lock it in and they can't see inside of it. So Comcast, being my ISP, with DNS over TLS they are only able to see that there's an encrypted piece of traffic going across the network, but not the contents of that traffic.
So that being said, maybe it's something you want to enable. All it really does, by the way, for those of you wondering, is push the level of trust, for example, to Quad9 not to collect my data, or if you're using Cloudflare, to Cloudflare not to collect your data, or whoever your DNS provider is. So that being said, I'll leave a link here if you want to read about DNS privacy; here is the link for DNS over TLS.

Now let's talk about how it works. It's pretty straightforward; this is the same as theirs. The only thing that's different between my configuration and the one they showed on the Netgate post is that for ours we have the "server:" line and an extra include here. In case you're wondering, do I put "server:" twice? No. You have this if you're running pfBlockerNG, which I am, and when you look at the way they have it set up, let me scroll down here and zoom in, they have it as "server:" and then the upstream settings. I already had the word "server:" in there because I have this include file. If you're not familiar with how Linux or FreeBSD works: when you have configuration files, you can include other files in that configuration, so you're kind of merging those files together, saying "hey, pull in this config file," and then after that these are the extra options you need to put in to get it to work. You're adding features that these checkboxes don't. When you go through all these checkboxes to set up your network, all it's really doing is writing the config file and adding those things. Something I love about the way pfSense is designed: pretty much every function inside pfSense also has a custom options box at the bottom, so if you know extra parameters that they didn't create something in the web interface for, you can simply add them here. This is way better than having to edit the file, because that doesn't work right: if you edit the file and then change a setting in here, it'll overwrite it.

So these custom options that you find at the bottom of almost all the services are for adding extra parameters they maybe have not yet created a button for, or may not create a button for, due to, you know, not as many people wanting them. So that being said, you just add these couple of extra lines: ssl-upstream: yes, do-tcp: yes, forward-zone, and name: you leave that as just the dot right here, and you can just copy and paste this from their website. It's pretty straightforward. The only thing I also changed here: their forward address is 1.1.1.1, which is Cloudflare, and the backup address is 1.0.0.1. I'm just using Quad9, singular, there, but if you wanted to use more you can. If you're wondering what other places support it, I believe we go here; they have a list of all the places that support it and what port they have DNS over TLS on. So it's not just Quad9 that does it. Quad9, as they call it, has secure versus insecure; they have 9.9.9.9, and 9.9.9.10 is their other backup server if you wanted to put two of them in. Because they're using the anycast / point-of-presence system, I haven't had any problems and it hasn't gone down for me, but if you're worried about that you can put more than one DNS server in. So all you do is put that in, and the forward address is 9.9.9.9@853 because that's the port they use for secure DNS. You just hit save; I already hit save, so it doesn't do anything. But then you're like, does it work? Well, sure, easy enough to tell. I went over here, you go over to your States page and filter, and you can see that the connections are TCP now instead of UDP, which is normal for DNS. So there, I'm sorry, I've got to blur out my public IP address, but you can see it's going to 9.9.9.9 on 853.
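Here is the custom options block as I would write it for the setup just described, with the pfBlockerNG include already present. This is an added example, not the video's or Netgate's text; the include path is what pfBlockerNG typically writes, and the CA-bundle path is an assumption for pfSense/FreeBSD.

```conf
# Lines pfBlockerNG already put here (include path assumed; keep what yours shows)
server:
include: /var/unbound/pfb_dnsbl.*conf
# Add these under the existing "server:" line rather than repeating it
ssl-upstream: yes
do-tcp: yes
# Optional hardening (CA-bundle path assumed for FreeBSD/pfSense): with a cert
# bundle and a "#hostname" suffix on forward-addr, Unbound verifies the upstream
# certificate, so the session is authenticated, not just encrypted
# tls-cert-bundle: /etc/ssl/cert.pem
forward-zone:
    name: "."
    forward-addr: 9.9.9.9@853
    # forward-addr: 9.9.9.9@853#dns.quad9.net   (form to use with tls-cert-bundle)
```

Without the certificate check, a box between you and port 853 could terminate the TLS session itself; the States page would still show TCP to 853, so that check alone does not prove you reached the resolver you intended.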
So that is the secure DNS port, so you can see that's where the packets are going now. One more thing I have checked here, just so you know, if you're not familiar with DNSSEC: DNSSEC is a verification method some websites and DNS servers support in order to secure the DNS and make sure that the packets were not tampered with. This goes beyond just knowing that Quad9 didn't mess with them; it's making sure that somewhere upstream, the information they have wasn't tampered with versus what the website has. Now, not every website supports this. It's an extra layer of tamper checking to make sure the DNS is correct, because even though it came over securely, if they got bad information at whoever your DNS provider is, that bad information then gets passed on to you. So this is an extra layer of security to make sure nobody messed with it, and it's easily supported here in pfSense by enabling DNSSEC. If you're curious whether your DNS provider supports it, I'll leave a link to this site; they have a DNSSEC resolver test, and I love the little guy's face. Let me show you what he does: we hit start, and it takes a second to run. All right, thumbs up, I get DNSSEC enabled, it does work. Now you're like, well, does it just say it works? Let's go ahead and do this: disable the support, hit save, apply, we're gonna reset it and turn off DNSSEC support. All right, the changes have been successfully applied and we'll start the test again. Well, it's cached, one second. All right, so it turns out you also have to take out the other DNSSEC things I added at the bottom, in order for it to actually enable DNSSEC once you do DNS over TLS; I didn't realize that. So yep, once you go to this resolver test now, we can see that I'm not, when all I did was take out the extra settings that were included in here, and that fixed it.
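To see what the States-page check and the DNSSEC resolver test are really looking at on the wire, here is an added example (my code, not pfSense's or Unbound's): a minimal DNS-over-TLS client in Python. It assumes Quad9's endpoint 9.9.9.9 with certificate name dns.quad9.net, and includes a constructed sample reply so the parser can be exercised offline.

```python
# Added example (not pfSense or Unbound code): a minimal DNS-over-TLS client.
import socket
import ssl
import struct

def build_query(name, txid=0x1234):
    # Flags 0x0120 = RD (recursion desired) + AD (ask for DNSSEC validation status)
    header = struct.pack("!HHHHHH", txid, 0x0120, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN

def skip_name(buf, off):
    while True:
        ln = buf[off]
        if ln & 0xC0 == 0xC0:      # compression pointer: 2 bytes, name ends
            return off + 2
        if ln == 0:                # root label ends the name
            return off + 1
        off += ln + 1

def parse_response(buf):
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(buf, off) + 4          # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(buf, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:          # A record
            addrs.append(".".join(str(b) for b in buf[off:off + 4]))
        off += rdlen
    # AD (bit 5): resolver says it validated DNSSEC; only trust it over TLS
    return {"id": txid, "ad": bool(flags & 0x0020), "addrs": addrs}

def query_dot(name, server="9.9.9.9", hostname="dns.quad9.net", port=853):
    ctx = ssl.create_default_context()         # verifies chain and hostname
    with socket.create_connection((server, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            q = build_query(name)
            tls.sendall(struct.pack("!H", len(q)) + q)   # 2-byte length framing
            stream = tls.makefile("rb")
            (length,) = struct.unpack("!H", stream.read(2))
            return parse_response(stream.read(length))

# Constructed sample reply: id 0x1234, flags QR|RD|RA|AD, one A record 192.0.2.1
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 0) + b"\x07example\x03com\x00\x00\x01\x00\x01"
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

Calling query_dot("example.com") does the live lookup; the AD flag it returns is what the resolver test site is checking for, and the TCP session to port 853 it opens is the state you saw in the States page.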
So I'm gonna put them back in, hit save. Actually, we'll go ahead and enable that and hit save, apply changes, reload the page, and now we get a thumbs up again. Because the DNS resolver test had a cached page, I had to open up an incognito window to get that to work. But anyway, that's the simple way of adding DNS over TLS so you can encapsulate it in TCP, which of course also enables DNSSEC, apparently. So that's pretty great too, to make sure your packets were not tampered with somewhere along the way. All right, thanks for watching. If you like the content here, like and subscribe. If you've got questions or comments, leave them below, and if you need any information you can check out our website, lawrencesystems.com. Thank you for watching.