
I still haven't got DNS over TLS to validate completely with my VPN services integrated into pfSense, so this question may be moot. (I think the other side of that argument is that you are trusting several more DNS hosts than just one or two.)

I've seen an argument that if you set up several TLS-supporting DNS servers, your requests will be spread across several servers, so none of them will have a full map of your browsing history. In the same manner, either the VPN service will know your requests, or the DNS servers which support TLS know your requests. When I referred to DNSSEC, I was mostly thinking of the pfSense DNS Resolver settings.

From my research, whichever way you go, the DNS queries are hidden from the ISP.

Okay, sorry, I was off a bit on the terminology.

Some people have some luck setting the source interface in the DNS Resolver to the OpenVPN interface, but it's pretty hacky and doesn't scale well (for instance, you'd have to switch it between PIA and NordVPN).

The best answer, though nobody wants to hear it, is to run a caching resolver (or two) inside the network (off the firewall) so, when it makes queries to resolve an unknown record, those queries can be policy routed along with everything else. It is not possible to policy route traffic originating from the firewall itself, so if you are policy routing to the VPN provider it gets trickier. If you accept a default gateway from the VPN provider, you should be able to put the resolver in resolver mode, enable DNSSEC, and configure your inside clients to use pfSense as their DNS server.

DNSSEC is a signing scheme, not an encryption scheme. It is about validating that the answer you got was signed by the key published for the zone from the roots on down. DNSSEC is not about and has nothing to do with hiding queries from anyone.
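To make the two separate knobs concrete (the inside caching resolver suggested above, and the signing-versus-encryption distinction just made), here is an added Unbound configuration, not from the thread or from pfSense, for a resolver on a LAN host whose egress can then be policy routed like any other client. Directive names are real Unbound options; the LAN range, file paths and the upstream address are placeholders.

```conf
# Added example: unbound.conf for a caching resolver on an inside host.
# Directive names are genuine Unbound options; the LAN range, paths and
# upstream address are placeholders, not values from the thread.
server:
    # Listen on the LAN side; only the local network may query.
    interface: 0.0.0.0
    access-control: 192.168.1.0/24 allow      # placeholder LAN range
    access-control: 0.0.0.0/0 refuse

    # DNSSEC: validates signatures from the root key down, so a forged or
    # tampered answer is rejected. It does not hide the query from anyone.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"   # path varies by OS
    val-permissive-mode: no      # a failed validation returns SERVFAIL
    val-log-level: 1             # log validation failures for review
    harden-dnssec-stripped: yes  # refuse answers with signatures stripped

    # Recursive "resolver mode": send only the minimum labels per query.
    qname-minimisation: yes

    # CA bundle used to verify the upstream's certificate when DoT is on.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"  # path varies by OS

# DNS over TLS: encrypts the transport to a chosen upstream, which hides
# queries from the ISP on the path. The upstream (or the VPN provider, if the
# resolver's traffic is routed through it) still sees every query.
# Remove this block to run pure recursive resolver mode with DNSSEC only.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    # Placeholder upstream; the name after '#' must match its certificate.
    forward-addr: 192.0.2.53@853#dot.resolver.example
```

With the forward-zone present, Unbound still validates DNSSEC on the answers it receives over TLS, so the two mechanisms are independent: one authenticates the data, the other protects the hop to the upstream.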
