https://geekistheway.com/2020/06/21/protect-your-dns-requests-using-your-pfsense/ Trying to learn just a bit! Tue, 16 Aug 2022 15:05:09 +0000 hourly 1 https://geekistheway.com/2020/06/21/protect-your-dns-requests-using-your-pfsense/#comment-232 Sun, 14 Aug 2022 14:27:36 +0000 http://crepaldi.us/?p=210#comment-232 […] you followed my previous protecting your network DNS using pfSense post, you also need to duplicate the firewall rules from the main LAN which involves port 53 and […]

]]> https://geekistheway.com/2020/06/21/protect-your-dns-requests-using-your-pfsense/#comment-89 Fri, 19 Feb 2021 05:25:22 +0000 http://crepaldi.us/?p=210#comment-89 In forwarding mode you loose the end to end validation, since you do not independently talk to each NS server in the chain down from roots to get to the authoritative server. Instead you are trusting the DNS forwarding server to get this information for you and provide the validated response back. In your example all someone would need to do is not send back the DNSSEC info and pfSense/unbound would interpret that as DNSSEC isn’t enabled for the domain and pass the record on to the client as valid. DNSSEC enabled in pfSense/unbound wouldn’t prevent this scenario from happening in forwarding mode as all DNSSEC is doing is validation that the a record in a domain has been signed by the owner of the domain, which is done from the information in the DNS reply it receives back.

]]> https://geekistheway.com/2020/06/21/protect-your-dns-requests-using-your-pfsense/#comment-84 Mon, 15 Feb 2021 21:24:00 +0000 http://crepaldi.us/?p=210#comment-84 Hey there, thanks for the discussion. If DNSSEC is not enforced, isn’t there a chance someone could alter the content of the response and corrupt whatever content the forwarding servers returned? It is not a matter of not trusting the forwarding server, but not trusting the media in which servers communicate through

]]> https://geekistheway.com/2020/06/21/protect-your-dns-requests-using-your-pfsense/#comment-83 Sun, 14 Feb 2021 07:54:44 +0000 http://crepaldi.us/?p=210#comment-83 You mention enabling DNSSEC support under Services >> DNS Resolver, but that won’t do much good if you are in forwarding mode. You should be relying on the forwarding server to perform the DNSSEC validation, so there is no need to do this check (again) in Unbound/PFsense. You could, but I don’t see a point unless you don’t trust the forwarding server (in which case, why use it?) That also means you won’t need to harden DNSSEC data under Services >> DNS Resolver >> Advanced Settings.

]]>