PFSENSE Use SSL/TLS for outgoing DNS Queries to Forwarding Servers


#1

Hi Everyone,
I have a network with the following:
A PFSENSE box, running version 2.4.4 Release P2.
Some windows 10 machines, a Proxmox box running a Windows AD domain.
The domain controller is set as the DNS for the client machines. I have a Windows 2016 File and Print server, running the DHCP role for the network. On another box, I have a PIHOLE.
So the Windows DNS forwards queries to the PIHOLE and the PIHOLE is set to forward the queries to the PFSENSE box.

I have the DNS resolver enabled.
On the network interfaces I have the local host and LAN highlighted.
On the outgoing network interfaces, I have WAN and Local Host highlighted.
System Domain Local Zone Type is set to Transparent
Enable DNSSEC Support is checked
Enable forwarding mode is checked.
Use SSL/TLS for outgoing DNS Queries to Forwarding Servers is checked.

In PFsense - System - General - DNS Servers I have:
1.1.1.1
1.0.0.1
Both gateways for these servers are set to the WAN.
Allow DNS server list to be overridden by DHCP/PPP on WAN is not checked.
Do not use the DNS Forwarder/DNS Resolver as a DNS server for the firewall is not checked.

Does anybody know why under the system logs for the DNS resolver / Unbound, I am getting these entries:
Feb 3 19:12:49 unbound 77251:7 info: Verified that unsigned response is INSECURE
Feb 3 19:12:49 unbound 77251:7 info: NSEC3s for the referral proved no DS.
Feb 3 19:12:49 unbound 77251:7 info: resolving akamaiedge.NET. DS IN
Feb 3 19:12:49 unbound 77251:7 info: Verified that unsigned response is INSECURE
Feb 3 19:12:49 unbound 77251:7 info: NSEC3s for the referral proved no DS.
Feb 3 19:12:49 unbound 77251:7 info: resolving edgekey.NET. DS IN
Feb 3 19:12:49 unbound 77251:7 info: Verified that unsigned response is INSECURE
Feb 3 19:12:49 unbound 77251:7 info: NSEC3s for the referral proved no DS.
Feb 3 19:12:49 unbound 77251:7 info: resolving akadns6.NET. DS IN
Feb 3 19:12:49 unbound 77251:7 info: query response was ANSWER
Feb 3 19:12:49 unbound 77251:7 info: reply from <.> 1.1.1.1#853

Does this mean that DNS queries are not working over SSL/TLS, since I see INSECURE there?
Or shouldn't I worry about these at all?
If you need additional info, please let me know.
Thanks!


#2

I believe that’s related to whether or not the domains are DNSSEC signed. None of those domains there are DNSSEC signed so you’ll see it as INSECURE.

Try going to cloudflare.com and look to see if it says SECURE for the domain. Since the domain is dnssec-signed, it should.
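The reply above separates two different things that the log mixes together: which port the answer came back on (853 means the forwarded query went over TLS) and what the DNSSEC validator concluded for the zone. As an added example that is not part of this thread, the Python below reads Unbound log rows in the pipe-delimited shape the pfSense GUI produces when rows are copied out, and answers both questions separately. The sample rows are constructed for the example: the first nine mirror the thread's lines, the last three (a plain-DNS upstream on port 53 and a name that fails validation) are invented so the contrasting cases show up.

```python
import re
from collections import Counter

# Constructed sample in the pipe-delimited shape the pfSense GUI produces when
# log rows are copied out. The 9.9.9.9#53 and dnssec-failed.org rows are added
# for contrast and are not from the original post.
SAMPLE_LOG = """\
|Feb 3 19:12:49|unbound|77251:7|info: resolving akadns6.NET. DS IN|
|Feb 3 19:12:49|unbound|77251:7|info: query response was ANSWER|
|Feb 3 19:12:49|unbound|77251:7|info: reply from <.> 1.1.1.1#853|
|Feb 3 19:12:49|unbound|77251:7|info: NSEC3s for the referral proved no DS.|
|Feb 3 19:12:49|unbound|77251:7|info: Verified that unsigned response is INSECURE|
|Feb 3 19:13:02|unbound|77251:7|info: reply from <.> 1.0.0.1#853|
|Feb 3 19:13:02|unbound|77251:7|info: validated DS cloudflare.com. DS IN|
|Feb 3 19:13:02|unbound|77251:7|info: validate(positive): sec_status_secure|
|Feb 3 19:13:02|unbound|77251:7|info: validation success www.cloudflare.com. A IN|
|Feb 3 19:14:10|unbound|77251:7|info: reply from <.> 9.9.9.9#53|
|Feb 3 19:14:10|unbound|77251:7|info: validate(positive): sec_status_bogus|
|Feb 3 19:14:10|unbound|77251:7|info: validation failure <www.dnssec-failed.org. A IN>: no signatures|
"""

# Message text after the Unbound log level; a trailing '|' from the GUI copy is tolerated.
MSG_RE = re.compile(r"(?:info|notice|warning|error|debug): (.*?)\|?\s*$")
# "reply from <zone> ADDRESS#PORT": port 853 is DNS over TLS, 53 is plain DNS.
REPLY_RE = re.compile(r"^reply from <[^>]*> ([^#\s]+)#(\d+)$")
SECURE_RE = re.compile(r"^validation success (\S+) \S+ IN$")
INSECURE_RE = re.compile(r"^Verified that unsigned response is INSECURE$")
BOGUS_RE = re.compile(r"^validation failure <(\S+) \S+ IN>")


def messages(log_text):
    """Extract the Unbound message from each row, ignoring the GUI's column noise."""
    out = []
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if m:
            out.append(m.group(1))
    return out


def upstream_ports(log_text):
    """Count answers per (upstream address, port); 853 means the query went over DoT."""
    counts = Counter()
    for msg in messages(log_text):
        m = REPLY_RE.match(msg)
        if m:
            counts[(m.group(1), int(m.group(2)))] += 1
    return counts


def plaintext_upstreams(log_text):
    """Upstreams that answered on a port other than 853: TLS forwarding is not in effect for them."""
    return sorted(addr for (addr, port) in upstream_ports(log_text) if port != 853)


def validation_outcomes(log_text):
    """Count DNSSEC outcomes. 'insecure' is an unsigned zone proven unsigned, not a failure."""
    counts = {"secure": 0, "insecure": 0, "bogus": 0}
    for msg in messages(log_text):
        if SECURE_RE.match(msg):
            counts["secure"] += 1
        elif INSECURE_RE.match(msg):
            counts["insecure"] += 1
        elif BOGUS_RE.match(msg):
            counts["bogus"] += 1
    return counts


def bogus_names(log_text):
    """Names whose answers failed validation; these are the rows worth chasing."""
    return sorted({m.group(1) for m in map(BOGUS_RE.match, messages(log_text)) if m})


if __name__ == "__main__":
    print("upstreams:", dict(upstream_ports(SAMPLE_LOG)))
    print("plaintext upstreams:", plaintext_upstreams(SAMPLE_LOG))
    print("validation:", validation_outcomes(SAMPLE_LOG))
    print("bogus names:", bogus_names(SAMPLE_LOG))
```

Run it against a copy of the Resolver log from Status > System Logs and look at two results: `plaintext_upstreams` should be empty when the SSL/TLS option is doing its job, and `bogus_names` is the only validation bucket that indicates a problem; INSECURE rows just mean the zone is not signed. Note that port 853 shows the session was TLS, not that the upstream's certificate was verified: in Unbound that depends on a `tls-cert-bundle` plus an authentication name on the forward address (`forward-addr: 1.1.1.1@853#cloudflare-dns.com`), so check the generated unbound.conf for those settings rather than inferring them from the log.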


#3

Thanks very much, Judge, for your reply.
You are right - I went to cloudflare.com and it does say validate(positive): sec_status_secure
unbound 77251:7 info: response for cloudflarestream.com. DS IN
unbound 77251:7 info: resolving cloudflarestream.com. DS IN
unbound 77251:7 info: query response was ANSWER
unbound 77251:7 info: reply from <.> 1.1.1.1#853
unbound 77251:7 info: response for embed.cloudflarestream.com. A IN
unbound 77251:7 info: resolving embed.cloudflarestream.com. A IN
unbound 77251:7 info: validation success www.cloudflare.com. A IN
unbound 77251:7 info: validate(positive): sec_status_secure
unbound 77251:7 info: validated DNSKEY cloudflare.com. DNSKEY IN
unbound 77251:7 info: query response was ANSWER
unbound 77251:7 info: reply from <.> 1.1.1.1#853
unbound 77251:7 info: response for cloudflare.com. DNSKEY IN
unbound 77251:7 info: resolving cloudflare.com. DNSKEY IN
unbound 77251:7 info: validated DS cloudflare.com. DS IN
unbound 77251:7 info: query response was ANSWER
unbound 77251:7 info: reply from <.> 1.0.0.1#853
unbound 77251:7 info: response for cloudflare.com. DS IN
unbound 77251:7 info: resolving cloudflare.com. DS IN
unbound 77251:7 info: query response was ANSWER
unbound 77251:7 info: reply from <.> 1.0.0.1#853
unbound 77251:7 info: response for www.cloudflare.com. A IN
unbound 77251:7 info: resolving www.cloudflare.com. A IN

Unbound is working as it should and I don’t have to worry about the insecure entries.
Thanks again.