Hi Everyone,
I have a network with the following:
A pfSense box, running version 2.4.4-RELEASE-p2.
Some windows 10 machines, a Proxmox box running a Windows AD domain.
The domain controller is set as the DNS for the client machines. I have a Windows 2016 File and Print server, running the DHCP role for the network. On another box, I have a PIHOLE.
So the Windows DNS forwards queries to the PIHOLE and the PIHOLE is set to forward the queries to the PFSENSE box.
I have the DNS resolver enabled.
On the network interfaces I have the local host and LAN highlighted.
On the outgoing network interfaces, I have WAN and Local Host highlighted.
System Domain Local Zone Type is set to Transparent
Enable DNSSEC Support is checked
Enable forwarding mode is checked.
Use SSL/TLS for outgoing DNS Queries to Forwarding Servers is checked.
In PFsense - System - General - DNS Servers I have:
1.1.1.1
1.0.0.1
Both gateways for these servers are set to the WAN.
Allow DNS server list to be overridden by DHCP/PPP on WAN is not checked.
Do not use the DNS Forwarder/DNS Resolver as a DNS server for the firewall is not checked.
Does anybody know why under the system logs for the DNS resolver / Unbound, I am getting these entries:
|Feb 3 19:12:49|unbound|77251:7|info: Verified that unsigned response is INSECURE|
|Feb 3 19:12:49|unbound|77251:7|info: NSEC3s for the referral proved no DS.|
|Feb 3 19:12:49|unbound|77251:7|info: resolving akamaiedge.NET. DS IN|
|Feb 3 19:12:49|unbound|77251:7|info: Verified that unsigned response is INSECURE|
|Feb 3 19:12:49|unbound|77251:7|info: NSEC3s for the referral proved no DS.|
|Feb 3 19:12:49|unbound|77251:7|info: resolving edgekey.NET. DS IN|
|Feb 3 19:12:49|unbound|77251:7|info: Verified that unsigned response is INSECURE|
|Feb 3 19:12:49|unbound|77251:7|info: NSEC3s for the referral proved no DS.|
|Feb 3 19:12:49|unbound|77251:7|info: resolving akadns6.NET. DS IN|
|Feb 3 19:12:49|unbound|77251:7|info: query response was ANSWER|
|Feb 3 19:12:49|unbound|77251:7|info: reply from <.> 1.1.1.1#853|
Does this mean that DNS queries are not working over SSL/TLS since I see INSECURE there?
Or shouldn't I worry about these at all?
If you need additional info, please let me know.
Thanks!
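As an added example (not part of the post above, and not pfSense or Unbound code), a small Python parser that runs over the quoted Unbound log lines, separates Unbound's proven-unsigned "INSECURE" results from real validation failures, and records which upstream answered and on which port; 853/tcp is the DNS-over-TLS port. The pipe-separated record layout and the "BOGUS"/"validation failure" wording are assumptions.

```python
import re
from collections import Counter

# Constructed sample: the Unbound records quoted in the post, in the
# pipe-separated form the pfSense log viewer shows them (one record per line).
SAMPLE_LOG = """\
|Feb 3 19:12:49|unbound|77251:7|info: Verified that unsigned response is INSECURE|
|Feb 3 19:12:49|unbound|77251:7|info: NSEC3s for the referral proved no DS.|
|Feb 3 19:12:49|unbound|77251:7|info: resolving akamaiedge.NET. DS IN|
|Feb 3 19:12:49|unbound|77251:7|info: Verified that unsigned response is INSECURE|
|Feb 3 19:12:49|unbound|77251:7|info: NSEC3s for the referral proved no DS.|
|Feb 3 19:12:49|unbound|77251:7|info: resolving edgekey.NET. DS IN|
|Feb 3 19:12:49|unbound|77251:7|info: query response was ANSWER|
|Feb 3 19:12:49|unbound|77251:7|info: reply from <.> 1.1.1.1#853|
"""

RECORD = re.compile(r"^\|(?P<ts>[^|]+)\|unbound\|(?P<pid>[^|]+)\|(?P<level>\w+): (?P<msg>.*)\|$")
DS_QUERY = re.compile(r"^resolving (?P<zone>\S+) DS IN$")
REPLY = re.compile(r"^reply from <(?P<zone>[^>]*)> (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+)$")


def parse_unbound_log(text):
    """Summarise DNSSEC outcomes and upstream transport from Unbound log records."""
    summary = {
        "ds_lookups": [],        # zones whose DS record Unbound asked for
        "insecure": 0,           # zones proven unsigned (an expected outcome, not a failure)
        "bogus": 0,              # real DNSSEC validation failures (wording assumed)
        "upstreams": Counter(),  # (ip, port) pairs that sent replies
    }
    for line in text.splitlines():
        rec = RECORD.match(line.strip())
        if not rec:
            continue  # not an Unbound record; ignore
        msg = rec.group("msg")
        ds = DS_QUERY.match(msg)
        reply = REPLY.match(msg)
        if ds:
            summary["ds_lookups"].append(ds.group("zone").rstrip(".").lower())
        elif "is INSECURE" in msg:
            summary["insecure"] += 1
        elif "BOGUS" in msg or "validation failure" in msg:
            summary["bogus"] += 1
        elif reply:
            summary["upstreams"][(reply.group("ip"), int(reply.group("port")))] += 1
    return summary


def uses_dns_over_tls(summary):
    """True when every upstream reply arrived on port 853, the DNS-over-TLS port."""
    ports = {port for (_ip, port) in summary["upstreams"]}
    return bool(ports) and ports == {853}
```

Pointing `parse_unbound_log` at a larger export of the resolver log gives a quick count of how many INSECURE lines are benign proofs of an unsigned zone versus how many lines are genuine validation failures.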