DNS over TLS Certificate Validation Hostname
I am configuring my router (pfsense) to use DNS over TLS and one of the settings it asks for is the hostname for TLS verification i.e. the Fully Qualified Domain Name of the DNS server, used to validate DNS server certificates when using DNS over TLS. Note this is not the same as the DNS over TLS endpoint which is provided in the nextDNS setup instructions.
For example, if configuring Cloudflare the DNS Server would be 126.96.36.199 and the corresponding TLS validation hostname would be: cloudflare-dns.com.
Does anyone know what hostname I should use for NextDNS? I am guessing it could be: dns.nextdns.io. Is this correct?
Hi Olivier, actually that one does not work - I don't need the hostname to perform the TLS query - I need the hostname for TLS certificate validation.
So for pfSense, the DNS resolver service (unbound) has the hostname you mention, but the router itself, when defining DNS servers (under General settings), needs an IP address for the DNS server and a hostname if using TLS to validate the certificate. It does accept dns.next.io as valid but does NOT accept CONFIG_ID.dns.next.io.
Clearly the fundamental DNS server must use an IP address, since without DNS it can't resolve a hostname.
Olivier Poitrey Thanks for the reply. I think everything is configured fine and working.
The DNS resolver does have the CONFIG_ID hostname in the custom properties and is picking up my configuration. I can see this in the NextDNS logs, where it tags traffic from the router. I have also linked the external IP address of the router.
I notice that there is a very small amount (0.2%) of DNS that is not TLS, and so was wondering if that was the router doing its own DNS queries (i.e. not the DNS resolver service) unencrypted.
For anyone using pfSense, based upon the discussion with Olivier and some experimenting, the following works well (assuming you are not using the router CLI app).
Set up DNS Resolver using custom options as stated in the router section of the Setup tab - in my case it looks a little like this:
where "Router" is the label you want to give your router so when you can differentiate the traffic coming from that and other devices.
Also in the DNS Resolver, check that "DNS Query Forwarding" is unticked (not enabled).
Next go to System/General in pfsense and delete the list of configured DNS Servers. This makes pfsense then use the ones configured in the DNS Resolver service and thus encrypts the traffic. If you left a list of DNS server IPs here, the queries coming from pfsense itself would not be encrypted, whereas the ones from the DNS Resolver would be.
With this setup I am now showing 100% encrypted!
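As an added example (not from this thread or from NextDNS/pfSense), a small Python check for the point raised above: before committing a TLS validation hostname, confirm that the DoT server's certificate actually covers it. The SAN list in `SAMPLE_CERT` and the `*.dns.nextdns.io` wildcard are constructed for illustration, not the real NextDNS certificate; `probe_dot_server` is a hypothetical helper that performs the live check on port 853.

```python
import socket
import ssl

DOT_PORT = 853

# Constructed sample in ssl.getpeercert() shape; NOT the real NextDNS cert.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "dns.nextdns.io"), ("DNS", "*.dns.nextdns.io")),
}


def san_hostnames(cert):
    """Return the DNS names listed in a getpeercert()-style dict."""
    return [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]


def hostname_matches(pattern, hostname):
    """RFC 6125-style match: exact name, or one wildcard in the leftmost label."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    suffix = p[1:]                      # "*.dns.nextdns.io" -> ".dns.nextdns.io"
    if not h.endswith(suffix):
        return False
    left = h[: -len(suffix)]            # the label the wildcard must cover
    return left != "" and "." not in left   # wildcard covers exactly one label


def cert_valid_for(cert, hostname):
    """True if any SAN entry of the certificate matches the validation hostname."""
    return any(hostname_matches(n, hostname) for n in san_hostnames(cert))


def probe_dot_server(ip, tls_hostname, timeout=5.0):
    """Live check: TLS handshake to ip:853 with chain + hostname verification.

    Returns (True, san_names) on success, (False, reason) otherwise.
    Hypothetical helper; create_default_context() enforces check_hostname.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, DOT_PORT), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=tls_hostname) as tls:
                return True, san_hostnames(tls.getpeercert())
    except (ssl.SSLCertVerificationError, OSError) as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Offline demo; for a live check call probe_dot_server("<DNS_IP>", "<CONFIG_ID>.dns.nextdns.io")
    print(cert_valid_for(SAMPLE_CERT, "CONFIGID.dns.nextdns.io"))   # True
    print(cert_valid_for(SAMPLE_CERT, "cloudflare-dns.com"))        # False
```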