The best answer, though nobody wants to hear it, is to run a caching resolver (or two) inside the network (off the firewall) so, when it makes queries to resolve an unknown record, those queries can be policy routed along with everything else. It is not possible to policy route traffic originating from the firewall itself so if you are policy routing to the VPN provider it gets trickier. If you accept a default gateway from the VPN provider you should be able to put the resolver in resolver mode, enable DNSSEC, and configure your inside clients to use pfSense as their DNS server. DNSSEC is a signing scheme, not an encryption scheme. It is about validating that the answer you got was signed by the key published for the zone from the roots on down. DNSSEC is not about and has nothing to do with hiding queries from anyone.
0 kommentar(er)
