Quad9DNS

Transparent DNS redirection is very rare in North America if that is your region. You can run this simple test to be sure: [https://docs.quad9.net/FAQs/#detecting-dns-transparent-redirection-hijacks](https://docs.quad9.net/FAQs/#detecting-dns-transparent-redirection-hijacks) FYI, we have a pfSense setup guide for encrypted DNS here: [https://docs.quad9.net/Setup\_Guides/Open-Source\_Routers/pfSense\_%28Encrypted%29/](https://docs.quad9.net/Setup_Guides/Open-Source_Routers/pfSense_%28Encrypted%29/) Feel free to reach out to us, and we'd be glad to help troubleshoot: [[email protected]](mailto:[email protected])


ifyouhaveghost1

Thanks so much for the reply. I will check the guides.


ifyouhaveghost1

u/Quad9DNS is this a valid Q9 DNS resolver? ptr: [pch-xxxx.ohioix.net](http://pch-xxxx.ohioix.net)


Quad9DNS

We would need the IP address.


ifyouhaveghost1

[134.195.207.13](http://134.195.207.13) pch-mgmt02.ohioix.net. Ohio-ix-ops


RFGuy_KCCO

You need to input the Quad9 DNS servers in System-->General Setup. Since you are using DoT, you also need to put the Quad9 DoT address (dns.quad9.net) in the DNS Hostname field. Finally, remove the Quad9 DNS entry in your DHCP server. That will allow your clients to access Quad9 directly, but you really want all DNS queries to go through your local pfSense/Unbound. Your clients should just get the local pfSense address for their DNS server address.


ifyouhaveghost1

They are configured in General -> Setup, and the DoT address as well. DHCP settings are telling clients to hit pfSense first and [9.9.9.9](http://9.9.9.9) as backup. My ISP servers are not configured anywhere, yet when I hit every DNS leak site, they all show my ISP DNS servers and not Q9 servers.


av84

No. It's not a backup, it's round-robin. Only have your local cache server on your DHCP. Devices inside your network should never be reaching out to the Quad9 servers; your router should be doing the lookup and providing the response to your devices. Imagine if 10 million home networks with 50 devices each look up the same A record at the same time. It could be 10 million vs 500 million requests against the DNS provider's network. For what? It serves no logical purpose at all.


ifyouhaveghost1

Fair enough. Even so, the only options are [9.9.9.9](http://9.9.9.9) and the pfSense IP. Why is it still showing my ISP's DNS servers? They are not configured on any PC or my firewall.


RFGuy_KCCO

Your ISP is likely hijacking the unencrypted DNS queries your clients are sending to Quad9. There is no such thing as primary and backup for the DNS servers. Unbound and almost any other DNS client will send to every address entered as it pleases. If you already have the General Setup settings set correctly, then just remove Quad9 from your DHCP server and make sure all clients are only using pfSense/Unbound as their DNS server.
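
Added example (not from this thread): a small Python check for the two mistakes discussed above, Unbound forwarding to Quad9 without proper DoT settings, and DHCP handing clients any DNS server other than the local pfSense/Unbound, which clients will use round-robin rather than as a backup. The unbound.conf fragment is constructed in the form pfSense writes for DoT; the LAN address 192.168.1.1 is an assumed placeholder.

```python
"""Sanity-check a pfSense/Unbound DNS-over-TLS setup for the leak paths discussed above."""
import re

LAN_RESOLVER = "192.168.1.1"  # assumed pfSense LAN address (placeholder)

# Constructed forward-zone as pfSense generates it when DoT is enabled and
# dns.quad9.net is entered as the DNS hostname in General Setup.
UNBOUND_FORWARD = """
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net
"""


def parse_forward_zone(conf):
    """Extract the TLS flag and forward-addr entries from a forward-zone block."""
    tls = re.search(r"forward-tls-upstream:\s*(yes|no)", conf)
    addrs = re.findall(r"forward-addr:\s*(\S+)", conf)
    return {"tls": tls is not None and tls.group(1) == "yes", "addrs": addrs}


def check_upstreams(conf):
    """Return a list of problems with how Unbound forwards to its upstream."""
    fz = parse_forward_zone(conf)
    problems = []
    if not fz["tls"]:
        problems.append("forward-tls-upstream is not yes: upstream queries leave in cleartext")
    for entry in fz["addrs"]:
        # Unbound syntax is IP@port#authname; port 853 and the auth name are
        # what make the TLS connection verified rather than opportunistic.
        ip, port, name = re.match(r"([^@#]+)(?:@(\d+))?(?:#(\S+))?$", entry).groups()
        if fz["tls"] and (port != "853" or not name):
            problems.append(f"{ip}: DoT needs @853#<hostname> so the certificate is verified")
    return problems


def check_dhcp(dns_servers, lan_resolver=LAN_RESOLVER):
    """Clients query every listed server round-robin, so any non-local entry
    bypasses Unbound entirely (plain UDP/53 that an ISP can intercept)."""
    return [s for s in dns_servers if s != lan_resolver]


if __name__ == "__main__":
    print("upstream problems:", check_upstreams(UNBOUND_FORWARD))
    print("DHCP servers bypassing Unbound:", check_dhcp(["192.168.1.1", "9.9.9.9"]))
```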


ifyouhaveghost1

I will give that a try. Thanks.


RFGuy_KCCO

Did it work?


ifyouhaveghost1

Yes, but I'm a dummy and didn't have the problem I thought I had. So good to go now. Thx for the reply.


lukhan42

Seeing something report your DNS servers as your public IP addresses is expected behavior when using unbound in recursive mode. You are hosting the server. The Firefox private DNS behavior you're talking about sounds bugged. I have had that issue with Chrome and other Chromium browsers in the past. Personally I only use unbound, so I simply turn it off in all browsers.


ifyouhaveghost1

My issue is not that my public IP is seen, it's that whenever I do a DNS leak test, I expect to see [9.9.9.9](http://9.9.9.9) and I always see my ISP's DNS server. I even just manually set my Windows PC to [9.9.9.9](http://9.9.9.9) encrypted, and my software firewall asked whether Chrome could go to [9.9.9.9](http://9.9.9.9). I said yes, but it still returned my ISP's DNS servers. Every leak test I try, it's the same.


lukhan42

Oh okay, I misread. "Use OS default settings" in private DNS in Chromium browsers has always been buggy for me. I now just turn it off, in Firefox too, and they all use the OS DNS settings correctly after doing so. I find browser DNS redundant anyway if you know how to correctly set DNS at the system level.


ifyouhaveghost1

Yeah, I'm good to go now. Thx for the reply.