There's not much, read no, point in allowing encrypted DNS to certain addresses. You either block it outright and force DNS to internal sources where you can filter it or you don't. QUIC is another thing that is just blocked completely in a secure network.
If you're trying to block outgoing DNS from everything except PiHole you should be blocking 853 (DoT) as well. You should also block 443 to all known DoH servers. Of course DoH to unknown servers will ignore all that shit and breeze on through. It is my sincere desire that the inventors of DoH...
That seems strange. We push PAN hard and still sell 3-5X more Fortinet. Of course the price/performance difference is substantial coupled with much better SDWAN integration on the Fortinet side. For the last year almost every deal has some element of SDWAN in it.
It isn't mentioned often in...
100/101-F or E series Fortigate or use a 60/61-F or E series with one of these:
https://www.amazon.com/Rackmount-RM-FR-T10-Rack-Mount-FortiGate/dp/B01MXMCODG
Pretty sure those cards are FC HBA and not NICs. Also, I'm afraid to ask but .... All that external cable you describe in #7 is plugged into grounding blocks on both ends of the external pieces before being attached to your gear yes? If you were to switch to 1 run at 400 feet assuming 10G SR you...
I never said they invented it. They are however the biggest cheerleaders as it plays right into their wallet. DoH is horrible for consumers as it allows app vendors to bypass any local DNS requirements and filtering to collect 100% of your DNS searches from the app in question and return...
The OP needs to understand that privacy and security are two different things. Quite often you must sacrifice one for the other. If you are interested in security then you're doing TLS deep inspection on everything. If you're interested in privacy then you likely think doing so is evil. Very often...
Sadly this is true. You can still play the cat and mouse game of blocking known DoH servers but that's generally a losing scenario. This is the primary reason I despise DoH. It's an abomination and should be stomped out of existence. DoT solves all the issues with plaintext DNS and does so in...
If you've local DNS resolvers then only those resolvers should be allowed outbound DNS. All other DNS should be blocked on your firewall. There is little point in DNS filtering if all a client has to do is change resolvers.
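The egress policy described in the two comments above (only the local resolver may reach upstream on 53 and 853, everyone else is blocked, 443 to known DoH servers and QUIC are dropped), written as an nftables ruleset for a Linux router. This is an added example, not from any poster in the thread; it assumes a LAN of 192.168.1.0/24, a PiHole at 192.168.1.2 and eth0 as the WAN interface, and the DoH address list is only a seed that you have to maintain yourself.

```nft
#!/usr/sbin/nft -f
# Assumed layout: PiHole at 192.168.1.2, WAN interface eth0 (adjust to your network).

table inet dns_egress {
    set local_resolvers {
        type ipv4_addr
        elements = { 192.168.1.2 }
    }
    set doh_servers {
        type ipv4_addr
        flags interval
        # Seed list of well-known public DoH endpoints; it goes stale, so keep it updated.
        elements = { 1.1.1.1, 1.0.0.1, 8.8.8.8, 8.8.4.4, 9.9.9.9, 149.112.112.112 }
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        # Only traffic leaving towards the WAN is subject to this policy
        oifname != "eth0" return
        # The local resolver may talk to upstream DNS (53) and DoT (853)
        ip saddr @local_resolvers udp dport 53 accept
        ip saddr @local_resolvers tcp dport { 53, 853 } accept
        # Every other client: no direct DNS or DoT; log the attempt so it can be investigated
        udp dport 53 log prefix "dns-bypass: " drop
        tcp dport { 53, 853 } log prefix "dns-bypass: " drop
        # Best-effort DoH blocking to the known resolver list
        ip daddr @doh_servers tcp dport 443 log prefix "doh-bypass: " drop
        # QUIC (UDP/443) blocked outright
        udp dport 443 log prefix "quic: " drop
    }
}
```

Load with `nft -f` and watch the kernel log for the `dns-bypass:` and `doh-bypass:` prefixes; a client that keeps hitting them has hard-coded its own resolver. IPv6 clients need a matching `ip6` set and rules, which this fragment does not include.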
If someone is doing MITM on your LAN then they have already installed certs on your endpoints. You're already owned and DNS is the absolute least of your worries.
Is this a satellite ISP or a WISP? Are you certain you have a static publicly routable IP? Also, Starlink will not be a solution for this as they use CGNAT so no inbound traffic to you. There is a possibility that will change later but as of today ... sorry Charlie.
I'll add that if you have more than one AP you can plug a switch into the new PFSense interface and then plug APs into the switch. Also you said earlier in the thread you needed but didn't have an L3 switch for VLANs. Please note VLANs are layer 2 and require layer 3 routing. You can build a...