====== PFSense - DNS - Custom WAN DNS Servers (Secure) (Forced) ======

Navigate to **System -> General Setup**.

In **DNS Server Settings**:

  * DNS Server: **9.9.9.9** / DNS Hostname: **dns.quad9.net** (Primary DNS)
  * DNS Server: **149.112.112.112** / DNS Hostname: **dns.quad9.net** (Secondary DNS) (optional)
    * **NOTE:** A suggestion is to not add a Secondary DNS.
    * Doing so will make it harder to diagnose DNS and security issues later.
    * The performance increase is negligible.
  * DNS Server Override: **Not checked**.

Navigate to **Services -> DNS Resolver -> General Settings**.

In **General DNS Resolver Options**:

  * Network Interfaces: **All**.
    * **ALL** is easier to configure, but on a high-load system you might want to specify these.
  * Outgoing Network Interfaces: **WAN**.
  * Strict Outgoing Network Interface Binding: **Checked**.
  * DNSSEC: **Not checked**.
    * Quad9 does all of this upstream, so it is not needed here as well.
    * DNSSEC needs to be turned off because validating again locally only causes extra traffic.
    * It is suggested to check this by running a test with DNSSEC turned off in pfSense.
  * Enable Forwarding Mode: **Checked**.
    * DNS Resolver is powered by unbound; the old way of doing things was the DNS Forwarder, powered by dnsmasq, which could only forward DNS requests.
    * Controls whether unbound uses resolver mode (unchecked) or forwarding mode (checked). See [[https://docs.netgate.com/pfsense/en/latest/services/dns/resolver-modes.html|DNS Resolver Mode]] for an explanation of the modes.
    * To utilize Quad9 blocking capabilities, the DNS Resolver needs to be put into forwarder mode.
  * Use SSL/TLS for outgoing DNS Queries to Forwarding Servers: **Checked**.

----
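As an added example (not part of the original page or of pfSense itself), the following Python checks a flat unbound.conf fragment against the settings chosen above: forwarding mode, DNS over TLS on port 853 with the Quad9 auth name, a CA bundle for certificate validation, a bound outgoing interface, and no local DNSSEC validation. The sample configuration is constructed in unbound.conf syntax for illustration and is not the file pfSense generates; the outgoing interface address is a placeholder.

```python
import re
# Constructed sample in unbound.conf syntax mirroring the settings above (DoT to
# Quad9, strict outgoing binding, no DNSSEC); not the file pfSense generates.
SAMPLE_UNBOUND_CONF = """\
server:
    outgoing-interface: 203.0.113.10
    tls-cert-bundle: "/etc/ssl/cert.pem"
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net
"""

def parse_unbound(text):
    """Flat unbound.conf -> {section: [(key, value), ...]}; one forward-zone assumed."""
    sections, current = {}, None
    for raw in text.splitlines():
        # a '#' at line start or after whitespace is a comment; in forward-addr it marks the TLS auth name
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()
        if not line.strip():
            continue
        if not line[0].isspace() and line.endswith(":"):
            current = line[:-1]
            continue
        key, _, value = line.strip().partition(":")
        sections.setdefault(current, []).append((key.strip(), value.strip().strip('"')))
    return sections

def check_forwarding(conf, expected_host="dns.quad9.net"):
    """Return findings against the guide's settings; an empty list means they match."""
    server = dict(conf.get("server", []))
    findings, fz = [], conf.get("forward-zone", [])
    if not fz:
        findings.append("not in forwarding mode: no forward-zone section")
    elif dict(fz).get("forward-tls-upstream") != "yes":
        findings.append("forward-tls-upstream is not yes: queries leave in cleartext")
    for addr in (v for k, v in fz if k == "forward-addr"):
        ip, port, auth = re.fullmatch(r"([^@#]+)(?:@(\d+))?(?:#(.+))?", addr).groups()
        if port != "853":
            findings.append(f"{ip}: port {port or '53'} is not the DoT port 853")
        if auth != expected_host:
            findings.append(f"{ip}: auth name missing or wrong, certificate not validated")
    if "tls-cert-bundle" not in server:
        findings.append("no tls-cert-bundle: upstream certificate chain cannot be verified")
    if "outgoing-interface" not in server:
        findings.append("no outgoing-interface: strict WAN binding not in effect")
    if "auto-trust-anchor-file" in server:
        findings.append("DNSSEC validation enabled although Quad9 validates upstream")
    return findings
```

Feed it the resolver's active configuration to confirm that queries to the forwarder really leave over TLS rather than cleartext port 53.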