Difference in Privacy: DNS over TLS vs VPN

Hi, I have a question, and I am likely just confused in my head; hopefully someone on reddit could help me untangle this.

When I check ‘DNS over TLS’ in the pfSense settings and I use VPN + pfBlockerNG, I get DNS leaks on internet leak checks.

If I uncheck DNS over TLS, I pass the DNS leak checks when I am behind the VPN (because their DNS servers are being used?), but now I don’t have TLS encryption, correct?

So which one is the better practice for security: DNS over TLS, or the VPN? And why can we not use both?

If you are using a VPN, then everything should normally be in that same encrypted VPN tunnel, including DNS requests, resulting in no leaks.

When not using a VPN, DNS over TLS is one method that can be used to encrypt DNS going to a third-party DNS provider like Cloudflare, etc., rather than making these requests in unencrypted form.

If you use both VPN and DoT, then your traffic is likely going to the VPN provider via the tunnel, but DNS requests are sent to the third-party provider (resulting in VPN DNS leaks).

As to which is better? If you’re trusting your VPN provider in the first place with all your traffic, then you might as well just disable DoT and use the VPN without leaks or involving a third party. If not using a VPN, though, then yes, you can use DoT to at least encrypt your DNS requests.

Depends on the mode Unbound is in. If it’s in the default mode and not in forwarding mode, Unbound will attempt to connect to the root DNS servers itself. Unless you have told pfSense to use the VPN as its default route for DNS lookups, it’ll send them out WAN. If you told pfSense to route all DNS over the VPN, you shouldn’t leak.

In General Settings, when you add a DNS server, tell it to use the VPN as its gateway. Only useful if in Forwarding Mode.

Or

On Firewall > NAT > Outbound, go AOD and add a rule from 127.0.0.1 going to any port 53 TCP/UDP and set it to the VPN interface; this will force pfSense to send all of its DNS lookups out the VPN. This should work in either mode.

What TLS option are you talking about?

Your title says privacy, but you ask about security. These are not the same thing. Which are you after?

In any case, if you’re using a VPN that you trust, you should be forwarding to their DNS servers, making sure to set the VPN as the only outgoing interface in Unbound and only have those servers out that interface in General Setup.
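To make the three replies above concrete (tunnel everything to the VPN provider's resolver, pin Unbound's outgoing interface to the tunnel, and, when there is no VPN, forward over TLS instead), here is an unbound.conf written as an added example; it is not from the thread or from pfSense's own generated config. On pfSense the GUI writes /var/unbound/unbound.conf from the DNS Resolver settings (Outgoing Network Interfaces, Forwarding Mode, Use SSL/TLS for outgoing DNS Queries), so this is what those options amount to underneath. All addresses are assumptions: 10.8.0.2 is the firewall's VPN tunnel address, 10.8.0.1 the provider's resolver reachable inside the tunnel, 192.168.1.1 the LAN address.

```conf
# Added example, not pfSense's generated file. Assumed addresses:
#   10.8.0.2     this box's VPN tunnel address
#   10.8.0.1     the VPN provider's resolver, reachable only via the tunnel
#   192.168.1.1  LAN address Unbound listens on
server:
    interface: 192.168.1.1
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # The leak-stopper. Every upstream query is sourced from the tunnel
    # address, in recursive mode (queries to the roots) and in forwarding
    # mode alike. The route for that source must go via the tunnel, which
    # is what pfSense's "Outgoing Network Interfaces = VPN" arranges.
    outgoing-interface: 10.8.0.2

    # Only needed for arrangement B below: CA bundle used to verify the
    # DoT upstream's certificate (pfSense/FreeBSD path; adjust elsewhere).
    tls-cert-bundle: "/etc/ssl/cert.pem"

# Arrangement A: you trust the VPN. Forward everything to the provider's
# resolver inside the tunnel. No third party, no DoT needed, nothing
# leaves via WAN, so a leak test shows only the provider.
forward-zone:
    name: "."
    forward-addr: 10.8.0.1
    forward-first: no      # never fall back to recursion out WAN

# Arrangement B: no VPN. Comment out arrangement A and the
# outgoing-interface line above, then forward over TLS to a public
# resolver. The "#cloudflare-dns.com" suffix makes Unbound verify the
# certificate name, so the session is authenticated, not just encrypted.
#forward-zone:
#    name: "."
#    forward-addr: 1.1.1.1@853#cloudflare-dns.com
#    forward-addr: 1.0.0.1@853#cloudflare-dns.com
#    forward-tls-upstream: yes
#    forward-first: no

# Enabling B while the VPN is up is the "VPN + DoT" combination the
# original poster saw leaking: the DoT queries go wherever the route to
# 1.1.1.1 points, which is WAN unless the VPN is the default gateway or a
# policy route sends them into the tunnel.
```

Validate the file with `unbound-checkconf` before reloading; a forward-zone for "." with `forward-first: no` is the setting that guarantees Unbound never quietly walks the root servers out WAN when the tunnel resolver is unreachable.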

Ah, gotcha! You know, that clarifies a few things for me. But now I have a follow-up: what if I am set up with VLANs and I have 2 VLANs going through the VPN, and for the others I would want DNS over TLS? Is granular control like that possible?

Hmm, so I have General Settings > DNS set to use the VPN as gateway, with Forwarding Mode set up. Is that how you set up your stuff as well?

The Firewall > NAT > Outbound > AOD part doesn’t make sense to me, because I followed a bunch of guides to get this set up and everyone was using MANUAL. What do you mean by “this should work in either mode”?

I actually only installed pfSense a few weeks ago, so I’m still getting a handle on everything :) I’m not really sure if that’s possible, although I see there are a few options like host/domain overrides and access lists available in the pfSense DNS Resolver settings. I’m thinking you could look into those, along with selecting or excluding interfaces from the DNS Resolver, to see if you can get the result you want. Just speculating, of course, but that’s where I would look next. Maybe someone else could confirm or clarify.