Wednesday, February 27, 2019

curl: IPv6 + HTTPS test


https://forum.netgate.com/topic/134243/http-test-ipv6-com-works-but-https-test-ipv6-com-doesn-t-tls-handshake-stuck-with-ipv6

If HTTPS fails or stalls only over IPv6 while plain HTTP works, force curl onto IPv6 and watch the handshake; the -v output shows whether the failure is name resolution (no AAAA record), the TCP connect, or the TLS handshake itself. Drop the -X GET from the usual recipe: -I already sends a HEAD, and -X GET together with -I makes curl send GET but stop reading after the headers, which is not a useful transfer test. A handshake that hangs over IPv6 but completes over IPv4 is classic PMTU-blackhole behaviour (the ServerHello with the certificate chain is the first large packet in the exchange), so check that ICMPv6 Packet Too Big messages are not being filtered on the path.

curl -6 -v -I https://wiki.archlinux.org/index.php/Table_of_contents
curl -6 -sS -o /dev/null -w 'remote=%{remote_ip} tls_done=%{time_appconnect}s verify=%{ssl_verify_result}\n' https://wiki.archlinux.org/index.php/Table_of_contents

The second form prints the address actually connected to, the time at which the TLS handshake completed, and whether the certificate verified; compare it with the same command using -4.



Tuesday, February 26, 2019

Arch Linux: my install procedure

https://wiki.archlinux.org/index.php/installation_guide
timedatectl set-ntp true
fdisk -l ...
# partition the four disks the same way: partition 1 becomes swap, partition 2 becomes root

#OR https://wiki.archlinux.org/index.php/RAID
mdadm --create /dev/md0 --level=6 --raid-devices=4 /dev/sdb1 /dev/sdc1 /dev/sdd1 /dev/sde1   # swap
mdadm --create /dev/md1 --level=6 --raid-devices=4 /dev/sdb2 /dev/sdc2 /dev/sdd2 /dev/sde2   # root
mkfs.ext4 /dev/md1
mkswap /dev/md0
swapon /dev/md0
mount /dev/md1 /mnt
pacstrap /mnt base        # on current Arch, base no longer pulls in the kernel: pacstrap /mnt base linux linux-firmware mdadm grub
genfstab -U /mnt >> /mnt/etc/fstab
mdadm --detail --scan >> /mnt/etc/mdadm.conf   # without this the initramfs cannot assemble the root array

arch-chroot /mnt
---
passwd
ln -sf /usr/share/zoneinfo/America/Sao_Paulo /etc/localtime
hwclock --systohc
locale-gen                # uncomment your locale in /etc/locale.gen first
vi /etc/hostname
vi /etc/hosts
pacman -S grub
cat /etc/mdadm.conf       # check that the ARRAY lines made it into the chroot
vi /etc/mkinitcpio.conf
BINARIES=(mdmon)          # only needed for external-metadata arrays (Intel IMSM firmware RAID)
HOOKS=(base udev autodetect modconf block mdadm_udev filesystems keyboard fsck)   # one RAID hook, after block and before filesystems; add lvm2 only if you actually use LVM
mkinitcpio -p linux
vi /etc/default/grub
GRUB_PRELOAD_MODULES="... mdraid09 mdraid1x"
grub-install /dev/vda     # /dev/vda was my VM test; on the four-disk box run this for every member disk, so it still boots with one disk missing
grub-mkconfig -o /boot/grub/grub.cfg
cp /etc/netctl/examples/ethernet-static /etc/netctl/ens3   # the profile name must match the interface name; find it with: ip link
(edit file as needed...) https://www.ostechnix.com/configure-static-dynamic-ip-address-arch-linux/
netctl start ens3
netctl enable ens3
netctl list # (check interfaces)

Saturday, February 23, 2019

Arch Linux RAID install error: Failed to connect to lvmetad. Falling back to device scanning.

To install GRUB on a RAID root you need to adjust a few files before rebooting.

If you are on Intel firmware (IMSM) RAID, follow the wiki and add mdmon as well:

# vi /etc/mkinitcpio.conf
 change:
BINARIES=(mdmon)
 add:
HOOKS=(base udev block mdadm filesystems)

(mdadm_udev is the hook the wiki recommends today; mdadm is the older one. Use one of them, not both.)

Save the file and run:

# mkinitcpio -p linux
Make sure the RAID hook was picked up: mkinitcpio prints each hook as it runs it.

Then run grub-mkconfig -o /boot/grub/grub.cfg. If it prints

warning: failed to connect to lvmetad. falling back to device scanning.

the LVM tools inside the chroot cannot reach the host's lvmetad socket (arch-chroot mounts a fresh tmpfs on /run, so the host's /run/lvm is not visible). Leave the chroot and bind-mount the host's /run/lvm into it:

# mkdir /mnt/hostlvm
# mount --bind /run/lvm /mnt/hostlvm
# arch-chroot /mnt
# ln -s /hostlvm /run/lvm

-- alternative --
# mkdir /mnt/hostrun
# mount --bind /run /mnt/hostrun

Then chroot into the guest and mount the host's /run/lvm on the guest's /run/lvm:

# arch-chroot /mnt
# mkdir /run/lvm
# mount --bind /hostrun/lvm /run/lvm

Rerun grub-mkconfig -o /boot/grub/grub.cfg and the warning should be gone. On a plain mdadm root without LVM the warning itself is usually harmless (grub-mkconfig falls back to scanning), but it hides other errors in the output, so silence it before trusting the generated grub.cfg.
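As an added example (not from the Arch wiki or from either post above), here are the two checks worth running inside the chroot before the first reboot of a RAID-root install, plus the lvmetad workaround above wrapped as one function. The two things that most often leave such a box unbootable are missing ARRAY lines in mdadm.conf and a RAID hook that is absent or in the wrong place in HOOKS. The paths are the real ones (/proc/mdstat, /etc/mdadm.conf, /etc/mkinitcpio.conf); the sample file contents mentioned in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the Arch wiki or the posts above: pre-reboot checks
# for a RAID-root install, plus the lvmetad bind-mount workaround as a function.
# Paths are the real ones; sample file contents in comments are constructed.

# Print the md devices currently assembled, read from /proc/mdstat (or a copy).
# Matching line looks like: "md1 : active raid6 sde2[3] sdd2[2] sdc2[1] sdb2[0]"
mdstat_arrays() {
    awk '$1 ~ /^md[0-9]+$/ && $2 == ":" { print "/dev/" $1 }' "$1" | sort
}

# Print the arrays an mdadm.conf will assemble at boot. Lines look like:
# "ARRAY /dev/md1 metadata=1.2 name=archiso:1 UUID=...". mdadm may spell a
# numbered array /dev/md/1; normalise that to /dev/md1 so it compares equal.
# Named arrays (/dev/md/data) cannot be matched by name alone; compare UUIDs
# from mdadm --detail for those.
conf_arrays() {
    awk '$1 == "ARRAY" { print $2 }' "$1" \
        | sed 's#^/dev/md/\([0-9][0-9]*\)$#/dev/md\1#' | sort
}

# Return 0 when every running array has an ARRAY entry; otherwise print the
# ones that are missing and return 1.
arrays_covered() {
    mdstat=${1:-/proc/mdstat}
    conf=${2:-/etc/mdadm.conf}
    missing=$(mdstat_arrays "$mdstat" | while read -r dev; do
        conf_arrays "$conf" | grep -qxF "$dev" || echo "$dev"
    done)
    [ -z "$missing" ] && return 0
    printf 'not in %s: %s\n' "$conf" "$missing"
    return 1
}

# Return 0 when HOOKS=(...) in a mkinitcpio.conf lists a RAID hook (mdadm_udev,
# or the older mdadm) after "block" and before "filesystems"; that order is
# what lets the initramfs assemble the array before it tries to mount root.
raid_hook_ok() {
    hooks=$(sed -n 's/^HOOKS=(\(.*\))/\1/p' "$1" | tail -n 1)
    [ -n "$hooks" ] || return 1
    pos=0; block=; raid=; fs=
    for h in $hooks; do
        pos=$((pos + 1))
        case $h in
            block)            block=$pos ;;
            mdadm_udev|mdadm) raid=${raid:-$pos} ;;
            filesystems)      fs=$pos ;;
        esac
    done
    [ -n "$block" ] && [ -n "$raid" ] && [ -n "$fs" ] || return 1
    [ "$block" -lt "$raid" ] && [ "$raid" -lt "$fs" ]
}

# The lvmetad workaround from the post above as one step: bind the host's
# /run/lvm into the new system, then generate grub.cfg from inside it.
# Run from the live ISO, outside the chroot, as root.
grub_mkconfig_in_chroot() {
    root=${1:-/mnt}
    mkdir -p "$root/hostlvm"
    mount --bind /run/lvm "$root/hostlvm"
    arch-chroot "$root" sh -c \
        'ln -sfn /hostlvm /run/lvm && grub-mkconfig -o /boot/grub/grub.cfg'
}

# Typical use inside the chroot (non-zero exit means do not reboot yet):
#   arrays_covered && raid_hook_ok /etc/mkinitcpio.conf && echo "ok to reboot"
```

arrays_covered with no arguments reads the live /proc/mdstat and /etc/mdadm.conf, which is what you want inside the chroot; the arguments exist so the checks can be run against copies.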


Wednesday, February 20, 2019

PXE boot: custom default menu setup

https://www.syslinux.org/wiki/index.php?title=PXELINUX#Custom_Menu_Example_with_sub-menus



Custom Menu Example with sub-menus

Many advanced options here. Read the full Syslinux documentation to understand it all.
The menu is password protected against modification during PXE boot, which is useful to prevent tampering at the console.
Note: this example uses the legacy way to generate submenus, which is compatible with older Syslinux versions. Syslinux 3.62 and later support a slightly different syntax, which is faster and somewhat more flexible.
Directory Structure:
    /tftpboot/
    /tftpboot/memdisk
    /tftpboot/pxelinux.0
    /tftpboot/menu.c32
    
    /tftpboot/pxelinux.cfg/
    /tftpboot/pxelinux.cfg/default
    /tftpboot/pxelinux.cfg/graphics.conf
    /tftpboot/pxelinux.cfg/fixes.menu
    /tftpboot/pxelinux.cfg/setup.menu
    
    /tftpboot/TRK/
    /tftpboot/TRK/chkdsk.trk
    /tftpboot/TRK/initrd.trk
    /tftpboot/TRK/kernel.trk
    
    /tftpboot/Memtest/memtest.x86
    
    /tftpboot/Suse/
    /tftpboot/Suse/initrd92
    /tftpboot/Suse/linux92
    
    /tftpboot/Floppy/
    /tftpboot/Floppy/kbfloppy.img
/tftpboot/pxelinux.cfg/default:
 DEFAULT menu.c32
 PROMPT 0
 
 MENU TITLE PXE Special Boot Menu
 MENU INCLUDE pxelinux.cfg/graphics.conf
 MENU AUTOBOOT Starting Local System in # seconds
 
 LABEL bootlocal
   MENU LABEL ^Boot Point of Sale
   MENU DEFAULT
   LOCALBOOT 0
 TIMEOUT 80
 TOTALTIMEOUT 9000
 
 LABEL FixesMenu
   MENU LABEL ^Fixes Menu
   KERNEL menu.c32
   APPEND pxelinux.cfg/graphics.conf pxelinux.cfg/fixes.menu
 
 LABEL SetupMenu
   MENU LABEL ^Setup Menu
   KERNEL menu.c32
   APPEND pxelinux.cfg/graphics.conf pxelinux.cfg/setup.menu
/tftpboot/pxelinux.cfg/graphics.conf:
 MENU COLOR TABMSG    37;40  #80ffffff #00000000
 MENU COLOR HOTSEL    30;47  #40000000 #20ffffff
 MENU COLOR SEL       30;47  #40000000 #20ffffff
 MENU COLOR SCROLLBAR 30;47  #40000000 #20ffffff
 MENU MASTER PASSWD yourpassword
 MENU WIDTH 80
 MENU MARGIN 22
 MENU PASSWORDMARGIN 26
 MENU ROWS 6
 MENU TABMSGROW 15
 MENU CMDLINEROW 15
 MENU ENDROW 24
 MENU PASSWORDROW 12
 MENU TIMEOUTROW 13
 MENU VSHIFT 6
 MENU PASSPROMPT Enter Password:
 NOESCAPE 1
 ALLOWOPTIONS 0
Change ALLOWOPTIONS to 1 (one) and NOESCAPE to 0 (zero) while testing, so entries can be edited from the menu; set them back before clients are deployed. Be clear about what the password protects: this file is fetched over TFTP in the clear by every client, so anyone on the segment can read it. MENU PASSWD and MENU MASTER PASSWD accept a hashed value instead of plaintext (MD5 $1$, SHA-1 $4$, SHA-256 $5$ or SHA-512 $6$; syslinux ships md5pass and sha1pass to generate them), which at least keeps the password itself out of the file. Even then it only stops casual edits at the console: a client that controls its own network stack can fetch the kernels and initrds listed here directly.
/tftpboot/pxelinux.cfg/fixes.menu:
 MENU TITLE Fixes Menu
 
 LABEL MainMenu
   MENU LABEL ^Return to Main Menu
   KERNEL menu.c32
   APPEND pxelinux.cfg/default
 
 LABEL fsck
   MENU LABEL ^File system check
   KERNEL TRK/kernel.trk
   APPEND initrd=TRK/chkdsk.trk ramdisk_size=32768 root=/dev/ram0 vga=0
 
 LABEL memtest
   MENU LABEL ^Memory Test: Memtest86+ v1.65
   KERNEL Memtest/memtest.x86
 
 LABEL trk3
   MENU LABEL ^Trinity Rescue Kit
   KERNEL TRK/kernel.trk
   APPEND initrd=TRK/initrd.trk ramdisk_size=32768 root=/dev/ram0 vga=0 trknfs=IPADDR:/trk ip=::::::dhcp splash=verbose
/tftpboot/pxelinux.cfg/setup.menu:
 MENU TITLE Setup Menu
 
 LABEL MainMenu
   MENU LABEL ^Return to Main Menu
   KERNEL menu.c32
   APPEND pxelinux.cfg/default
 
 LABEL setupkb
   MENU LABEL ^Any floppy disk image
   KERNEL memdisk
   APPEND initrd=Floppy/kbfloppy.img
 
 LABEL linux
   MENU PASSWD yourpassword
   MENU LABEL Install - ^Classic
   KERNEL Suse/linux92
   APPEND initrd=Suse/initrd92 ramdisk_size=65536 vga=0 textmode=1 install=http://IPADDR serverdir=/9.2/install autoyast=http://IPADDR/9.2/scripts/ay92.xml
 
 LABEL trkclone
   MENU PASSWD yourpassword
   MENU LABEL Install - ^Faster
   KERNEL TRK/kernel.trk
   APPEND initrd=TRK/initrd.trk ramdisk_size=65536 root=/dev/ram0 vga=0 install=Y trknfs=IPADDR:/trk ip=::::::dhcp splash=verbose
 
 LABEL linuxfull
   MENU PASSWD yourpassword
   MENU LABEL Install - ^Developer
   KERNEL Suse/linux92
   APPEND initrd=Suse/initrd92 ramdisk_size=65536 vga=0 textmode=1 install=http://IPADDR serverdir=/9.2/install autoyast=http://IPADDR/9.2/scripts/develdesktop.xml
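
As an added example (not from the syslinux wiki), a small linter for a pxelinux.cfg tree like the one above, to run before pointing clients at it. It catches the two things that bite in practice: a KERNEL, initrd= or sub-menu file that does not exist under the TFTP root (the client just gets "file not found" at boot), and MENU PASSWD / MENU MASTER PASSWD values still stored in clear text. TFTPROOT defaulting to /tftpboot is the only assumption, matching the layout shown above; the tree used to exercise it is constructed.

```shell
#!/bin/sh
# Added example, not from the syslinux wiki: lint a pxelinux.cfg tree.
# Reports referenced files missing under the TFTP root and clear-text menu
# passwords. TFTPROOT=/tftpboot is an assumption matching the layout above.

TFTPROOT=${TFTPROOT:-/tftpboot}

# Print every file a config references, relative to the TFTP root. For an
# entry whose KERNEL is menu.c32 the APPEND words are further config files.
config_refs() {
    awk '
        toupper($1) == "LABEL"  { kern = ""; next }
        toupper($1) == "KERNEL" { kern = $2; print $2; next }
        toupper($1) == "INITRD" { print $2; next }
        toupper($1) == "MENU" && toupper($2) == "INCLUDE" { print $3; next }
        toupper($1) == "APPEND" {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^initrd=/) {
                    n = split(substr($i, 8), parts, ",")   # initrd=a.img,b.img
                    for (j = 1; j <= n; j++) print parts[j]
                } else if (kern ~ /menu\.c32$/) {
                    print $i
                }
            }
        }' "$1"
}

# Return 0 when everything a config references exists; otherwise list the
# missing files and return 1.
check_refs() {
    rc=0
    for f in $(config_refs "$1"); do
        [ -e "$TFTPROOT/$f" ] || { echo "missing: $f (referenced by $1)"; rc=1; }
    done
    return $rc
}

# Print each MENU PASSWD / MENU MASTER PASSWD that is not a hash. syslinux
# accepts MD5 ($1$), SHA-1 ($4$), SHA-256 ($5$) and SHA-512 ($6$) hashes and
# ships md5pass / sha1pass to make them. Return 1 if a clear-text value is found.
plaintext_passwds() {
    awk '
        toupper($1) == "MENU" && (toupper($2) == "PASSWD" ||
                                  (toupper($2) == "MASTER" && toupper($3) == "PASSWD")) {
            v = (toupper($2) == "PASSWD") ? $3 : $4
            if (v !~ /^[$][1456][$]/) { print FILENAME ": " $0; bad = 1 }
        }
        END { exit bad ? 1 : 0 }' "$@"
}

# Lint every config under pxelinux.cfg; return 1 if anything was reported.
lint_tree() {
    rc=0
    for cfg in "$TFTPROOT"/pxelinux.cfg/*; do
        check_refs "$cfg" || rc=1
    done
    plaintext_passwds "$TFTPROOT"/pxelinux.cfg/* || rc=1
    return $rc
}

# Usage: TFTPROOT=/tftpboot sh pxelint.sh lint   (prints nothing when clean)
case ${1:-} in lint) lint_tree ;; esac
```

The reference paths are resolved the way pxelinux resolves them in this layout, relative to the directory holding pxelinux.0, so the script has to be run on the TFTP server (or against a copy of the tree) rather than on a client.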




--------
Alternative: an iPXE menu, from the FOG forum thread below. The script is shown with the obvious defects of the posted version fixed (duplicate labels, undefined goto targets, kernel argument lines naming the wrong image). Note that every image is fetched over plain http from ${fog-ip} with no signature check, so whoever can answer for that address on the boot network decides what these machines run.
https://forums.fogproject.org/topic/8488/how-to-pxe-boot-cent-os-7/61
#!ipxe
# Posted on the FOG forum (link above), with its defects fixed: every menu
# item now has its own label, "goto start" and "goto failed" have targets,
# and kernel arguments are given on the kernel line instead of an imgargs
# line naming the wrong image. ${fog-ip} and ${fog-webroot} are set by FOG.
set base http://${fog-ip}/bootimgs

:MENU
menu
item --gap -- ---------------- iPXE boot menu ----------------
item mac          Macrium Reflect
item clonezilla   Clonezilla 2015
item ubuntu16_64  Ubuntu 16.04.1 x64
item ubuntu16_32  Ubuntu 16.04.1 x32
item ubuntu15_64  Ubuntu 15.10 x64
item ubuntu15_32  Ubuntu 15.10 x32
item kubuntu16_64 Kubuntu 16.04.1 x64
item kubuntu16_32 Kubuntu 16.04.1 x32
item kubuntu15_64 Kubuntu 15.10 x64
item kubuntu15_32 Kubuntu 15.10 x32
item mint18_32    Linux Mint 18 "Sarah" - MATE (32-bit)
item mint18_64    Linux Mint 18 "Sarah" - MATE (64-bit)
item mint17m_32   Linux Mint 17.2 "Rafaela" - MATE (32-bit)
item mint17m_64   Linux Mint 17.2 "Rafaela" - MATE (64-bit)
item mint17c_32   Linux Mint 17.2 "Rafaela" - Cinnamon (32-bit)
item mint17c_64   Linux Mint 17.2 "Rafaela" - Cinnamon (64-bit)
item BOOTCD       Hirens 15.2 BOOTCD
item pgon         Paragon Harddisk Manager 12
item ubd          Ultimate Boot Disk
item ez           EZ Gig IV Cloning Software
item centos       CentOS
item centos2      CentOS Live
item hostinfo     details about this computer
item shell        ipxe shell
item return       return to previous menu
choose --default return --timeout 5000 target && goto ${target} || goto MENU

# Ubuntu, Kubuntu and Mint live images all boot the same way (casper, root
# over NFS); each item sets the image directory and kernel name, then jumps here.
:casper
kernel ${base}/${dir}/casper/${kern} root=/dev/nfs boot=casper netboot=nfs nfsroot=${fog-ip}:/var/www/html/bootimgs/${dir}/ locale=en_US.UTF-8 keyboard-configuration/layoutcode=la mirror/country=US
initrd ${base}/${dir}/casper/initrd.lz
boot || goto failed

:ubuntu16_64
set dir 16.04.1_64 && set kern vmlinuz.efi && goto casper
:ubuntu16_32
set dir 16.04.1_32 && set kern vmlinuz && goto casper
:ubuntu15_64
set dir 15.10_64 && set kern vmlinuz.efi && goto casper
:ubuntu15_32
set dir 15.10_32 && set kern vmlinuz && goto casper
:kubuntu16_64
set dir kubuntu6_64 && set kern vmlinuz.efi && goto casper
:kubuntu16_32
set dir kubuntu6_32 && set kern vmlinuz && goto casper
:kubuntu15_64
set dir kubuntu5_64 && set kern vmlinuz.efi && goto casper
:kubuntu15_32
set dir kubuntu5_32 && set kern vmlinuz && goto casper
:mint18_32
set dir lm18_32 && set kern vmlinuz && goto casper
:mint18_64
set dir lm18_64 && set kern vmlinuz.efi && goto casper
:mint17m_32
set dir lm_32 && set kern vmlinuz && goto casper
:mint17m_64
set dir lm_64 && set kern vmlinuz && goto casper
:mint17c_32
set dir lmc_32 && set kern vmlinuz && goto casper
:mint17c_64
set dir lmc_64 && set kern vmlinuz && goto casper

# ISO images booted through memdisk: each item sets the ISO URL, then jumps here.
:isoboot
initrd ${iso} || goto failed
chain memdisk iso raw || goto failed

:mac
set iso http://${fog-ip}/fog/service/ipxe/mac/mac.iso && goto isoboot
:BOOTCD
set iso ${base}/bootcd/hirensboot.iso && goto isoboot
:pgon
set iso ${base}/pgon/phdman12.iso && goto isoboot
:ubd
set iso ${base}/ubcd/ubcd535.iso && goto isoboot
:ez
set iso ${base}/ez/EZGIG438.iso && goto isoboot

:clonezilla
kernel ${base}/clonezilla/vmlinuz boot=live username=user fetch=${base}/clonezilla/filesystem.squashfs locale=en_US.UTF-8 keyboard-layouts=NONE
initrd ${base}/clonezilla/initrd.img
boot || goto failed

:centos
initrd ${base}/centos/images/pxeboot/initrd.img
chain ${base}/centos/images/pxeboot/vmlinuz initrd=initrd.img method=${base}/centos/ devfs=nomount ip=dhcp || goto failed

:centos2
initrd ${base}/centos/images/pxeboot/initrd.img
chain ${base}/centos/images/pxeboot/vmlinuz initrd=initrd.img root=live:${base}/centos/LiveOS/squashfs.img ip=dhcp rootflags="loop" rootfstype=auto ro rd.live.image quiet rhgb rd.luks=0 rd.md=0 rd.dm=0 || goto failed

:hostinfo
echo This computer :
echo MAC address....${net0/mac}
echo IP address.....${ip}
echo Netmask........${netmask}
echo Serial.........${serial}
echo Asset number...${asset}
echo Manufacturer...${manufacturer}
echo Product........${product}
echo BIOS platform..${platform}
echo
echo press any key to return to Menu
prompt
goto MENU

:shell
shell ||
goto MENU

:return
chain http://${fog-ip}/${fog-webroot}/bootimgs/boot.php?mac=${net0/mac} ||
prompt
goto MENU

:failed
echo Boot failed, press any key to return to the menu
prompt
goto MENU

Tuesday, February 19, 2019

GParted Live on PXE Server

https://gparted.org/livepxe.php

Besides GParted Live CD and Live USB, we can put the GParted Live image on a PXE server so that a client can boot via the network to use GParted. The steps to do this are as follows:
  1. Set up a PXE server. You might refer to documentation, such as setting up a server for PXE network booting, or DRBL (Diskless Remote Boot in Linux) to assist you.
    In these steps we assume the pxelinux config file is /tftpboot/nbi_img/pxelinux.cfg/default, and the image files are in /tftpboot/nbi_img/.
  2. Set up an http service on the PXE server.
  3. Download GParted live zip file. You have to use 0.3.7-2 or later because network drivers are only included after that.
  4. Unzip all the files in a temp dir /tmp/gparted/. You can do this with a command such as:
        mkdir -p /tmp/gparted; unzip gparted-live-*.zip -d /tmp/gparted/
        
    NOTE: Replace gparted-live-*.zip with the file name you just downloaded.
  5. Copy the necessary boot files (vmlinuz and initrd.img) to /tftpboot/nbi_img/. For example:
        cp /tmp/gparted/live/{vmlinuz,initrd.img} /tftpboot/nbi_img/
        
  6. Copy /tmp/gparted/live/filesystem.squashfs to your http server. For example:
        cp /tmp/gparted/live/filesystem.squashfs /var/www/
        
  7. Edit your PXE config file /tftpboot/nbi_img/pxelinux.cfg/default, and append the following:
        label GParted Live
                MENU LABEL GParted Live
                kernel vmlinuz
                append initrd=initrd.img boot=live config components union=overlay username=user noswap noeject ip= vga=788 fetch=http://$webserverIP/filesystem.squashfs
        
    If the GParted live version you are using is <= 0.22.0-1, then the config file is like:
        label GParted Live
                MENU LABEL GParted Live
                kernel vmlinuz
                append initrd=initrd.img boot=live config union=aufs noswap noprompt vga=788 fetch=http://$webserverIP/filesystem.squashfs
        
    NOTE1: Replace $webserverIP with the IP address of your http server.
    NOTE2: Check the boot parameters in syslinux/syslinux.cfg inside the zip and use those instead of the ones listed above; newer releases change them (the vmlinuz path, for example).
    NOTE3: Do not use the parameter "ip=frommedia" in your PXE config file.
For more information about pxelinux, refer to the PXELINUX documentation (the article linked from the gparted page).
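As an added example (not from gparted.org), steps 4 to 7 above as one script. Rather than copying the kernel parameters from this page, it builds the pxelinux entry from the "append" line that ships in the zip's own syslinux/syslinux.cfg, which is what NOTE2 asks for, then drops ip=frommedia per NOTE3 and points fetch= at the web server. The directory arguments are the ones from the page; the syslinux.cfg used to exercise it is constructed.

```shell
#!/bin/sh
# Added example, not from gparted.org: stage an unzipped GParted Live image
# onto a PXE server and generate the pxelinux entry from the zip's own
# syslinux/syslinux.cfg. Directory layout follows the steps on the page.

# Print the kernel parameters for the PXE entry: take gparted's own append
# line, point initrd= at the copy placed in the TFTP root, drop ip=frommedia
# (NOTE3) and any fetch= already present, and fetch the squashfs over http.
# Return 1 if the file has no append line.
gparted_append() {
    cfg=$1; webip=$2
    line=$(awk 'tolower($1) == "append" { $1 = ""; sub(/^ /, ""); print; exit }' "$cfg")
    [ -n "$line" ] || return 1
    out=""
    for p in $line; do
        case $p in
            initrd=*)              out="$out initrd=initrd.img" ;;
            ip=frommedia|fetch=*)  ;;                      # dropped
            *)                     out="$out $p" ;;
        esac
    done
    printf '%s fetch=http://%s/filesystem.squashfs\n' "${out# }" "$webip"
}

# Copy vmlinuz and initrd.img into the TFTP root, the squashfs into the web
# root, and append the menu entry to pxelinux.cfg/default.
stage_gparted() {
    src=$1; tftp=$2; www=$3; webip=$4
    app=$(gparted_append "$src/syslinux/syslinux.cfg" "$webip") || return 1
    cp "$src/live/vmlinuz" "$src/live/initrd.img" "$tftp/"
    cp "$src/live/filesystem.squashfs" "$www/"
    mkdir -p "$tftp/pxelinux.cfg"
    {
        echo "label GParted Live"
        echo "        MENU LABEL GParted Live"
        echo "        kernel vmlinuz"
        echo "        append $app"
    } >> "$tftp/pxelinux.cfg/default"
}

# Usage, after unzipping into /tmp/gparted as in step 4 (verify the zip
# against the checksum gparted publishes first: a PXE image runs as root on
# every client that boots it):
#   stage_gparted /tmp/gparted /tftpboot/nbi_img /var/www 192.0.2.10
```

The squashfs is still fetched over plain http by the client at boot, so the web server and the TFTP server must be ones you trust on that network.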

Changing a Linux password fails asking for "Current Kerberos password:"

The error is:
# passwd user1
Current Kerberos password:

user1 is a local user, not an AD or remote user, so why does this happen? The pam_krb5 module sits in the password stack ahead of pam_unix and tries Kerberos first.

Run:
# pam-auth-update

and, if "Kerberos authentication" is ticked in the list of profiles, untick it (only do this if the host does not actually need Kerberos logins).

This was done on Debian 8.6.

Now the password can be changed from the shell.

Friday, February 15, 2019

firebird 3.0 error Statement failed, SQLSTATE = 08004 connection rejected by remote interface

https://stackoverflow.com/questions/30390465/connection-rejected-by-remote-interface-connecting-to-firebird-3-with-pdo

Setting to change in firebird.conf

Find firebird.conf and uncomment and change the following parameters (needed when the client is an old fbclient 2.x that only knows the legacy authentication) to disable wire encryption and prefer legacy authentication:
WireCrypt = Disabled
AuthServer = Legacy_Auth, Srp, Win_Sspi
AuthClient = Legacy_Auth, Srp, Win_Sspi

Be aware of what this gives up: Legacy_Auth is the weak pre-3.0 password scheme, and WireCrypt = Disabled turns off wire encryption for every client, not just the old one. The better fix is to update the client library to fbclient 3.x, which speaks Srp and encrypts. If old clients must stay, WireCrypt = Enabled (encrypt when the peer supports it, rather than never) keeps the 3.x clients encrypted while still admitting legacy ones, and the users that log in through Legacy_Auth must exist in the legacy format (CREATE USER ... USING PLUGIN Legacy_UserManager), because the legacy plugin cannot verify users created for Srp.

Saturday, February 2, 2019

Stopping DNS leakage with pfSense (avoiding DNS leaks on pfSense)

Source: Stopping DNS leakage with pfSense - ZenCoffee Blog

Stopping DNS leakage with pfSense

I’ve recently changed my core router over from OpenWRT to pfSense.  I was pretty happy with OpenWRT, but I wanted something more powerful since it was running in a VM anyway.
A few days ago, CloudFlare announced their new 1.1.1.1 service.  This is a public DNS service very much like Google’s 8.8.8.8 DNS service, with a notable difference.  It supports TLS.
Why should you care?  Because DNS requests are normally not encrypted, and therefore visible to your ISP to record, use for research / marketing purposes, or even (in the case of some nefarious actors) manipulate or change.  Running DNS over TLS prevents that, by encrypting your DNS traffic so that it can’t be manipulated or collected.
In this post, we’ll be configuring pfSense to do three things – provide a local standard unencrypted port 53 DNS resolver which uses CloudFlare’s 1.1.1.1 encrypted service on the WAN end, and then set up a NAT redirect so any attempts on the internal network to use port 53 DNS servers outside the network instead are intercepted and resolved by the internal resolver.  Lastly, it will also make sure that it blocks any outbound requests to port 53 just to be sure.
NOTE:  There’s one piece here I haven’t figured out yet.  How to pin a cert for the DNS endpoints listed here, so it’s not perfect.  When I figure that out, I’ll edit this post.
Let’s get started.

Configuring the pfSense Local Resolver

In pfSense, go to Services -> DNS Resolver, then put the following block into Custom Options:
server:
ssl-upstream: yes
do-tcp: yes
forward-zone:
    name: "." 
    forward-addr: 1.1.1.1@853
    forward-addr: 1.0.0.1@853
    forward-addr: 2606:4700:4700::1111@853
    forward-addr: 2606:4700:4700::1001@853
You will also need to make sure that the DNS Query Forwarding option is NOT selected, otherwise the above settings will conflict.  It’s OK to set the resolver to listen on all interfaces, since the firewall rules on the WAN will prevent Internet hosts from using your resolver anyway.  Follow the prompts, then test it with something like;
dig www.google.com @yourrouter.local
You should see a resolve against your router’s local DNS resolver that works.  If you really want, use Diagnostics -> Packet Capture, and capture port 853 to verify that requests are being triggered.
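The certificate-pinning gap mentioned in the NOTE above can be closed in Unbound itself. A #name suffix on a forwarder address makes Unbound check the upstream's TLS certificate against that name, using the CA bundle given in tls-cert-bundle, so something answering as 1.1.1.1 on the path is rejected instead of silently serving you. This is an added example and not part of the ZenCoffee post; it assumes an Unbound of 1.7 or later (when these directives appeared) and that the CA bundle on the firewall is at /etc/ssl/cert.pem (an assumption; adjust the path to your box).

```conf
# Added example (not from the original post): the same forwarders as above,
# but the upstream certificate is now verified. Assumes Unbound >= 1.7 and
# a CA bundle at /etc/ssl/cert.pem on this pfSense box (adjust if not).
server:
    tls-upstream: yes                       # current spelling of ssl-upstream
    tls-cert-bundle: "/etc/ssl/cert.pem"
    do-tcp: yes
forward-zone:
    name: "."
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
```

After saving, run unbound-checkconf on the firewall. If the bundle path is wrong or the certificate does not match the name, Unbound fails the forward rather than falling back to an unverified connection, which is the behaviour you want from a pin.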

Redirect all DNS requests to outside DNS servers to pfSense

Follow the article linked from the original post (pfSense's guide to redirecting client DNS requests): on each internal interface add a NAT port-forward that matches TCP/UDP to destination port 53 for any destination except the firewall itself and redirects it to the firewall's own resolver. You need one rule per internal interface (in my case LAN, DMZ and VPN); obviously do not configure this on the WAN interface. Any client that tries an outside resolver then has its request answered by the local pfSense resolver (which goes out over port 853 anyway).
To test this, try and dig something against an IP that you know is not internal and is not a DNS server.  It should work, since the request will be NATted.  Something like;
dig www.google.com @1.2.3.4
Assuming that’s all fine, you should now be able to configure a broad block rule to bar all outbound port 53.

Block all outbound non-encrypted DNS

This shouldn’t really be required if the NAT rule is working, but we’ll do it anyway to be sure we’re stopping any DNS leaks.
In pfSense, go to Firewall -> Rules, and for the WAN interface, define a new rule at the top of the list.  This rule should use these settings;
Action: Block
Interface: WAN
Address Family: IPv4+IPv6
Protocol: TCP/UDP
Source: any
Destination: any
Destination Port: DNS (53)
Description: Block outbound insecure DNS
After doing this, verify that you can still resolve against the local resolver (your router’s IP), and that you can still resolve against what seems to be external resolvers (eg, 8.8.8.8).  You should also check that when you do so that nothing passes on the WAN interface on port 53.
If that all passes, you’re done.   It’s up to you if you use the ‘Block’ target or the ‘Reject’ target.  Block causes a simple timeout if something hits 53 (which shouldn’t happen anyway), Reject causes an immediate fail.
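To confirm that the redirect and the block rule actually hold, read a capture taken on the WAN (or on a LAN segment) and look for port-53 traffic to anything but the resolver you expect. This is an added example, not from the ZenCoffee post; it reads tcpdump -nn text output, and the capture lines used to exercise it are constructed with documentation-range addresses.

```shell
#!/bin/sh
# Added example, not from the ZenCoffee post: detect DNS leaks in a packet
# capture, as a check on the NAT redirect and the block rule above. Input is
# tcpdump -nn text output, e.g. from
#   tcpdump -nn -i <wan> 'port 53 or port 853'
# or a pcap from Diagnostics -> Packet Capture read back with tcpdump -nn -r.
# The sample lines used when testing are constructed.

# Print every packet sent to port 53 on a host not in $2 (space-separated list
# of resolvers allowed to see plain DNS: empty for a WAN capture, the
# firewall's own addresses for a LAN capture). Return 1 if anything was
# printed; each printed line is a leak.
dns_leaks() {
    awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        ($2 == "IP" || $2 == "IP6") && $4 == ">" {
            dst = $5; sub(/:$/, "", dst)            # "8.8.8.8.53:" -> "8.8.8.8.53"
            port = dst; sub(/.*\./, "", port)       # after the last dot
            host = dst; sub(/\.[0-9]+$/, "", host)  # before it; works for IPv6 too
            if (port == "53" && !(host in ok)) { print; leak = 1 }
        }
        END { exit leak ? 1 : 0 }' "$1"
}

# Count packets to port 853: non-zero on a WAN capture means the resolver is
# really forwarding over TLS.
dot_packets() {
    awk '($2 == "IP" || $2 == "IP6") && $4 == ">" {
            dst = $5; sub(/:$/, "", dst); sub(/.*\./, "", dst)
            if (dst == "853") n++
         }
         END { print n + 0 }' "$1"
}

# Live use on the firewall, capturing for 30 seconds while clients browse
# (em0 as the WAN interface name is an assumption; use yours):
#   timeout 30 tcpdump -nn -i em0 'port 53 or port 853' > /tmp/wan.txt
#   dns_leaks /tmp/wan.txt "" && echo "no plain DNS left the WAN"
#   echo "DoT packets: $(dot_packets /tmp/wan.txt)"
```

A LAN-side capture run through dns_leaks with the firewall's addresses as the allowed list shows which clients are still trying to reach outside resolvers; those are the ones the NAT redirect is silently serving, and the ones to look at for DoH or DoT settings that the redirect cannot see.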