Netgate Discussion Forum

    NordVPN DNS servers seem to be down from my end but are apparently not

    Category: DHCP and DNS
    15 Posts, 2 Posters, 1.4k Views
    pftdm007, replying to @Bob.Dig:

      @bob-dig

      Hey there!

      When you say bad, what do you mean? Are there other servers that I can use? I just fired up an email to their tech support to complain a bit. I kinda feel entitled for once to do this, with the amount of trouble I've had so far.... They are quick to point to pfSense as the culprit of my troubles. It may be true, but I pretty much started having issues all over the place the moment I configured pfSense to work with Nord....

      What would you need to know to be able to guide me a bit on this? I will probably end up trashing NordVPN completely (I asked for a refund or partial refund. If they accept then it's case closed, otherwise I may try to make it work until my plan expires in 18 months).... This is why I'd like to understand what's going on here....

      At the end of the day I still feel the issue is on their end. Why would I have ZERO connectivity this morning when it's been working for several months now (not well, as I casually lose OpenVPN instances and have to jump-start them manually....)

    Bob.Dig (LAYER 8), replying to @pftdm007:

        @pftdm007 What you describe is pretty normal with most VPN providers, I guess. Nord has so many servers, they will go down, for minutes or forever. But you should keep in mind that Nord isn't expensive.

        Now DNS: there are several ways of handling DNS in pfSense, resolver, relayer, resolver doing DNS Query Forwarding ...
        If you care about DNS leaks, what I do is give some hosts in my network 8.8.8.8 as their DNS server per DHCP and not let them use pfSense for DNS (= no DNS leaks), problem solved (for me). If for some other hosts there is a DNS leak, I don't care that much.

    pftdm007, replying to @Bob.Dig:

          @bob-dig

          While you're talking about DNS and how pfSense can be configured with it, I wonder why my VLAN300 clients cannot do DNS resolution unless I manually specify the DNS servers in the DHCP server of that interface?

          The tooltip below the DNS text fields in the DHCP server page says:

          Leave blank to use the system default DNS servers: this interface's IP if DNS Forwarder or Resolver is enabled, otherwise the servers configured on the System / General Setup page.

          I left them blank. Since Unbound is NOT running on VLAN300 (I want VLAN300 to completely bypass DNSBL and be straight to the "outside" world) I'd expect the servers configured on the System / General Setup page to be provided to the clients of VLAN300 for DNS resolution.

          If I copy the DNS servers from the General Setup into the DHCP settings of VLAN300, everything works as expected. Do I need to set up FW rules or NAT stuff for this to work?

    Bob.Dig (LAYER 8), replying to @pftdm007:

            @pftdm007 said in NordVPN DNS servers seem to be down from my end but are apparently not:

            Do I need to set up FW rules or NAT stuff for this to work?

            Sure, but do it like I did, and now you did: provide a DNS server like 8.8.8.8 and there shouldn't be any DNS leak.

    pftdm007, replying to @Bob.Dig:

              @bob-dig

              Okay, but why are the system DNS servers not being passed on to the clients??? The tooltip is clear:

              Leave blank to use the system default DNS servers

              It's NOT working. Is it a bug in pfSense?

    Bob.Dig (LAYER 8), replying to @pftdm007:

                @pftdm007 said in NordVPN DNS servers seem to be down from my end but are apparently not:

                Is it a bug in pfSense?

                No... it is a bug in your rulemaking. ^^

    pftdm007, replying to @Bob.Dig:

                  @bob-dig

                  Excellent, now I know where to investigate!

                  Thanks

    Bob.Dig (LAYER 8), replying to @pftdm007:

                    @pftdm007 Here is a hint.

                    [image: Capture.PNG]

    pftdm007, replying to @Bob.Dig:

                      @bob-dig

                      Yes, what you're showing me is what I had. Somehow, DNS resolution on the clients of that VLAN is not working. I see the amount of states going up in the rules but still clients can't resolve FQDNs..

                      From one of the Linux clients I can confirm the DNS server is indeed the VLAN interface (DHCP) IP (192.168.2.1 in that case).

                      mint@linuxmint:~$ nmcli dev show | grep DNS
                      IP4.DNS[1]:                             192.168.2.1

                      The first rule with the 25/81 KiB (states) is the one I am trying to make work. Also note Unbound is not running on that VLAN.

                      [image: aaa.png]

                      It's like client requests for DNS resolution are indeed going through pfSense and through the FW rule but somehow are being blocked after that.

                      To test, I made a NAT rule to redirect any DNS requests to 8.8.8.8 but no improvement.

                      I confirm the clients can ping IPs on the internet. I tried with Google's IP:

                      PING 142.251.32.67 (142.251.32.67) 56(84) bytes of data.
                      64 bytes from 142.251.32.67: icmp_seq=1 ttl=118 time=19.9 ms
                      64 bytes from 142.251.32.67: icmp_seq=2 ttl=118 time=16.4 ms
                      64 bytes from 142.251.32.67: icmp_seq=3 ttl=118 time=18.5 ms
                      64 bytes from 142.251.32.67: icmp_seq=4 ttl=118 time=16.6 ms
                      64 bytes from 142.251.32.67: icmp_seq=5 ttl=118 time=18.3 ms
                      64 bytes from 142.251.32.67: icmp_seq=6 ttl=118 time=18.2 ms
                      ^C
                      --- 142.251.32.67 ping statistics ---
                      6 packets transmitted, 6 received, 0% packet loss, time 5051ms
                      rtt min/avg/max/mdev = 16.395/17.980/19.874/1.182 ms
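As an added diagnostic example (not from the thread), the script below is run on a client in that VLAN: it sends one A query to the resolver DHCP handed out (192.168.2.1 above) and tells a real answer apart from a REFUSED/NXDOMAIN reply and from a silent timeout. A timeout while the firewall state counter keeps rising is exactly the signature of pfSense handing out its own interface address with Unbound not listening on that interface. The query name example.com and the default server address are assumptions.

```python
import socket
import struct
import sys

TXID = 0x1234  # fixed transaction id so the reply can be matched


def build_query(name: str, txid: int = TXID) -> bytes:
    """Build a minimal DNS A/IN query for `name` with the RD (recursion) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def classify_response(resp: bytes, txid: int = TXID) -> str:
    """Interpret the reply header: answer, noanswer, refused, nxdomain, servfail, other, malformed."""
    if len(resp) < 12:
        return "malformed"
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or not flags & 0x8000:  # wrong id, or QR bit not set (not a response)
        return "malformed"
    rcode = flags & 0x000F
    if rcode == 0:
        return "answer" if an > 0 else "noanswer"
    return {2: "servfail", 3: "nxdomain", 5: "refused"}.get(rcode, "other")


def probe(server: str, name: str = "example.com", timeout: float = 2.0) -> str:
    """Send one query to `server`:53 and report what the client actually sees."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (server, 53))
            data, _ = s.recvfrom(512)
        except socket.timeout:
            # Packet left the client, nothing answered: typical when the DHCP-provided
            # address is the pfSense interface but no resolver is bound to it.
            return "timeout"
        except ConnectionRefusedError:
            # ICMP port unreachable came back: the host is up but nothing listens on :53.
            return "port-unreachable"
    return classify_response(data)


if __name__ == "__main__":
    resolver = sys.argv[1] if len(sys.argv) > 1 else "192.168.2.1"  # address from the thread
    print(f"{resolver}: {probe(resolver)}")
```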
    Bob.Dig (LAYER 8), replying to @pftdm007:

                        @pftdm007 But why? Why is Unbound not running on your DMZ VLAN? No wonder DNS is not working.

    pftdm007, replying to @Bob.Dig:

                          @bob-dig I was hoping not to open that can of worms but oh well ;)

                          I am running pfB+DNSBL on the other VLANs but I didn't want to run it on VLAN_DMZ because it was interfering with my work laptop and equipment.

                          The only (easiest) solution was not to run Unbound on VLAN_DMZ and manually pass DNS servers to its clients, effectively bypassing Unbound completely (and DNSBL at the same time).

                          Now DNSBL has Python group policies which can be used to exclude IPs from it. I tried (really tried) to use it but it just kept bugging and causing all kinds of issues. So I reverted back to bypassing Unbound.

                          Now the only difference is that I am trying to "automate" the config a bit by having the system DNS servers (System > General Setup) automatically passed on to the clients of VLAN_DMZ when they request a lease.

                          Let me ask you a different question:

                          What does pfSense do if something is specified in these fields? Knowing how pfSense uses what's specified in these fields would help me understand how the routing happens.

                          [image: Screenshot_2022-07-09_09-50-54.png]

    Bob.Dig (LAYER 8), replying to @pftdm007:

                            @pftdm007 If left empty, it will be that pfSense interface. If filled, that will be given to the DHCP clients.
                            Not that complicated.
                            I don't know what happens when you disable Unbound only on this interface, probably nothing > no more DNS.

    pftdm007, replying to @Bob.Dig:

                              @bob-dig Makes sense now that I read the tooltip differently. When the tooltip says "...if DNS Forwarder or Resolver is enabled" they mean enabled vs. disabled from a service perspective and not on a per-interface basis.... That's what I misinterpreted.

                              That'd be nice: to be able to NOT run Unbound on an interface and serve the system DNS servers. IMO the DHCP server should pass DNS servers in the following order:

                              If DNS fields are populated
                                  use their settings;
                              Otherwise
                                  If Unbound is running on the interface
                                      use interface IP
                                  Else
                                      pass system DNS servers

                              That's probably more of an improvement idea than anything else. For now (and probably forever) I have copied the system DNS servers onto the DHCP fields for DMZ and I'm back to normal.

                              Sorry about the confusion. Funny how something can be interpreted differently... Thanks for your patience @Bob-Dig !
