question about dns and vpn

vpittman · Mar 11, 2023, 9:06 AM

I have Pfsense set up with expressvpn, everything is looking good, but I'm confused about dns.

I'd like to set up seperate dns servers for the wan and the vpn. Just for ease of use, I'd like to set the DNS Servers globally so to add a Vlan to the VPN all I have to do is add a NAT and Firewall rule for that Vlan.

In System->General I have 4 dns servers configured, 2 with the gateway as WAN (quad9), 2 with the gateway as VPN (ExpressVPN) . 'DNS Server Override' is unchecked.

In DNS Resolver I have 'Enable Forwarding Mode' checked.

When I check for DNS leaks (https://dnscheck.tools) on either the lan or VPN, I see both sets of DNS servers (both quad9 and ExpressVPN). I was expecting to only see quad9 for lan and only ExpressVPN for the VPN

What am I missing ? Or maybe there is a better way to do this ?

Thanks
Victor

And thanks to everyone here that has posted on this forum, I was able to get this up and running without too much trouble !!

viragomann · Mar 11, 2023, 9:06 AM

@vpittman said in question about dns and vpn:

I was expecting to only see quad9 for lan and only ExpressVPN for the VPN

What so you call "lan" and what "VPN"?
Are these different networks or is VPN an IP alias for certain devices?
Do you policy route the traffic to ExpressVPN or is the routing given by the default route?

vpittman · Mar 11, 2023, 10:36 PM

@viragomann By Lan I guess I should have said non vpn traffic, but they are both separate networks. There is no policy routing, just default

vpittman · Mar 12, 2023, 8:19 AM

I realize that I can add the dns to the dhcp server for the vlan using vpn and I will get the dns separation that I'm looking for. But I thought specifying the gateway in the system->general dns settings would do the same thing

viragomann · Mar 12, 2023, 8:19 AM

@vpittman
The gateway setting for the DSN servers in the general settings is meant for MultiWAN, when using DNS server, which are only reachable over a specific gateway.

For directing a network segment or certain source IPs in an alias to the desired DNS server, you can add a port forwarding rule fro all DNS requests from these devices.

However, I'm wondering, how your "VPN" network is routed to expressvpn without policy routing, while the LAN isn't.

vpittman · Mar 12, 2023, 3:16 PM

@viragomann
Thanks for all the help, but for right now I'm just going to add the dns servers to dhcp and call it good.

Thanks again,
Victor

vpittman · Mar 12, 2023, 4:21 PM

I just realized that I have no idea what I'm taking about...
I am using policy routing on the vpn