NordVPN going up and down is screwing up DNS Resolver.
-
After a VPN interface is removed/added multiple times from a routing group, the DNS Resolver will no longer work. CPU usage hits the max and pfSense runs extremely slowly. Performing a reboot alleviates the problem until the next time an interface is removed/added multiple times from a routing group.
This is how it starts: the NordVPN connections go down multiple times. This causes the interface to be removed from the routing group and then, just as fast, added back. As you can see, something like this happened 752 times.
I am using DNS Resolver going out all VPN gateways.
VPN 1 is NordVPN Dallas
VPN 2 is NordVPN Houston
Surfshark Dallas
Surfshark Houston
In the next picture you can see both NordVPN tunnels are down. However, the DNS Resolver is set to be able to go out the other two VPN tunnels. To be honest, it does not matter if one or both of the NordVPN tunnels are open; the DNS Resolver will not function and CPU usage is extremely high.
In the next picture you can see hostnames can be resolved; however, 127.0.0.1 (localhost) is showing no response. So no hosts can resolve DNS hostnames.
This picture shows no states at all for the DNS Resolver, even after sending multiple requests.
The DNS Resolver logs have this:
I still have connectivity, as I can ping Google if I use the IP address.
Anyone have any advice? Can I rate limit the time it takes for an interface to be added back to the routing group? Maybe something like only adding an interface back once a minute. The whole thing is kinked until I do a reboot.
Thanks.
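The hold-down the poster asks about (only re-add a gateway after it has stayed up for a minimum interval, and alert when it flaps too often) can be modelled outside pfSense. The following is an added example, not code from the thread or from pfSense; it runs over constructed up/down events rather than real gateway logs, and the gateway names NORD_DALLAS and SURF_DALLAS are assumed.

```python
from collections import defaultdict, deque

HOLD_DOWN_SECS = 60      # assumed policy: stay up this long before being re-added
FLAP_WINDOW_SECS = 3600  # window over which down events are counted
FLAP_ALERT_COUNT = 5     # alert when a gateway goes down this often in the window

# Constructed sample events (epoch seconds, gateway, state); not real pfSense logs.
SAMPLE_EVENTS = [
    (0, "NORD_DALLAS", "up"), (0, "SURF_DALLAS", "up"),
    (100, "NORD_DALLAS", "down"), (105, "NORD_DALLAS", "up"),
    (110, "NORD_DALLAS", "down"), (115, "NORD_DALLAS", "up"),
    (120, "NORD_DALLAS", "down"), (125, "NORD_DALLAS", "up"),
    (130, "NORD_DALLAS", "down"), (135, "NORD_DALLAS", "up"),
    (140, "NORD_DALLAS", "down"), (145, "NORD_DALLAS", "up"),
    (150, "NORD_DALLAS", "down"), (155, "NORD_DALLAS", "up"),
    (400, "SURF_DALLAS", "down"), (405, "SURF_DALLAS", "up"),
]


def process_events(events, now, hold_down=HOLD_DOWN_SECS,
                   window=FLAP_WINDOW_SECS, alert_at=FLAP_ALERT_COUNT):
    """Replay gateway events; return (membership changes, flap alerts).

    A gateway leaves the group as soon as it goes down, but only re-enters
    once it has been continuously up for `hold_down` seconds.
    """
    in_group, up_since = set(), {}          # current members; pending re-adds
    flaps = defaultdict(deque)              # gateway -> recent down timestamps
    changes, alerts = [], []

    def settle(t):
        # Promote pending gateways whose hold-down timer has expired by time t.
        for gw, since in list(up_since.items()):
            if t - since >= hold_down:
                in_group.add(gw)
                changes.append((since + hold_down, gw, "added"))
                del up_since[gw]

    for t, gw, state in sorted(events):
        settle(t)
        if state == "down":
            up_since.pop(gw, None)          # a down event restarts the timer
            if gw in in_group:
                in_group.discard(gw)
                changes.append((t, gw, "removed"))
            q = flaps[gw]
            q.append(t)
            while q and t - q[0] > window:  # drop down events outside the window
                q.popleft()
            if len(q) == alert_at:
                alerts.append((t, gw, len(q)))
        elif gw not in in_group and gw not in up_since:
            up_since[gw] = t                # start the hold-down timer
    settle(now)
    return sorted(changes), alerts
```

With `hold_down=0` the same sample produces 16 membership changes (the storm the poster observed); with the 60-second hold-down it produces 6, and NORD_DALLAS triggers one flap alert at t=140.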
-
-
@elegantd My advice would be the same as in the other thread, don't use the Privacy VPNs for the DNS Resolver and also don't use their DNS-Servers, but use some good ones. Sure, you will get DNS-Leaks. For Clients where you don't want this, give them some public DNS-Servers in their DHCP-config, so they won't use Unbound.
-
Because LAN clients using Unbound is not good?
@Bob-Dig said in NordVPN going up and down is screwing up DNS Resolver.:
some public DNS-Servers
Unbound already has all 13 public DNS (root) servers built in.
But I get it : you mean private (company) DNS servers like 8.8.8.8 etc
-
@Bob-Dig said in NordVPN going up and down is screwing up DNS Resolver.:
@elegantd My advice would be the same as in the other thread, don't use the Privacy VPNs for the DNS Resolver and also don't use their DNS-Servers, but use some good ones. Sure, you will get DNS-Leaks. For Clients where you don't want this, give them some public DNS-Servers in their DHCP-config, so they won't use Unbound.
Surely though, if you have pfSense set up to forward DNS requests to the public DNS servers listed in System > General Setup, then clients should not be using the VPN DNS anyway? (Making the assumption you have not set "Pull DNS" in the VPN config.)
-
First let me thank everyone for responding.
I made a configuration change that seems to be helping. In the next 48 hours, if the fix seems stable, I will let the community know what caused the problem. It was great to see the support that was offered though. Here's to me being able to report my problem is gone in the next 48!
-
@elegantd said in NordVPN going up and down is screwing up DNS Resolver.:
First let me thank everyone for responding.
I made a configuration change that seems to be helping. In the next 48 hours, if the fix seems stable, I will let the community know what caused the problem. It was great to see the support that was offered though. Here's to me being able to report my problem is gone in the next 48!
If you do resolve it, I would be very interested in what it was as I am nearly at the end of my tether lol.
-
Solved
Short answer: Snort.
Long answer: Snort was NOT blocking the formation of my VPN tunnels. I have NordVPN set up to use TCP. So in effect I was creating a denial of service attack on myself! TCP looks for a response, which a Snort rule was blocking. I had Snort set to drop on the WAN side. My firewall was being swamped by TCP response requests that were never going to come. That is why I had CPU problems and my firewall was behaving extremely sluggishly. All of this could be alleviated by a reboot. I was needing to do a reboot about once a day. I turned Snort off and my problems went away. I will next just add my VPNs to a pass list.