How do I force the use of my DNS setting?
-
Have been attempting to get my VLAN networks - one an OpenVPN and the other straight to the ISP - to use the servers listed in General Settings DNS.
Tried multiple other settings from DHCP to OpenVPN setup but nothing overrides it and Comcast DNS is always there. Wasting way too much time on this changing settings etc. - can anyone give a simple walkthrough of settings to use to just make everything use the servers listed? It used to work fine when first set up on 2.4 but since upgrading it does not (I'm afraid I've forgotten everything I learned when setting up years ago). Having to use DNS settings on connected devices, which is a PIA.
Thanks -
@fin1000 You want clients to use specific DNS that is not pfSense, correct?
The DHCP Server options have a setting for which DNS to use.
You can then block access to external DNS by firewall rules. And may need to block DoH/DoT, by using pfBlocker or rules.
Or set/force clients to use pfSense for DNS, and set pfSense to forward to an external DNS server.
https://docs.netgate.com/pfsense/en/latest/recipes/#dns
https://docs.netgate.com/pfsense/en/latest/services/dns/resolver-modes.html#forwarding-mode
-
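The rule set described above (pass DNS to pfSense, block plain DNS and DoT to everyone else) depends on pfSense evaluating interface rules top-down with first match winning. This added model is not from the post or from pfSense; the firewall LAN address and the DoH blocklist are constructed stand-ins.

```python
"""Model of pfSense-style first-match rule evaluation for LAN DNS egress."""
from dataclasses import dataclass
from typing import Optional

PFSENSE_LAN_IP = "192.168.1.1"           # assumed LAN address of the firewall (constructed)
DOH_BLOCKLIST = {"8.8.8.8", "1.1.1.1"}   # constructed stand-in for a pfBlockerNG DoH list


@dataclass
class Rule:
    action: str           # "pass" or "block"
    proto: str            # "tcp", "udp", "tcp/udp" or "any"
    dst: str              # "self" (the firewall itself), "any", or one IP
    dport: Optional[int]  # None means any destination port
    note: str

    def matches(self, proto: str, dst_ip: str, dport: int) -> bool:
        if self.proto != "any" and proto not in self.proto.split("/"):
            return False
        if self.dst == "self" and dst_ip != PFSENSE_LAN_IP:
            return False
        if self.dst not in ("self", "any") and dst_ip != self.dst:
            return False
        return self.dport is None or self.dport == dport


# LAN interface rules, top to bottom: first match wins, as on pfSense.
LAN_RULES = [
    Rule("pass", "tcp/udp", "self", 53, "clients may resolve via pfSense"),
    Rule("block", "tcp/udp", "any", 53, "no plain DNS to anyone else"),
    Rule("block", "tcp", "any", 853, "no DNS over TLS"),
    Rule("pass", "any", "any", None, "default allow out"),
]


def evaluate(rules, proto: str, dst_ip: str, dport: int):
    """Return (action, note) of the first rule matching the flow."""
    for r in rules:
        if r.matches(proto, dst_ip, dport):
            return r.action, r.note
    return "block", "implicit default deny"


def dns_egress_allowed(dst_ip: str, dport: int = 53, proto: str = "udp") -> bool:
    """True if a LAN client could reach this resolver under LAN_RULES.
    DoH rides on TCP 443 like any HTTPS, so a port rule cannot single it
    out; it is only stopped when the resolver is on a destination list."""
    if dport == 443 and dst_ip in DOH_BLOCKLIST:
        return False
    action, _ = evaluate(LAN_RULES, proto, dst_ip, dport)
    return action == "pass"
```

Swapping the first two rules shows why order matters: the block-any rule then catches the clients' queries to pfSense too.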
Thanks
I need to make anything connected to either the straight-out-to-the-ISP or the OpenVPN client use the DNS servers listed in the General Settings VPN server boxes, but it all uses the ISP DNS.
Your link (Firewall > NAT, Port Forward tab) on my box is set exactly as suggested
It’s odd because it used to work - then didn’t -
@fin1000 said in How do I force the use of my DNS setting ?:
to use the servers listed in gen settings dns
If you want your LAN(s) client to use the "servers listed in gen settings dns" then ... well ... why not give them to your LAN clients ?
As they are using DHCP, go here: Services > DHCP Server > LAN and enter all your DNS servers. Save, Apply - now go to one of your LAN devices; if it's a Windows device, type
ipconfig /renew
and then
ipconfig /all
and you'll see that your LAN device now uses 8.8.8.8 4.4.4.4 9.9.9.9 as its DNS.
( something you actually don't want, as you'll find out later ... but that's another story ^^ )
edit: An OpenVPN client: same thing: see the OpenVPN server page: you can give a list of DNS servers for your OpenVPN clients.
-
Thanks for that - the result was strange, I thought - it wouldn't use the inputted DNS, but even worse it then leaked my IP whilst using the OpenVPN client and continued to use the ISP DNS.
-
@fin1000 said in How do I force the use of my DNS setting ?:
and continued to use the isp dns
If you have checked ( System > General Setup) :
then the DNS server(s) obtained from the ISP are assigned to the pfSense DHCP server(s), thus the LAN clients will get the ISP DNS servers.
That's something that was normal, or even mandatory, in the past. -
I do have Pull DNS set on the OpenVPN client - I assumed that would use the VPN's own DNS servers?
But I don't quite understand the wording in General Settings.
If checked, are the servers listed in General Settings overruled and the ones put in DHCP used? At the moment it's unchecked.
At the moment I only have servers set on the DHCP server for the VPN interface; the rest are blank.
The other problem I've got is I'm in 2 places - one was in the US using Comcast, now in the UK with a BT system - but don't know if that makes any difference - using the same config file -
@fin1000 said in How do I force the use of my DNS setting ?:
DCHP server for vpn interface
VPN what ? server ? client ?
The pfSense DHCP server can only be activated for 'classic' LAN (and OPTx and so on) interfaces, not the special ones like 'openvpn'.
@fin1000 said in How do I force the use of my DNS setting ?:
if that makes any difference - using the same config file
The same ? Humm ....
The file you export for backup purposes is meant to be used on the same device, not another device.
After all, hardware IDs (Netgate ID, and so on) will be different ...
See it as a complete 'Windows PC backup'. You don't restore the backup on 'another' PC as this will bring issues with it, starting with the licensing that will break ...
-
I'm sorry, I didn't fully explain - config file exported to the exact same Dell server with the same Intel NICs and the exact same Cisco 3500 switch and UniFi AP; both instances are identical.
My only problem that needs a solution is how do I force the use of either my VPN DNS servers or ones I choose on things connected to my VPN client, as the way it runs now is that DNS leak testing displays my ISP address, which is fixed (at least in the UK; can't tell if Comcast is fixed).
I can use dedicated DNS on browsers and also on devices but it's not very satisfactory.
Unfortunately I'm not in any way a networking expert, just having to find my way around stuff - though when I built it years ago it did exactly what I needed, but something changed either with pfSense or the NordVPN service (been there to find solutions but no help). Anyway, thanks for the help!