Unbound resolver: DNS queries do not follow rules (bug or feature?)
-
Unbound settings:
In Outgoing Network Interfaces I have selected only the (three) OpenVPN interfaces/clients. Forwarding mode is disabled. DNSSEC is enabled.
Firewall rule:
Under "Guest" network I have defined a rule "allow to all" with a specific OpenVPN gateway assigned.
Expected outcome:
DNS queries from clients in the Guest-LAN network are sent only to the OpenVPN gateway as defined under rules.
Experienced outcome:
DNS queries from clients in the Guest-LAN network are sent to all OpenVPN gateways as selected in outgoing network interfaces in the Unbound resolver.
Bug/feature?
It seems to me that all network traffic should follow rules as defined (per physical interface). This was the behaviour in dnsmasq/DNS forwarder: DNS queries would be sent over the gateway as defined under firewall rules. With Unbound, DNS traffic does not follow the gateway as defined under firewall rules. If a specific gateway is defined in firewall rules, it does not seem to apply to DNS queries. DNS queries are being sent to all gateways as selected in outgoing network interfaces. So, now it seems unpredictable how DNS queries are being sent (over which gateway).
(Currently using pfSense 2.2.5.)
-
And how exactly you imagine a Guest-LAN firewall rule to have any effect on DNS queries sent from the firewall itself?
-
That is a good question!
Made me think: with dnsmasq the client in the Guest-LAN network was sending the DNS request itself; with Unbound the pfSense system itself is sending the DNS query. Is that what you mean / are my thoughts correct?
But in both cases the origin of the DNS queries is a client in the Guest-LAN network. As Unbound is only relaying the DNS query from the client, shouldn't the DNS query follow the firewall rules/gateway which apply to the client in the Guest-LAN network?
-
As Unbound is only relaying the DNS query from the client
Well no, that's not how it works.
http://computer.howstuffworks.com/dns.htm
-
Thanks for the link!
I think, being a newbie, I may not have expressed myself clearly. Or maybe I do not understand it correctly, but I believe it is correct to say that when a client in the Guest-LAN network is sending a DNS query to pfSense:
- Unbound: if the DNS query is not cached in Unbound, Unbound asks the root DNS servers (or the DNS servers as specified under System - General Setup if forwarding mode is enabled)
- dnsmasq: the DNS query is forwarded to the DNS servers as specified under System - General Setup.
A DNS query under option 2) is being sent over the gateway as specified under firewall rules (if I understand correctly?) to the specified DNS servers, while under option 2) it does not follow these rules/gateway. If under outgoing network all interfaces are selected, the DNS query can be sent over any/all of the gateways available in pfSense. That does not make sense to me. It is not predictable. The origin (client in Guest network) and purpose (receive the correct IP) are the same. Then why this different behaviour between Unbound and dnsmasq?
I would like my DNS queries to follow the rules/gateways as specified per interface. I can go back to using dnsmasq, but then I will be missing DNSSEC, which is a great new security feature I would like to keep using.
-
A DNS query under option 2) is being sent over the gateway as specified under firewall rules (if I understand correctly?) to the specified DNS servers, while under option 2) it does not follow these rules/gateway
Uhm, no. The client never talks to the DNS servers. This simply ain't doable when DNS server is the firewall itself. It will never work like this, resolver or forwarder does not matter at all. (Now, you can waste a couple of days with trying to mark the packets on LAN and match and re-route them on firewall via floating rules… good luck with that. Waste of time.)
-
Okay, I do understand that the client is never talking to the DNS server directly (only when pfSense itself "becomes" the DNS server if the IP is already cached). Now let's forget about relaying/forwarding/sending or whatever misleading terms I am using. For me it is about which route the DNS query will (or will not) follow. Specifically, whether it will follow a specific OpenVPN connection/gateway or not.
I know for a fact that DNS queries under option 2) will first follow my OpenVPN connection as specified as the specific gateway in a firewall rule (I can see this when capturing traffic on the WAN port). Then, after reaching the specified VPN end-point, the DNS query will be sent further (probably now in the clear) to the specified DNS server (and then it will return with the IP asked for).
This is not the case with Unbound. Now the rule/gateway is not relevant. The DNS query may follow the OpenVPN connection, but it may also follow any other interface selected under Outgoing Network Interfaces (or maybe it is being sent over all interfaces, such as all OpenVPN gateways and WAN, simultaneously?).
For me, but maybe also others (?), this is not desirable. I would like to force all DNS queries through an OpenVPN tunnel I have specified (under the rule per interface), which must be the same OpenVPN tunnel the rest of the internet traffic from this client is flowing through (before all traffic, DNS or not, leaves to the internet [in the clear]). If possible I would like this with Unbound so I can continue to use DNSSEC.
Anybody else with the same wish?
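The "Outgoing Network Interfaces" setting discussed in this post maps to Unbound's own `outgoing-interface:` directive, which may be given several times; when several are listed, Unbound spreads its upstream queries across all of them, which is exactly the "any/all of the gateways" behaviour observed above. The fragment below is an added illustration, not configuration from the thread or from pfSense: it shows the setting that produces the unpredictable spread beside a version that pins Unbound's source address to a single tunnel. Interface addresses are made-up placeholders.

```conf
# Unbound server clause (added example; addresses are placeholders).

server:
    # -- Setting that reproduces the behaviour reported in the thread --
    # Three tunnel addresses listed: each upstream query picks one of them,
    # so a query may leave over any of the three VPN gateways.
    #outgoing-interface: 10.8.0.6      # placeholder: OpenVPN client 1
    #outgoing-interface: 10.9.0.6      # placeholder: OpenVPN client 2
    #outgoing-interface: 10.10.0.6     # placeholder: OpenVPN client 3

    # -- Pinned version --
    # Only one source address, the tunnel the guest clients' other traffic uses.
    outgoing-interface: 10.8.0.6       # placeholder: OpenVPN client 1

    # Keep DNSSEC validation on (the reason for staying on Unbound).
    auto-trust-anchor-file: "/var/unbound/root.key"   # path is a placeholder
```

Two caveats a practitioner should keep in mind. First, `outgoing-interface` only binds the source address of the query; the kernel still chooses the egress route from the routing table, so the tunnel has to carry a route for the destination (or be the default route) for the packet to actually leave through it, which is the point made later in the thread that firewall-originated traffic is not subject to the LAN policy-routing rules. Second, on pfSense the unbound.conf file is generated from the GUI, so the single-interface choice is made under Services - DNS Resolver - Outgoing Network Interfaces rather than by editing the file directly.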
-
If it's not desirable then run a DNS on the top-secret guest LAN that MUST 300% forward DNS queries to the sacred DNS servers ONLY. That way, the DNS queries can get matched and routed out the desired GW. Or – simply assign those sacred DNS servers to clients on that guest LAN directly. And forget about using your firewall as DNS server.
Your LAN policy routing rules will not match traffic originating from the firewall itself. If you look at Diagnostics - States and filter by port 53, you can very easily see that the DNS traffic outbound on WAN is originated from the firewall and not from the clients.
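The "Diagnostics - States, filter by port 53" check suggested above can be scripted so that it answers both questions the original poster keeps asking: who originated each DNS state (the firewall or a client), and on which interface it left. The following is an added example, not code from the thread or from pfSense; it parses a handful of constructed lines written in the general shape of `pfctl -ss` output (interface, protocol, `src -> dst` for outbound or `dst <- src` for inbound, with the pre-NAT address in parentheses when present) and flags DNS states that left on an interface other than the approved tunnel. Addresses, interface names and ports are all made up; `FIREWALL_ADDRS` and `TUNNEL_IFACES` are assumptions you would replace with your own.

```python
import ipaddress
import re

# Constructed sample lines in the general shape of `pfctl -ss` output.
# Every address, port and interface name here is made up for the example.
SAMPLE_STATES = """\
vlan10 udp 192.168.10.1:53 <- 192.168.10.50:51234       MULTIPLE:SINGLE
ovpnc1 udp 10.8.0.6:60001 -> 198.51.100.53:53       MULTIPLE:SINGLE
ovpnc1 udp 10.8.0.6:60002 -> 203.0.113.9:53       MULTIPLE:SINGLE
em0 udp 192.0.2.10:60003 -> 198.51.100.53:53       MULTIPLE:SINGLE
em0 tcp 192.0.2.10:60004 (192.168.10.50:51235) -> 203.0.113.9:53       ESTABLISHED:ESTABLISHED
em0 tcp 192.0.2.10:44321 -> 203.0.113.80:443       ESTABLISHED:ESTABLISHED
"""

# Assumed addresses owned by the firewall itself (LAN, tunnel and WAN side).
FIREWALL_ADDRS = {"192.168.10.1", "10.8.0.6", "192.0.2.10"}
# Assumed interface(s) through which DNS is allowed to leave.
TUNNEL_IFACES = {"ovpnc1"}

STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>udp|tcp)\s+"
    r"(?P<left>\S+)(?:\s+\((?P<orig>[^)]+)\))?\s+"
    r"(?P<dir>->|<-)\s+(?P<right>\S+)"
)


def split_endpoint(endpoint):
    """'addr:port' (or '[v6addr]:port') -> (addr, port)."""
    addr, port = endpoint.rsplit(":", 1)
    return addr.strip("[]"), int(port)


def parse_state(line):
    """Parse one state line; return None for lines that do not match."""
    m = STATE_RE.match(line)
    if not m:
        return None
    left = split_endpoint(m["left"])
    right = split_endpoint(m["right"])
    if m["dir"] == "->":
        # Outbound state: left is the source as seen on the wire, right the
        # destination. A parenthesised address is the pre-NAT originator.
        src, dst, direction = left, right, "out"
        originator = split_endpoint(m["orig"])[0] if m["orig"] else left[0]
    else:
        # Inbound state: left is the local destination, right the remote source.
        src, dst, direction = right, left, "in"
        originator = right[0]
    return {"iface": m["iface"], "proto": m["proto"], "direction": direction,
            "src": src, "dst": dst, "originator": originator}


def dns_states(text, firewall_addrs):
    """All states whose destination port is 53, tagged with who originated them."""
    fw = {ipaddress.ip_address(a) for a in firewall_addrs}
    found = []
    for line in text.splitlines():
        st = parse_state(line)
        if st is None or st["dst"][1] != 53:
            continue
        st["from_firewall"] = ipaddress.ip_address(st["originator"]) in fw
        found.append(st)
    return found


def find_dns_leaks(text, firewall_addrs, tunnel_ifaces):
    """Outbound DNS states that left on an interface outside the approved tunnels."""
    return [st for st in dns_states(text, firewall_addrs)
            if st["direction"] == "out" and st["iface"] not in set(tunnel_ifaces)]


if __name__ == "__main__":
    for st in dns_states(SAMPLE_STATES, FIREWALL_ADDRS):
        who = "firewall" if st["from_firewall"] else "client"
        print(f"{st['iface']:7} {st['direction']:3} {st['proto']} "
              f"{st['src'][0]} -> {st['dst'][0]}:{st['dst'][1]}  originator={who}")
    for leak in find_dns_leaks(SAMPLE_STATES, FIREWALL_ADDRS, TUNNEL_IFACES):
        print(f"LEAK: DNS to {leak['dst'][0]} left via {leak['iface']} "
              f"(originator {leak['originator']})")
```

On the constructed input the two `ovpnc1` states are the resolver's own queries leaving through the tunnel, the `em0` UDP state is a resolver query that left on WAN (the firewall-originated case the post describes, which no LAN rule will ever match), and the NAT'd `em0` TCP state is a guest client talking to an outside DNS server directly, which is the only kind of port-53 traffic a Guest-LAN policy-routing rule could have steered. Feeding the script real `pfctl -ss` output works only if the lines keep that shape; other state-table formats need their own regex.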
-
If it's not desirable then run a DNS on the top-secret guest LAN that MUST 300% forward DNS queries to the sacred DNS servers ONLY.
Yes! That's what I was looking for…300% secure... :) ;)
Didn't mention "top-secret", but also do like that :) ;)
So, please help me. This one is serious: how exactly do I set up to "run a DNS on the guest LAN"?
Or – simply assign those sacred DNS servers to clients on that guest LAN directly. And forget about using your firewall as DNS server.
Yes, I know. I can always do that as a last resort. But I would like all clients to benefit from the pfSense DNS setup. I do not like to adjust all my guest clients' DNS settings manually every time ;)
Your LAN policy routing rules will not match traffic originating from the firewall itself. If you look at Diagnostics - States and filter by port 53, you can very easily see that the DNS traffic outbound on WAN is originated from the firewall and not from the clients.
So, this (Unbound) DNS query is originating from the firewall itself and will not match LAN policy routing rules. Then how will it pick the gateway (WAN / OpenVPN)? Most likely I am missing something here? I'm simply looking for a setup which sends DNS queries over the same OpenVPN gateway as other traffic from a client. Just trying to understand how to prevent DNS leaks (DNS queries outside the VPN tunnel). I believe this is something more people are looking for.
Just a picture (probably not for you), but for other people to understand (do not want the red line) to whatever DNS server I am using (in forward mode or root DNS server). There is no need to use the DNS server from the VPN provider (any good DNS server with DNSsec support is fine), but when a DNS query is made, just want to be sure it is being sent over the VPN tunnel. And preferable the same VPN tunnel all other traffic from the client is flowing through:
-
Don't tell your VPN clients to use pfSense as a DNS server. Tell them to use the DNS servers reachable via the VPN. Then DNS traffic will just be VPN traffic.
There are lots of different ways to accomplish the same thing.
-
Don't tell your VPN clients to use pfSense as a DNS server.
Maybe a little bit semantic, but pfSense IS the VPN client (connected to multiple VPN providers). But most likely you meant the end users' devices (laptops/phones/etc.)?
There are lots of different ways to accomplish the same thing.
Please elaborate on the most efficient and practical way to accomplish this (no DNS queries outside the VPN tunnel). You will not only help me, but a lot of other users, as I do see this question pop up every time, everywhere, without a good description of how to accomplish this (with regard to pfSense).
-
Of course. The hosts with the VPN traffic. Not the tunnel endpoint itself.
I cannot elaborate because every network is different.
Don't tell your VPN ~~clients~~ hosts to use pfSense as a DNS server.