Netgate Discussion Forum

Dns query

General pfSense Questions
14 Posts, 3 Posters, 2.3k Views
techy82 (Jan 10, 2017, 8:40 PM)

I have OpenVPN set up with PIA and I have set up some devices to bypass PIA and go straight out via the WAN connection; however, these devices are not getting DNS.

What do I have to do so DNS will work on devices that are going straight out the WAN?

Thanks very much
viragomann (Jan 10, 2017, 11:35 PM)

Just allow access to the DNS server in the firewall rules.
techy82 (Jan 11, 2017, 8:04 AM)

Thanks very much, how would I do that?
viragomann (Jan 11, 2017, 9:14 AM)

That depends on the DNS server your devices are using. You gave no information about your setup.

If pfSense is your DNS, add a rule to the interface the concerned devices are connected to and allow the TCP/UDP protocol from them to the interface address with destination port 53.

If the devices try to access a public DNS, enter the DNS IP as the destination, or just any. If the VPN client is your default gateway, you have to select the WAN gateway in the advanced options here in addition.
techy82 (Jan 11, 2017, 10:22 AM)

Thanks very much.

I am using pfSense for DNS, and OpenVPN (PIA) is set as the default gateway.

I set up a new rule with the device's IP to point to WAN instead of the OpenVPN connection, but it doesn't resolve DNS. I shall try this.

Thanks again
techy82 (Jan 11, 2017, 7:04 PM)

Hi

I have my PS4 LAN rule to forward straight to the WAN; would I just add another rule on the LAN interface to pass DNS traffic to port 53?

Thanks very much, really appreciate the help!

[Attachment: Capture.PNG]
viragomann (Jan 11, 2017, 7:27 PM)

Yes, the rule for accessing the LAN interface must not have a gateway set.

Your PS4 rule allows only traffic to the WAN GW. Access to the LAN address does not pass this. So you have to add an additional rule for DNS using no gateway (set to default) and put it above the other PS4 rule.
techy82 (Jan 12, 2017, 7:40 AM)

That's great, thanks very much, really appreciate your help! :-)
techy82 (Jan 12, 2017, 11:47 AM)

Hi

Does the below set of rules look okay?

Thanks again!

[Attachment: Capture2.PNG]
johnpoz LAYER 8 Global Moderator (Jan 12, 2017, 2:12 PM)

Other than DNS uses UDP, and sometimes (not very often) TCP. And you only have TCP instead of UDP/TCP on your DNS rule.

And your source port should be ANY, not 53... Your dest is 53, but you have no idea what port the client would use for a DNS query.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11
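The two rule-set points made in this thread (viragomann's, that the DNS rule must have no gateway and sit above the PS4 policy-routing rule, and johnpoz's, that it must allow UDP as well as TCP and use any source port) can be checked with a small first-match simulation. This is an added example, not code from the thread or from pfSense: the addresses, the rule names and the "WAN_GW" label are constructed for illustration, and the simulator only models the protocol/address/port matching and first-match ordering of interface rules, not pf itself.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed addresses for the example; they are not from the thread.
LAN_ADDRESS = "192.168.1.1"    # pfSense LAN interface address, i.e. the DNS resolver
PS4_HOST = "192.168.1.50"      # the console whose traffic is policy-routed out the WAN
ANY_PROTO = frozenset({"tcp", "udp", "icmp"})


@dataclass(frozen=True)
class Rule:
    name: str
    protos: FrozenSet[str]
    src: str                   # host address or "any"
    sport: Optional[int]       # None means "any" source port
    dst: str                   # host address, "LAN address", or "any"
    dport: Optional[int]       # None means "any" destination port
    gateway: Optional[str]     # None = default gateway; "WAN_GW" = policy-route via WAN


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    dst = LAN_ADDRESS if rule.dst == "LAN address" else rule.dst
    return (pkt.proto in rule.protos
            and rule.src in ("any", pkt.src)
            and rule.sport in (None, pkt.sport)
            and dst in ("any", pkt.dst)
            and rule.dport in (None, pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Interface rules are first-match: the first pass rule that fits decides
    the gateway. No match falls through to the implicit default deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.name, rule.gateway
    return "default deny", None


# The policy-routing rule from the thread: everything from the PS4 goes out the WAN gateway.
PS4_VIA_WAN = Rule("PS4 via WAN", ANY_PROTO, PS4_HOST, None, "any", None, "WAN_GW")
# The DNS rule as johnpoz criticised it: TCP only and source port pinned to 53.
DNS_WRONG = Rule("DNS (wrong)", frozenset({"tcp"}), PS4_HOST, 53, "LAN address", 53, None)
# The DNS rule as viragomann described it: TCP/UDP, any source port, to the LAN address, no gateway.
DNS_RIGHT = Rule("DNS to pfSense", frozenset({"tcp", "udp"}), PS4_HOST, None, "LAN address", 53, None)

RULESETS = {
    "policy rule only":      [PS4_VIA_WAN],
    "DNS rule below policy": [PS4_VIA_WAN, DNS_RIGHT],
    "wrong DNS rule on top": [DNS_WRONG, PS4_VIA_WAN],
    "correct":               [DNS_RIGHT, PS4_VIA_WAN],
}


def dns_query(proto: str = "udp") -> Packet:
    # A resolver query: ephemeral source port, destination port 53 on the LAN address.
    return Packet(proto, PS4_HOST, 51234, LAN_ADDRESS, 53)


def route_dns_query(ruleset: str, proto: str = "udp") -> Tuple[str, Optional[str]]:
    """Which rule catches the console's DNS query, and which gateway it is given."""
    return evaluate(RULESETS[ruleset], dns_query(proto))


def route_game_traffic(ruleset: str) -> Tuple[str, Optional[str]]:
    # Constructed game session to a public host; it must still leave via the WAN gateway.
    return evaluate(RULESETS[ruleset], Packet("udp", PS4_HOST, 3074, "203.0.113.10", 3074))


if __name__ == "__main__":
    for name in RULESETS:
        print(f"{name:22s} UDP query -> {route_dns_query(name)}  "
              f"TCP query -> {route_dns_query(name, 'tcp')}")
```

Running it shows that only the "correct" set delivers the console's UDP and TCP queries to the local resolver with the default gateway; in the other three sets the query is caught by the policy-routing rule and handed to the WAN gateway, which is the symptom the thread describes. The checks the replies amount to are therefore: DNS rule above the policy rule, no gateway on it, TCP/UDP, destination the LAN address on port 53, source port any.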
viragomann (Jan 12, 2017, 2:26 PM)

I mentioned it above in Reply #3. :)
johnpoz LAYER 8 Global Moderator (Jan 12, 2017, 4:30 PM)

You did - and clearly he didn't listen ;)
viragomann (Jan 12, 2017, 5:36 PM)

Sure, it won't be any risk if other clients also access the DNS server. Since you control all clients, this is on you anyway.
You may also add an alias for a group of granted host addresses (Firewall > Aliases > IP) and use this in the firewall rule as the source.
techy82 (Jan 12, 2017, 5:38 PM)

Thanks very much, working great now, appreciate your help ;D