Netgate Discussion Forum

    DNS going thru my cable company after reboot?

    Category: DHCP and DNS
    Velcro:

      I am trying to eliminate any DNS queries going thru my WAN for certain VLANs; however, after a reboot all queries go out my WAN and thru my cable company and stay that way. I reboot my resolver and all queries then go thru my VPN going forward….no problem (with periodic checks).

      My setup is as follows:

      • Using PIA
      • "Don't pull routes" is checked in my OpenVPN client
      • I only have my VPN Interface selected in my "Outgoing Network Interfaces" for Unbound
      • "DNS Server Override" and "Disable DNS Forwarder" NOT checked and NO  "DNS Servers" assigned in System -> General Settings
      • I have attached my rules for the interface (Basic internet alias ports are 80 and 443/RFC1918 alias is 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16)

      In effect I am trying to create a "Kill switch" for certain VLANs for everything to go thru VPN....

      Thanks in advance,
      V

      (Edit made after posting for clarification)

      Velcro:

        I continue to dig into this more, sorry to reply to my original post but I didn't want to keep editing my original question.

        I found another post with a similar question…a recommendation was to look at this link for a solution:

        https://www.infotechwerx.com/blog/Prevent-Any-Traffic-VPN-Hosts-Egressing-WAN

        However in the link the rules are "Any/Any" with no reference to whether Unbound was being used and how Unbound was configured.

        It had 2 suggested solutions. I think I had implemented the 2nd suggestion and checked "Skip rules when gateway is down", but I am a little fuzzy as to whether this should be checked or not checked?

        Again any recommendation on how to create a "Kill switch" would be surely appreciated...thanks in advance.

        V

        ![Screenshot-2017-12-1 pfSense localdomain - System Advanced Miscellaneous.png](/public/imported_attachments/1/Screenshot-2017-12-1 pfSense localdomain - System Advanced Miscellaneous.png)

        Velcro:

          I realized I never attached my rules on my original post so adding them now.

          I tried shutting down my firewall a few times to replicate but I have struggled to replicate this issue in the last few days….

          I have decided to test the "policy filtering" in what was detailed in this post below:

          https://www.infotechwerx.com/blog/Prevent-Any-Traffic-VPN-Hosts-Egressing-WAN

          I added a "mark" of  "NO_WAN_EGRESS"  to my rule #1 and rule #3 and a "Quick" floating rule with my outgoing WAN per the blog....

          Beyond the "tin foil hat"/DNS leak/ISP monitoring concern (I admit I am one of those!), this seems like a possible attack path for a malicious actor. Simply attack and restart a vulnerable downstream modem (seems like a lot of them are already vulnerable), briefly shut down the OpenVPN connection, and then monitor the ongoing unencrypted traffic after the modem restart that ensues (while the user thinks they are using a VPN)? The only reason I discovered my DNS was going through my cable company was I happened to do a DNS leak test one morning....

          I'll surely report back if this solution doesn't work....thank you pfSense you are the rock in my network!

          Happy holidays,
          V

          ![Screenshot-2017-11-30 pfSense localdomain - Firewall Rules IOT.png](/public/imported_attachments/1/Screenshot-2017-11-30 pfSense localdomain - Firewall Rules IOT.png)

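The tag/tagged "kill switch" from the third post, rendered in pf.conf syntax as an added example. This is not the poster's rule set, the linked blog's text, or rules generated by pfSense itself; the interface names (igb0, igb1.20, ovpnc1), the IOT network, the VPN gateway address and the rule order are assumed for illustration, and pfSense writes equivalent rules for you from the GUI fields "Tag" (on the interface rule) and "Tagged" (on the floating rule). The point of the pair is that it does not depend on the VPN gateway's state: when a rule with a gateway is evaluated while that gateway is down, pfSense by default rebuilds the rule without its gateway, so the packet follows the default route (the WAN); "Skip rules when gateway is down" instead drops the rule entirely so the packet falls through to whatever rule follows. In either case a tagged packet that reaches the WAN is caught by the floating block.

```pf
# Added example (not from the original posts or the linked blog): pf.conf
# rendering of the tag/tagged kill switch. Names and addresses are assumed.
wan_if  = "igb0"            # assumed: WAN facing the cable modem
iot_if  = "igb1.20"         # assumed: the IOT VLAN interface
vpn_if  = "ovpnc1"          # assumed: PIA OpenVPN client interface
vpn_gw  = "10.8.0.1"        # assumed: remote tunnel endpoint used as the VPN gateway
iot_net = "192.168.20.0/24" # assumed: IOT VLAN subnet
rfc1918 = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"
basic_internet = "{ 80, 443 }"

# Floating, quick, outbound on WAN: anything carrying the tag is dropped
# before it can leave through the ISP, whatever the VPN gateway's state.
block out quick on $wan_if tagged NO_WAN_EGRESS

# The resolver itself: the firewall's own recursive DNS may not leave via
# the WAN either (see the caveat below before enabling this one).
block out quick on $wan_if proto { tcp, udp } from ($wan_if) to any port 53

# IOT interface rules, evaluated top to bottom because of "quick".
# 1. Clients may query only Unbound on the interface address; tagged.
pass in quick on $iot_if proto { tcp, udp } from $iot_net to ($iot_if) port 53 \
    tag NO_WAN_EGRESS keep state
# 2. No traffic into the other private ranges.
block in quick on $iot_if from $iot_net to $rfc1918
# 3. Web traffic is policy-routed into the VPN and tagged, so if pf ever
#    evaluates this rule without its gateway the packet still cannot exit WAN.
pass in quick on $iot_if route-to ($vpn_if $vpn_gw) proto tcp \
    from $iot_net to any port $basic_internet tag NO_WAN_EGRESS keep state
# Default deny for everything else from the VLAN.
block in quick on $iot_if from $iot_net to any
```

Two checks worth doing after applying the equivalent in the GUI: confirm with `pfctl -sr` that the floating block appears before the interface rules and carries `tagged NO_WAN_EGRESS`, and watch its counter in `pfctl -vsr` while the OpenVPN client is stopped; it should climb while a VLAN host tries to browse. The caveat on the second floating rule is that it blocks the firewall's own DNS over the WAN: if the OpenVPN client connects to PIA by hostname and Unbound's only outgoing interface is the VPN, the firewall cannot resolve that hostname while the tunnel is down, so either connect to the VPN endpoint by IP address or allow the firewall's own port 53 to a specific resolver ahead of that block.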
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.