Netgate Discussion Forum

    DNS leaks using OpenVPN client tunnel

    69 Posts 7 Posters 24.3k Views
    • strangegopher

      @gschmidt:

      I have specified the Google servers at System/General Setup/DNS Server Settings

      No need to do this as unbound by default uses root servers for dns, so no need for dns forwarding.
      If you want you can remove all the dns servers from this section and dns will still work.

      above or under which rule should your "I am also blocking any access to dns server on the firewall" rule be located?

      Sorry I posted the wrong image.
      This is what the dns rule should look like:
      (above all other rules in your case [except anti-lockout])
      Action: Block
      Protocol: IPv4 TCP/UDP
      Source: ExpressVPN_Hosts
      Src Port: Any
      Destination: This Firewall
      Dst Port: 53 (DNS)

      That will block access to firewall's dns server.

      Now what you will have to do is go to:
      Services/DHCP Server/LAN
      and Under DNS Servers add dns server of your choice (like google dns).

      Also like Derelict mentioned you can remove the 2nd rule of NAT redirection to expressvpn.
      And any other port forwarding rules you created under Firewall -> NAT.

      • gschmidt

        On the static DHCP mappings in pfSense (which is my main router): Empty
        On client 1 (Window 10 PC): automatically (which is the gateway 192.168.1.1)
        On client 2 (linux device): 192.168.1.1

        • strangegopher

          Do you not see this under Services/DHCP Server/LAN?

          Capture.PNG

          • Derelict (LAYER 8, Netgate)

            That DOES NOT MEAN that you do not have static DNS servers on the client you are testing, bro.

            This really is. not. that. hard.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            • gschmidt

              Ok... I have created the rule = "Block rule.jpg"
              Added the Google DNS servers = "DHCP Server DNS Server.jpg"
              and the ExpressVPN DNS servers = "Static DHCP Mapping.jpg"

              dnsleaktest result= dnsleaktest.jpg

              :o

              ![Block Rule.JPG](/public/imported_attachments/1/Block Rule.JPG)
              ![DHCP Server DNS Server.JPG](/public/imported_attachments/1/DHCP Server DNS Server.JPG)
              ![Static DHCP Mapping.JPG](/public/imported_attachments/1/Static DHCP Mapping.JPG)
              dnsleaktest.JPG

              • gschmidt

                I did an nslookup at the client W10 PC,
                which shows the DNS server of ExpressVPN
                which I entered in the Static Mapping DNS servers in pfSense.

                nslookup.JPG

                • strangegopher

                  Try removing the ExpressVPN DNS servers from Static DHCP Mapping and replacing them with 8.8.8.8 and 8.8.4.4.

                  • Derelict (LAYER 8, Netgate)

                    It doesn't matter where anything is configured. What are the DNS servers configured on the client? Use ipconfig /all.

                    Hell, if you're having this much trouble, configure them statically.


                    • gschmidt

                      ipconfig /all

                      I don't see static DNS servers?
                      Only the ExpressVPN DNS servers I have specified in pfSense.

                      ipconfig-all.JPG

                      • strangegopher

                        My guess is the ExpressVPN DNS servers might be the issue, so try using 8.8.8.8. In Windows go to Control Panel\Network and Internet\Network Connections, right click your interface, select Properties, double click "Internet Protocol Version 4", select "Use Following DNS server addresses" and enter 8.8.8.8 and 8.8.4.4,

                        and run the DNS leak test again.

                        • gschmidt

                          @strangegopher:

                          try removing the ExpressVPN DNS servers from Static DHCP Mapping and replacing it with 8.8.8.8 and 8.8.4.4

                          Check!... Still leaking Google and OpenDNS servers... looks exactly the same as with the NAT redirection of port 53.
                          I just did a default pfSense 2.4.2 setup (updated to 2.4.3), nothing special.

                          • strangegopher

                            Well I am out of ideas then. I don't know what could be going wrong.

                            • Derelict (LAYER 8, Netgate)

                              What matters is that they are not coming from YOU. You cannot control where the resolvers you query go to get their information. If the resolvers you query don't do what you like, use different resolvers.


                              • gschmidt

                                @strangegopher:

                                Well I am out of ideas then. I don't know what could be going wrong.

                                Look, now I have removed the DNS servers at System/General Setup.
                                And in DNS Resolver I set (see picture).
                                In DHCP Server all DNS Servers are empty.
                                Also clients have no DNS specified.
                                Your rule (stopped temporarily).

                                See dnsleaktest pic!

                                ![DNS Resolver.JPG](/public/imported_attachments/1/DNS Resolver.JPG)
                                NoDNSleak.JPG

                                • gschmidt

                                  But with this setup, all my network clients use the EXPRESSVPN interface... so if this interface is down... no internet for all.

                                  • strangegopher

                                    You can try setting the outgoing interface in DNS to WAN and try with the DHCP settings and firewall rule again and see if that works.

                                    • gschmidt

                                      @Derelict:

                                      What matters is that they are not coming from YOU. You cannot control where the resolvers you query go to get their information. If the resolvers you query don't do what you like, use different resolvers.

                                      ...my knowledge of pfSense is not that fancy, I admit... but I knew that my clients did NOT have static DNS servers.
                                      On a simple modem with OpenWrt this was a piece of cake... on their forum they helped instead of shouting.

                                      • gschmidt

                                        @strangegopher:

                                        you can try setting the outgoing interface in dns to WAN and try with dhcp settings and firewall rule again and see if that works.

                                        Thanx man for your help so far, I will try tomorrow... have to get some sleep now... ciao!

                                        • gcu_greyarea

                                          In my opinion handing out DNS servers via DHCP isn't sufficient to prevent DNS leaks. There are clients that will use hard-coded DNS servers. E.g. I had a Roku player and a Fire TV that bypassed my specified DNS server with hard-coded Google DNS servers. Perhaps even apps installed on the Fire TV may use their own DNS server.
                                          The only thing that worked reliably was to port forward (DNAT) DNS requests (dest. port 53) to my DNS server of choice, which is my VPN provider's own internal DNS server. If you trust your VPN provider with your data traffic you might as well trust them with your DNS traffic.

                                          My VPN Provider also has a public DNS Server which pfSense uses to resolve the VPN Servers. Once the Tunnel is up my LAN clients will send their DNS Queries through the Tunnel to the VPN providers internal DNS Server.

                                          For Clients that do not need tunneling via VPN you can hand out DNS Servers via DHCP (e.g. Google or OpenDNS). You do not need to have a DNS Forwarder or Resolver run on your pfSense box.

                                          @gschmidt:
                                          In your screenshot your Windows IP config shows a DNS server of 85.203.37.1. That is a public DNS server. Use this server under pfSense General Setup.
                                          Uncheck "Allow DNS server list to be overridden by DHCP/PPP on WAN".
                                          Check "Do not use the DNS Forwarder/DNS Resolver as a DNS server for the firewall".

                                          I assume you use the pfSense OpenVPN client to connect to ExpressVPN. ExpressVPN will assign you an RFC1918 address (an internal IP address), e.g.

                                          10.8.0.5 with a Gateway of 10.8.0.1

                                          My VPN Provider (Mullvad) also has a DNS Server listening on 10.8.0.1.

                                          So the DNAT (port forward rule) should forward DNS traffic to 10.8.0.1 and there shouldn't be any leaks anymore.

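The rules this post and strangegopher's earlier one describe, written out as pf rules so the ordering and the difference between the DHCP-only fix and the DNAT fix are visible. This is an added example, not code from any poster or from pfSense; it assumes a LAN interface named lan, an OpenVPN client interface ovpnc1, constructed members for the ExpressVPN_Hosts alias, and 10.8.0.1 as the tunnel-side resolver from the post above.

```pf
# Added example (not from the thread or from pfSense). Assumed names: LAN
# interface "lan", OpenVPN client interface "ovpnc1"; alias members are
# constructed; 10.8.0.1 is the tunnel-side resolver named in the post above.
table <ExpressVPN_Hosts> { 192.168.1.50, 192.168.1.51 }

# Port forward (DNAT): every port-53 query from the tunnelled hosts, whether
# the server came from DHCP or is hard-coded in the device, is rewritten to
# the resolver inside the tunnel. The source match is deliberate: only the
# tunnelled hosts should be redirected, not the rest of the LAN.
rdr on lan inet proto { tcp udp } from <ExpressVPN_Hosts> to any port 53 -> 10.8.0.1 port 53

# Anti-lockout stays first so the GUI on the LAN address remains reachable.
pass in quick on lan proto tcp from any to (lan) port { 80 443 22 }

# Block the tunnelled hosts from the firewall's own resolver (unbound), which
# would otherwise answer through the WAN and show in a leak test. This is the
# whole fix in the DHCP-only variant; with the rdr above it is belt and braces.
block in quick on lan inet proto { tcp udp } from <ExpressVPN_Hosts> to (self) port 53

# Policy-route the tunnelled hosts out through the VPN (the GUI gateway
# selector on a LAN rule generates an equivalent route-to).
pass in quick on lan route-to ( ovpnc1 10.8.0.1 ) inet from <ExpressVPN_Hosts> to any keep state
```

A port-53 redirect only covers classic DNS; a client that resolves over HTTPS or TLS (ports 443/853) is not caught by it and needs to be handled separately.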
                                          • gschmidt

                                            Thanx for the effort man!

                                            "I assume you use the pfSense OpenVPN Client to connect to Express VPN"

                                            Yes

                                            In your screenshot your Windows IP Config shows a DNS Server of 85.203.37.1. That is a public DNS Server.

                                            Aha... I used the "public DNS Server: 85.203.37.1" for port forwarding the DNS port 53.
                                            85.203.37.1 and 85.203.37.2 are the DNS servers ExpressVPN is showing on their site.
                                            In my pfSense dashboard I also see at the EXPRESSVPN gateway an internal IP address 10.111.0.21 and a remote/virtual IP address of 10.111.0.22.
                                            Which one should I use to DNAT port forward?

                                            Use this (85.203.37.1) Server under pfSense General Setup

                                            Both 85.203.37.1 and 85.203.37.2? With or without selected EXPRESSVPN gateway?
                                            Any other DNS servers here?

                                            Should I set DNS servers at my DHCP Server/LAN? (for clients not going through the VPN tunnel)
                                            I have made static mappings for the client(s) that I want to go through the EXPRESSVPN gateway,
                                            and a firewall alias of those clients.

                                            Any special settings for System/Advanced/Firewall & NAT/Network Address Translation?
                                            I currently have "Pure NAT" and the rest is unchecked.

                                            Greetzzz

                                            ![internal ip-address.JPG](/public/imported_attachments/1/internal ip-address.JPG)

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.