Netgate Discussion Forum

    DNS FOR VPN

    OpenVPN
    30 Posts 6 Posters 6.4k Views
      teknikalcrysis

      I have a similar setup, Modem>LinkSys Router>pfSense Router....I use pfBlockerNG with DNSBL and IPv4 lists to function as a Pi-hole rather than having a separate device... But I also run all my traffic through a paid external VPN (TorGuard)...
      Also rather than using DNS Forwarder (dnsmasq) I am using the DNS Resolver (Unbound)
      If you try this config, please make a backup of your current config before making changes. That way, if changes are undesirable you can just restore your config.

      Here is my General Settings setup:
      0_1529086324722_general.png

      Here is my Unbound setup: (NOTE: I have DNS QUERY FORWARDING UNCHECKED)
      0_1529076397292_unbound.png

      I have DNS Forwarder (dnsmasq) DISABLED

      On the LAN Firewall Rules, or in my case the LAN_Bridge, I have the following policy-based rules to route traffic to specific gateway interfaces... All computers and mobile devices pass through the VPN; my kids' tablets and all other defined traffic is defaulted to bypass the VPN and go directly to the WAN. And then I have a DNS rule to allow traffic to the DNS Resolver
      0_1529084674534_LAN rules.png

      Here is my OpenVPN setup...Make sure you have the "Do Not Pull Routes" UNCHECKED...so that when the VPN is active the DNS routes go through the VPN rather than DNS Resolver (Unbound)
      0_1529084943753_vpn1.png
      0_1529085000082_vpn2.png
      0_1529085088441_vpn3.png

      Then the remainder of the trick lies within the NAT>Outbound section...the easiest way to do this is to first make sure the Auto Rules have been generated by setting the mode to Auto Rules and clicking SAVE...then click MANUAL RULES and SAVE so that the auto rules are converted to manual rules, then click HYBRID RULES and SAVE so that the auto rules are regenerated. You will then still have the manual rules, now duplicates, left behind... Manually edit each rule, and only change the INTERFACE from WAN to the VPN interface....then you will need to add a DNS rule here in the outbound NAT
      0_1529085495181_NAT.png

      Here is a closer look at changing those WAN Manual rules to VPN manual rules
      0_1529085619527_nat2.png

      And here is a closer look at the DNS rule in the NAT outbound
      0_1529085802050_nat3.png

      If you have done the NAT outbound correctly.... now when you connect to your VPN service and it is active, your policy-based rules will route traffic and DNS requests to the VPN and route other traffic and DNS requests directly to the WAN and Unbound. AND we should have eliminated the DNS leaks when the VPN is active

      2.4.3-RELEASE-p1 (amd64) - FreeBSD 11.1-RELEASE-p10
      AMD G-T40E Processor - 2 CPUs: 1 package(s) x 2 core(s)

        teknikalcrysis

        Also for reference...

        Here is my DHCP setup:
        0_1529087216100_dhcp.png

        and then to have my kids' tablets use specific DNS servers and NOT use the Unbound DNS Resolver.. I have a static mapping in the DHCP server for that device and that mapping specifies the DNS servers to be pushed to that device
        0_1529087385783_static.png


          teknikalcrysis

          Another option might be to use the Unbound DNS Resolver and DNS Forwarder (dnsmasq) at the same time

          you'll need a NAT port forward rule:
          0_1529088369774_portforward.png

          Closer look at that rule:
          0_1529088547536_portforward2.png

          Go to General settings and specify DNS servers for the VPN:
          0_1529089609424_general2.png

          Then enable DNS FORWARDER (dnsmasq):
          0_1529088948300_dnsforwarder.png

          Using this method, the DNS queries for the VPN would be forwarded to the server specified in General Settings
          but also using this method, when the VPN is down, DNS queries will still be sent to the server specified in General Settings all the time...and devices matching the policy would never use Unbound...so you could adjust the port forward rule to suit your needs with aliases, so that some devices use Unbound and others use dnsmasq

          I used to use this method....but am now using the first method I posted
          (NOTE: If you use this method, you do NOT need the NAT>Outbound DNS mapping rule I mentioned earlier AND I THINK that in the VPN settings you MIGHT need to CHECK the "Do Not Pull Routes" option for this method to work)


            OXIBQUIEH @teknikalcrysis

            @teknikalcrysis
            WOW - Thanks very much for taking the time to provide all this info!
            I will certainly try this config but will need to back up what I have now just in case.
            I don't have a router in between my modem and the PFSENSE box. Do you think it's necessary to set one up in there?
            To confirm - the orange boxes in the screenshots are unchecked and the red ones with a dot are checked, correct?
            Will let you know how it goes and thanks again for this great info.

              teknikalcrysis

              You shouldn't need a router in between, and yes, checked boxes have the dot or line in the box and are more of a red color


                teknikalcrysis @OXIBQUIEH

                @oxibquieh and no problem... Hopefully one of those methods works for your needs


                  strangegopher

                  If you have a full VPN setup you should only see 2 WAN states, one for the VPN connection and the other for dpinger, in the state table under Diagnostics

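strangegopher's state-table check, turned into something runnable. This is an added example, not code from the thread or from pfSense: it parses lines in the shape of `pfctl -ss` output (a constructed sample with made-up addresses; em0 is assumed to be the WAN, ovpnc1 the OpenVPN client interface, 172.16.1.0/24 the LAN behind pfSense) and flags any WAN state that belongs to a host the policy rules should be sending through the tunnel, reporting port 53 states as DNS leaks.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of `pfctl -ss` output on pfSense/FreeBSD:
# interface, protocol, wire source (pre-NAT LAN endpoint in parentheses),
# arrow, destination, state.  All addresses are made up for this example;
# em0 = WAN, ovpnc1 = OpenVPN client, 172.16.1.0/24 = LAN behind pfSense.
SAMPLE_STATES = """\
em0 udp 203.0.113.5:1194 -> 198.51.100.20:1194       MULTIPLE:MULTIPLE
em0 icmp 203.0.113.5:11325 -> 203.0.113.1:11325       0:0
em0 udp 203.0.113.5:50210 (172.16.1.42:50210) -> 8.8.8.8:53       MULTIPLE:SINGLE
ovpnc1 udp 10.8.0.6:33120 (172.16.1.42:33120) -> 10.8.0.1:53       MULTIPLE:SINGLE
ovpnc1 tcp 10.8.0.6:44001 (172.16.1.42:44001) -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
em0 tcp 203.0.113.5:44002 (172.16.1.77:44002) -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
em0 udp 203.0.113.5:5353 -> 192.5.5.241:53       MULTIPLE:SINGLE
"""

STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)"
    r"(?:\s+\((?P<orig>\S+)\))?\s+(?:->|<-)\s+(?P<dst>\S+)\s+(?P<status>\S+)$"
)

@dataclass
class State:
    iface: str
    proto: str
    src: str             # endpoint as seen on the wire (post-NAT for outbound)
    orig: Optional[str]  # pre-NAT LAN endpoint, when pf printed one
    dst: str
    status: str

def parse_states(text: str) -> List[State]:
    """Parse pfctl -ss style lines; lines that do not match are skipped."""
    return [State(**m.groupdict()) for m in
            (STATE_RE.match(l.strip()) for l in text.splitlines()) if m]

def _host(endpoint: str) -> str:
    return endpoint.rpartition(":")[0]

def _port(endpoint: str) -> Optional[int]:
    port = endpoint.rpartition(":")[2]
    return int(port) if port.isdigit() else None

def classify(s: State, wan_if: str, vpn_server: str, monitor_ip: str,
             vpn_hosts: set) -> str:
    """Label one state. For hosts policy-routed into the tunnel, the only WAN
    states that should exist are the OpenVPN connection and dpinger."""
    if s.iface != wan_if:
        return "tunnel"                  # left via the OpenVPN interface
    if s.proto == "udp" and s.dst == vpn_server:
        return "openvpn"                 # the tunnel itself
    if s.proto == "icmp" and _host(s.dst) == monitor_ip:
        return "dpinger"                 # gateway monitor
    if s.orig is None:
        return "firewall"                # pfSense's own traffic, e.g. Unbound recursion
    if _host(s.orig) in vpn_hosts:
        return "dns-leak" if _port(s.dst) == 53 else "traffic-leak"
    return "bypass"                      # host intentionally routed to WAN

def find_leaks(text, wan_if, vpn_server, monitor_ip, vpn_hosts) -> List[State]:
    """WAN states belonging to VPN-policied hosts (DNS or otherwise)."""
    return [s for s in parse_states(text)
            if classify(s, wan_if, vpn_server, monitor_ip, vpn_hosts).endswith("leak")]

if __name__ == "__main__":
    for s in find_leaks(SAMPLE_STATES, "em0", "198.51.100.20:1194",
                        "203.0.113.1", {"172.16.1.42"}):
        print(f"LEAK on {s.iface}: {s.orig} -> {s.dst} ({s.proto})")
```

On a live box the same check runs against `pfctl -ss` output with your own WAN interface, VPN server endpoint, gateway monitor IP and the hosts in your VPN alias.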
                    OXIBQUIEH @teknikalcrysis

                    @teknikalcrysis - Hi just to let you know I sent you a message over chat.
                    I hope that's OK.
                    Thanks,
                    OXIB.

                      teknikalcrysis

                      just to keep it open for all to see...

                      OXIBQUIEH said,

                      Hi Teknikalcrysis, I hadn't replied about this as I hadn't had time to try it but I have now and unfortunately, it did not work. There was a connection using Unbound DNS but unfortunately, DNS was leaking. I could not figure out how to fix it. I will try again with the DNS Forwarder and Resolver tomorrow if I have some time available. Just a couple of questions: 1 - is the 172.16.1.1 in your screenshots your PFSENSE router or another device in your network? Under network interfaces and outgoing network interfaces, is your VPN connection not selected?

                      On your Outbound screenshot - Why did you choose 192.168.0.0/20 for the WAN DNS to VPN? In my case - since I have all my devices from 192.168.1.100 to 192.168.1.160, could I use the 192.168.1.1/24 as source?

                      When I changed the mode on the rules from manual to Auto, then to manual again, and then to Hybrid, I was only able to auto-populate 8 rules. I changed everything to the VPN interface but nothing seemed to change.

                      Also under the general server setting for DNS, you mentioned to ignore the first two entries, I did specify or try to enter at least one of the DNS servers for my VPN provider but I was only able to find one. Is this good enough or do you need two?

                      As I mentioned before, I will try again with the DNS Resolver and see if I am able to get it. I think in my case, this might work with those two working side by side.

                      Are you able to let me know the Alias you created for the DNS rule?

                      Thanks again

                      OXIB

                      teknikalcrysis said,

                      1) Yes, 172.16.1.1 is my pfSense box

                      I will screenshot my outgoing interface setup for you later today…

                      3) On NAT outbound, the reason 192.168.1.1 is shown is because pfSense sits behind another router and the 192.* is the address of that router, which is the pfSense WAN

                      After changing those outbound rules from WAN to the VPN interfaces, you need to add the NAT outbound rule for DNS on static port 53

                      The portion that said ignore was to ignore that IF you did the first method… But it is used in the second method… And yes, one DNS server address is fine, you do not NEED two… However, if that DNS server goes down, you will fail to resolve since there is no second address… Using the first method though, DNS will not use the servers listed in general setup, it should tunnel the DNS query through the VPN

                      On your vpn client setting… Have you made sure the “do not pull routes” option is UNChecked?


                        teknikalcrysis

                        @OXIBQUIEH here ya go...sorry for the delay on getting you a screenshot

                        0_1530059343204_interfaces.png


                          teknikalcrysis

                          @OXIBQUIEH

                          and were you referring to the NAT>Outbound DNS rule...or the NAT Port Forward redirect rule for using DNS Resolver and Forwarder simultaneously?


                            OXIBQUIEH @teknikalcrysis

                            @teknikalcrysis - thanks for the reply and info.
                            I will try again this upcoming weekend. Hopefully I get it this time.
                            I am 100% sure that the do not pull routes option is unchecked under my VPN client settings. I will double check though.
                            I was referring to both the NAT > Outbound DNS Rule and the NAT Port Forward redirect rule.

                              teknikalcrysis @OXIBQUIEH

                              @oxibquieh

                              NAT>Port Forward
                              0_1530486034362_nat.png
                              This will redirect DNS (for specific devices if you define the Source) from the LAN on port 53 to port 5305 on pfSense; make sure you change the DNS Forwarder port to 5305, as the Resolver uses 53 and you need that to stay the same

                              NAT>Outbound
                              0_1530486048143_out.png

                              On the NAT>Outbound DNS rule, you might need to tweak it a bit to work for you...I have the source network address set to its WAN network because it resides behind a second router of 192.168.#.#
                              You might need to change the source to ANY


                                OXIBQUIEH @teknikalcrysis

                                @teknikalcrysis

                                Hi Teknikalcrysis - apologies for not replying until now but it has been busy these past couple of weeks, I was only able to work on this today. Unfortunately, it did not work, I tried to do everything as you indicated, the VPN works but I can't for the life of me figure out why the DNS leaks.

                                I tried the first method and then the second unbound and forwarder.
                                I don't have enough time these days with work and life in general (kids), things to do around the house to spend a good chunk of time on it unfortunately. I thank you for your help.
                                I think I will leave it as is. Good thing I had a backup to revert back :)

                                I think I will look down the road for a good guide to show me step by step, hopefully, one will exist.
                                Thanks again,
                                OXIB.

                                  teknikalcrysis

                                  @OXIBQUIEH
                                  have you tried going into the DHCP server on pfSense and assigning static mappings and then specifying specific DNS servers for each static mapping?


                                    Philw @teknikalcrysis

                                    @OXIBQUIEH
                                    ... Just a side comment on your DNS path to resolving, I didn't see it mentioned already;

                                    If you are using a Windows DC and DNS, have your clients point to that server first.
                                    Then set the Windows DC/DNS server recursion to the local PiHole on your network.
                                    Next set your PiHole to recurse out to the internet/VPN/etc. It works much cleaner and the Windows systems on your network will thank you for it.

                                    [host]----->[WindowsDC]----->[PiHole]-------{VPN tunnel}-------->[Public/Provider DNS service]

                                    If you are using an IP-based VPN provider, you can just point everything to that DC or Pi (incl. pfSense). If the provider uses a DNS name for its VPN server, then you may be able to set the pfSense DNS to your local provider/ISP, then everything else to those internal DNS servers.

                                      OXIBQUIEH @teknikalcrysis

                                      @teknikalcrysis
                                      Hi,
                                      I have static mappings for all my devices. I only have the PIHOLE set as the DNS server for all the devices. That's what blocks ads on all of the devices.

                                        OXIBQUIEH @Philw

                                        @philw
                                        Hi Philw,
                                        Thanks for your input.
                                        If I have the Windows DC and DNS pointed to first for the clients, won't that make the PIHOLE unable to block ads?
                                        When you say recursion - you mean the Forwarders tab?
                                        0_1531707591305_f172c6f6-c5a5-4eb6-8ce9-0bc454c6183c-image.png

                                        For the PIHOLE, set the VPN DNS address and one regular DNS WAN address?
                                        0_1531707935108_b5e81be9-3358-497e-81b5-00d966b4bf02-image.png

                                        Any of these settings below on the PIHOLE need to be set?
                                        0_1531708039549_328dd96a-a991-4141-ba62-a444c23056fa-image.png

                                        The VPN I am subscribed to only provides one DNS server address. Right now, I have a NAT port-forward rule for DNS to redirect to that VPN IP address. And I think that's the problem, even though I have set an Alias for only selected devices for the VPN, all of my devices, including the non-VPN ones, are going through the VPN DNS. If I try anything else the VPN works but then the DNS leaks.

                                          Philw

                                          Yes, on the Windows DC, the "Forwarders" tab is where you would place the PiHole IP. Remove the local IPs from the PiHole and add either your ISP DNS or the other options there (Google, Lvl3, etc.)

                                          So, it would work like this:

                                          1. Host needs a DNS lookup.
                                          2. Host goes to the Windows DC DNS (if it's a local DNS, it stops here and all done)
                                          3. The Windows DNS says "I don't know what www.stupiddomain.com is" (and all associated ad domains, CDNs, etc dns names) I'll check with my FORWARDER.
                                          4. Windows DNS sends the request to the PiHole
                                          5. PiHole checks the DNS against an upstream (recursive DNS host, such as ISP, Google, Lvl3, whatever you set) and provides good IPs back to the Windows DNS and bad IPs with its own PiHole IP also back to the Windows DNS.
                                          6. The Windows DNS then just relays all those DNS query IP addresses back to the host with the legit DNS/IP records and the PiHole IP for the blocked DNS records.
                                          7. Host is happy and goes to those IP's.
                                            OXIBQUIEH @Philw

                                            @philw
                                            Thanks very much Philw. I will try that this week and report back.
                                            Maybe this is what causes the other problem I cannot figure out with all the clients using the same VPN DNS.

                                            Questions - so having set the Windows DC DNS for all devices through PFSENSE under the DHCP settings, and then setting the upstream DNS on the PIHOLE, there is no need to set anything for DNS under the General Settings for PFSENSE, correct? No need to set the PFSENSE IP address either anywhere in the equation, correct?

                                            No need to set these options below:?
                                             Allow DNS server list to be overridden by DHCP/PPP on WAN
                                            Do not use the DNS forwarder/DNS resolver as a DNS server for the firewall.

                                            And under DNS Resolver:
                                            Enable forwarding mode - checked off, correct?

                                            Thanks again,
                                            OXIB.
