Netgate Discussion Forum

DNS Forwarder/Resolver only on LAN because OpenVPN 53/UDP on WAN - possible?

DHCP and DNS
    Nachtfalke
    last edited by Mar 3, 2015, 6:17 PM

    Hi,

    I am running OpenVPN using port 53 and UDP on my WAN interface. This is only working if I disable the DNS Forwarder or DNS Resolver on pfSense completely.
    As I want to use the Squid Auto-configure option with WPAD, I need to have a DNS Host override.

    So is there a possibility, if I only have pfSense, to run OpenVPN and DNS on the same machine, but with DNS just listening on my LAN interface while OpenVPN can still listen on my WAN?

    Any suggestions would be appreciated!

      doktornotor Banned
      last edited by Mar 5, 2015, 8:40 AM

      Should be possible with the resolver at least, since it actually seems to behave and listens only where configured to (unlike ntpd).

      However, the idea to run OpenVPN on 53/UDP is something quite astonishing for me. It really does not attract unwanted traffic for you?  :o

        johnpoz LAYER 8 Global Moderator
        last edited by Mar 5, 2015, 7:25 PM

        Yeah, using OpenVPN on 53 would clearly be an attempt to circumvent someone's policies ;)

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          Nachtfalke
          last edited by Mar 5, 2015, 9:50 PM

          I am only interested in that for my home environment. I found the one or the other public captive portal which allowed users to connect to public "DNS servers" without authentication.
          So the only intention behind using OpenVPN and udp/53 is, like johnpoz said, to bypass policies. Another OpenVPN server is running on port 443/tcp.

          To block unwanted traffic I am using pfBlockerNG and I block all countries but my home country.

          Yesterday I tried again with the DNS Resolver, and it seemed to work: OpenVPN and the DNS Resolver could run together when configuring the DNS Resolver to just listen on the LAN interface for incoming requests and WAN for outgoing. But the WPAD part did not work very well for all browsers, and most common browsers seem to have the auto-discovery option disabled by default. So I am going back to using Squid just in transparent mode and leaving the DNS Resolver/Forwarder disabled so it does not conflict with my OpenVPN.

          So thanks for your help and your suggestions.

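The working arrangement described above comes down to socket bindings: a resolver that listens on all interfaces takes 53/UDP on the WAN address too, which is exactly the port the OpenVPN server wants, whereas a resolver bound only to the LAN address leaves WAN:53 free. The script below is an added illustration, not code from pfSense or from anyone in this thread. It models the two plans with constructed documentation addresses (203.0.113.10 as WAN, 192.168.1.1 as LAN), reports which planned listeners would collide, and renders the unbound `interface:` directives each plan implies (the pfSense GUI writes those from its own interface selection; this generator is only an approximation of that).

```python
from collections import defaultdict

# Constructed planned bindings (documentation addresses, not a real deployment):
# 203.0.113.10 = WAN address, 192.168.1.1 = LAN address.
WAN = "203.0.113.10"
LAN = "192.168.1.1"
ANY = "*"   # wildcard bind, what "listen on all interfaces" turns into

# Resolver set to listen on all interfaces, as in the original failing setup.
PLAN_ALL_INTERFACES = [
    ("unbound", "udp", ANY, 53),
    ("unbound", "tcp", ANY, 53),
    ("openvpn", "udp", WAN, 53),
    ("openvpn", "tcp", WAN, 443),
]

# Resolver restricted to the LAN interface, as described in the thread.
PLAN_LAN_ONLY = [
    ("unbound", "udp", LAN, 53),
    ("unbound", "tcp", LAN, 53),
    ("openvpn", "udp", WAN, 53),
    ("openvpn", "tcp", WAN, 443),
]


def binds_overlap(addr_a, addr_b):
    """Two sockets on the same proto/port collide when they share an address
    or when either is the wildcard, which claims the port on every address."""
    return addr_a == addr_b or ANY in (addr_a, addr_b)


def find_port_conflicts(plan):
    """Return (a, b) pairs of planned listeners from different services that
    would fight over the same proto/port. TCP and UDP never collide."""
    by_port = defaultdict(list)
    for entry in plan:
        _service, proto, _addr, port = entry
        by_port[(proto, port)].append(entry)
    conflicts = []
    for group in by_port.values():
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                if a[0] != b[0] and binds_overlap(a[2], b[2]):
                    conflicts.append((a, b))
    return conflicts


def unbound_interface_lines(plan):
    """Render the unbound 'interface:' directives implied by a plan
    (an illustration of the idea, not the pfSense GUI's own generator)."""
    addrs = sorted({addr for svc, _, addr, _ in plan if svc == "unbound"})
    return ["interface: 0.0.0.0" if a == ANY else f"interface: {a}" for a in addrs]


if __name__ == "__main__":
    for name, plan in (("all interfaces", PLAN_ALL_INTERFACES),
                       ("LAN only", PLAN_LAN_ONLY)):
        print(f"== resolver on {name} ==")
        for line in unbound_interface_lines(plan):
            print("  " + line)
        conflicts = find_port_conflicts(plan)
        for a, b in conflicts:
            print(f"  CONFLICT: {a[0]} {a[2]}:{a[3]}/{a[1]} "
                  f"vs {b[0]} {b[2]}:{b[3]}/{b[1]}")
        if not conflicts:
            print("  no conflicts")
```

The first plan reports one conflict (unbound on the wildcard 53/UDP against OpenVPN on WAN:53/UDP), the second reports none, which matches the observation that the Resolver only coexists with OpenVPN once it is told to listen on LAN alone. Outbound queries from the resolver use ephemeral source ports and are not affected by this.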
            doktornotor Banned
            last edited by Mar 5, 2015, 9:52 PM

            @Nachtfalke:

             But the WPAD part did not work very well for all browsers, and most common browsers seem to have the auto-discovery option disabled by default.

            You totally lost me … How's WPAD and proxy autodiscovery relevant here?  ???

              cmb
              last edited by Mar 6, 2015, 4:11 AM

              @doktornotor:

              However, the idea to run OpenVPN on 53/UDP is something quite astonishing for me. It really does not attract unwanted traffic for you?  :o

              Don't think it'd attract anything. Those scanning the Internet for DNS servers won't get any response. It will make OpenVPN log spam "Authenticate/Decrypt packet error: packet HMAC authentication failed" when a DNS request is sent to its port, but it doesn't reply. Just looks like an IP with nothing listening to DNS scanners.

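The log spam cmb mentions is easy to triage if you count the HMAC failures per source address: one-off hits from many addresses are DNS scanners bouncing off the port, while a single address producing a steady stream is more likely a client with the wrong tls-auth key or a persistent prober. The script below is an added example, not part of this thread or of pfSense. The error string is the one quoted above; the syslog prefix and the `ip:port` before the message are assumptions about the log layout, and the lines themselves are constructed with documentation addresses.

```python
import re
from collections import Counter

# Constructed OpenVPN log excerpt. The layout (syslog prefix, then the peer
# "ip:port" ahead of the message) is an assumption; the HMAC error string is
# the one quoted in the thread. Addresses are documentation ranges.
SAMPLE_LOG = """\
Mar  6 04:10:01 pfsense openvpn[2345]: 198.51.100.7:51234 Authenticate/Decrypt packet error: packet HMAC authentication failed
Mar  6 04:10:02 pfsense openvpn[2345]: 198.51.100.8:40001 Authenticate/Decrypt packet error: packet HMAC authentication failed
Mar  6 04:10:05 pfsense openvpn[2345]: 192.0.2.44:1194 Authenticate/Decrypt packet error: packet HMAC authentication failed
Mar  6 04:10:06 pfsense openvpn[2345]: 192.0.2.44:1194 Authenticate/Decrypt packet error: packet HMAC authentication failed
Mar  6 04:10:07 pfsense openvpn[2345]: 192.0.2.44:1194 Authenticate/Decrypt packet error: packet HMAC authentication failed
Mar  6 04:10:09 pfsense openvpn[2345]: 192.0.2.44:1194 Authenticate/Decrypt packet error: packet HMAC authentication failed
Mar  6 04:10:12 pfsense openvpn[2345]: 203.0.113.99:55120 TLS: Initial packet from [AF_INET]203.0.113.99:55120
"""

HMAC_RE = re.compile(
    r"openvpn\[\d+\]: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) "
    r"Authenticate/Decrypt packet error: packet HMAC authentication failed"
)


def count_hmac_failures(log_text):
    """Count 'packet HMAC authentication failed' lines per source IP.
    Lines that do not carry that message are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        m = HMAC_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def classify_sources(counts, repeat_threshold=3):
    """Split sources into one-off probes (expected background noise when the
    VPN sits on 53/UDP; nothing is answered) and repeat offenders worth a
    look (a client with a mismatched tls-auth key, or a persistent scanner)."""
    noise = sorted(ip for ip, n in counts.items() if n < repeat_threshold)
    repeat = sorted(ip for ip, n in counts.items() if n >= repeat_threshold)
    return {"noise": noise, "repeat": repeat}


if __name__ == "__main__":
    counts = count_hmac_failures(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{ip:16} {n} HMAC failure(s)")
    print(classify_sources(counts))
```

On the sample data the two scanner-like addresses are filed as noise and 192.0.2.44, which fails four times in a row, is flagged for a closer look. Feed it the real OpenVPN log instead of `SAMPLE_LOG` and adjust `repeat_threshold` to the volume you normally see.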
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.