    DNS leak

    General pfSense Questions | 23 Posts | 10 Posters | 4.6k Views
    • emammadov (last edited by emammadov)

      Hello,

      I ran the DNS leak test on www.dnsleaktest.com and noticed that we have a DNS leak. I saw that many people complain about it.

      Elvin

      • Cool_Corona @emammadov

        @emammadov said in DNS leak:

        Hello,

        After upgrading to pfSense 2.4.5 p1, I ran the DNS leak test on www.dnsleaktest.com and noticed that we have a DNS leak. Is this a bug in the 2.4.5 p1 release? I saw that many people complain about it after upgrading to 2.4.5 p1.

        In System->General do NOT specify any DNS servers.

        Test again.

        • emammadov @Cool_Corona (last edited by emammadov)

          @Cool_Corona I receive my IP address as a static IP from the ISP, not via DHCP; that's why I have specified DNS servers. If I remove them, I will lose internet connectivity.

          Elvin

          • Cool_Corona @emammadov

            @emammadov said in DNS leak:

            @Cool_Corona I receive my IP address as a static IP from the ISP, not via DHCP; that's why I have specified DNS servers. If I remove them, I will lose internet connectivity.

            I have a static IP as well. Use Unbound; with no servers stated it will use the DNS root servers around the world as resolvers.

            • emammadov

              Is this a bug? If yes, I hope it will be fixed in the next release.

              Elvin

              • bcruze

                I have a static IP address and the latest pfSense, and my test shows exactly what it should.

                I am using the resolver on WAN, no forwarding.

                Tunnels use the servers I have set to be used

                • Gertjan @emammadov

                  @emammadov said in DNS leak:

                  If I remove them, I will lose internet connectivity.

                  You should fix that first.
                  pfSense uses the resolver, unbound. It has a built-in list with the 13 main root servers.
                  It's like the DNS request chain is set up statically.
                  You have to set up an IP and a gateway for WAN, nothing more.

                  pfSense uses the default DHCP client for obtaining a WAN IP and gateway; it discards any DNS servers if the upstream DHCP server supplies them. This could be your upstream router, or an ISP router at the other end of the city.

                  @emammadov said in DNS leak:

                  Is this a bug?

                  What bug?
                  An incomplete (?) setup of a VPN connection is a bug in the brain of the admin.
                  I admit being curious about you waiting to obtain a new release of ... yourself ???? I know nightly builds exist, but still .... please explain.

                  Example:
                  Resolver settings:
                  [image: screenshot of the DNS Resolver settings page]

                  With this setting I gave unbound the possibility to use any (all) interfaces to connect to available DNS servers. It knows that all these are on the outside (not local), thus it will choose the default route, or WAN in my case.
                  I should consider selecting OPENVPN as an outgoing interface, to force all DNS requests to take the VPN path.

                  Also:
                  System > Routing > Gateways: select the VPN type interface, not your WAN type interface.

                  (examples are NOT exhaustive - variants exist)

                  No "help me" PM's please. Use the forum, the community will thank you.
                  Edit: and where are the logs??

                  • linuxlad @emammadov

                    @emammadov Which version of pfSense are you running? I have the same issue with the 2.4.5-RELEASE-p1 release. I had a working and tested setup of pfSense 2.4.4 (the last install that I remember). No config change after that; the only thing that changed was the periodic updates. And today I noticed that the clients on the VPN subnet are leaking DNS. I have no way to revert to the earlier release to reproduce, but it looks like this is specific to 2.4.5-RELEASE-p1, as I tried various other recommended settings with no luck.

                    • Gertjan

                      2.4.5-p1 of course.
                      Earlier versions shouldn't be used, mainly for security reasons.

                      Unbound, as a resolver, uses whatever (outgoing) interface it can get its hands on to obtain DNS answers.
                      This is normally the WAN interface. If you add another WAN type interface, like a connection to a remote VPN server, then that will be another WAN interface.
                      Unbound should be restarted if such a VPN interface comes up. This typically happens later on during the boot process.
                      Firewall rules should enforce behaviour that looks like this:
                      Use the classic WAN if it's the only one available.
                      Use a VPN WAN if that one is available.

                      Btw, take note: I only did some minor VPN experiments using pfSense as a VPN client, using a (paid) remote VPN server. As such, I never tried to understand what 'DNS leaks' means.

                      See (all!) the official VPN videos from Netgate on their YouTube channel.

                      • stephenw10 (Netgate Administrator, last edited by stephenw10)

                        There isn't a known issue in 2.4.5 that would present like that.
                        How exactly do you have the clients configured?

                        Unfortunately there are a great number of people out there who have no idea what DNS leak tests actually do. That means the signal-to-noise ratio for reports like this is low, inducing skepticism! 😉

                        Steve

                        • linuxlad @stephenw10

                          @stephenw10 said in DNS leak:

                          Unfortunately there are a great number of people out there who have no idea what DNS leak tests actually do. That means the signal-to-noise ratio for reports like this is low, inducing skepticism!

                          I found the config issue on my side. Sorry for the Spam.

                          • stephenw10 (Netgate Administrator)

                            You'll have to try a lot harder to get classified as spam. 😉

                            There's a lot of misinformation out there.

                            • PowerSing (Banned) @Gertjan

                              This post is deleted!
                              • gabacho4 (Rebel Alliance) @PowerSing (last edited by gabacho4)

                                @PowerSing funny how both of the two posts you have ever made are about the FUD a "friend" has told you about pfSense.

                                @stephenw10 can we get this account banned for being a troll?

                                • stephenw10 (Netgate Administrator)

                                  We can certainly keep a close eye out!

                                  I agree that is just FUD.

                                  • johnpoz (LAYER 8 Global Moderator)

                                    He is putting up names from LinkedIn with another keyword to boost their SEO rating. Banned and posts deleted.

                                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                                    If you get confused: Listen to the Music Play
                                    Please don't Chat/PM me for help, unless mod related
                                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                                    • AKEGEC

                                      @emammadov DNS leaks can happen because of your configuration, your ISP, and bugs.

                                      • Disconnect your ISP's cable from your pfSense device.
                                      • Go to System > General Setup > DNS Server Settings > DNS Servers > enter 2 IP addresses from Quad9 DNS: 9.9.9.9 and 149.112.112.112 > uncheck DNS Server Override > Save.
                                      • Go to Services > DNS Resolver:
                                        √ Check the Enable DNS Resolver box
                                        Network Interfaces - ALL
                                        Outgoing Network Interfaces - ALL
                                        √ Check the Enable Forwarding Mode box
                                        √ Check Use SSL/TLS for outgoing DNS queries
                                        √ Check DHCP Registration
                                        √ Check Static DHCP
                                        Save.
                                      • Reboot pfSense (Diagnostics > Reboot) and reconnect your ISP cable.

                                      Hope this helps.
                                      • stephenw10 (Netgate Administrator)

                                        So 'leaking' all of your queries to quad9 as opposed to resolving it yourself?

                                        It really depends what you're trying to achieve. If that's hiding DNS queries from your ISP that would do it. If the test is checking if clients are sending DNS over a VPN that would show as all leaked. 😉

                                        Steve

                                        • linuxlad

                                          I feel really guilty for reviving this 3-month-old thread. 😇

                                          • AKEGEC @stephenw10

                                            @stephenw10 said in DNS leak:

                                            So 'leaking' all of your queries to quad9 as opposed to resolving it yourself?

                                            It really depends what you're trying to achieve. If that's hiding DNS queries from your ISP that would do it. If the test is checking if clients are sending DNS over a VPN that would show as all leaked. 😉

                                            Steve

                                            But Steve, it is still not quite right. A DNS leak is still a leak; that means the ISP can still see visited hosts.
                                            pfSense configurations need some tweaking. For those who use a VPN provider with DNS leaks, please follow these steps:

                                            • Go to Firewall > WAN > add a new rule:
                                              Action: Block
                                              Interface: WAN
                                              Address Family: IPv4+IPv6
                                              Protocol: TCP/UDP
                                              Source: Any
                                              Destination: Any, Port Range: Custom, 53
                                              Save

                                            • Go to the Firewall > LAN and/or OPT1 tab and add a new rule:
                                              Action: Pass
                                              Interface: LAN and/or OPT1
                                              Address Family: IPv4
                                              Protocol: UDP
                                              Source: LAN net or OPT1 net
                                              Destination: Any, Port Range: Custom, 53
                                              Click the Display Advanced button
                                              Gateway: choose your VPN interface
                                              Save

                                            • Go to Services > DHCP Server > LAN and/or OPT1 > Servers > DNS servers (Quad9 DNS):
                                              9.9.9.9
                                              149.112.112.112
                                              2620:fe::fe
                                              2620:fe::fe:9
                                              Save

                                            Reboot your pfSense and test it again for a DNS leak at https://ipleak.net

                                            Hope this helps.
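A way to reason about whether the rule set above (and Gertjan's "use the VPN WAN if available" policy) actually keeps client DNS off the default route, as an added example that is not part of any post in this thread: a small first-match evaluator modelled on how pfSense applies interface-tab rules to packets entering that interface, with a policy-routing gateway on pass rules. The LAN subnet, the interface names, and the presence of pfSense's stock "Default allow LAN to any" rule below the added UDP/53 rule are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set

# Constructed model of the WAN/LAN rules from the post above. pfSense evaluates
# interface-tab rules first-match on packets ENTERING that interface; a matching
# pass rule may carry a policy-routing gateway, otherwise the default route is used.

@dataclass
class Rule:
    iface: str                     # tab the rule lives on (packets entering it)
    action: str                    # "pass" or "block"
    proto: Set[str]                # {"udp"}, {"tcp"} or {"tcp", "udp"}
    src: Optional[str]             # CIDR, or None for "any"
    dport: Optional[int]           # destination port, or None for "any"
    gateway: Optional[str] = None  # None = default route (WAN)

@dataclass
class Packet:
    iface: str
    proto: str
    src: str
    dst: str
    dport: int

LAN_NET = "192.168.1.0/24"  # assumed LAN subnet

RULES = [
    Rule("wan", "block", {"tcp", "udp"}, None, 53),                  # WAN tab rule
    Rule("lan", "pass", {"udp"}, LAN_NET, 53, gateway="OPENVPN"),    # LAN tab rule
    Rule("lan", "pass", {"tcp", "udp"}, LAN_NET, None),              # assumed stock LAN allow
]

def egress(rules, pkt):
    """First matching rule -> (action, gateway); no match -> implicit ("block", None)."""
    for r in rules:
        if r.iface != pkt.iface or pkt.proto not in r.proto:
            continue
        if r.src and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(r.src):
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action, ((r.gateway or "default") if r.action == "pass" else None)
    return "block", None

def dns_leaks(rules, pkt):
    """True when a port-53 packet from a client would be passed via the default (WAN) route."""
    action, gw = egress(rules, pkt)
    return pkt.dport == 53 and action == "pass" and gw == "default"
```

Running a TCP/53 packet through it shows the caveat a defender wants to check: the pass rule above covers UDP only, so TCP DNS from a LAN client falls through to the stock allow rule and takes the default route.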

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.