Netgate Discussion Forum

    DNS Leaks using DNS Resolver

    DHCP and DNS
    18 Posts 5 Posters 2.4k Views
    • ahiggs117

      Instead of the word leaking, would the word override be better? I did use the search function of this site as well as a few hours just researching for a solution. I wouldn't be posting a question if I had been able to find the answer myself. Yes, it's the weekend, but you also weren't required to answer, but thanks anyway, I guess? This isn't a production server nor is it that dire, so I can wait for advice or an answer.
      My Netgear modem has DNS servers set inside it; pfsense has DNS servers specified in the General Setup section.
      When I use a service like ipleak.net or dnsleaktest.com, the IPs that are set in the DNS settings of my Netgear modem show up along with the ones that I've set in pfsense. If pfsense was perfect, I think it would just use the DNS server IPs that I have set in pfsense itself. This is not the case. If I have two WAN connections and I want to make it so each WAN connection uses a specific DNS server, which I should be able to do according to pfsense settings and also the documentation around it, but it still shows my modem's DNS servers, is it really doing what it's supposed to? I obviously have a hole somewhere or have misconfigured something, so what could it be with all of the information that I've given so far? Or where should I be checking?

      • Bob.Dig LAYER 8

        Which DNS-servers are shown on the dashboard of pfSense? If you really have turned off DNS Server Override, they shouldn't be listed there.

        • johnpoz LAYER 8 Global Moderator

          @ahiggs117 said in DNS Leaks using DNS Resolver:

          This is not the case. If I have two WAN connections and I want to make it so each WAN connection uses a specific DNS server

          This is where I am a bit confused.. While yes, you can set up multiple dns, and have specific ones use a specific connection by setting a gateway for that dns server.

          And while you can policy route a client to use a specific gateway - what is that client using for dns? If it just asks pfsense, how do you suppose you are controlling which path pfsense uses to query dns.. If you're forwarding to multiple dns, it's not really possible to know which one will be queried at any given time..

          Showing us your actual config and which dns setup in pfsense, and what your dns leak test is showing, would help us figure out what is going on.

          edit: Keep in mind in this day and age of CDN, global dns providers - there is little reason to list more than 1.. They are all hosted on global networks via anycast.. And highly unlikely to go down; if they did it would be a major global outage.. So it is better to just use 1 dns provider if you insist on forwarding to someone.. So you are sure which provider you are using - the other problem with using multiple providers is they provide different info - if you are using a filtering dns - cloudflare filtering is going to be different than say quad9.. Setting both to maybe be used, you have no idea which filtering you will get. And once something is cached, that is what would be used. You should pick 1 dns provider that filters how you want, and only use them. So you are sure what filtering is taking place, if any..

          This is no longer the days of users using ISP dns that was almost always underpowered and lacking maintenance.. And they provided you multiple IPs normally to just load share their users across nameservers. This is no longer the case with global DNS providers.. And the reliability and performance of current systems. There is little reason to ever list more than 1 forwarder anycast address.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

            • Gertjan @ahiggs117

            @ahiggs117 said in DNS Leaks using DNS Resolver:

            or dnsleaktest.com

            Here you got my test result :

            5baa797c-b418-405d-ba8c-04b5302beb86-image.png

            Note that my WAN IPv4 is correct. The IPv6 also, although that "WAN IP" is actually the IP v6 of my PC, somewhere on my LAN. But that another story.

            The 2 DNS shown ..... one is my IPv6 tunnel IP - the one that ends with a "::2" => ???? and the other, IPv4, is my .... WAN IP => ??^2 My WAN == my DNS ?
            Yeah. As said, it's Friday.

            My main conclusion is : nice looking page full with no useful information. At least, I qualify it, using my connection, as close to BS ...

            @ahiggs117 said in DNS Leaks using DNS Resolver:

            My Netgear modem has DNS servers set inside it

            So, even if it has a modem thing integrated, converting, for example, cable or ADSL signals to a pure IP flux, it is NOT a modem but a known router.
            So, like my ISP router, which uses ADSL to connect to my ISP, it probably has its own ISP DNS. But pfSense isn't forwarding to my ISP router; I'm not forwarding at all.
            I use the default Resolver mode.

            To complete the question of @Bob-Dig : you should be seeing this :

            0cfc3038-e472-406b-b494-16d82e44a50a-image.png

            127.0.0.1 works great ;)
            And it is the default setting. Netgate was right !

            @ahiggs117 said in DNS Leaks using DNS Resolver:

            werent required to answer

            True. Just see it as a way to start up the thread ;)

            You use 2 WANs.
            Good question : which WAN is used for requests from unbound ?
            Both ? Using round robin ? Using the "lowest latency known" ? Random ? Other criteria ?
            In a best case - or worst case ^^, the answer can be found in the manual == the open source code.

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

              • ahiggs117

              Here is my Dashboard and also the config for the DNS Resolver
              screenshot-192.168.2.1_10443-2020.11.07-02_46_45.png screenshot-192.168.2.1_10443-2020.11.07-02_44_08.png

                • johnpoz LAYER 8 Global Moderator

                And who is 10.8.8.1 for dns?

                Why do you have dnssec enabled if you're forwarding - pointless.. Also why are you listening via tls? locally?

                Where are your settings for dns..
                dns.png

                  • ahiggs117

                  10.8.8.1 is for the ProtonVPN gateway. I have set up NAT forwarding rules for it.
                  Here are the DNS server settings; sorry, I will double check when I post now to make sure everything is in the message.
                  screenshot-192.168.2.1_10443-2020.11.07-16_39_37.png

                  These are the NAT settings that I have, for context about the Proton gateway

                  screenshot-192.168.2.1_10443-2020.11.07-16_43_22.png

                  edit:
                  Here are the settings in my Netgear modem.


                  screenshot-192.168.1.1-2020.11.07-17_06_56.png


                  I have set the desired DNS servers, so when I run a leak test, it only shows one or more of these three. But when I have it set to get them automatically from the ISP, I'll see their DNS servers show up in a leak test. This is what I am trying to avoid. There is no way for me to leave these blank; I don't even know if that would serve for this, but either way, my DNS requests will be sent to one or two of the servers I have set in pfsense, but I will also see my ISP's DNS servers in the leak test. I will change this back to "get automatically from ISP" and run a leak test at dnsleaktest.com and ipleak.net so I can show the results.

                    • johnpoz LAYER 8 Global Moderator

                    Pfsense is not set to ask that router for dns - as I don't see it listed.. so pfsense would never ask it.. Unless pfsense was set to get dns from isp... Which you turned off - so unless something asks that router for dns - your isp dns would not be used.

                      • ahiggs117

                      This is exactly my frustration. I'm a complete noob to pfsense, so I wasn't sure if I missed something or misread directions on how to set this up.
                      I'm going to set the modem router to use my ISP's DNS and then run a couple of tests so I can get screenshots of the repro.
                      @johnpoz Thanks for confirming that I haven't done this to myself and just set it up wrong.

                        • johnpoz LAYER 8 Global Moderator

                        What client are you testing from - if it's on that router's wifi, and using that router's dhcp, the client would ask your router, which would then ask whatever you have in that router for dns.

                          • ahiggs117

                          I was using wifi, which was connected to a wifi AP that I've set up. That is set to forward all requests to pfsense. I also am testing on a client that is connected to a switch that has two VLANs running through it. The clients I was testing with were not connected to the Netgear router's wifi.
                          Here are the DNS tests that I ran to see what happens when I set the modem router DNS to Google's resolvers 8.8.8.8 and 8.8.4.4; pfsense still has the same DNS servers as before.
                          screenshot-ipleak.net-2020.11.07-18_32_17.png
                          Capture.PNG

                            • johnpoz LAYER 8 Global Moderator

                            You understand that is what's supposed to show up, right, if you're using google.. did you think it would be 8.8.8.8

                            You have no freaking clue as to what your 10.8.8.1 could be doing - prob forwarding to google ;)

                            I would suggest, as I stated before - pick 1!!! Don't try and use multiple.. For those nixnet ones - why would you not just use the anycast address?

                            Maybe your router is intercepting dns? Sniff on pfsense wan and validate it's sending the dns query to where you think it's going..

                            Just like how pfsense can intercept dns - your router could be doing the same sort of thing.

                              • ahiggs117

                              Haha yes, that is exactly what should happen because those are Google's servers. I'm not that dense, buddy. The reason I set those in the Netgear modem router is to prove the fact that DNS requests are getting handled there when they should just be handled by the Unbound DNS resolver in pfsense.
                              The 10.8.8.1 is so the DNS requests are sent to the protonvpn interface, so that the DNS requests made through the protonvpn interface go through protonvpn.

                              You can clearly see that the 10.8.8.1 should only be used by the protonvpn interface that's set in the general setup in one of my earlier posts.
                              Shouldn't unbound be stopping my ISP from intercepting requests? Isn't that part of the point of it lol?

                                • johnpoz LAYER 8 Global Moderator

                                Well I would think your router is intercepting your dns then...

                                It's a common setting in many a soho router.. Prove it to yourself.. do a sniff on pfsense wan - if you only see it sending queries to what you set, then your router is intercepting the traffic.. Just like pfsense can do if you set that up.

                                You can clearly see that the 10.8.8.1 should only be used by the protonvpn interface thats set in the general setup in one of my earlier posts.

                                But you don't know when pfsense (unbound) would use those.. You have multiple dns listed - which interface is used to talk to something doesn't mean it's not used.

                                If you have dns 1, 2 and 3 listed as forwarders - any of those can be used.. You don't have control over when which is used..

                                I would, for your testing, turn everything off but 1 dns in unbound.. And then sniff on your wan - do you see it sending to that IP.. But your dns leak shows what your router is using - then it's intercepting the traffic!

                                Just like you can set up pfsense to intercept traffic... Here I set my client to use 4.2.2.2 as dns

                                  Connection-specific DNS Suffix  . :
                                   Description . . . . . . . . . . . : Realtek PCIe GbE Family Controller
                                   Physical Address. . . . . . . . . : 00-13-3B-2F-67-63
                                   DHCP Enabled. . . . . . . . . . . : No
                                   Autoconfiguration Enabled . . . . : Yes
                                   IPv4 Address. . . . . . . . . . . : 192.168.9.100(Preferred)
                                   Subnet Mask . . . . . . . . . . . : 255.255.255.0
                                   Default Gateway . . . . . . . . . : 192.168.9.253
                                   DNS Servers . . . . . . . . . . . : 4.2.2.2
                                   NetBIOS over Tcpip. . . . . . . . : Enabled
                                

                                And before I tell pfsense to intercept that, via your dnsleak test site I see exactly that: 4.2.2.2 is a level3 public dns... So if I set that, level3 is what shows as the dns doing the lookups.

                                I then set pfsense to intercept the traffic - and even though my client is still sending to 4.2.2.2, you can now see that pfsense intercepted the traffic and my public IP (resolver) is what is seen as the dns on the leak test.

                                intercept.png

                                If your router is doing dns intercept - that is exactly what would happen no matter where pfsense is trying to query for dns.

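The test johnpoz describes above (one forwarder in General Setup, sniff the WAN, then compare with what the leak-test site reports) can be scripted once the capture is saved. The Python below is an added example written for this thread; it is not pfSense code and was not posted by anyone in the discussion. The tcpdump lines, the WAN address 203.0.113.10, the forwarder 9.9.9.9 and the provider names are constructed placeholders, and `PROVIDER_OF` is a map the admin fills in by hand, because a leak test reports the provider's egress resolver addresses (the Google case earlier in the thread), not the forwarder address itself.

```python
"""Cross-check a pfSense WAN capture against the configured forwarders.

Added example for this thread (not pfSense code, not from any poster).
Inputs are tcpdump-style lines captured on the WAN side, the forwarder
list from System > General Setup, and what a leak-test site reported.
All addresses, provider names and log lines are constructed.
"""
import re

# Constructed output in the style of: tcpdump -ni <wan_if> udp port 53
# Case 1: only the configured forwarder is queried.
CLEAN_CAPTURE = """\
12:00:01.000001 IP 203.0.113.10.51234 > 9.9.9.9.53: 12345+ A? example.com. (29)
12:00:01.020000 IP 9.9.9.9.53 > 203.0.113.10.51234: 12345 1/0/0 A 93.184.216.34 (45)
12:00:02.000000 IP 203.0.113.10.51235 > 9.9.9.9.53: 12346+ AAAA? example.net. (29)
"""
# Case 2: a query also leaves for a server nobody configured (constructed).
LEAKY_CAPTURE = CLEAN_CAPTURE + (
    "12:00:03.000000 IP 203.0.113.10.51236 > 198.51.100.53.53: 12347+ A? example.org. (29)\n"
)

WAN_IP = "203.0.113.10"              # constructed WAN address of the firewall
CONFIGURED_FORWARDERS = {"9.9.9.9"}  # one forwarder only, as advised in the thread
# Filled in by the admin: which provider owns each forwarder. A leak test
# shows the provider's egress resolver IPs, not 9.9.9.9 itself, so the
# comparison below is done on provider names, not raw addresses.
PROVIDER_OF = {"9.9.9.9": "ExampleProvider"}

# IPv4 only; tcpdump prints IPv6 packets as "IP6 ..." and those are skipped here.
QUERY_RE = re.compile(r"\bIP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+):")


def outbound_dns_destinations(capture, wan_ip):
    """Return {dst_ip: query_count} for UDP/53 packets sent from wan_ip."""
    dests = {}
    for line in capture.splitlines():
        match = QUERY_RE.search(line)
        if not match:
            continue
        src, _sport, dst, dport = match.groups()
        # Replies come back from port 53 to a high port; keep only queries.
        if src == wan_ip and dport == "53":
            dests[dst] = dests.get(dst, 0) + 1
    return dests


def diagnose(observed, configured, provider_of, leak_test_providers):
    """Classify what the capture plus the leak-test result say.

    misconfiguration: the firewall itself sent queries somewhere not configured
    interception:     the firewall only used its forwarders, yet the leak test
                      reports a provider that is not theirs, so something
                      between the WAN and the forwarder answered instead
    ok:               capture and leak test agree with the configuration
    """
    unexpected = set(observed) - set(configured)
    if unexpected:
        return "misconfiguration", sorted(unexpected)
    expected = {provider_of[ip] for ip in configured}
    foreign = set(leak_test_providers) - expected
    if foreign:
        return "interception", sorted(foreign)
    return "ok", []


if __name__ == "__main__":
    clean = outbound_dns_destinations(CLEAN_CAPTURE, WAN_IP)
    leaky = outbound_dns_destinations(LEAKY_CAPTURE, WAN_IP)
    print(diagnose(leaky, CONFIGURED_FORWARDERS, PROVIDER_OF, ["ExampleProvider"]))
    print(diagnose(clean, CONFIGURED_FORWARDERS, PROVIDER_OF, ["ExampleISP"]))
    print(diagnose(clean, CONFIGURED_FORWARDERS, PROVIDER_OF, ["ExampleProvider"]))
```

Take the capture with a single forwarder configured: with several listed, unbound may send any given query to any of them, so a capture cannot tell you which one a particular leak-test lookup used. A clean capture combined with a foreign provider in the leak test is the signature of interception somewhere upstream of pfSense; an unexpected destination in the capture points back at the firewall's own DNS settings, or at a client that is not actually asking pfSense at all.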
                                  • Gertjan

                                  A Netgear doing DNS intercepting ?
                                  Google up the firmware, that would be known on the net.

                                  The ISP doing intercepting, that would be the next question.

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.