DNS resolver leaks (+ISP hijack)
-
Hi.
I'm an expat in a country where the ISP is eavesdropping on everything, blocking VOIP and so on. I've got pfSense (2.3.2) up and running (limited experience with firewalls..) with a VPN client connecting back home to EU routing all traffic through the tunnel, works great. I've got an intermittent issue with DNS leakage though.
General setup:
Google's DNS 8.8.8.8 and 8.8.4.4 with NONE as gateway.
DNS Server Override - deselected
Disable DNS Forwarder - deselected
Service -> DNS resolver:
Enabled.
Network interfaces: All
Outgoing Network Interfaces: VPN-gateway
I've found that every now and then a DNSleaktest returns my ISP's DNS instead of my VPN IP, suggesting the query is not going through the tunnel even with the above settings, plus that the ISP is hijacking the Google DNS. If I go into the DNS resolver, not changing a thing but click "Save", queries are then back using the tunnel again. Is there a glitch or some workaround I can use?
I guess I can delete all DNS settings in the General setup and for the VPN-client connect straight to the VPN-server's IP rather than its host record, but that only works until the VPN provider changes its IP on their server.
Any info or suggestions are appreciated
Thanks,
Knut
-
Hi,
in Services>DNS Resolver>General Settings, select DNSSEC and DNS Query Forwarding
With DNS Query Forwarding selected, when you run a DNSleaktest it will return the DNS you have inserted in System>General Setup
To prevent any device on your network from using a different DNS than what is set in pfSense, you should add two rules like these in Firewall>Rules>LAN:
-
You do not have to forward, you just need to make sure pfsense sends all queries through your vpn. Select your vpn interface for outgoing queries in unbound.
And yes, make sure the client you're running your DNS leak test through is only using pfSense for DNS.
-
Totally agree with johnpoz!
Sorry, I haven't read that you're routing ALL traffic through the tunnel.
-
You do not have to forward, you just need to make sure pfsense sends all queries through your vpn. Select your vpn interface for outgoing queries in unbound.
And yes, make sure the client you're running your DNS leak test through is only using pfSense for DNS.
In Services/DNS Resolver/General Settings I've already selected the VPN-interface under "Outgoing Network Interfaces" as opposed to the default "All". It normally works, but every now and then queries still seem to slip through the WAN interface for some weird reason, and hence this topic.
All clients on the network have pfSense's LAN IP as DNS received via DHCP (checked and double checked with all the clients)
-
So the ONLY interface you have selected in unbound is your VPN interface? If you have more than one, queries can go out any of them.
-
What's in the pfSense's /etc/resolv.conf? You don't want to have anything else but 127.0.0.1 with the set up you've described.
-
^ valid point, it's possible it's pfSense going directly to 8.8.8.8 vs using unbound via loopback.
But it doesn't make sense why pfSense would be trying to go to the dnsleak FQDN site, which would be the only way the dnsleak site would know that DNS queries are leaking.
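The two leak paths raised above (a non-loopback nameserver in /etc/resolv.conf, and more than one, or the wrong, outgoing interface in unbound) can be checked from the pfSense shell with a small audit script. This is an added example, not code from the thread or from pfSense; it assumes the pfSense locations /etc/resolv.conf and /var/unbound/unbound.conf, that the Resolver page writes unbound's standard "outgoing-interface:" lines, and it runs on constructed sample files so it can be tried anywhere.

```shell
#!/bin/sh
# Added example (not from the thread): audit the two places where pfSense can
# send DNS queries past the VPN tunnel. Assumed pfSense file locations:
#   /etc/resolv.conf           -> should list only 127.0.0.1 (unbound on loopback)
#   /var/unbound/unbound.conf  -> "outgoing-interface:" lines from the Resolver page

# Return 0 if every nameserver in the given resolv.conf is loopback, else 1.
check_resolv_conf() {
    bad=$(awk '$1 == "nameserver" && $2 != "127.0.0.1" && $2 != "::1" { print $2 }' "$1")
    [ -z "$bad" ] && return 0
    echo "resolv.conf bypasses unbound via: $bad"
    return 1
}

# Return 0 only if unbound has exactly one outgoing-interface and it is $2
# (the VPN tunnel address). Zero lines means "All", which includes WAN.
check_unbound_outgoing() {
    ifaces=$(awk '$1 == "outgoing-interface:" { print $2 }' "$1")
    count=$(printf '%s\n' "$ifaces" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -ne 1 ] || [ "$ifaces" != "$2" ]; then
        echo "unbound outgoing interfaces: ${ifaces:-(none = all, WAN included)} (want only $2)"
        return 1
    fi
    return 0
}

# Run both checks: audit_dns_path <resolv.conf> <unbound.conf> <vpn-ip>
audit_dns_path() {
    r=0
    check_resolv_conf "$1" || r=1
    check_unbound_outgoing "$2" "$3" || r=1
    return $r
}

# --- constructed demonstration data (not real pfSense output) ---
tmp=$(mktemp -d)
printf 'nameserver 127.0.0.1\nnameserver 8.8.8.8\n' > "$tmp/resolv.leaky"
printf 'nameserver 127.0.0.1\n' > "$tmp/resolv.clean"
printf 'server:\n  outgoing-interface: 10.8.0.6\n  outgoing-interface: 203.0.113.10\n' > "$tmp/unbound.leaky"
printf 'server:\n  outgoing-interface: 10.8.0.6\n' > "$tmp/unbound.clean"

audit_dns_path "$tmp/resolv.leaky" "$tmp/unbound.leaky" 10.8.0.6 || echo "leak path found (expected for sample)"
audit_dns_path "$tmp/resolv.clean" "$tmp/unbound.clean" 10.8.0.6 && echo "clean: all queries go via unbound over the VPN"
rm -rf "$tmp"
```

On a real box run `audit_dns_path /etc/resolv.conf /var/unbound/unbound.conf <tunnel-ip>` after each "Save" on the Resolver page to see whether the generated config actually matches what the GUI shows.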