Netgate Discussion Forum

DNS on VPN Client

OpenVPN
4 Posts 2 Posters 1.3k Views
WebChode

      Hello VPN experts,

      I followed one of the excellent tutorials on setting up OpenVPN and it works great. I can connect using the Viscosity client to my network at home and access the computers on my network at home. This works great.

      In Viscosity, there are four DNS Setting options:

      1. Automatic
      2. Full DNS (all traffic)
      3. Split DNS (use VPN DNS for VPN domains only)
      4. None

      If I choose #1 or #2 and try to use Safari to connect to any website, I get a DNS error. If I use #3, I can connect, the traffic is forced through the VPN tunnel (which is what I want), and I have the IP address of my home network when I check it.

      I'm not a security expert, however I understand that it is much more secure to use the DNS on the VPN tunnel (my home network) rather than the DNS of my remote connection. How do I enable the DNS so that my remote computer uses the DNS of my home network?

      johnpoz (LAYER 8 Global Moderator)

        "I'm not a security expert, however I understand that it is much more secure to use the DNS on the VPN tunnel"

        I think the part about not being a security expert is key here ;)  Why do you think it's more secure to use the DNS down your tunnel exactly?  How is your VPN DNS going to look up stuff on your local network?  Is someone watching the local DNS your VPN connects from and seeing that your IP is looking up porn sites while at work - what?

        If you want your VPN clients to use your DNS on pfSense via VPN, did you edit the ACLs in unbound to allow for that?  Are you using unbound or the forwarder? etc.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        WebChode

          I take the 5th on the security expert. I was regurgitating something I read somewhere else on the interwebs.

          How would I edit the ACLs to allow for that? I assume by ACL you mean the rules for the OpenVPN access under Firewall -> Rules -> OpenVPN

          I'm running pfSense 2.3 and my clients use Viscosity to connect via OpenVPN.

          johnpoz (LAYER 8 Global Moderator)

            No, what I mean by ACLs is the ACLs in unbound (resolver).. Unless you have turned that off and turned on the forwarder (dnsmasq)?  There seems to be an issue going around with dnsmasq seeing a conf file and limiting queries to the local network if you're using the forwarder.

            https://doc.pfsense.org/index.php/Unbound_DNS_Resolver#Access_Lists_Tab

            "I was regurgitating something I read somewhere else on the interwebs."

            Hehe yeah, since we all know everything you read on the internet has to be true ;)  Some of the nonsense I see that says it's more secure or better to do something is most of the time complete utter hogwash!!

            The big thing as of late is DNS leakage.. How tight is your tin foil hat??  What DNS are you using exactly?  Do you really think your ISP is tracking what IP address 1.2.3.4 (which they know is billy bob their customer) is doing queries for..  Oh, that billy likes his fetish porn, serve him up more fetish porn ads?  Or maybe they are selling that to ???  The NSA maybe??

            While yes, data can be gotten from DNS queries.. Who do you think is watching yours?  And where exactly are they doing it from?  Once you know who you're trying to hide from, then you can figure out how and if you need to.  All comes down to how tight that tin foil hat is…

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

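To make the ACL point concrete, here is an added example (not from this thread or from pfSense/unbound itself) that models how unbound picks an access-control action for a client address, so you can see why a tunnel client gets REFUSED when only the LAN has an allow entry. The subnets and tunnel network are constructed; unbound's most-specific-netblock rule and its refuse-by-default behaviour are the assumptions it models.

```python
# Added example (not from the thread): a minimal model of unbound's
# access-control evaluation, showing why an OpenVPN client can get
# REFUSED from the pfSense resolver when the tunnel network has no
# ACL entry. Subnets and actions below are constructed, not taken
# from any real pfSense install.
import ipaddress

# Action unbound applies when no access-control entry matches:
# everything except localhost is refused.
DEFAULT_ACTION = "refuse"

def parse_access_control(conf_text):
    """Collect 'access-control: <netblock> <action>' lines from unbound.conf text."""
    rules = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line.startswith("access-control:"):
            continue
        netblock, action = line[len("access-control:"):].split()
        rules.append((ipaddress.ip_network(netblock, strict=False), action))
    return rules

def acl_action(rules, client_ip):
    """Return the action for client_ip; the most specific matching netblock wins."""
    addr = ipaddress.ip_address(client_ip)
    best = None
    for net, action in rules:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, action)
    return best[1] if best else DEFAULT_ACTION

# Constructed ACL resembling what pfSense writes when only LAN is allowed.
LAN_ONLY = """
access-control: 127.0.0.0/8 allow
access-control: ::1 allow
access-control: 192.168.1.0/24 allow   # LAN
"""
# Same ACL with an assumed OpenVPN tunnel network (10.0.8.0/24) allowed.
WITH_VPN = LAN_ONLY + "access-control: 10.0.8.0/24 allow   # OpenVPN tunnel\n"

if __name__ == "__main__":
    for label, conf in (("LAN only", LAN_ONLY), ("with VPN ACL", WITH_VPN)):
        rules = parse_access_control(conf)
        print(label, "-> VPN client 10.0.8.6:", acl_action(rules, "10.0.8.6"))
```

The "LAN only" case is the one that produces the DNS error in Viscosity's Full DNS mode: the query reaches unbound over the tunnel but is refused, while the "with VPN ACL" case answers it.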
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.