DNS query



  • I have OpenVPN set up with PIA, and I have set up some devices to bypass PIA and go straight out via the WAN connection; however, these devices are not getting DNS.

    What do I have to do so DNS will work on devices that are going straight out the WAN?

    Thanks very much



  • Just allow the access to the DNS server in firewall rules.



  • Thanks very much, how would I do that?



  • That depends on the DNS server your devices are using. You gave no information about your setup.

    If the pfSense is your DNS, add a rule to the interface the concerned devices are connected to and allow the TCP/UDP protocol from them to the interface address with destination port 53.

    If the devices try to access a public DNS, enter the DNS IP at destination, or just any. If the VPN client is your default gateway, you have to select the WAN gateway in the advanced options in addition here.



  • Thanks very much

    I am using pfSense for DNS, and OpenVPN (PIA) is set as the default gateway.

    I set up a new rule with the device's IP to point to WAN instead of the OpenVPN connection, but it doesn't resolve DNS. I shall try this.

    Thanks again



  • Hi

    I have my PS4 LAN rule to forward straight to the WAN; would I just add another rule on the LAN interface to pass DNS traffic to port 53?

    Thanks very much really appreciate the help!




  • Yes, the rule for accessing the LAN interface must not have set a gateway.

    Your PS4 rule allows only traffic to the WAN GW. Access to the LAN address does not pass this. So you have to add an additional rule for DNS using no gateway (set to default) and put it above the other PS4 rule.



  • That's great, thanks very much, really appreciate your help! :-)



  • Hi

    Does the below set of rules look okay?

    Thanks again!



  • LAYER 8 Global Moderator

    Other than that, DNS uses UDP, and sometimes - not very often - TCP. And you only have TCP vs UDP/TCP on your DNS rule.

    And your source port should be ANY, not 53… Your dest is 53, but you have no idea what port the client would use for a DNS query.
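    The two LAN rules the thread arrives at, written out as an added example in simplified pf.conf notation (this is not the poster's screenshot or pfSense's generated ruleset; the macro names and addresses are assumed):

```pf
# Added illustration, not pfSense's actual generated rules: a simplified
# pf.conf-style rendering of the LAN rules discussed in this thread.
# Assumed macros: $lan = LAN interface, $lan_addr = its address, $ps4 = the
# console's IP, $wan/$wan_gw = WAN interface and gateway.
# "quick" rules are evaluated first-match, top to bottom, as in the pfSense GUI.

# --- as first posted: matches almost nothing ---------------------------------
# TCP only, and the SOURCE port pinned to 53. A client sends its query from a
# random high port, usually over UDP, so this never matches; the bypass rule
# below catches the packet and policy-routes it out WAN, where the firewall's
# own resolver is never reached.
# pass in quick on $lan inet proto tcp from $ps4 port 53 to $lan_addr port 53

# --- corrected ---------------------------------------------------------------
# 1. DNS to the firewall itself: UDP and TCP, any source port, and NO route-to
#    (pfSense "Gateway: default"). It must sit ABOVE the bypass rule, otherwise
#    the bypass rule matches first.
pass in quick on $lan inet proto { udp tcp } from $ps4 to $lan_addr port 53 keep state

# 2. The existing bypass rule: everything else from the PS4 is policy-routed
#    straight out WAN instead of the PIA tunnel that is the default gateway.
pass in quick on $lan inet from $ps4 to any route-to ($wan $wan_gw) keep state

# 3. Optional, as suggested later in the thread: an alias (Firewall > Aliases > IP)
#    instead of a single host. Addresses here are constructed for illustration.
# table <wan_bypass> { 192.168.1.50 192.168.1.51 }
#    ...and "from <wan_bypass>" in rules 1 and 2.
```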



  • I mentioned it above in Reply #3.
    :)


  • LAYER 8 Global Moderator

    You did - and clearly he didn't listen ;)



  • Sure, it won't be any risk if other clients also access the DNS server. Since you control all clients, this is on you anyway.
    You may also add an Alias for a group of granted host addresses (Firewall > Aliases > IP) and use this one in the firewall rule for the source.



  • Thanks very much, working great now, appreciate your help ;D

