How to get separate DNS for "OpenVPN subnets" and "ISP subnets"?



  • In my network I have subnets with direct access to Internet via ISP and also subnets with Internet access via a VPN service provider running OpenVPN. Currently the system has encrypted access to DNS via my VPN service provider and I use their DNS servers. I also have the Unbound DNS resolver running.

    If the VPN service or connection to ISP goes down for some reason then access to Internet is lost on all subnets because the connection to the DNS servers is broken. I have to restart the OpenVPN client to get Internet access again.

    I want this behaviour only for the VPN-subnets and not for the ISP subnets. I don't want the computers with direct ISP connection to be affected if VPN connection is lost. Can I have the DNS resolver working only on the ISP-subnets or do I have to specify DNS servers for each and every subnet? What is the best way to solve this problem?



  • I'm not sure how large of a network you're administering, so this may or may not be an option for you, but I use static mappings in the DHCP server for all clients that I want to exclude from the VPN.  In those same static mappings, you can optionally assign DNS servers that override whatever the system default DNS settings are.  This works for me, although I'm dealing with a small home network and realize this approach wouldn't scale well to a much larger network.



  • @TheNarc:

    I'm not sure how large of a network you're administering, so this may or may not be an option for you, but I use static mappings in the DHCP server for all clients that I want to exclude from the VPN.  In those same static mappings, you can optionally assign DNS servers that override whatever the system default DNS settings are.  This works for me, although I'm dealing with a small home network and realize this approach wouldn't scale well to a much larger network.

    This is just a small home network with two LANs, two WLANs and a DMZ. I am trying your solution and it appears to be working. I'm a bit puzzled about the function of the DNS resolver in my system. I have it enabled by default. Should I turn it off?  Maybe it is possible to use it on just the ISP subnets?



  • There shouldn't be any need to turn off the resolver, but you want to make sure that in its "outgoing network interfaces" area, only your VPN interface(s) is/are selected.  At least, that's how I have it set up.  So the resolver only contacts authoritative root servers via the VPN tunnel, and all clients on your LAN use the resolver (i.e. the pfSense box itself) as their DNS server except for those clients that you have explicitly excluded from the VPN by way of static mappings in the DHCP server, which instead use the DNS server(s) that you have configured for them in those static mappings.

    Two other things to be aware of though:

    1.  When you tell your resolver it must only use your VPN interface(s) for outgoing traffic, you lose the ability to bring up your VPN client connections if you specified host names instead of IPs in their configurations.  This isn't a big deal in my experience, but if you've currently got host names in there you'll need to put in the raw IPs instead.

    2.  When the resolver is configured to use VPN interfaces for outgoing traffic, a race condition occurs on startup.  See this bug: https://redmine.pfsense.org/issues/6186  What this means in practice (or at least in my experience) is that when your pfSense machine is restarted, the resolver will come up before your VPN clients have connected and will default its outgoing interface settings to "all interfaces".  All you need to do to correct this is go to the resolver's settings page, click on Save, and then Apply Changes.  This may or may not be acceptable to you.  In my case, I almost never need to restart my pfSense box, so it's not a huge deal.  On the other hand, it's a burden to remember that extra step, because otherwise your DNS queries will not be going out exclusively by way of your VPN.



  • @TheNarc:

    There shouldn't be any need to turn off the resolver, but you want to make sure that in its "outgoing network interfaces" area, only your VPN interface(s) is/are selected.  At least, that's how I have it set up.  So the resolver only contacts authoritative root servers via the VPN tunnel, and all clients on your LAN use the resolver (i.e. the pfSense box itself) as their DNS server except for those clients that you have explicitly excluded from the VPN by way of static mappings in the DHCP server, which instead use the DNS server(s) that you have configured for them in those static mappings.

    Two other things to be aware of though:

    1.  When you tell your resolver it must only use your VPN interface(s) for outgoing traffic, you lose the ability to bring up your VPN client connections if you specified host names instead of IPs in their configurations.  This isn't a big deal in my experience, but if you've currently got host names in there you'll need to put in the raw IPs instead.

    2.  When the resolver is configured to use VPN interfaces for outgoing traffic, a race condition occurs on startup.  See this bug: https://redmine.pfsense.org/issues/6186  What this means in practice (or at least in my experience) is that when your pfSense machine is restarted, the resolver will come up before your VPN clients have connected and will default its outgoing interface settings to "all interfaces".  All you need to do to correct this is go to the resolver's settings page, click on Save, and then Apply Changes.  This may or may not be acceptable to you.  In my case, I almost never need to restart my pfSense box, so it's not a huge deal.  On the other hand, it's a burden to remember that extra step, because otherwise your DNS queries will not be going out exclusively by way of your VPN.

    In my system the resolver doesn't appear to do anything useful. In General Setup I have the two DNS Servers from my VPN service provider and the OpenVPN gateway. For the subnets without VPN I specify another DNS (OpenDNS) in the DHCP server as recommended in the previous post. I would rather use the resolver for the non-VPN subnets but I don't know how to accomplish that.



  • You have to assign DNS services on their respective config pages to interfaces.



  • @jahonix:

    You have to assign DNS services on their respective config pages to interfaces.

    By "their" I suppose you are referring to the subnets not using the VPN service. What "config pages" do you mean? The Interface menu? I find nothing related to DNS there.



  • I may be wrong about this, but I believe that if you have either the DNS resolver (unbound) or the DNS forwarder (dnsmasq) enabled, then your clients will be handed the IP of your pfSense machine's LAN interface by default to use as a DNS server (e.g. 192.168.1.1).  If the resolver is enabled, then queries will be handled by the pfSense machine contacting authoritative root servers.  If the forwarder is enabled, then queries will be handled via the DNS server(s) you have configured on the "System > General Setup" page.  If neither the resolver nor the forwarder is enabled, then I believe clients will be directly handed the IPs of the DNS server(s) you have configured on the "System > General Setup" page.  But I've never tried that; pfSense may enforce that either the resolver or the forwarder is enabled.  In any case, I believe you can always supersede DNS server assignment on a per-client basis by way of DHCP static mappings.  If you want to use the resolver only for non-VPN traffic, then I believe you would need to enable it and configure the "outgoing interfaces" to be only your WAN interface.  Then, for any clients you want on the VPN, create DHCP static mappings that assign them both the VPN gateway and your VPN's DNS servers.
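As an added illustration (not from any poster in this thread), here is what the split described in the two configuration posts above looks like as a raw unbound.conf server fragment: the resolver answers only the ISP subnet, VPN-subnet clients are pointed at the VPN provider's DNS by DHCP, and recursion is pinned to one outgoing address. All addresses are constructed.

```conf
# Added example: unbound.conf fragment for the thread's split-DNS layout.
# Every address below is constructed for illustration.
server:
    # Listen on the pfSense-side gateway addresses that clients are handed
    # as their DNS server (192.168.1.1 style, as mentioned in the thread).
    interface: 192.168.1.1        # ISP subnet gateway (constructed)
    interface: 192.168.2.1        # VPN subnet gateway (constructed)

    # Only the ISP subnet may use this resolver. VPN-subnet clients receive
    # the VPN provider's DNS servers via DHCP static mappings and are refused
    # here, so a VPN outage cannot take the ISP subnet's DNS down with it.
    access-control: 192.168.1.0/24 allow
    access-control: 192.168.2.0/24 refuse
    access-control: 0.0.0.0/0 refuse

    # Recursion to the root servers leaves through the WAN address only.
    # Pinning this address is what the "outgoing network interfaces"
    # selection in the resolver settings amounts to.
    outgoing-interface: 203.0.113.10    # WAN address (constructed)

    # Weak variant: omitting outgoing-interface lets unbound send recursion
    # out any interface, which is the "all interfaces" fallback the thread
    # describes after the startup race. If you instead pin the VPN tunnel
    # address, it must exist before unbound starts, which is that race:
    # outgoing-interface: 10.8.0.2     # VPN tunnel address (constructed)
```

pfSense generates its own unbound.conf from the GUI selections, so this fragment shows what those settings express rather than a file to paste onto the box.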



  • @Ip:

    By "their" I suppose you are referring to the subnets …

    I'm referring to Services > DNS Resolver and Services > DNS Forwarder.
    You have to pick the interfaces they serve.

