Netgate Discussion Forum
    DNS override to custom DNS servers

    DHCP and DNS
    6 Posts 3 Posters 8.6k Views
    smk

      Hello

      The objective is to reconfigure pfSense 2.3.3 to only use torguard.net's DNS servers and not the ISP's.

      I have torguard.net's DNS servers configured under: System-> General Setup
      DNS Servers: 104.223.91.194
      DNS Servers: 104.223.91.210
      Allow DNS server list to be overridden by DHCP/PPP on WAN: Unchecked

      I have also enabled DNS Resolver (Unbound) and disabled DNS Forwarder. Clients are configured to use the pfSense gateway as their DNS server.

      Yet my ISP's DNS server shows up when I go to their DNS leak test page here https://torguard.net/vpn-dns-leak-test.php

      Why is pfSense not using the DNS servers specified in its configuration?

      Best Regards

      SMK

    jahonix

        And why do you use the resolver then? DNS in your case should be done by the forwarder, forwarding to the tor DNS server(s).
        You know how a resolver works, don't you?

        Your clients get IP, gateway and DNS servers assigned by DHCP? Did you renew the lease or do they still use the data assigned yesterday?

    smk

      The resolver is used for host overrides and domain overrides on DNS resolutions of machines on the local networks. Currently the resolver is also attached to the WAN network interface. You make a point in that the resolver on the WAN interface does not add value. Are you suggesting I remove the DNS resolver binding to the WAN interface and bind the WAN interface to the DNS Forwarder instead? I understood the resolver and the forwarder to have similar capabilities and that the resolver forwards DNS requests to the upstream servers configured under System->General Setup if they did not match a host override or domain override.

      My clients get IP, gateway and DNS servers assigned by DHCP. The assignment for DNS happens via DHCP to the pfSense box's IP address. I did renew the lease and it still keeps going back to the ISP's DNS servers as shown by the DNS leak test page, although System->General Setup has the correct DNS servers to use. Not sure why.

          Thank you for taking the time to help me.

    johnpoz LAYER 8 Global Moderator

      "the resolver forwards DNS request to upstream servers configured under System->General Setup if it did not match a host overwrite or domain override."

            Just plain wrong.. The resolver RESOLVES down from roots..

            Hey roots who is NS for .com
            Hey NS for .com who is NS for domain.com
            Hey NS for domain.com what is the A record for www.domain.com

            It does not "forward" anywhere.. Unless you have changed it to be in forwarder mode vs the default resolver mode.

      If you want to just ask the tor dns.. then just use the forwarder.. It will ask all the dns configured and use the fastest response. While unbound in forwarder mode is just going to ask each dns you have listed in turn if it doesn't get an answer from the first one..

      What just blows me away is the seemingly complete lack of understanding of how dns works at all.. Yet users seem just freaking nuts that they have a "dns leak". Just tinfoil hat so freaking tight it's cutting off blood flow to the brain.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

    jahonix
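The check below is an added example and is not code from this thread, from pfSense or from Unbound. It makes the distinction johnpoz draws above (resolver mode iterating from the roots versus forwarding mode) and the configuration smk describes in the first post concrete: it parses unbound.conf-style text using Unbound's real `forward-zone`, `name`, `forward-addr` and `forward-first` directives, reports whether the root zone `"."` is forwarded, and compares any forwarders for `"."` against the two torguard.net addresses from the first post. The three sample configurations are constructed for the example; `192.0.2.53` and `198.51.100.1` are documentation-range placeholders standing in for a local override server and an ISP resolver, and nothing about pfSense's own file layout or GUI setting names is assumed.

```python
"""Audit an Unbound configuration: does it resolve from the root hints, or forward,
and if it forwards, to which upstream servers?  Sample configs are constructed."""
import re
from dataclasses import dataclass, field

# Upstreams the operator intends to use (the torguard.net servers from the thread).
EXPECTED_UPSTREAMS = {"104.223.91.194", "104.223.91.210"}


@dataclass
class DnsAudit:
    mode: str                                        # "resolver" or "forwarder"
    forwarders: list = field(default_factory=list)   # forward-addr entries for zone "."
    unexpected: list = field(default_factory=list)   # forwarders outside EXPECTED_UPSTREAMS
    forward_first: bool = False                      # forward-first: yes => recurse on failure


def parse_forward_zones(conf_text):
    """Return {zone_name: {"addrs": [...], "forward_first": bool}} from unbound.conf text.

    Only forward-zone clauses are interpreted; server: and other clauses are skipped.
    """
    zones, clause, zone = {}, None, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and surrounding whitespace
        if not line:
            continue
        head = re.fullmatch(r"([a-z-]+):", line)      # clause header, e.g. 'server:' or 'forward-zone:'
        if head:
            clause = head.group(1)
            zone = {"addrs": [], "forward_first": False} if clause == "forward-zone" else None
            continue
        if zone is None:                              # attribute of a clause we do not interpret
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if key == "name":
            zones[value] = zone
        elif key == "forward-addr":
            zone["addrs"].append(value.split("@")[0]) # strip an optional @port suffix
        elif key == "forward-first":
            zone["forward_first"] = value.lower() == "yes"
    return zones


def audit(conf_text, expected_upstreams=EXPECTED_UPSTREAMS):
    """Classify the configuration and flag forwarders that are not the intended upstreams."""
    root = parse_forward_zones(conf_text).get(".")
    if root is None:
        # No forward-zone for ".": Unbound walks roots -> TLD -> authoritative itself,
        # so no configured upstream (ISP or otherwise) sees the full query stream.
        return DnsAudit(mode="resolver")
    unexpected = [a for a in root["addrs"] if a not in expected_upstreams]
    return DnsAudit("forwarder", list(root["addrs"]), unexpected, root["forward_first"])


# --- constructed sample configurations -------------------------------------------------
RESOLVER_CONF = """
server:
    interface: 0.0.0.0
    harden-dnssec-stripped: yes
forward-zone:
    name: "corp.lan"            # a domain override: only this zone is forwarded (192.0.2.53 is a placeholder)
    forward-addr: 192.0.2.53
"""

FORWARDER_CONF = """
server:
    interface: 0.0.0.0
    do-not-query-localhost: no
forward-zone:
    name: "."
    forward-first: no
    forward-addr: 104.223.91.194
    forward-addr: 104.223.91.210
"""

LEAKY_CONF = """
forward-zone:
    name: "."
    forward-first: yes
    forward-addr: 198.51.100.1   # placeholder for an ISP resolver that should not be here
"""

if __name__ == "__main__":
    for label, conf in [("resolver", RESOLVER_CONF), ("forwarder", FORWARDER_CONF), ("leaky", LEAKY_CONF)]:
        print(label, audit(conf))
```

Run it against the Unbound configuration the firewall actually generates, not the settings you believe are in effect. If the audit reports `resolver` yet the leak test still shows the ISP's servers, the lookups are not passing through Unbound at all (a client pointed at another server, or port 53 traffic answered somewhere other than the firewall), which is a different problem from the resolver-versus-forwarder question discussed here.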

              Relax john, I am optimistic we pushed smk in the right direction. Thanks for the details, BTW!

    johnpoz LAYER 8 Global Moderator

      Can't go a day without someone bringing up "I have a dns leak" ;) Freaking sky is falling ;)

                Oh my gawd, the authoritative servers for domain.com will have my IP that I looked up www.domain.com - oh my gawd.. They are going to hack me or sell my info.. That this IP looked up the record they are authoritative for ;)

                If so worried just use the resolver via vpn connection…


                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.