DNS Leaks, Internet VPN, and Internal DNS Servers
-
Here is my setup:
Workstations/devices are configured to use internal AD servers for DNS. AD has root hints disabled and forwarders to a Sophos UTM (bridge mode). Sophos UTM has forwarder to Pfsense box (router/firewall/Internet) which uses Unbound in resolver mode. Pfsense has domain overrides for the AD domain forward and reverse lookup zones so that it can successfully resolve internally. The Sophos UTM box has a similar configuration for internal resolution. The Pfsense box is also hosting an Inernet VPN with all traffic configured to go out the Internet VPN save two boxes serving Netflix and connections to the Internet modem.
Unbound is configured to allow DNS resolution from my internal networks and the outgoing network interfaces are configured for the interface the AD servers is on, and the Internet VPN. This is were the problems come up.
When using DNS leak tests from https://www.dnsleaktest.com, It shows DNS leaks with my Internet VPN being one and my ISP being the other. However, if I remove the interface the AD servers is on from the outgoing interfaces in Unbound, the DNS leak test come back clean BUT, AD resolution on the Pfsense box dies (along with radius authentication and NTP sync and other internal DNS-related services).
Has anyone else seen this before and know of a solution that allows me to use my internal DNS services with Unbound while stopping dns leaks from occurring?
Edit: Better clarity in the subject information.
-
Let me get this right.. your clients use your AD dns - this is fine..
You then forward to UTM, which then forwards to pfsense which resolves. Why is the UTM in the mix, why not just have your AD use pfsense?
if pfsense can only use your vpn, how would it be possible to be showing a leak via your normal wan? Unless something else was doing the query out your wan.. Are you not blocking outbound dns?
-
Let me get this right.. your clients use your AD dns - this is fine..
You then forward to UTM, which then forwards to pfsense which resolves. Why is the UTM in the mix, why not just have your AD use pfsense?
if pfsense can only use your vpn, how would it be possible to be showing a leak via your normal wan? Unless something else was doing the query out your wan.. Are you not blocking outbound dns?
To answer your questions:
I use the UTM for the UTM features as I had it in play before I started using Pfsense. It uses Advanced Threat Protection via its own DNS proxy to detect malicious traffic. This requires it to receive DNS requests. This is why AD servers do lookups to it.
As I mentioned previously, when Pfsense is configured to to use ONLY the Internet VPN, there is no DNS leak but, when I configure Unbound to use the Internet VPN interface AND the inside interface the AD servers reside on (so it can do internal lookups via the AD server as well as radius for VPN) it shows a DNS leak.
Now, some additional information:
Tthe Internet VPN was set up not to pull routes from the Internet VPN servers. As such, I create a separate interface for the Internet VPN and had specific firewall rules configured to use that interface for the default gateway. I was wondering if this could be the problem. I decided to re-configured the Internet VPN to pull routes so that the default routes configured on Pfsense as a whole would be the Internet VPN routes. Once done, the DNS leaks stopped. I tested and confirmed as well as ensuring the Pfsense could still resolve the internal AD domain and radius was still working.
This leads me to believe that, even though Unbound is configured to only use the Internet VPN and the inside interface for Outgoing DNS traffic, because its default route is still "technically" the raw, unencrypted Internet connection's route, Unbound "may" be sending DNS traffic out thru the raw Internet connection via its default route configuration. Is this normal behavior of Unbound, a reconfiguration on my part, or a bug?
-
I just tested this recently for a different thread with the same sort of thing..
I do not pull routes from the vpn connection I have to one of my vps. If you want pfsense to use the vpn you would have to config the outbound nat for loopback to be able to use this interface.
I can set this test up again - what dnsleak site are you using so I can use the same one as your testing. Did you setup manual outbound nat for your vpn connection interface?
-
I just tested this recently for a different thread with the same sort of thing..
I do not pull routes from the vpn connection I have to one of my vps. If you want pfsense to use the vpn you would have to config the outbound nat for loopback to be able to use this interface.
I can set this test up again - what dnsleak site are you using so I can use the same one as your testing. Did you setup manual outbound nat for your vpn connection interface?
I'm using the following:
https://www.dnsleaktest.com
I have Outbound NAT set to manual and configured for the localhost rules (standard and isakmp) with rules to the Internet VPN interface.
-
I just tested this recently for a different thread with the same sort of thing..
I do not pull routes from the vpn connection I have to one of my vps. If you want pfsense to use the vpn you would have to config the outbound nat for loopback to be able to use this interface.
I can set this test up again - what dnsleak site are you using so I can use the same one as your testing. Did you setup manual outbound nat for your vpn connection interface?
I know this was a while ago but did you ever re-test this?
-
no that dnsleaktest.com site hung and I never got back to it.. Just spins and spins..
-
no that dnsleaktest.com site hung and I never got back to it.. Just spins and spins..
Weird, I think I've seen that before. Well, how about this one:
https://torguard.net/vpn-dns-leak-test.php
FYI, it will start testing automatically when you go there.
-
Just spins.. Maybe their dnssec is broken ;)
How long should such a test take.. I can point to my isp dns and test it.. Would have to sniff to why maybe its failing using the resolver.. What should happen is they should report my wan IP in normal operation since that would be the IP doing the queries to where ever they point to in the test, etc..
Ok figured out why their site broke for me – my adblocker blocking some shit they prob use to test with..
So I turned off adblocker and pointed my client to my isp dns 75.75.75.75 - oh my gawd I leaked that I am from the US and use comcast.. I am F'd now ;) hehehehe
But atleast I can test the "leakage" thing we were talking about.. But have to wait til later this morning.. Off for my morning walk and then off to work..
