    DNS Leaks, Internet VPN, and Internal DNS Servers

      datdamnmachine

      Here is my setup:

      Workstations/devices are configured to use internal AD servers for DNS.  AD has root hints disabled and forwarders to a Sophos UTM (bridge mode).  Sophos UTM has forwarder to Pfsense box (router/firewall/Internet) which uses Unbound in resolver mode.  Pfsense has domain overrides for the AD domain forward and reverse lookup zones so that it can successfully resolve internally.  The Sophos UTM box has a similar configuration for internal resolution.  The Pfsense box is also hosting an Internet VPN with all traffic configured to go out the Internet VPN save two boxes serving Netflix and connections to the Internet modem.

      Unbound is configured to allow DNS resolution from my internal networks and the outgoing network interfaces are configured for the interface the AD servers are on, and the Internet VPN.  This is where the problems come up.

      When using DNS leak tests from https://www.dnsleaktest.com, it shows DNS leaks with my Internet VPN being one and my ISP being the other.  However, if I remove the interface the AD servers are on from the outgoing interfaces in Unbound, the DNS leak test comes back clean BUT AD resolution on the Pfsense box dies (along with radius authentication and NTP sync and other internal DNS-related services).

      Has anyone else seen this before and know of a solution that allows me to use my internal DNS services with Unbound while stopping dns leaks from occurring?

      Edit:  Better clarity in the subject information.

        johnpoz LAYER 8 Global Moderator

        Let me get this right.. your clients use your AD dns - this is fine..

        You then forward to UTM, which then forwards to pfsense which resolves.  Why is the UTM in the mix, why not just have your AD use pfsense?

        If pfsense can only use your vpn, how would it be possible to be showing a leak via your normal wan?  Unless something else was doing the query out your wan.. Are you not blocking outbound dns?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          datdamnmachine

          @johnpoz:

          Let me get this right.. your clients use your AD dns - this is fine..

          You then forward to UTM, which then forwards to pfsense which resolves.  Why is the UTM in the mix, why not just have your AD use pfsense?

          if pfsense can only use your vpn, how would it be possible to be showing a leak via your normal wan?  Unless something else was doing the query out your wan.. Are you not blocking outbound dns?

          To answer your questions:

          I use the UTM for the UTM features as I had it in play before I started using Pfsense.  It uses Advanced Threat Protection via its own DNS proxy to detect malicious traffic.  This requires it to receive DNS requests.  This is why AD servers do lookups to it.

          As I mentioned previously, when Pfsense is configured to use ONLY the Internet VPN, there is no DNS leak but, when I configure Unbound to use the Internet VPN interface AND the inside interface the AD servers reside on (so it can do internal lookups via the AD server as well as radius for VPN) it shows a DNS leak.

          Now, some additional information:

          The Internet VPN was set up not to pull routes from the Internet VPN servers.  As such, I created a separate interface for the Internet VPN and had specific firewall rules configured to use that interface for the default gateway.  I was wondering if this could be the problem.  I decided to re-configure the Internet VPN to pull routes so that the default routes configured on Pfsense as a whole would be the Internet VPN routes.  Once done, the DNS leaks stopped.  I tested and confirmed as well as ensuring the Pfsense could still resolve the internal AD domain and radius was still working.

          This leads me to believe that, even though Unbound is configured to only use the Internet VPN and the inside interface for Outgoing DNS traffic, because its default route is still "technically" the raw, unencrypted Internet connection's route, Unbound "may" be sending DNS traffic out through the raw Internet connection via its default route configuration.  Is this normal behavior of Unbound, a reconfiguration on my part, or a bug?

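Added example, not code from the thread or from pfSense/Unbound: a small Python check that classifies the firewall's own outbound port-53 queries by the interface they left on, so that resolver queries leaving the raw WAN while Unbound is meant to use only the VPN and the AD LAN show up as leaks. Interface names, addresses and the capture lines are constructed assumptions for the example.

```python
"""Flag resolver queries that leave the firewall on the wrong interface.
Constructed example, not pfSense or Unbound code; each line mimics a simplified
per-interface capture: "<iface> <src>:<sport> > <dst>:<dport> <proto>"."""
import ipaddress
from collections import Counter
# Assumed lab values for the example, not the thread's real addresses.
VPN_IFACE = "ovpnc1"                                  # Internet VPN client interface
VPN_ADDR = ipaddress.ip_address("10.8.0.6")           # tunnel address Unbound sends from
AD_NETS = [ipaddress.ip_network("192.168.10.0/24")]  # LAN holding the AD servers
# Constructed capture: one query per line as seen on the firewall's own interfaces.
SAMPLE_CAPTURE = """\
ovpnc1 10.8.0.6:40311 > 198.51.100.10:53 udp
igb0 10.8.0.6:40312 > 198.51.100.11:53 udp
igb0 203.0.113.7:40313 > 198.51.100.12:53 udp
igb1 192.168.10.1:40314 > 192.168.10.5:53 udp
igb1 192.168.10.1:40315 > 192.168.10.6:53 udp
"""

def parse_line(line):
    """Return (iface, src_ip, dst_ip, dport) for one capture line."""
    iface, src, _, dst, _proto = line.split()
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return iface, ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip), int(dport)

def classify(iface, src_ip, dst_ip, dport):
    """Label a query: internal (to AD), ok (via VPN), or leak (via any other path)."""
    if dport != 53:
        return None
    if any(dst_ip in net for net in AD_NETS):
        return "internal"          # domain-override forward to AD; expected on the LAN
    if iface == VPN_IFACE:
        return "ok"
    return "leak"

def find_leaks(capture):
    """List every query that reached the Internet outside the VPN, with a likely cause."""
    leaks = []
    for line in capture.splitlines():
        iface, src_ip, dst_ip, dport = parse_line(line)
        if classify(iface, src_ip, dst_ip, dport) != "leak":
            continue
        # A VPN-sourced packet on another interface means the kernel's routing table,
        # not Unbound's outgoing-interface setting, chose the egress path.
        cause = "default route bypassed VPN" if src_ip == VPN_ADDR else "non-VPN source address"
        leaks.append({"iface": iface, "src": str(src_ip), "dst": str(dst_ip), "cause": cause})
    return leaks

def summarize(capture):
    """Count queries per class; a non-zero 'leak' count is the symptom the thread describes."""
    return Counter(classify(*parse_line(line)) for line in capture.splitlines())
```

Unbound's outgoing-interface setting only selects the source address of a query; the routing table still decides which interface the packet leaves on, which is why the VPN-sourced line above can appear on the WAN.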
            johnpoz LAYER 8 Global Moderator

            I just tested this recently for a different thread with the same sort of thing..

            I do not pull routes from the vpn connection I have to one of my vps.  If you want pfsense to use the vpn you would have to config the outbound nat for loopback to be able to use this interface.

            I can set this test up again - what dnsleak site are you using so I can use the same one as your testing.  Did you setup manual outbound nat for your vpn connection interface?

              datdamnmachine

              @johnpoz:

              I just tested this recently for a different thread with the same sort of thing..

              I do not pull routes from the vpn connection I have to one of my vps.  If you want pfsense to use the vpn you would have to config the outbound nat for loopback to be able to use this interface.

              I can set this test up again - what dnsleak site are you using so I can use the same one as your testing.  Did you setup manual outbound nat for your vpn connection interface?

              I'm using the following:

              https://www.dnsleaktest.com

              I have Outbound NAT set to manual and configured for the localhost rules (standard and isakmp) with rules to the Internet VPN interface.

                datdamnmachine

                @johnpoz:

                I just tested this recently for a different thread with the same sort of thing..

                I do not pull routes from the vpn connection I have to one of my vps.  If you want pfsense to use the vpn you would have to config the outbound nat for loopback to be able to use this interface.

                I can set this test up again - what dnsleak site are you using so I can use the same one as your testing.  Did you setup manual outbound nat for your vpn connection interface?

                I know this was a while ago but did you ever re-test this?

                  johnpoz LAYER 8 Global Moderator

                  no that dnsleaktest.com site hung and I never got back to it.. Just spins and spins..

                    datdamnmachine

                    @johnpoz:

                    no that dnsleaktest.com site hung and I never got back to it.. Just spins and spins..

                    Weird, I think I've seen that before.  Well, how about this one:

                    https://torguard.net/vpn-dns-leak-test.php

                    FYI, it will start testing automatically when you go there.

                      johnpoz LAYER 8 Global Moderator

                      Just spins.. Maybe their dnssec is broken ;)

                      How long should such a test take.. I can point to my isp dns and test it..  Would have to sniff to why maybe its failing using the resolver.. What should happen is they should report my wan IP in normal operation since that would be the IP doing the queries to where ever they point to in the test, etc..

                      Ok figured out why their site broke for me – my adblocker blocking some shit they prob use to test with..

                      So I turned off adblocker and pointed my client to my isp dns 75.75.75.75 - oh my gawd I leaked that I am from the US and use comcast.. I am F'd now ;) hehehehe

                      But at least I can test the "leakage" thing we were talking about.. But have to wait til later this morning.. Off for my morning walk and then off to work..

                      Attachments: justspins.png, whybroke.png, dnsleaked.png

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.