NordVPN guide suggests certain DNS settings that I'm not sure about.

  • I went through this guide only to find a number of things wrong with it.

    My questions are specific to the DNS section. It suggests I turn off DNSSEC and Disable DNS Forwarder/Resolver. Do either of these settings cause DNS leaks?

    DNSSEC: Not sure why I would want to have this off…

    Disable DNS Forwarder/Resolver: I was reading that the DNS resolver simply caches DNS lookups, if cached just hand out the resolved IP. Again, why would I turn this off? If it's cached then I'm not doing an external lookup, thus, no leak... these settings seem odd to have off.

    Just wanted your guy's opinion on the matter. I'm really new at networking so please forgive my questions.

  • LAYER 8 Global Moderator

    While it says to turn off dnssec.. If your forwarding this means nothing to be honest, so yeah when your forwarding you would normally turn off dnssec.

    It does not say to turn off forwarder/resolver - it says clearly to enable forwarder mode in the resolver (unbound).  And then you set the dns your going to forward to in the general setup area.

    And you setup unbound to only be able to use the vpn interface for dns lookups.

    The resolver (unbound) does not only cache, it also actually resolves.. Unless you tell it to just use forwarder mode which is what that guide says to do.

  • While it says to turn off dnssec.. If your forwarding this means nothing to be honest, so yeah when your forwarding you would normally turn off dnssec.

    Makes sense, thanks.

    The resolver (unbound) does not only cache, it also actually resolves.. Unless you tell it to just use forwarder mode which is what that guide says to do.

    Sorry, this is what I meant. In the guide at step 11 it has "Do not use the DNS Forwarder as a DNS server for the firewall". I'm just not understanding why not. Does this mean the resolver will run a query on a DNS I have not specified?

  • LAYER 8 Global Moderator

    That is just saying not to have pfsense point to itself.. Kind of stupid step that does nothing other than not allowing pfsense resolve its own entries..  That is not something I would do at all, unless you don't want pfsense to resolve any sort of overrides or static dhcp entries, etc..

    I would not do that checkbox.

    To be honest I can not think of a scenario at all that it would make sense to do such a setting…  Only time I would think that checkbox would make sense is if you were not going to run any dns at all on pfsense.

  • I don't want to confuse the issue, but it is possible to use the resolver and configure it to only use your VPN client interface(s) for sending queries.  Note, however, that if you do so, you will need to configure your OpenVPN client(s) to use the raw IPs of the servers that you're connecting to instead of their host names, because you won't have DNS until those client(s) are connected.

  • Interesting TheNarc…how do you figure you need the "..raw IPs..." because you won't have DNS? I understand the concept, however I am still getting a connection with my VPN

    My set up is:
    I use PIA, very similar setup, I use say "US-EAST.PRIVATEINTERNETACCESS.COM" in my "server host field"
    I have my "PIA Interface" set to be the only "Outgoing Network Interfaces". (Services->DNS Resolver->General Settings)
    "Don't Pull Routes" is checked (VPN->OpenVPN->Clients->Edit)
    I am using DNS resolver

    Have I configured this wrong? Is this a PIA specific issue? Is NordVPN "more secure"

    Just curious of your setup because some how my VPN is getting DNS access...

    I hope some of the above tips might help you out...
    Here is the PIA setup which is very similar:
    Here is a link regarding a "Kill switch":

  • That's interesting.  Although this does remind me of a known race condition targeted to be fixed in 2.4.4:  Specifically, on a fresh boot of pfSense, if unbound comes up before your VPN interface(s), it will default to use all interfaces for outgoing queries.  This could possibly explain why your configuration is still working, but would also mean your DNS queries are leaking.  You can always check which interface(s) unbound is truly using for outgoing queries by going to "Diagnostics > Edit File" and looking at the file /var/unbound/unbound.conf.  Scroll down to the comment "# Outgoing interfaces to be used" and just see which interface(s) are listed there.

    Because of the aforementioned known issue, as a matter of policy I always manually restart unbound after a fresh boot of pfSense (and after I know that my VPN client interfaces have come up).

  • In my case "# Outgoing interfaces to be used"  line is empty.
    What should be there?

    My Status->Interfaces shows DHCP down for OpenVPN client and Status->OpenVPN shows my ISP assigned IP address as OpenVPN local IP address. Is this what I should expect to see?
    I also followed NordVPN setting in the first post.

  • I'm fairly certain that when nothing appears underneath the "# Outgoing interfaces to be used" comment in /var/unbound/unbound.conf that it means it will use any (all) interfaces for outbound queries, which is its default.  If you have specified that it should only use your VPN client interface(s) for outgoing queries, than you may be running into the same issue (i.e. unbound comes up before your VPN client interface(s), and it reverts to its default to use all interfaces).  You can see whether this is the case my manually restarting unbound (from Status > Services) and then check /var/unbound/unbound.conf again, at which point you should see only the virtual adrress(es) of your VPN client(s) listed (e.g.

    With regard to your other questions, it's fine for DHCP to show as "down" for your VPN client interface(s).  In fact, you should be able to set the IPv4 Configuration Type of your VPN client interface(s) to "None".  And your screen from "Status > OpenVPN" is also fine.  Local address is, indeed, just your WAN IP.  Remote host is the IP of the VPN server to which that client interface is connected, and virtual address is the IP assigned to your client interface by the VPN server (which in my experience is always in a private, non-routable subnet like

    But basically, your configuration looks good except for the fact that you should only see your OpenVPN client interface(s) virtual address(es) listed as outgoing interfaces in /var/unbound/unbound.conf.  So double check that you only have them selected on unbound's configuration page (Services > DNS Resolver) and then restart unbound and check /var/unbound/unbound.conf again.

  • Thank you TheNarc.  :)
    I'll check it out later today after work.

  • After DNS Resolver restart:

    Outgoing interfaces to be used


    It looks like I'll have to wait for fix in the version 2.4.4

    Thank you for your help TheNarc.

  • No problem, glad to heard it worked!

Log in to reply