Need help for config DNS Resolver with VPN Client



  • Hi, all

    I need your help setting up the DNS Resolver with my VPN client. It's currently working partially: I get a VPN IP, but DNS is leaking. I knew something was not set up properly. One of the reasons I am using the DNS Resolver is pfBlockerNG's DNSBL functions. Here is my pfSense 2.4.3 setup:

    1. Interfaces: WAN, LAN, WLAN, OPT. Gateways: WAN_DHCP (default), PUREVPNWAN_VPNV4 (I am using PureVPN, UDP, tun, interface WAN, port 53).

    2. LAN's and WLAN's gateways are set to use the default gateway.

    3. OPT's gateway is set to use the PUREVPNWAN_VPNV4 gateway. I want all the devices behind OPT to use the VPN only.

    4. DNS Resolver: Network Interfaces and Outgoing Network Interfaces are set to All, Enable DNSSEC is ticked, and the remaining options are all unchecked.

    5. System > General: DNS Servers are set to OpenDNS, with no gateway assigned to them, and the option "Do not use the DNS Forwarder/DNS Resolver as a DNS server for the firewall" is checked.

    6. OPT firewall rule: Protocol: IPv4, source: *, port: *, destination: *, port: *, Gateway: PUREVPNWAN_VPNV4, Queue: none.
       Outbound NAT:
         PUREVPNWAN_VPNV4, 127.0.0.0/8, PUREVPN_WAN address
         PUREVPNWAN_VPNV4, 192.168.2.0/8, PUREVPN_WAN address

    7. My Windows 10 laptop's IPv4 network properties are set to "Obtain an IP address automatically" and "Obtain DNS server address automatically".

    What I want:

    1. All the devices behind OPT to use the VPN's DNS. This currently fails: DNS is leaking, and DNSLeakTest.com shows my ISP.

    2. Devices behind LAN and WLAN to use the default DNS, which is currently working fine.

    For help:

    How can I make the devices behind OPT use the VPN DNS? Sorry for my English, it's not my native language.

    Thanks

    William



  • There may be a better/easier way to do this, but here is the only way that I know how to do it:

    • In your DNS Resolver settings, select only your PureVPN interface in the "Outgoing Network Interfaces" list.  Be aware of the following caveats though.  In your VPN client configuration, in the "Server host or address" field, you'll want to put the IP of the server instead of its host name.  So if you have, for example, vpnserver1.purevpn.com in there now, you'll want to get the IP for it (Diagnostics > DNS Lookup) and use that instead.  Also, I have found that on a fresh start of pfSense, if the DNS resolver comes up before your VPN client connection, it will default to using all outgoing interfaces for queries even if you had specified just your VPN interface.  As a non-ideal workaround, I just manually restart the DNS resolver after a reboot of my pfSense machine, which is a rare enough occurrence that I can live with it.

    • I don't think you want the "Do not use the DNS Forwarder/DNS Resolver as a DNS server for the firewall" option in System > General checked, but it may not hurt anything either.

    • Make DHCP static mappings for any clients on your network whose DNS queries you do not want to go through the VPN.  In the static mapping, you can specify up to 4 DNS servers.  This is where you'll want to put the OpenDNS server IPs.

    Like I said, I don't know if this will be a viable option for you or not, because if you have a big network you probably don't want to have to manually make a lot of DHCP static mappings.  But this is what I do to achieve the separation that you're looking for, and it works fine with the caveat of needing to manually restart the DNS resolver after a reboot.

    And I wouldn't worry about your English, it's probably better than most native speakers'  ;)



  • @TheNarc:

    There may be a better/easier way to do this, but here is the only way that I know how to do it:

    • In your DNS Resolver settings, select only your PureVPN interface in the "Outgoing Network Interfaces" list.  Be aware of the following caveats though.  In your VPN client configuration, in the "Server host or address" field, you'll want to put the IP of the server instead of its host name.  So if you have, for example, vpnserver1.purevpn.com in there now, you'll want to get the IP for it (Diagnostics > DNS Lookup) and use that instead.  Also, I have found that on a fresh start of pfSense, if the DNS resolver comes up before your VPN client connection, it will default to using all outgoing interfaces for queries even if you had specified just your VPN interface.  As a non-ideal workaround, I just manually restart the DNS resolver after a reboot of my pfSense machine, which is a rare enough occurrence that I can live with it.

    • I don't think you want the "Do not use the DNS Forwarder/DNS Resolver as a DNS server for the firewall" option in System > General checked, but it may not hurt anything either.

    • Make DHCP static mappings for any clients on your network whose DNS queries you do not want to go through the VPN.  In the static mapping, you can specify up to 4 DNS servers.  This is where you'll want to put the OpenDNS server IPs.

    Like I said, I don't know if this will be a viable option for you or not, because if you have a big network you probably don't want to have to manually make a lot of DHCP static mappings.  But this is what I do to achieve the separation that you're looking for, and it works fine with the caveat of needing to manually restart the DNS resolver after a reboot.

    And I wouldn't worry about your English, it's probably better than most native speakers'  ;)

    Thank you, much appreciated. The only drawback of selecting only the PureVPN interface in the "Outgoing Network Interfaces" list is that once the VPN is down, VPN and/or non-VPN users can't get internet access, since there is no more DNS. Meanwhile, I'm very confused about what "Network Interfaces" and "Outgoing Network Interfaces" mean in the DNS Resolver.



    You're correct that if you set PureVPN as the only outgoing interface in the "Outgoing Network Interfaces" list, VPN users will lose DNS if the VPN goes down, but isn't that what you would want?  Non-VPN users would not lose DNS in this case, because if you assign them OpenDNS servers via DHCP static mappings, they won't be using the resolver at all, so they wouldn't be impacted by the VPN going down.

    With respect to "Network Interfaces" versus "Outgoing Network Interfaces," it's just specifying which interface(s) the resolver will listen on for DNS queries (the "Network Interfaces" list) and which interface(s) it will use to contact root servers in order to resolve those queries ("Outgoing Network Interfaces").  In most setups, you'll have only your LAN interface(s) and localhost selected as listening interfaces and only your WAN interface(s) selected as outgoing interfaces.  But of course, in your case with a VPN client connection in use, you can force all DNS resolution to go through the VPN by instead selecting only your VPN interface(s) as outgoing interfaces.
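    The thread describes two things a defender would want to verify on the box itself: the post-reboot fallback (resolver starts before the VPN and silently uses all outgoing interfaces) and the meaning of the two interface lists. The following shell check is an added example, not from the thread or from pfSense: it reads an unbound configuration and reports whether the VPN tunnel address is the sole outgoing address. It assumes pfSense renders the "Network Interfaces" list as unbound `interface:` lines and the "Outgoing Network Interfaces" list as `outgoing-interface:` lines, and keeps the live file at /var/unbound/unbound.conf; all addresses below are constructed samples.

```shell
#!/bin/sh
# Added example: detect the "resolver fell back to all outgoing interfaces"
# state from unbound's rendered config instead of waiting for a leak test.
# Assumption: pfSense writes the live config to /var/unbound/unbound.conf and
# maps "Network Interfaces" -> interface: and "Outgoing Network Interfaces"
# -> outgoing-interface: lines.

# Constructed sample: listens everywhere, and sends recursive queries from
# both the WAN address (203.0.113.5) and the VPN tunnel address (10.8.0.6).
LEAKY_CONF='server:
  interface: 0.0.0.0
  interface: ::0
  outgoing-interface: 203.0.113.5
  outgoing-interface: 10.8.0.6
'

# Constructed sample: the VPN tunnel address is the only outgoing address.
VPN_ONLY_CONF='server:
  interface: 192.168.2.1
  interface: 127.0.0.1
  outgoing-interface: 10.8.0.6
'

# outgoing_ifaces CONF_TEXT -> prints outgoing-interface addresses, one per line
outgoing_ifaces() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*outgoing-interface:[[:space:]]*//p'
}

# check_vpn_only CONF_TEXT VPN_IP -> exit 0 only when VPN_IP is present and is
# the sole outgoing address. No outgoing-interface lines at all means unbound
# uses every interface, which is the post-reboot fallback the thread describes.
check_vpn_only() {
  _conf=$1
  _vpn=$2
  _found=0
  _other=0
  for _addr in $(outgoing_ifaces "$_conf"); do
    if [ "$_addr" = "$_vpn" ]; then
      _found=1
    else
      echo "outgoing address $_addr is not the VPN tunnel address" >&2
      _other=1
    fi
  done
  [ "$_found" -eq 1 ] && [ "$_other" -eq 0 ]
}
```

    On a live box the same check runs as `check_vpn_only "$(cat /var/unbound/unbound.conf)" <tunnel address>`; a non-zero exit is the cue to restart the resolver, the manual workaround described earlier in the thread.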



  • @TheNarc:

    You're correct that if you set PureVPN as the only outgoing interface in the "Outgoing Network Interfaces" list, VPN users will lose DNS if the VPN goes down, but isn't that what you would want?  Non-VPN users would not lose DNS in this case, because if you assign them OpenDNS servers via DHCP static mappings, they won't be using the resolver at all, so they wouldn't be impacted by the VPN going down.

    With respect to "Network Interfaces" versus "Outgoing Network Interfaces," it's just specifying which interface(s) the resolver will listen on for DNS queries (the "Network Interfaces" list) and which interface(s) it will use to contact root servers in order to resolve those queries ("Outgoing Network Interfaces").  In most setups, you'll have only your LAN interface(s) and localhost selected as listening interfaces and only your WAN interface(s) selected as outgoing interfaces.  But of course, in your case with a VPN client connection in use, you can force all DNS resolution to go through the VPN by instead selecting only your VPN interface(s) as outgoing interfaces.

    The issue is that I'm using pfBlockerNG, which requires the DNS Resolver. Thanks for the clarification of "Network Interfaces" and "Outgoing Network Interfaces".



    That's a good point.  If you're using the DNSBL functionality of pfBlockerNG, and you want both VPN and non-VPN hosts to benefit from that, then both VPN and non-VPN hosts must use the resolver.  But I'm not aware, then, of any way to say "non-VPN hosts use the resolver via non-VPN interfaces and VPN hosts use the resolver via VPN interfaces."  Does PureVPN allow you to have multiple concurrent connections?  Because you could set up a few client connections and allow the resolver to use any of those client connections.  Then all of your VPN client connections would have to go down before you lose DNS, so it would be safer to take the approach of "whether a host uses VPN or not for normal traffic, just make all hosts do DNS via the VPN."  This wouldn't suffice for mission-critical systems requiring uptime arbitrarily close to 100%, but for a home network I expect it would be fine.



  • @TheNarc:

    That's a good point.  If you're using the DNSBL functionality of pfBlockerNG, and you want both VPN and non-VPN hosts to benefit from that, then both VPN and non-VPN hosts must use the resolver.  But I'm not aware, then, of any way to say "non-VPN hosts use the resolver via non-VPN interfaces and VPN hosts use the resolver via VPN interfaces."  Does PureVPN allow you to have multiple concurrent connections?  Because you could set up a few client connections and allow the resolver to use any of those client connections.  Then all of your VPN client connections would have to go down before you lose DNS, so it would be safer to take the approach of "whether a host uses VPN or not for normal traffic, just make all hosts do DNS via the VPN."  This wouldn't suffice for mission-critical systems requiring uptime arbitrarily close to 100%, but for a home network I expect it would be fine.

    Yes, PureVPN does allow multiple concurrent connections.