Netgate Discussion Forum
    Send DNS queries through a VPN tunnel

    stephenw10 (Netgate Administrator) wrote:

      If you want all DNS traffic to go over the VPN there are two options (there are probably more):

      1. Clients use Unbound for DNS and Unbound sends all of its queries over the VPN.

      2. Clients use some external DNS server and you policy route that over the VPN along with all the other client traffic.

      To achieve option 1 you either set Unbound to use the VPN address for its queries, but that seems to be breaking the connection for you for as yet unknown reasons, or set the VPN gateway to be the default gateway.

      I would suggest finding out exactly why the tunnel fails to come back up if Unbound is set to use it exclusively.

      Steve

      stephenw10 (Netgate Administrator) wrote:

        A completely separate option here if you're only trying to hide DNS queries from your ISP is just to set Unbound to use DNS over TLS.

        Steve

        techtester-m (replying to stephenw10) wrote:

          @stephenw10 said in Send DNS queries through a VPN tunnel:

          I would suggest finding out exactly why the tunnel fails to come back up if Unbound is set to use it exclusively

          I think that wasn't the problem. The problem was that the default gateway was set (by default) to be "automatic" and this problem probably occurred when the VPN gateway was chosen by pfSense to be the default gateway.

          Regardless, if I choose option 1 and I have a Pass rule for DNS (because of "Block RFC1918") then all the DNS requests made to the local interface address will be sent through the default gateway, which is the WAN, when the VPN is down. In that case I think I'll just use DoT.

          @stephenw10 said in Send DNS queries through a VPN tunnel:

          Clients use some external DNS server and you policy route that

          That's not dynamic and would require human intervention and clients setting up stuff...I want a solution of "One ring to rule them all, One ring to find them, One ring to bring them all and in the darkness bind them" LOL

          @stephenw10 said in Send DNS queries through a VPN tunnel:

          set Unbound to use DNSoverTLS

          If I want the interface address to be the DNS address for clients, encrypt all of it AND also have the WAN as the default gateway to avoid the problems we discussed about then...My only option is probably DoT, right?

          Please clarify it for me if you may. I want to be a 100% sure I understand it correctly:

          1. Any DNS request sent to the interface address and caught by a firewall rule and forced through the VPN gateway would fail to resolve because the VPN server would see a DNS request with a destination of "192.168.x.x" and won't be able to resolve it. This happens because the firewall rule caught it before the DNS Resolver? Edit: If I totally misunderstood how it works then I should be able to policy route whatever I want, even DNS requests made to the local interface address, right?

          2. DoT is between a DNS server and the end user and unless the DNS server belongs to the VPN provider, it has nothing to do with them and therefore won't even matter if they themselves support DoT etc., right?

          3. If instead of Localhost, the VPN will be used as the Outgoing Network Interface in the DNS Resolver, would it affect the inner proper functionality of the pfSense box in case the VPN is down, or pfSense would still be able to resolve DNS/NTP for its own needs without needing the DNS resolver?

          EDIT: Making long story short, I want to be able to properly achieve both sending all DNS queries through one interface/gateway AND policy routing the DNS queries of certain interfaces if desired over the former.

          Thank you,

          Decepticon (replying to techtester-m) wrote:

            @techtester-m

            Sorry you had to wait five years for the answer, but here it is.

            Yes, you can do this. But, how you accomplish it depends upon how your devices are configured to get their DNS.

            If you set up pfSense to route all traffic from a particular device on a particular IP over the VPN, and that device attempts to get its DNS from a public DNS resolver, then the DNS requests, like all traffic from that particular device, will already go out over the VPN.

            So, for example, if you configure pfSense to send all traffic from 192.168.1.15 to a VPN, and 192.168.1.15 is configured to get DNS from 8.8.8.8, then when 192.168.1.15 attempts to query 8.8.8.8 for DNS, that traffic (like all traffic from 192.168.1.15) will go out on the VPN.

            But, if you configured 192.168.1.15 via DHCP and you told it to get DNS from YOUR ROUTER (192.168.1.1), and your router responds to DNS queries, then that traffic will NOT go out on the VPN. It will go to your pfSense router, which will then obtain its DNS information however it normally gets it. If you configure your router to get secure DNS, the request will be encrypted, but it won't go out the VPN. If you get it from unencrypted DNS servers on port 53, the traffic won't be encrypted.

            There is a way to accomplish this, however, and that is by using a Port Forwarding rule. You would set up a rule that automatically forwards any requests to port 53 from 192.168.1.15 to use a specific DNS server on the internet (such as 8.8.8.8). That would prevent 192.168.1.15 from using the router for DNS, and would instead send the query out on the internet. Here's how:

            Firewall -> NAT -> Port Forward
            Interface: LAN
            Protocol: TCP/UDP
            Source: Address or Alias: 192.168.1.15
            Destination Port Range: DNS / DNS
            Redirect Target IP: 8.8.8.8
            Redirect Target Port: DNS
            Filter Rule Association: Add associated filter rule
            Description: Force DNS to VPN
            Firewall -> Rules -> LAN

            Edit the rule "NAT Force DNS to VPN"
            Show Advanced
            Gateway: (Select your VPN Gateway Here)

            The "add associated filter rule" and editing that rule to refer to the gateway won't be necessary if you already have a LAN rule redirecting all internet traffic from 192.168.1.15 to the VPN, but there could be circumstances where you'd need it (such as if you configured it so that only TCP traffic from 192.168.1.15 went to the VPN).

            Also, you can replace 192.168.1.15 and 8.8.8.8 with Aliases to make it easier to set up rules affecting multiple clients if you like.

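The two failure modes discussed in this thread (a query to the LAN address terminates in Unbound, so no policy route ever sees it; a port-53 redirect without a matching gateway rule for both TCP and UDP falls back to the WAN default route) can be checked mechanically against a pfSense config.xml. The script below is an added example, not code from pfSense or from any poster in the thread. It assumes the config.xml element names shown in its constructed sample (<nat>/<rule> with <target> and <associated-rule-id>, <filter>/<rule> with <gateway>, <unbound> with <outgoing_interface> and <forward_tls_upstream>); those names are an assumption that may not hold for every pfSense version, and rule ordering and aliases are deliberately ignored.

```python
"""Audit a pfSense config.xml for where a LAN client's port-53 traffic ends up.

Added example for this thread, not code from pfSense or any poster. Element
names (<nat>/<rule>, <filter>/<rule>, <target>, <gateway>, <unbound>/
<outgoing_interface>, <forward_tls_upstream>) follow pfSense's config.xml as I
know it and are an assumption. Rule order and aliases are ignored: this is a
sanity check, not a pf rule-set simulator.
"""
import ipaddress
import xml.etree.ElementTree as ET

DNS_PORT = "53"
DNS_PROTOS = {"tcp", "udp"}  # both are needed: UDP for queries, TCP for truncated answers

# Constructed sample modelled on the recipe above: .15 is done right, .20 has the
# redirect but only a TCP policy route, .30 has no redirect and lands in Unbound.
SAMPLE_CONFIG = """<pfsense>
 <unbound><outgoing_interface>all</outgoing_interface></unbound>
 <nat>
  <rule><interface>lan</interface><protocol>tcp/udp</protocol>
   <source><address>192.168.1.15</address></source>
   <destination><any/><port>53</port></destination>
   <target>8.8.8.8</target><local-port>53</local-port>
   <associated-rule-id>nat_dns_15</associated-rule-id></rule>
  <rule><interface>lan</interface><protocol>tcp/udp</protocol>
   <source><address>192.168.1.20</address></source>
   <destination><any/><port>53</port></destination>
   <target>8.8.8.8</target><local-port>53</local-port></rule>
 </nat>
 <filter>
  <rule><type>pass</type><interface>lan</interface><protocol>tcp/udp</protocol>
   <source><address>192.168.1.15</address></source>
   <destination><address>8.8.8.8</address><port>53</port></destination>
   <gateway>VPN_GW</gateway><associated-rule-id>nat_dns_15</associated-rule-id></rule>
  <rule><type>pass</type><interface>lan</interface><protocol>tcp</protocol>
   <source><address>192.168.1.20</address></source><destination><any/></destination>
   <gateway>VPN_GW</gateway></rule>
 </filter>
</pfsense>"""


def _text(node, path):
    """Stripped text of a child element, or '' when the node or child is missing."""
    child = node.find(path) if node is not None else None
    return (child.text or "").strip() if child is not None else ""


def _addr_matches(parent, ip):
    """True if a <source>/<destination> element is 'any' or a network containing ip."""
    if parent is None or parent.find("any") is not None:
        return True
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(_text(parent, "address"), strict=False)
    except ValueError:
        return False  # alias names cannot be resolved offline; treat as no match


def _protos(rule):
    proto = _text(rule, "protocol") or "any"
    return set(DNS_PROTOS) if proto in ("any", "tcp/udp") else {proto}


def _resolver_egress(root):
    """How Unbound itself sends queries out: which interface, and DoT or not."""
    ub = root.find("unbound")
    if ub is None:
        return "resolver disabled"
    dot = ub.find("forwarding") is not None and ub.find("forward_tls_upstream") is not None
    return "Unbound egress=%s, DoT=%s" % (_text(ub, "outgoing_interface") or "all", "on" if dot else "off")


def audit_client_dns(config_xml, client_ip):
    """Return a dict with a 'verdict' string plus the evidence behind it."""
    root = ET.fromstring(config_xml)
    res = {"client": client_ip, "redirected": False, "target": None, "routed_protos": set(), "gateway": None}

    # Step 1: is port 53 redirected away from the firewall's own listener? If not,
    # Unbound answers on the LAN address and policy routing never sees the query.
    for nat in root.iterfind("nat/rule"):
        if _addr_matches(nat.find("source"), client_ip) and _text(nat, "destination/port") == DNS_PORT:
            res["redirected"], res["target"] = True, _text(nat, "target")
            break
    if not res["redirected"]:
        res["verdict"] = "local: answered by %s" % _resolver_egress(root)
        return res

    # Step 2: does a pass rule with a gateway policy-route the redirected query for both protocols?
    for rule in root.iterfind("filter/rule"):
        if _text(rule, "type") != "pass" or not _text(rule, "gateway"):
            continue
        dst = rule.find("destination")
        if (_addr_matches(rule.find("source"), client_ip) and _addr_matches(dst, res["target"])
                and _text(dst, "port") in ("", DNS_PORT)):
            res["routed_protos"] |= _protos(rule)
            res["gateway"] = _text(rule, "gateway")

    missing = DNS_PROTOS - res["routed_protos"]
    if missing:
        res["verdict"] = "leak: %s to %s follows the default gateway" % ("/".join(sorted(missing)), res["target"])
    else:
        res["verdict"] = "ok: DNS to %s policy-routed via %s" % (res["target"], res["gateway"])
    return res


if __name__ == "__main__":
    for ip in ("192.168.1.15", "192.168.1.20", "192.168.1.30"):
        print(ip, audit_client_dns(SAMPLE_CONFIG, ip)["verdict"])
```

Run it against a real config.xml by replacing SAMPLE_CONFIG with the file contents; a "local:" verdict with "DoT=off" and egress "all" is the plaintext-to-ISP case Steve's DNS over TLS suggestion addresses, and a "leak: udp ..." verdict is the TCP-only gotcha from the last paragraph of the post above.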
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.