Send DNS queries through a VPN tunnel
-
If you want all DNS traffic to over the VPN there are two options (there are probably more):
-
Clients use Unbound for DNS and Unbound sends all of it queries over the VPN.
-
Clients use some external DNS server and you policy route that over the VPN along with all the other client traffic.
To achieve option 1 you either set Unbound to use the VPN address for it's queries, but that seems to be breaking the connection for you for as yet unknown reasons, or set the VPN gateway to be the default gateway.
I would suggest finding out exactly why the tunnel fails to come back up if Unbound is set to use it exclusively.
Steve
-
-
A completely separate option here if you're only trying to hide DNS queries from your ISP is just to set Unbound to use DNSoverTLS.
Steve
-
@stephenw10 said in Send DNS queries through a VPN tunnel:
I would suggest finding out exactly why the tunnel fails to come back up if Unbound is set to use it exclusively
I think that wasn't the problem. The problem was that the default gateway was set (by default) to be "automatic" and this problem probably occurred when the VPN gateway was chosen by pfSense to be the default gateway.
Regardless, If I choose option 1 and I have a Pass rule for DNS (because of "Block RFC1918") then all the DNS requests made to the local interface address will be sent through the default gateway which is the WAN, when the VPN is down. In that case I think I'll just use DoT.
@stephenw10 said in Send DNS queries through a VPN tunnel:
Clients use some external DNS server and you policy route that
That's not dynamic and would require human intervention and clients setting up stuff...I want a solution of "One ring to rule them all, One ring to find them, One ring to bring them all and in the darkness bind them" LOL
@stephenw10 said in Send DNS queries through a VPN tunnel:
set Unbound to use DNSoverTLS
If I want the interface address to be the DNS address for clients, encrypt all of it AND also have the WAN as the default gateway to avoid the problems we discussed about then...My only option is probably DoT, right?
Please clarify it for me if you may. I want to be a 100% sure I understand it correctly:
-
Any DNS request sent to the interface address and catched by a firewall rule and forced through the VPN gateway would fail to resolve because the VPN server would see a DNS request with a destination of "192.168.x.x" and won't be able to resolve it. This happens because the firewall rule catched it before the DNS Resolver? Edit: If I totally misunderstood how it works then I should be able to policy route whatever I want, even DNS requests made to the local interface address, right?
-
DoT is between a DNS server and the end user and unless the DNS server belongs to the VPN provider, it has nothing to do with them and therefore won't even matter if they themselves support DoT etc., right?
-
If instead of Localhost, the VPN will be used as the Outgoing Network Interface in the DNS Resolver, would it affect the inner proper functionality of the pfSense box in case the VPN is down, or pfSense would still be able to resolve DNS/NTP for its own needs without needing the DNS resolver?
EDIT: Making long story short, I want to be able to properly achieve both sending all DNS queries through one interface/gateway AND policy routing the DNS queries of certain interfaces if desired over the former.
Thank you,
-
-
Sorry you had to wait five years for the answer, but here it is.
Yes, you can do this. But, how you accomplish it depends upon how your devices are configured to get their DNS.
If you set-up PfSense to route all traffic from a particular device on a particular IP over the VPN, and that device attempts to get its DNS from a public DNS resolver, then the DNS requests, like all traffic from that particular device, will already go out over the VPN.
So, for example, if you configure Pfsense to send all traffic from 192.168.1.15 to a VPN, and 192.168.1.15 is configured to get DNS from 8.8.8.8, then when 192.168.1.15 attempts to query 8.8.8.8 for DNS, that traffic (like all traffic from 192.168.1.15) will go out on the VPN.
But, if you configured 192.168.1.15 via DHCP and you told it to get DNS from YOUR ROUTER (192.168.1.1), and your router responds to DNS queries, then that traffic will NOT go out on the VPN. It will go to your Pfsense router, which will then obtain its DNS information however it normally gets it. If you configure your router to get secure DNS, the request will be encrypted, but it won't go out the VPN. If you get it from unencrypted DNS servers on port 53, the traffic won't be encrypted.
There is a way to accomplish this, however, and that is by using a Port Forwarding rule. You would set-up a rule that automatically forwards any requests to port 53 from 192.168.1.15 to use a specific DNS server on the internet (such as 8.8.8.8). That would prevent 192.168.1.15 from using the router for DNS, but would instead send the query out on the internet. Here's how:
Firewall -> NAT -> Port Forward
Interface: LAN
Protocol: TCP/UDP
Source: Address or Alias: 192.168.1.15
Destination Port Range: DNS / DNS
Redirect Target IP: 8.8.8.8
Redirect Target Port: DNS
Filter Rule Association: Add associated filter rule
Description: Force DNS to VPN
Firewall -> Rules -> LANEdit the rule "NAT Force DNS to VPN"
Show Advanced
Gateway: (Select your VPN Gateway Here)The "add associated filter rule" and editing that rule to refer to the gateway won't be necessary if you already have a LAN rule redirecting all internet traffic from 192.168.1.15 to the VPN, but there could be circumstances where you'd need it (such as if you configured it so that only TCP traffic from 192.168.1.15 to the VPN).
Also, you can replace 192.168.1.15 and 8.8.8.8 with Aliases to make it easier to set-up rules affecting multiple clients if you like.
