Policy routing DNS requests
-
Hi,
What's the way to route certain interfaces' DNS requests through VPN?
Would it simply be to add a firewall rule for UDP/TCP,53 with the VPN gateway (and maybe adding NO_WAN_EGRESS)?
Thank you,
-
I'd add 853 into the mix for DoT but yes, that's probably what one would do to policy route that through the VPN tunnel.
-
@JeGr Ok...But wouldn't it already be included in the rule in screenshot below?
Also, what 853 would be DNS over TLS, right? In that case it won't work with the VPN but I don't mind adding it :)
-
@techtester-m said in Policy routing DNS requests:
@JeGr Ok...But wouldn't it already be included in the rule in screenshot below?
Aye it would.
@techtester-m said in Policy routing DNS requests:
Also, what 853 would be DNS over TLS, right? In that case it won't work with the VPN but I don't mind adding it :)
What does it have to do with VPN? It's a DNS mode. If your client uses "normal" DNS, DoT or DoH - it's all possible. If you want to explicitly route DNS, you'd have to send tcp/udp 53, 853 and 443 (DoH) out via your VPN. That's all I was telling you ;) Has nothing to do with your VPN provider or anyone offering DoT, DoH or anything. But if you don't route it right, it might go to pfSense itself (DNS forwarder/resolver) and/or be sent out the wrong interface.
If you have a specific Interface/VLAN that all traffic from goes out via VPN anyway, then DNS shouldn't be a special case. Just be sure you don't have some DNS IP set up as Gateway check host or mapped to a specific interface in System/General or otherwise a host route for that IP through your physical interface gets created. You can check that in the routing table to be sure.
-
@JeGr said in Policy routing DNS requests:
Aye it would.
- So, in case that's the only pass rule I have for LAN, I can be 100% DNS traffic will be included there?
- In case a certain VLAN also has the "Reject RFC1918" rule, I would need to add (on top) pass rules for tcp/udp 53, 853 and policy route them through the VPN (if I want), correct?
@JeGr said in Policy routing DNS requests:
What does it have to do with VPN?
- I've asked NordVPN what if I configure the DNS resolver to send DNS queries over TLS like mentioned in the pfSense docs...they said in wouldn't work. Perhaps their employee misunderstood me or maybe they don't want you to encrypt your DNS? lol
@JeGr said in Policy routing DNS requests:
Just be sure you don't have some DNS IP set up as Gateway check host or mapped to a specific interface in System/General
- According to the screenshot above, am I ok with what you've said?
- I don't remember why exactly I checked the "Disable DNS Forwarder" box. I think it was in order to be sure internal DNS servers/settings of the pfSense won't be used...what do you think?
@JeGr said in Policy routing DNS requests:
check that in the routing table to be sure
Sorry, but how do I do that? I can google but still... haha
-
@techtester-m said in Policy routing DNS requests:
So, in case that's the only pass rule I have for LAN, I can be 100% DNS traffic will be included there?
I don't see why it wouldn't.
In case a certain VLAN also has the "Reject RFC1918" rule, I would need to add (on top) pass rules for tcp/udp 53, 853 and policy route them through the VPN (if I want), correct?
Depends. Do you want DNS to be resolved locally? Otherwise the "Reject RFC1918" wouldn't hit DNS calls to say 1.1.1.1 or 8.8.8.8. So your ruleset with 1) reject rfc1918 and 2) pass any but use GW VPN should still be enough.
I've asked NordVPN what if I configure the DNS resolver to send DNS queries over TLS like mentioned in the pfSense docs...they said in wouldn't work. Perhaps their employee misunderstood me or maybe they don't want you to encrypt your DNS? lol
Again, DNS has nothing to do inherently with your VPN! If you want to use some DNS that NordVPN provides, THAT would be another case but you didn't say so. So using DoT or not is completely your call UNLESS you use special NordVPN DNS servers and they don't support DoT, then, yeah, of course it won't work.
According to the screenshot above, am I ok with what you've said?
Have a look at Diagnostics / Routes and look in your routing table. Do 1.1.1.1 or 1.0.0.1 happen to be there?
I don't remember why exactly I checked the "Disable DNS Forwarder" box. I think it was in order to be sure internal DNS servers/settings of the pfSense won't be used...what do you think?
That's only used for pfSense internal services or e.g. package updates. Someone has to do DNS for the OS itself, so with disabling Forwarder you force pfSense to use the 2 DNS servers supplied in general settings. That's it. Other than that, it has no impact for your clients.
Sorry, but how do I do that? I can google but still... haha
See above: Look in Diagnostics / Routes.
-
@JeGr Ahhh man...your explanations are pure GOLD! Plain and simple!
@JeGr said in Policy routing DNS requests:
Otherwise the "Reject RFC1918" wouldn't hit DNS calls to say 1.1.1.1 or 8.8.8.8.
Yeah, of course! Silly me... lol
@JeGr said in Policy routing DNS requests:
UNLESS you use special NordVPN DNS servers and they don't support DoT
Got it! Apparently NordVPN misunderstood me or something...assumed I'm using their DNS servers.
@JeGr said in Policy routing DNS requests:
Do you want DNS to be resolved locally?
Edit: Not sure what you meant here but All users will be using their own gateway/interface address as DNS.
@JeGr said in Policy routing DNS requests:
Have a look at Diagnostics / Routes and look in your routing table. Do 1.1.1.1 or 1.0.0.1 happen to be there?
The pfSense I'm working on right now, is not connected to anything yet (except a "lab PC") so no WAN or Internet access. It's currently offline and I don't see any 1.1.1.1 or 1.0.0.1 in the IPv4 routing table. Since it's offline I don't know if that's relevant...you tell me.
@JeGr said in Policy routing DNS requests:
That's only used for pfSense internal services or e.g. package updates
Ok...so, what would you say is the "best practice" so to speak? @JeGr
