The DNS Dilemma - To leak or not to leak
You are probably here wondering about the title. Why would anybody ever consider leaking DNS an option when connected over a VPN? Let me explain, and maybe you can help me not need this option.
On my firewall (pfSense 2.5.1), I have 2 interfaces that tunnel their connection via an OpenVPN client. The other interfaces (and the majority of the traffic) do not go through the VPN.
Under System -> General Setup, I have my DNS servers set to Quad9. I also have settings enabled under Services -> DNS Resolver that Quad9 can utilize, like DNSSEC and DNS over TLS (port 853). This has all been working beautifully.
Once I set up my OpenVPN clients with PIA, I noticed that my DNS requests were naturally leaking to Quad9. To plug the leak, I specified PIA's public DNS servers under Services -> DHCP Server -> Servers -> DNS Servers. This plugged the leak and worked well for that purpose.
Over time I noticed a problem, though. I noticed that my clients connecting over the VPN were never showing up in my pfBlockerNG logs. I did a test and was able to access analytics.yahoo.com when connected over the OpenVPN client, but on a client not tunneled through the VPN, the site was blocked and the pfBlocker block page was shown.
I removed PIA's DNS servers from my DHCP settings (purposefully leaking and using Quad9) and pfBlocker now works.
Back under System -> General Setup, there is a way to specify DNS servers per gateway. So I assigned Quad9 to the WAN gateway, and PIA Public DNS to the VPN gateway. During DNS leak testing, the VPN still appears to be using Quad9, and I'm seeing errors in the DNS logs related to port 853 (since PIA's public DNS doesn't support DoT or DoH). So maybe there is a setting I'm missing here, but it does not appear I can configure one DNS group to use DoT/DoH (Quad9), and an alternate group that doesn't (PIA). It's either on or off for all servers.
At this point, I have to choose between:
- Plugging the DNS leak by using PIA's public DNS for the VPN traffic, and giving up pfBlocker features on this traffic.
- Leaking DNS to Quad9 for VPN clients, but still being able to take advantage of pfBlocker features for VPN traffic, and gaining things like DNSSEC, DoT, etc. from Quad9.
Which option would you choose? Ideally, I'd want to use PIA DNS for VPN traffic, and Quad9 for non-VPN traffic, and be able to utilize pfBlocker for all. If that is possible, let me know. Thanks.