Netgate Discussion Forum

    DNS leak on WAN but not on OpenVPN gateway

    DHCP and DNS
    artgen

      Hi, I have pfSense configuration with two gateways:

      • WAN (used by one computer on the LAN via firewall rule)
      • OpenVPN over WAN to a private VPN provider (used by all other via firewall rule)

      Everything works perfectly except for a DNS leak on the WAN interface: the DNS server of the VPN provider is detected there and I would like to avoid this.

      WAN and OpenVPN both have their own DNS servers assigned (in General Setup), DNS forwarding is enabled, and DNS Resolver is set to send queries only to the OpenVPN interface in order to prevent DNS leaks on the OpenVPN interface. I do not use DNS Forwarder.

      How can I prevent the leak on the WAN? If I allow sending queries to all interfaces in the DNS Resolver, then I get a leak on the OpenVPN. How can I force the resolver to send queries for WAN only to the WAN DNS servers and for the OpenVPN client only to the OpenVPN DNS servers?

      Bob.Dig @artgen

        @artgen That is not possible with pfSense. The only thing you can do is to not use the resolver for one or the other, by defining another DNS server to use for those hosts in the first place.

        artgen @Bob.Dig

          @bob-dig thanks for your answer. It's a shame actually; there are already DNS server-gateway assignments in General Setup, the code of DNS Resolver would just need to use them exclusively, not inclusively, in my case. It seems like not much effort to implement, possibly with an additional check box in the DNS Resolver setup.

          What would be the easiest workaround for me, without having to create another DNS server on my LAN? Would it be possible to create a separate VLAN for the computer which needs to access the web directly and assign a different DNS Resolver configuration to it (but I don't see how in pfSense)? What about using DNS Forwarder in this case and assigning it in the VLAN-specific DHCP server config?

          artgen @artgen

            BTW: what about using unbound (so no DNS forwarding, if I understand it correctly) and creating views in the console like in a (bit different) case here: https://lexxai.blogspot.com/2017/11/pfsense-dns-views.html
            Could I use this to separate DNS queries per interface/gateway?

            artgen

              I solved the problem using both DNS Resolver and DNS Forwarder.

              • I created a new VLAN for the computer which needs direct access (on the pfSense and on my managed switch)
              • I assigned an own DHCP Server to the VLAN (I could use DNS Server entries in its config to set my ISP's servers but I wanted more :)
              • I enabled DNS Forwarder just for this VLAN (and DNS Resolver's network interfaces are now limited only to the LAN)

              But I do hope that DNS Resolver will support exclusive usage of DNS servers for multiple gateways in future versions. Come on, we live in the age of VPNs in all directions!

              artgen

                • I also had to change General setup:
                  • DNS Resolution Behavior: Use remote DNS servers, ignore local DNS
                  • I cleared all entered DNS server-gateway assignments and re-enabled "Allow DNS server list to be overridden by DHCP/PPP on WAN"
                • I limited DNS Resolver only to LAN and my OpenVPN gateway and disabled DNS forwarding

                According to DNS leak tests there's no leakage, neither on WAN nor on VPN.
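                The final setup described in the last two posts, written out as the daemon options behind those GUI choices. This is an added illustration, not the thread author's configuration and not files generated by pfSense: pfSense's DNS Resolver is unbound and its DNS Forwarder is dnsmasq, and the options below are standard ones for those two daemons. All addresses are constructed placeholders (192.168.1.1 for the LAN, 192.168.20.1 for the new VLAN, 10.8.0.2 for the OpenVPN client address, 203.0.113.53 and 203.0.113.54 for the ISP resolvers learned via DHCP on WAN), as is the assumption that each subnet is a /24.

```conf
# --- unbound (DNS Resolver), serves the LAN and the VPN side only ---
server:
    # "Network Interfaces" limited to LAN and the OpenVPN client:
    # unbound does not listen on the VLAN at all.
    interface: 192.168.1.1
    interface: 10.8.0.2

    # "Outgoing Network Interfaces" = OpenVPN only. Without this line,
    # unbound picks the source by the routing table, so recursive queries
    # leave via the default route (WAN) and show up in a leak test.
    outgoing-interface: 10.8.0.2

    # Only LAN and VPN clients may query; the VLAN is refused even if a
    # packet reached this daemon by some other path.
    access-control: 192.168.1.0/24 allow
    access-control: 10.8.0.0/24 allow
    access-control: 192.168.20.0/24 refuse

    # DNS forwarding disabled: no forward-zone block, so unbound resolves
    # recursively itself, and every upstream packet uses the VPN address.

# --- dnsmasq (DNS Forwarder), serves the direct-access VLAN only ---
# bind only to the VLAN address so it does not collide with unbound on :53
listen-address=192.168.20.1
bind-interfaces

# ignore /etc/resolv.conf and name the ISP resolvers explicitly; these are
# reached over the default (WAN) route, which is what that VLAN wants
no-resolv
server=203.0.113.53
server=203.0.113.54
```

                Each daemon listens on exactly one side, so a client's VLAN membership decides which upstream path its queries take; a host on the VLAN cannot reach unbound (no listener, and refused by access-control), and a LAN host cannot reach dnsmasq, which is the split the DNS leak test in the post confirms.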

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.