DNS leak on WAN but not on OpenVPN gateway
-
Hi, I have pfSense configuration with two gateways:
- WAN (used by one computer on the LAN via firewall rule)
- OpenVPN over WAN to a private VPN provider (used by all other via firewall rule)
Everything works perfectly except for a DNS leak on the WAN interface: the DNS server of the VPN provider is detected, and I would like to avoid this.
WAN and OpenVPN both have their own DNS servers assigned (in General Setup), DNS forwarding is enabled, and the DNS Resolver is set to send queries only to the OpenVPN interface in order to prevent DNS leaks on the OpenVPN interface. I do not use the DNS Forwarder.
How can I prevent the leak on the WAN? If I allow sending queries to all interfaces in the DNS Resolver, then I get a leak on the OpenVPN. How can I force the resolver to send queries for WAN only to the WAN DNS servers and for the OpenVPN client only to the OpenVPN DNS servers?
-
@artgen That is not possible with pfSense. The only thing you can do is to not use the resolver for one or the other, by defining another DNS-Server to use for those hosts in the first place.
-
@bob-dig thx for your answer. It's a shame actually; there are already DNS server-gateway assignments in General Setup, just the code of the DNS Resolver would need to use them exclusively, not inclusively, in my case. It seems not much effort to implement, possibly with an additional check box in the DNS Resolver setup.
What would be the easiest workaround for me, without having to create another DNS server on my LAN? Would it be possible to create a separate VLAN for the computer which needs to access the web directly and assign a different DNS Resolver configuration to it (but I don't see how in pfSense)? What about using the DNS Forwarder in this case and assigning it in the VLAN-specific DHCP server config?
-
BTW: what about using unbound (so no DNS forwarding, if I understand it correctly) and creating views in the console, like in a (bit different) case here: https://lexxai.blogspot.com/2017/11/pfsense-dns-views.html
Could I use this to separate DNS queries per interface/gateway?
-
I solved the problem using both the DNS Resolver and the DNS Forwarder.
- I created a new VLAN for the computer which needs direct access (on the pfSense and on my managed switch)
- I assigned its own DHCP server to the VLAN (I could use the DNS Server entries in its config to set my ISP's servers, but I wanted more :) )
- I enabled the DNS Forwarder just for this VLAN (and the DNS Resolver's network interfaces are now limited only to the LAN)
But I do hope that the DNS Resolver will support exclusive usage of DNS servers for multiple gateways in future versions. Come on, we live in the age of VPNs in all directions!
-
- I also had to change General Setup:
- DNS Resolution Behavior: Use remote DNS servers, ignore local DNS
- I cleared all entered DNS server-gateway assignments and re-enabled "Allow DNS server list to be overridden by DHCP/PPP on WAN"
- I limited the DNS Resolver only to LAN and my OpenVPN gateway and disabled DNS forwarding
According to DNS leak tests there's no leakage, neither on WAN nor on VPN.