DNS check
-
I'm running pfSense 2.6.0 on a Protectli Vault FW4B and have the Cloudflare DNSes (1.1.1.1 + 1.0.0.1) in the DNS settings, but when I check which DNS is getting pinged via IPLeak.net, it's showing that my system is using my ISP's DNS? Am I missing something here? Do certain devices on my LAN (e.g. Windows PC) ignore the DNS settings in pfSense? Perhaps I don't understand IPLeak.net that well?
-
@stgeorge
You should explain your DNS settings on pfSense. By default pfSense has the DNS Resolver enabled and provides it to the internal devices.
The Resolver uses root servers to resolve host names. If you have enabled the forwarding mode in the DNS Resolver, requests are forwarded to the servers stated in System > General.
If "DNS Server Override" is checked there, the DNS entries you made can be overridden by the ISP. Also set "DNS Resolution Behavior" to your desired value.
-
Do certain devices on my LAN (e.g. Windows pc) ignore the DNS settings in pFsense?
Only you can tell ...
Perhaps I don't understand IPLeak.net that well?
DNS forwarding has nothing to do with what IPLeak.net can show you.
Btw: DNS forwarding isn't the default setting.
Resolving is.
-
@gertjan and @viragomann - Thanks for the comments- I think it's pretty clear that I need to learn more about DNS Resolver. I do not have 'DNS Server Override' checked, but I seem to recall not liking seeing the default 127.0.0.0 listed in my DNS prefs, so I somehow removed it. Don't laugh- I'm still learning! ;-) How can I reset the resolver so that it's working properly? Thanks.
-
Default:
which means you'll see this:
You can't and shouldn't remove this 127.0.0.1, as it is used for pfSense itself.
Services > DNS Resolver > General Settings, checked are:
Enable
Network Interfaces: All
Outgoing Network Interfaces: All
DNSSEC
Python Module
Static DHCP
Display Custom Options: Custom options: nothing
-
@gertjan Thank you for going through those options- I've run through them and had most of them, but added a couple- regardless though, I somehow did remove the 127.0.0.1 and can't seem to figure out how to reset it. After running through your suggested settings, and save/apply, it's not yet back.
-
Update-> I was able to resolve the DNS issues as stated above by selecting DNS Resolution Behavior = Use Local DNS (127.0.0.1), fallback to remote DNS servers (Default), and, thanks to @viragomann's comment about enabling the DNS query forwarding mode in the DNS Resolver settings, I am finally getting somewhere!
Now I have two DNS addresses for my VPN (PIA), and two DNS addresses for my WAN (Cloudflare's DNS servers), and the correct Gateway is selected for each. Now when I conduct a DNS leak test, it shows me pfSense is resolving to both Cloudflare and to the PIA DNS addresses...? Firstly, I'm just happy that my ISP's DNS is no longer being resolved. Secondly, I guess I'm wondering if DNSleaktest.com is showing both because different devices on my LAN are using different gateways to resolve DNS queries, or is it that my device which is being directed to use the VPN (PIA) gateway is actually resolving to all of the DNS addresses? I'm hoping it's the former and not the latter! Thanks.
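The resolving-versus-forwarding distinction from viragomann's reply, and the "which upstream is my Resolver really using" question that runs through the whole thread, can be checked on the firewall itself rather than via a leak-test site: pfSense's DNS Resolver is Unbound, and in forwarding mode it writes a forward-zone for "." listing the System > General servers (an override-pulled ISP server would appear there too). The script below is an added example, not code from the thread or from pfSense; it parses that section of an Unbound config and flags forwarders outside the intended set. The config texts are constructed samples, and 203.0.113.53 is a placeholder for an ISP resolver.

```python
import re

# Upstreams the poster intended (Cloudflare, from System > General).
INTENDED = {"1.1.1.1", "1.0.0.1"}

def parse_root_forwarders(config_text):
    """Return forward-addr entries of the forward-zone for "." in an Unbound
    config, with any @port or #authname suffix removed.  An empty list means
    there is no root forward-zone, i.e. Unbound resolves from the root servers."""
    forwarders = []
    section, zone, pending = None, None, []

    def flush():  # commit the zone we just finished if it was the root zone
        if section == "forward-zone" and zone == ".":
            forwarders.extend(pending)

    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = (part.strip() for part in line.partition(":"))
        if not sep:
            continue
        if value == "":                      # section header: server:, forward-zone:, ...
            flush()
            section, zone, pending = key, None, []
        elif section == "forward-zone":
            if key == "name":
                zone = value.strip('"')
            elif key == "forward-addr":      # e.g. 1.1.1.1@853#cloudflare-dns.com
                pending.append(re.split(r"[@#]", value, maxsplit=1)[0])
    flush()
    return forwarders

def audit(config_text, intended=INTENDED):
    """Summarise what the Resolver does with a client's query and which
    forwarders (if any) are not in the intended set."""
    fwd = parse_root_forwarders(config_text)
    return {"mode": "forwarding" if fwd else "resolving",
            "forwarders": fwd,
            "unexpected": [a for a in fwd if a not in intended]}

# Constructed samples in the layout pfSense generates.
RESOLVING_CONF = "server:\n    interface: 0.0.0.0\n    do-ip4: yes\n"
FORWARDING_CONF = RESOLVING_CONF + (
    'forward-zone:\n    name: "."\n'
    "    forward-addr: 1.1.1.1@853#cloudflare-dns.com\n"
    "    forward-addr: 1.0.0.1@853#cloudflare-dns.com\n")
OVERRIDE_CONF = FORWARDING_CONF + "    forward-addr: 203.0.113.53\n"  # ISP placeholder

if __name__ == "__main__":
    for label, conf in [("default", RESOLVING_CONF), ("forwarding", FORWARDING_CONF),
                        ("override", OVERRIDE_CONF)]:
        print(label, audit(conf))
```

On a live box the same function can be pointed at the contents of /var/unbound/unbound.conf, which is where pfSense writes the generated Unbound configuration.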