How best to set DNS servers/unbound/VPN
-
I have unbound active (pfSense+ 23.09.1).
I am running a full time pfSense Wireguard VPN (through Windscribe if that matters). I have a gateway group configured so that if the VPN goes down, pfSense will automatically fail over to the regular WAN. Yes, occasionally the VPN does go down while the WAN remains usable.
I am unclear as to how best to set the DNS providers on the pfSense General Setup page.
-
The VPN wants (recommends?) a specific DNS provider at 10.255.255.2. I can add that on the General Setup page. If that's the only entry on the General Setup page, then if the VPN goes down I have no DNS (and effectively no internet) since 10.255.255.2 is not a routable IP and is only available through the VPN tunnel.
-
If I add a second DNS to the General Setup page (e.g., 9.9.9.9) then I still have DNS if the VPN goes down and I can use the internet. However, since pfSense is free to choose at any time which of the servers specified on the General Setup page to use, sometimes it chooses 9.9.9.9 and that causes a DNS leak.
What I would like is to configure pfSense so that the sole DNS is 10.255.255.2 if the VPN is active, and use 9.9.9.9 as the sole DNS if the VPN is not active. I am hoping there is some unbound magic that can be added to the unbound additional configuration box to accomplish this. I can't find anything in the Wireguard configuration to force use of a particular DNS with the tunnel active.
-
-
@hspindel
So your DNS resolver is running in forwarding mode already? Otherwise it won't use the DNS servers stated in the general settings.
And did you already assign an interface to the Wireguard instance? If that is done, just state the proper gateway on the general settings page for each DNS server. So the Wireguard gateway for 10.255.255.2 and the WAN gateway for 9.9.9.9.
-
@viragomann No, DNS is not operating in forwarding mode. And it is using the DNS settings in General Settings. Perhaps I am misconfigured?
Yes, an interface is assigned to Wireguard.
-
@hspindel
If you didn't enable DNS query forwarding in the Resolver settings, the DNS servers in the general setup are used only by pfSense itself, but not for the internal devices.
The Resolver requests the DNS root servers by default, which you cannot configure manually. The requests are sent out to the default gateway.
-
@viragomann If what you are telling me is correct, then my system would not be operating the way it does.
All local devices eventually refer DNS requests to pfSense. When my VPN tunnel is up, sometimes DNS requests are sent out through the tunnel and sometimes over the WAN.
-
@hspindel Are you using a public DNS server as a gateway monitoring IP? IIRC that creates a static route for it. But if forwarding is unchecked in Resolver then client queries shouldn’t use those servers.
-
@SteveITS I have two gateways - one for the VPN and one for the WAN. The VPN uses a private DNS server while the WAN uses a public server.
Forwarding is unchecked.
Here is the network topology:
All clients are configured to use bind running on a local Linux server for DNS.
Bind is configured to forward to any one of three piholes.
Every pihole is configured the same to forward to pfSense.
So pfSense has to be making the DNS requests specified in General Settings. The clients have no other path to non-local DNS.
-
@hspindel said in How best to set DNS servers/unbound/VPN:
So pfSense has to be making the DNS requests specified in General Settings.
Again, without query forwarding, these servers are only used for pfSense itself!
If you want to use them for your local devices, go into the Resolver settings and enable query forwarding and state the proper gateways for the servers in General Settings, as mentioned above.
-
@viragomann said in How best to set DNS servers/unbound/VPN:
@hspindel said in How best to set DNS servers/unbound/VPN:
So pfSense has to be making the DNS requests specified in General Settings.
Again, without query forwarding, these servers are only used for pfSense itself!
If you want to use them for your local devices, go into the Resolver settings and enable query forwarding and state the proper gateways for the servers in General Settings, as mentioned above.
I don't understand this. View my topology above. If pfSense were not forwarding to the servers listed in General Settings, none of my local devices could have DNS.
-
@hspindel said in How best to set DNS servers/unbound/VPN:
If pfSense were not forwarding to the servers listed in General Settings, none of my local devices could have DNS.
You wrote above, "DNS is not operating in forwarding mode." Ergo, it's not forwarding. It either forwards, or resolves against the DNS root servers. The servers listed in General Settings are only relevant for clients if the option for forwarding is checked.
-
@hspindel said in How best to set DNS servers/unbound/VPN:
View my topology above.
Your topology seems strange to me; however, this doesn't change the behavior of the DNS Resolver on pfSense at all.
I'm wondering why you need three local DNS servers. I think all you need could also be done with only the Piholes, or at least by them and a second DNS.
-
@SteveITS said in How best to set DNS servers/unbound/VPN:
@hspindel said in How best to set DNS servers/unbound/VPN:
If pfSense were not forwarding to the servers listed in General Settings, none of my local devices could have DNS.
You wrote above, "DNS is not operating in forwarding mode." Ergo, it's not forwarding. It either forwards, or resolves against the DNS root servers. The servers listed in General Settings are only relevant for clients if the option for forwarding is checked.
Then please explain how my system could be working at all.
-
Your topology seems strange to me; however, this doesn't change the behavior of the DNS Resolver on pfSense at all.
I'm wondering why you need three local DNS servers. I think all you need could also be done with only the Piholes, or at least by them and a second DNS.
Why strange? bind is for local name resolution. piholes are for adblocking. Multiple piholes for redundancy.
Yes, I could convert the functions bind is performing to run on the piholes, but it is very convenient for me the way it is. Also, bind has been running for decades and it works well for me. piholes are new.
-
@hspindel
It doesn't make any difference for your local devices if the DNS Resolver uses the DNS servers stated in System > General or if it uses the root name servers to resolve host names.
It's just that for the root servers, you cannot state a gateway for going out.
-
@viragomann said in How best to set DNS servers/unbound/VPN:
@hspindel
It doesn't make any difference for your local devices if the DNS Resolver uses the DNS servers stated in System > General or if it uses the root name servers to resolve host names.
It's just that for the root servers, you cannot state a gateway for going out.
It does make a difference to me. When the VPN is active, I want DNS requests to go to the VPN's DNS server.
The root servers are not currently being contacted. I can see this with a dns leaks test.
-
@hspindel I reviewed my configuration, and discovered that I actually do have DNS forwarding enabled but not in the way I was looking.
DNS forwarding service is NOT enabled.
But DNS Resolver service is enabled, and the checkbox for "Enable Forwarding Mode" is checked. Description says if this is checked, then DNS queries are forwarded to the servers set in System/General Setup.
So that explains why my current setup is working.
I still do not have a solution that chooses one or the other of the DNS services in System/General Setup dependent on whether the Wireguard VPN is enabled or not.
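The gateway-dependent selection described in the thread, as an added example that is not from any participant and that the thread itself does not resolve: a small sh script that probes whether the tunnel-only resolver 10.255.255.2 is reachable and then sets unbound's runtime forwarder list to exactly one address via unbound-control, so the public server is never consulted while the tunnel is up. It assumes unbound-control is enabled for pfSense's resolver and that the config path /var/unbound/unbound.conf is correct (both assumptions), and uses the two resolver addresses from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): keep unbound forwarding to a single
# resolver chosen by the state of the WireGuard tunnel, so queries never
# fall back to the public server while the VPN is usable.
# Assumptions: unbound-control is enabled for pfSense's resolver and the
# config path below is right; 10.255.255.2 / 9.9.9.9 come from the thread.

VPN_DNS="10.255.255.2"
WAN_DNS="9.9.9.9"
UNBOUND_CONF="/var/unbound/unbound.conf"   # assumed pfSense location

# Pure decision logic: "up" -> VPN resolver only, anything else -> WAN only.
choose_forwarder() {
    case "$1" in
        up) echo "$VPN_DNS" ;;
        *)  echo "$WAN_DNS" ;;
    esac
}

# Probe the tunnel. The VPN resolver is only reachable through WireGuard,
# so one ping answers both "is the tunnel up" and "is that resolver alive".
# -t 2 is FreeBSD ping's overall timeout in seconds (pfSense is FreeBSD).
vpn_state() {
    if ping -c 1 -t 2 "$VPN_DNS" >/dev/null 2>&1; then
        echo up
    else
        echo down
    fi
}

# Replace the runtime forwarder list with exactly one address, only when
# it differs from what unbound currently uses. This is runtime state:
# pfSense rewrites unbound.conf on a resolver restart, so run this from
# cron or a gateway-event hook to keep it current.
apply_forwarder() {
    fwd=$(choose_forwarder "$(vpn_state)")
    current=$(unbound-control -c "$UNBOUND_CONF" forward 2>/dev/null)
    if [ "$current" != "$fwd" ]; then
        unbound-control -c "$UNBOUND_CONF" forward "$fwd" \
            && echo "forwarder set to $fwd"
    fi
}

# Apply only when explicitly requested, so the file can also be sourced.
if [ "${APPLY_FORWARDER:-0}" = "1" ]; then
    apply_forwarder
fi
```

Run with APPLY_FORWARDER=1 to change the live forwarder; without it the script only defines the functions.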