Netgate Discussion Forum

DNS Resolver Custom Options

DHCP and DNS
    Asmodeus666
    last edited by Apr 27, 2024, 2:13 PM

    My goal is to have all devices on my network(s) use the options in the General Setup DNS Servers (8.8.8.8, 8.8.4.4, 1.1.1.1, 1.0.0.1).

    To this end, the General Setup is as follows:

    DNS Servers are 8.8.8.8, 8.8.4.4, 1.1.1.1, 1.0.0.1. DNS Hostname is blank on each entry, and all gateways are set to None.

    DNS Server Override is unchecked

    DNS Resolution Behavior is Use Local DNS, Fall back to remote DNS Servers

    Everything else is unchanged from default settings

    DNS Resolver is as follows:

    Enable DNS resolver is Checked
    Listen Port is 53
    Enable SSL/TLS Service is unchecked
    SSL/TLS Certificate is set to default
    SSL/TLS Listen Port is 853
    Network Interfaces is set to ALL
    Outgoing Network Interfaces is set to WAN only
    System Domain Local Zone Type is Transparent
    DNS Query Forwarding is enabled
    DHCP Registration is checked
    Static DHCP is checked

    I have set up NordVPN/OpenVPN correctly and it is working as intended, but in the Outbound NAT rule I set it up as follows:

    [Screenshot: pfSense_8mR1kB4LOO.png]

    So only devices under the Alias VPN_OUT_ENDPOINT are using the NORDVPN gateway. For testing purposes, only 1 device is listed under that alias, static IP 10.26.26.8. The WAN/LAN rules to deal with the VPN traffic for this Alias are set up and working correctly.

    Since I want the DNS queries from devices using the NORDVPN gateway to use the NordVPN DNS Servers, and those queries to also use the NORDVPN gateway, I added this snippet to the Custom Options in the DNS Resolver:

    server:
        access-control-view: 10.26.26.8/32 VPN_DNS_View  # Apply VPN DNS View to this specific IP

    view:
        name: "VPN_DNS_View"
        view-first: yes
        forward-zone:
            name: "."
            forward-addr: 103.86.96.100@53 # NordVPN DNS server 1, using standard DNS port
            forward-addr: 103.86.99.100@53 # NordVPN DNS server 2, using standard DNS port
            outgoing-interface: "ovpnc1"  # Directs DNS queries from the VPN client through the NordVPN interface enclosed in quotation marks

    view:
        name: "default_view"
        view-first: no
        # No specific settings needed for default view as it uses the system defaults


    However, this produces an error with the outgoing-interface: "ovpnc1" line. If I remove that line no error is produced. I had first tried "NordVPN" instead of "ovpnc1" but that resulted in the same error.

    [Screenshot: pfSense_zD7kHE7gt2.png]

    Is the outgoing-interface: directive correct as I am using it? I thought it was, ChatGPT 4.0 thinks it is correct as well, and hopefully, someone else has direct experience with this.

    Perhaps I am referencing the interface incorrectly?

    Note that I understand that the DNS Resolver settings, etc., may not be optimal as-is. If there are recommendations feel free to make them in addition to any suggestions regarding the use of outgoing-interface as described above.

    I don't have DNSSEC enabled because it is a global setting and if it is enabled in the DNS Resolver, it cannot be altered even through a custom options snippet (correct me if I am wrong). NordVPN setup specifically instructs you to leave DNSSEC Support unchecked. That is why I have it unchecked. If I can get this to work I will most likely enable DoT to make up for it, and expand the snippet so that it isn't used for the devices using the NordVPN gateway.

    If I can't get this to work I can try to handle this at the network routing level rather than at the DNS configuration level, by configuring the system’s routing table to direct all traffic from the NordVPN/ovpnc1 interface (including DNS) to go through the VPN, which I believe will bypass the need for specifying the interface in Unbound.

    I previously posted regarding this and another route I was attempting; however, that required that DNS Server Override be enabled, which I would rather avoid. I don't think there is anything there that needs to be referenced, but just in case, I have included it:
    https://forum.netgate.com/topic/187283/all-devices-use-dns-resolver-and-general-setup-except-select-ips
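Added example for this thread (editor's code, not from the post, pfSense or Unbound): a small Python linter for Unbound custom-option snippets that checks the two things the error above turns on. First, clause placement: Unbound's configuration grammar is flat and indentation carries no meaning, so a bare `forward-zone:` opens a new clause even when it is indented under a `view:`, and unbound.conf(5) lists `outgoing-interface` only under `server:`, not under `forward-zone:` or `view:`. Second, value shape: per the manual, `outgoing-interface` takes an IP address or ip6 netblock, so a quoted interface name would be rejected even in the right clause. The allow-lists are a partial subset of the manual's options (anything not listed is reported as unknown, not as an error), the snippet is reproduced from the post with its comments shortened, and `192.0.2.10` is a constructed placeholder for a tunnel address.

```python
"""Clause and value linter for Unbound custom-option snippets (added example,
not pfSense or Unbound code). Allow-lists are a partial subset of unbound.conf(5)."""
import ipaddress
import re
from dataclasses import dataclass

CLAUSE_OPTIONS = {
    "server": {"access-control", "access-control-view", "interface", "port",
               "outgoing-interface", "do-ip4", "do-ip6", "verbosity"},
    "view": {"name", "view-first", "local-zone", "local-data", "local-data-ptr",
             "response-ip", "response-ip-data"},
    "forward-zone": {"name", "forward-addr", "forward-host", "forward-first",
                     "forward-tls-upstream", "forward-no-cache"},
}

def _ip_or_netblock(value):
    try:
        ipaddress.ip_network(value.strip('"'), strict=False)
        return True
    except ValueError:
        return False

def _forward_addr(value):
    # forward-addr: <ip>[@port][#authname]
    ip, _, port = value.split("#", 1)[0].partition("@")
    if port and not (port.isdigit() and 0 < int(port) < 65536):
        return False
    return "/" not in ip and _ip_or_netblock(ip)

def _netblock_and_view(value):
    parts = value.split()
    return len(parts) == 2 and _ip_or_netblock(parts[0])

# Value-shape checks for the options whose format is easy to get wrong.
VALUE_CHECKS = {
    "outgoing-interface": (_ip_or_netblock,
                           "expects an IP address or ip6 netblock, not an interface name"),
    "forward-addr": (_forward_addr, "expects <ip>[@port][#authname]"),
    "access-control-view": (_netblock_and_view, "expects '<netblock> <viewname>'"),
}
_LINE = re.compile(r"^\s*([A-Za-z0-9-]+):\s*(.*?)\s*$")

@dataclass
class Finding:
    line_no: int
    clause: str
    option: str
    message: str

def lint(config_text):
    """Return the Findings for a snippet; an empty list means nothing was flagged."""
    clause, findings = None, []
    for n, raw in enumerate(config_text.splitlines(), 1):
        # A '#' at a token boundary starts a comment; '@853#authname' stays intact.
        line = re.sub(r"(^|\s)#.*$", "", raw)
        if not line.strip():
            continue
        m = _LINE.match(line)
        if not m:
            findings.append(Finding(n, clause or "", "", "unparseable line"))
            continue
        key, value = m.group(1), m.group(2)
        # A bare 'clause:' opens a new clause. Unbound's grammar is flat and ignores
        # indentation, so an indented 'forward-zone:' still ends the enclosing view.
        if value == "" and key in CLAUSE_OPTIONS:
            clause = key
            continue
        if clause is None:
            findings.append(Finding(n, "", key, "option appears before any clause"))
            continue
        if key not in CLAUSE_OPTIONS[clause]:
            homes = [c for c, opts in CLAUSE_OPTIONS.items() if key in opts]
            msg = (f"not a {clause}: option; valid under {', '.join(homes)}:"
                   if homes else "unknown to this linter")
            findings.append(Finding(n, clause, key, msg))
            continue
        if key in VALUE_CHECKS:
            check, hint = VALUE_CHECKS[key]
            if not check(value):
                findings.append(Finding(n, clause, key, f"bad value {value}: {hint}"))
    return findings

# The snippet from the post, comments shortened.
SNIPPET = """\
server:
    access-control-view: 10.26.26.8/32 VPN_DNS_View  # apply the view to one host

view:
    name: "VPN_DNS_View"
    view-first: yes
    forward-zone:
        name: "."
        forward-addr: 103.86.96.100@53
        forward-addr: 103.86.99.100@53
        outgoing-interface: "ovpnc1"

view:
    name: "default_view"
    view-first: no
"""
# The same directive moved into server:, then with a constructed placeholder address.
MOVED = 'server:\n    outgoing-interface: "ovpnc1"\n'
PLACEHOLDER = "server:\n    outgoing-interface: 192.0.2.10  # constructed placeholder\n"

if __name__ == "__main__":
    for label, text in (("post snippet", SNIPPET), ("moved to server:", MOVED),
                        ("placeholder address", PLACEHOLDER)):
        found = lint(text)
        print(f"== {label}: {len(found)} finding(s)")
        for f in found:
            print(f"  line {f.line_no} [{f.clause}] {f.option}: {f.message}")
```

Run against the post's snippet it reports a single finding on the `outgoing-interface` line, placed under `forward-zone:` where the manual lists it only for `server:`; moved into `server:` the same line is still flagged because the value is an interface name rather than an address. Note that a `server:`-level `outgoing-interface` applies to every upstream query Unbound sends, not to one view, so a per-client split cannot be expressed through it; `unbound-checkconf` on the generated unbound.conf is the authoritative check before the resolver is restarted.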

      jagradang @Asmodeus666
      last edited by Jan 26, 2025, 7:41 AM

      @Asmodeus666 hi, did you ever resolve this issue? I'm having the same problem and don't know how to fix this! Any help appreciated.

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.