getting DNS leaks
-
i have set up pfsense with proton vpn. i have set the DNS resolver outgoing network interface to the vpn.
when i reboot pfsense and go to dnsleaktest.com, the dns resolver is my ISP. if i go into pfsense and look at the settings, the dns resolver is still set to the vpn. i press save, and then test again and the dns resolver is the VPN
if i reboot, the dns resolver goes back to the ISP, even though going back into the pfsense settings, it still says the dns resolver is the VPN
why is this happening and how do i prevent it?
-
Like the resolver is your ISP's DNS servers or it's resolving locally but using your WAN IP?
What do you have set in System > General Setup?
-
@stephenw10 said in getting DNS leaks:
Like the resolver is your ISP's DNS servers or it's resolving locally but using your WAN IP?
when i check my ip address, it shows the ip of my vpn. when i do the test on dnsleaktest.com, the hostname is my ISP. not sure if this answers your question?
@stephenw10 said in getting DNS leaks:
What do you have set in System > General Setup?
haven't added any changes here, so just the default
i specified in services > dns resolver > outgoing network interfaces to use the vpn
-
@bluecovenant said in getting DNS leaks:
when i do the test on dnsleaktest.com, the hostname is my ISP. not sure if this answers your question?
Not really, because both the ISP's DNS servers and your WAN IP may show as their domain. Is the IP address shown your local WAN IP?
In general setup do you have 'DNS Server Override' set?
And what is 'DNS Resolution Behavior' set to?
-
@stephenw10 said in getting DNS leaks:
Not really, because both the ISP's DNS servers and your WAN IP may show as their domain. Is the IP address shown your local WAN IP?
Sorry don't fully understand all the terms. When I run dnsleaktest the results show IP address of my ISP, hostname of my ISP, ISP of the actual name of my ISP, and country with my actual physical location (and not the location of my VPN server)
In general setup do you have 'DNS Server Override' set?
Yes
And what is 'DNS Resolution Behavior' set to?
Use local DNS, ignore remote DNS servers
Again just now, after logging in to my pfsense dashboard and checking the settings to reply to your question, I clicked save then ran DNS leak test again. Now the result shows the IP of the VPN server, hostname none, ISP protonvpn, and country the location of the VPN server I'm connected to. If I reboot pfsense, the DNS leak will occur again until I login to pfsense and "save" the settings without having changed any of the settings
-
@bluecovenant said in getting DNS leaks:
the results show IP address of my ISP
What I mean by that question is is the IP shown the address the ISP is giving to you or their remote address?
There are two possibilities:
You have 'Allow DNS Server Override' set, so the ISP is probably passing DNS servers to pfSense when it connects. If it starts using those servers because Unbound cannot connect over the VPN yet, then the leak test would return the IP address of the remote server.
Unbound cannot use the VPN before it comes up and sends queries directly out of the WAN. In that case the leak test would show your local public IP address because Unbound is still resolving there.
Try unchecking 'DNS Server Override' so the ISP cannot pass servers.
-
@stephenw10 said in getting DNS leaks:
What I mean by that question is is the IP shown the address the ISP is giving to you or their remote address?
i haven't been able to reproduce the issue the last several times i've rebooted...but if i see it again how can i tell whether it is the address the IP assigned me vs. their remote address?
depending on whether it is the address the IP assigned me vs. their remote address, does that affect whether it is an actual dns leak/the ISP can see my queries?
There are two possibilities:
You have 'Allow DNS Server Override' set, so the ISP is probably passing DNS servers to pfSense when it connects. If it starts using those servers because Unbound cannot connect over the VPN yet, then the leak test would return the IP address of the remote server.
Unbound cannot use the VPN before it comes up and sends queries directly out of the WAN. In that case the leak test would show your local public IP address because Unbound is still resolving there.
Try unchecking 'DNS Server Override' so the ISP cannot pass servers.
what is "unbound"?
-
Unbound is the DNS Resolver service running in pfSense.
I assume you don't get the public IP address passed directly to your pfSense WAN interface then? Otherwise you could just check that.
If your WAN is behind some other NATing router then you can check that device or visit a site that reports your IP like: https://www.ipchicken.com/ from a client that isn't using the VPN.
-
@stephenw10 so far, as far as i can tell, by unchecking "dns server override", the leaks don't seem to occur after rebooting.
one thing i'm not understanding: when "dns server override" is allowed, if the reason leaks occur after reboot is because the VPN hasn't connected yet, why doesn't unbound start using the VPN for DNS queries after a period of time? that doesn't occur as far as i can tell. the DNS queries only go to the VPN if i login to pfsense and go to services > dns resolver > outgoing network interfaces and click vpn, then save?
-
More likely Unbound is using the VPN since you have set it to use only the VPN interface. But pfSense uses the servers passed by the ISP if Unbound cannot respond before the VPN comes up.
-
@bluecovenant well if the interface is not up when unbound starts it can't bind to it. You could try setting your outgoing interface to just localhost. Now it should use whatever the default route is on pfsense; if the default route for pfsense is vpn, it should use your vpn once it comes up and is the default route.
If you're not pulling routes and your vpn is not actually the default route, yeah you would have to make sure that the vpn is up before unbound starts, or would have to say put in a cron or something that restarts unbound say 5 minutes after boot or something.
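A boot-time helper that implements the "restart unbound once the VPN is up" idea from the reply above, as an added example that is not from the thread: it polls the tunnel interface and restarts the resolver only after the tunnel is UP and has an address, so Unbound can bind to it. The interface name (ovpnc1 is typical for a pfSense OpenVPN client), the pfSsh.php restart command and the 60 x 5 s wait are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): wait for the VPN client interface to
# come up after boot, then restart Unbound so it can bind to that interface.
# Assumptions: the interface name is passed as $1 (e.g. ovpnc1 for an OpenVPN
# client on pfSense) and pfSense's pfSsh.php helper is used to restart Unbound.

# vpn_has_addr: read `ifconfig <if>` output on stdin; succeed (exit 0) only if
# the interface is flagged UP and has an IPv4 address, i.e. is usable.
vpn_has_addr() {
    awk '
        /flags=.*<UP[,>]/     { up = 1 }
        /^[[:space:]]*inet /  { addr = 1 }
        END { exit (up && addr) ? 0 : 1 }
    '
}

# wait_for_vpn IFNAME TRIES DELAY: poll ifconfig until the tunnel is usable.
wait_for_vpn() {
    ifname="$1"; tries="$2"; delay="$3"; n=0
    while [ "$n" -lt "$tries" ]; do
        if ifconfig "$ifname" 2>/dev/null | vpn_has_addr; then
            return 0
        fi
        n=$((n + 1))
        sleep "$delay"
    done
    return 1
}

main() {
    ifname="$1"
    # Up to 5 minutes (60 x 5 s), like the "5 minutes after boot" cron idea,
    # but acting only once the tunnel actually has an address.
    if wait_for_vpn "$ifname" 60 5; then
        logger -t vpn-dns "$ifname is up; restarting Unbound"
        /usr/local/sbin/pfSsh.php playback svc restart unbound   # assumed pfSense helper
    else
        logger -t vpn-dns "$ifname never came up; leaving Unbound alone"
        return 1
    fi
}

# Run only when an interface name is given, e.g. `sh vpn-unbound-wait.sh ovpnc1`
# from the Shellcmd package at boot; with no argument it just defines the functions.
if [ -n "${1:-}" ]; then
    main "$1"
fi
```

Even with this in place, queries sent before the restart still leave via the WAN, so it complements, rather than replaces, the "block outbound DNS on WAN" rule mentioned below.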
-
Or use some blocking outbound rules on WAN. But things start to get dicey pretty quick!
-
hmmm i just rebooted with the "dns server override" unchecked, and got a leak again. any other suggestions? could this be a problem with how the vpn interface is set up?
-
@bluecovenant said in getting DNS leaks:
hmmm i just rebooted with the "dns server override" unchecked, and got a leak again. any other suggestions? could this be a problem with how the vpn interface is set up?
@bluecovenant said in getting DNS leaks:
"dns server override"
I had the same issue as you, and I resolved it by using DoT. See my thread here. The other, not so elegant, solution is to configure your DHCP server so it hands out Proton DNS IPs to your clients directly.