Netgate Discussion Forum

    getting DNS leaks

    General pfSense Questions | 14 Posts, 4 Posters, 1.9k Views
      stephenw10 Netgate Administrator @bluecovenant

      @bluecovenant said in getting DNS leaks:

      When I do the test on dnsleaktest.com, the hostname is my ISP. Not sure if this answers your question?

      Not really, because both the ISP's DNS servers and your WAN IP may show as their domain. Is the IP address shown your local WAN IP?

      In general setup do you have 'DNS Server Override' set?

      And what is 'DNS Resolution Behavior' set to?

        bluecovenant @stephenw10

        @stephenw10 said in getting DNS leaks:

        Not really because both the ISPs DNS servers and your WAN IP may show as their domain. Is the IP address shown your local WAN IP?

        Sorry, I don't fully understand all the terms. When I run dnsleaktest the results show the IP address of my ISP, hostname of my ISP, ISP of the actual name of my ISP, and country with my actual physical location (and not the location of my VPN server).

        In general setup do you have 'DNS Server Override' set?

        Yes

        And what is 'DNS Resolution Behavior' set to?
        Use local DNS, ignore remote DNS servers

        Again just now, after logging in to my pfSense dashboard and checking the settings to reply to your question, I clicked save then ran the DNS leak test again. Now the result shows the IP of the VPN server, hostname none, ISP protonvpn, and country the location of the VPN server I'm connected to. If I reboot pfSense, the DNS leak will occur again until I log in to pfSense and "save" the settings without having changed any of the settings.

          stephenw10 Netgate Administrator @bluecovenant

          @bluecovenant said in getting DNS leaks:

          the results show IP address of my ISP

          What I mean by that question is: is the IP shown the address the ISP is giving to you, or their remote address?

          There are two possibilities:

          You have allow DNS Server Override set so the ISP is probably passing DNS servers to pfSense when it connects. If it starts using those servers because Unbound cannot connect over the VPN yet then the leak test would return the IP address of the remote server.

          Unbound cannot use the VPN before it comes up and sends queries directly out of the WAN. In that case the leak test would show your local public IP address because Unbound is still resolving there.

          Try unchecking 'DNS Server Override' so the ISP cannot pass servers.

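A way to check the second possibility directly, as an added example that is not from this thread or from Netgate: capture UDP on the pfSense WAN interface while the VPN is up and list every plaintext DNS query that left through it. The capture lines below are constructed to look like `tcpdump -nn -i em0 udp` output (em0 as the WAN NIC and all addresses are assumptions); the awk parser is what the check actually runs. Which destinations show up tells you which possibility you are looking at: in resolver mode a leaking Unbound talks to many unrelated authoritative servers, while pfSense falling back to the DHCP-supplied servers talks only to the ISP's resolvers.

```shell
#!/bin/sh
# Added example: list plaintext DNS queries seen leaving the pfSense WAN.
# Constructed sample of `tcpdump -nn -i em0 udp` on WAN (em0 and all addresses
# are assumptions; 203.0.113.10 is the WAN address, 198.51.100.1/.2 are the
# resolvers the ISP handed out, 198.51.100.200:1194 is the OpenVPN server).
SAMPLE_CAPTURE='10:01:02.123456 IP 203.0.113.10.53211 > 198.51.100.1.53: 12345+ A? example.com. (29)
10:01:02.223456 IP 198.51.100.1.53 > 203.0.113.10.53211: 12345 1/0/0 A 93.184.216.34 (45)
10:01:02.300000 IP 203.0.113.10.53212 > 198.51.100.2.53: 12346+ [1au] AAAA? example.net. (41)
10:01:03.000000 IP 203.0.113.10.41000 > 198.51.100.200.1194: UDP, length 96
10:01:05.000001 IP 203.0.113.10.40001 > 198.51.100.1.53: 22222+ A? protonvpn.com. (31)'

# Print "resolver query_name" for each outbound DNS query in a capture read from
# stdin. A query line is "src > dst.53:" followed by an id, optional EDNS flags
# such as [1au], then a type ending in "?" and the name. Replies (source port 53)
# and the VPN's own UDP packets do not match and are ignored.
wan_dns_queries() {
    awk '$2 ~ /^IP6?$/ && $4 == ">" && $5 ~ /\.53:$/ {
        for (i = 6; i < NF; i++) {
            if ($i ~ /[?]$/) {
                dst = $5; sub(/\.53:$/, "", dst)
                name = $(i + 1); sub(/\.$/, "", name)
                print dst, name
                break
            }
        }
    }'
}

# Number of queries that escaped the tunnel. With the VPN up this should be 0;
# anything else is a leak regardless of what dnsleaktest.com displays.
leak_count() {
    wan_dns_queries | wc -l | tr -d ' '
}

# Distinct destinations. If they are the ISP's servers (the dashboard's System
# Information widget lists what pfSense itself is using), pfSense is using the
# DHCP-supplied servers; if they are many unrelated addresses, Unbound is
# resolving directly out of WAN.
leaked_resolvers() {
    wan_dns_queries | awk '{ print $1 }' | sort -u
}

# Run the parser over the constructed sample (used by the checks below).
sample_leak_count() {
    printf '%s\n' "$SAMPLE_CAPTURE" | leak_count
}

# Live variant for the firewall shell: capture WAN for 15 s while the VPN is up.
# Assumes timeout(1) from FreeBSD base and root. Invoke as: sh leakcheck.sh live em0
live_check() {
    timeout 15 tcpdump -l -nn -i "${1:-em0}" udp port 53 2>/dev/null | wan_dns_queries
}

case "${1:-}" in
    live)   live_check "$2" ;;
    sample) printf '%s\n' "$SAMPLE_CAPTURE" | wan_dns_queries ;;
esac
```

Running it on the sample reports three queries to 198.51.100.1 and 198.51.100.2, the two ISP resolvers, which is the "DNS Server Override" case from the post above. Port 853 (DoT) is deliberately not captured: encrypted forwarding on WAN is not a leak of query contents.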
            bluecovenant @stephenw10

            @stephenw10 said in getting DNS leaks:

            What I mean by that question is is the IP shown the address the ISP is giving to you or their remote address?

            I haven't been able to reproduce the issue the last several times I've rebooted... but if I see it again, how can I tell whether it is the address the IP assigned me vs. their remote address?

            Depending on whether it is the address the IP assigned me vs. their remote address, does that affect whether it is an actual DNS leak / whether the ISP can see my queries?

            There are two possibilities:

            You have allow DNS Server Override set so the ISP is probably passing DNS servers to pfSense when it connects. If it starts using those servers because Unbound cannot connect over the VPN yet then the leak test would return the IP address of the remote server.

            Unbound cannot use the VPN before it comes up and sends queries directly out of the WAN. In that case the leak test would show your local public IP address because Unbound is still resolving there.

            Try unchecking 'DNS Server Override' so the ISP cannot pass servers.

            What is "Unbound"?

              stephenw10 Netgate Administrator

              Unbound is the DNS Resolver service running in pfSense.

              I assume you don't get the public IP address passed directly to your pfSense WAN interface then? Otherwise you could just check that.

              If your WAN is behind some other NATing router then you can check that device or visit a site that reports your IP like: https://www.ipchicken.com/ from a client that isn't using the VPN.

                bluecovenant @stephenw10

                @stephenw10 So far, as far as I can tell, by unchecking "DNS Server Override" the leaks don't seem to occur after rebooting.

                One thing I'm not understanding: when "DNS Server Override" is allowed, if the reason leaks occur after reboot is because the VPN hasn't connected yet, why doesn't Unbound start using the VPN for DNS queries after a period of time? That doesn't occur as far as I can tell. The DNS queries only go to the VPN if I log in to pfSense, go to Services > DNS Resolver > Outgoing Network Interfaces, click VPN, then save.

                  stephenw10 Netgate Administrator

                  More likely Unbound is using the VPN since you have set it to use only the VPN interface. But pfSense uses the servers passed by the ISP if Unbound cannot respond before the VPN comes up.

                    johnpoz LAYER 8 Global Moderator @bluecovenant

                    @bluecovenant Well, if the interface is not up when Unbound starts it can't bind to it. You could try setting your outgoing interface to just localhost. Now it should use whatever the default route is on pfSense; if the default route for pfSense is the VPN, it should use your VPN once it comes up and is the default route.

                    If you're not pulling routes and your VPN is not actually the default route, yeah, you would have to make sure that the VPN is up before Unbound starts, or would have to, say, put in a cron or something that restarts Unbound, say, 5 minutes after boot or something.

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

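The "cron that restarts Unbound 5 minutes after boot" idea from the post above can be made conditional instead of timed. The script below is an added example, not from this thread or from Netgate: it polls the default route until the VPN interface owns it, then restarts Unbound through pfSense's own service hook so the resolver re-binds on the tunnel that did not exist when it first started. The two route samples are constructed `route -n get default` output; ovpnc1 (the usual name of the first OpenVPN client interface), em0 and the gateway addresses are assumptions, and `pfSsh.php playback svc restart unbound` is pfSense's standard way of restarting a service from the shell.

```shell
#!/bin/sh
# Added example: restart Unbound only once the VPN owns the default route.
# Constructed `route -n get default` output with the OpenVPN client tunnel as
# default route (ovpnc1 and 10.8.0.1 are assumptions).
SAMPLE_ROUTE_VPN='   route to: default
destination: default
       mask: default
    gateway: 10.8.0.1
        fib: 0
  interface: ovpnc1
      flags: <UP,GATEWAY,DONE,STATIC>'

# Same command before the tunnel is up: default route still on the WAN NIC.
SAMPLE_ROUTE_WAN='   route to: default
destination: default
       mask: default
    gateway: 203.0.113.1
        fib: 0
  interface: em0
      flags: <UP,GATEWAY,DONE,STATIC>'

# Interface name from `route -n get default` text on stdin (empty if no route).
iface_from_route_get() {
    awk '$1 == "interface:" { print $2; exit }'
}

# Succeed when the route text on stdin names interface $1 as the default route.
default_is() {
    [ "$(iface_from_route_get)" = "$1" ]
}

# Live check on the firewall: is the running default route on the VPN interface?
vpn_is_default() {
    route -n get default 2>/dev/null | default_is "$1"
}

# Poll (default: 60 tries, 5 s apart) until the VPN is the default route, then
# restart Unbound so it binds its outgoing socket on the tunnel. Gives up, with
# a syslog line, if the VPN never comes up, so the fallback is visible in the logs.
wait_then_restart_unbound() {
    vpnif=$1; tries=${2:-60}; interval=${3:-5}
    while [ "$tries" -gt 0 ]; do
        if vpn_is_default "$vpnif"; then
            logger -t dns-leak-guard "default route is on $vpnif, restarting unbound"
            /usr/local/sbin/pfSsh.php playback svc restart unbound
            return 0
        fi
        tries=$((tries - 1))
        sleep "$interval"
    done
    logger -t dns-leak-guard "gave up: $vpnif never became the default route"
    return 1
}

# Usage from a Cron package @reboot entry (or the Shellcmd package):
#   /root/vpn-dns-guard.sh run ovpnc1
case "${1:-}" in
    run) wait_then_restart_unbound "${2:-ovpnc1}" ;;
esac
```

If your VPN is not the default route (no routes pulled), the `default_is` test never succeeds and the script gives up after the polling window; swap in whatever condition means "tunnel up" in your setup, for example the interface showing an address in `ifconfig`, and keep the rest.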
                      stephenw10 Netgate Administrator

                      Or use some blocking outbound rules on WAN. But things start to get dicey pretty quick!

                        bluecovenant

                        Hmmm, I just rebooted with "DNS Server Override" unchecked, and got a leak again. Any other suggestions? Could this be a problem with how the VPN interface is set up?

                        @bluecovenant said in getting DNS leaks:

                        "dns server override"

                          nimrod @bluecovenant

                          @bluecovenant said in getting DNS leaks:

                          Hmmm, I just rebooted with "DNS Server Override" unchecked, and got a leak again. Any other suggestions? Could this be a problem with how the VPN interface is set up?

                          @bluecovenant said in getting DNS leaks:

                          "dns server override"

                          I had the same issue as you, and I resolved it by using DoT. See my thread here. The other, not so elegant, solution is to configure your DHCP server so it hands out Proton DNS IPs to your clients directly.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.