DNS leaks



  • pfsense leaks. a lot.

    General setup -> DNS: everything you put here is leaked, even if you're using a VPN provider connection.

    Just for comparison, a simple router/firewall with DD-WRT or Tomato doesn't leak any DNS info, and shows only the DNS server of your VPN provider. Just play with

    https://www.dnsleaktest.com/



    @panz:

    Just play with https://www.dnsleaktest.com/

    Awesome. It shows the IP of my pfsense boxes running unbound. Oh noes, I am leaked!  ::) ::) ::)



  • As usual, I didn't say it in the right manner  ;D

    I mean, if you set for example 3 DNS servers in System General setup and you're using pfsense as OpenVPN client to a VPN provider, the pfsense box doesn't pass the test indicated above.

    I suppose that pfsense should only show the DNS in use (aka the DNS of the VPN provider) and not LIST all the system's DNSs.

    Am I missing something?



  • @doktornotor:

    Awesome. It shows the IP of my pfsense boxes running unbound. Oh noes, I am leaked!  ::) ::) ::)

    Just finished 4 days of testing. Involved configurations are: DD-WRT, Tomato (Toastman ver.), and D-Link 2640 firmware series (basically, it's Linux).

    All of these - in the DNSleak or IPLeak tests - show only the DNS pushed by the server (for AirVPN UDP settings the dns is 10.4.0.1).

    BTW Windows leaks (this is not bad news, we know that rubb…) but there is a workaround (and a clever one, I think):

    https://airvpn.org/topic/9798-windows-7-8-windows-firewall-prevent-leaks-thanks-to-omniferum/

    It requires a bit of knowledge, but it WORKS!  ;)

    Now, how can I get the same result with pfsense? I've just tried all the possible configurations (allowed by the GUI), but I didn't achieve the desired results.



    There is no DNS "pushed" by server to pfSense OpenVPN client. Add OpenVPN foreign_option support. Apparently no one produced anything so far.



    So, it's impossible to honor the request set by redirect-gateway def1 because, if the "client" pfsense queries more than 1 DNS, not all traffic is sent through the tunnel (for example, Tomato does that for DNS; now I'm going to look at the source scripts to learn how it works), but I can't see how that can be a "feature"  :-[



  • By default all dns configured is queried in parallel to reduce delays.

    The setting used in pfSense is

    --all-servers
    By default, when dnsmasq has more than one upstream server available, it will send queries to just one server. Setting this flag forces dnsmasq to send all queries to all available servers. The reply from the server which answers first will be returned to the original requester.

    To disable it for now you can put a feature request in redmine and edit /etc/inc/services.inc  and remove the option manually.

    services.inc line 1738:  $cmd = "/usr/local/sbin/dnsmasq --all-servers {$dns_rebind} {$args}";



    Well that won't exactly help I'm afraid since you won't be using the pushed DNS servers regardless. You do not want to use any of the preconfigured DNS servers for this.
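An added example, not from the thread or the pfSense project, that makes the last two posts concrete: every nameserver pfSense writes to /etc/resolv.conf from System > General Setup is a dnsmasq upstream, and with --all-servers each query is sent to all of them at once. Dropping the flag only stops the fan-out; an upstream outside the tunnel subnet is still eligible and still reached over WAN. The resolv.conf contents, the 10.4.0.0/16 tunnel prefix and the dnsmasq command line are constructed sample input.

```shell
#!/bin/sh
# Added example, not pfSense code. Constructed sample: what pfSense puts in
# /etc/resolv.conf from General Setup plus the provider-pushed 10.4.0.1.
SAMPLE_RESOLV='nameserver 127.0.0.1
nameserver 10.4.0.1
nameserver 8.8.8.8
nameserver 208.67.222.222'
SAMPLE_CMD='/usr/local/sbin/dnsmasq --all-servers'

# Dotted quad -> 32-bit integer using POSIX arithmetic only.
ip2int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/PREFIX: exit 0 when ADDR lies inside the prefix.
in_cidr() {
  net=${2%/*}; prefix=${2#*/}
  mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# leaking_upstreams RESOLV_TEXT TUNNEL_CIDR: print each configured upstream that
# is reached outside the tunnel. 127.0.0.1 is the local forwarder, not an upstream.
leaking_upstreams() {
  printf '%s\n' "$1" | while read -r key addr rest; do
    [ "$key" = nameserver ] || continue
    in_cidr "$addr" 127.0.0.0/8 && continue
    in_cidr "$addr" "$2" || echo "$addr"
  done
}

# fans_out_to_all_upstreams DNSMASQ_CMDLINE: exit 0 when --all-servers is set,
# i.e. every query goes to every upstream in parallel.
fans_out_to_all_upstreams() {
  case " $1 " in *' --all-servers '*) return 0 ;; *) return 1 ;; esac
}

# Verdict for the constructed sample.
report() {
  leaks=$(leaking_upstreams "$SAMPLE_RESOLV" 10.4.0.0/16)
  if [ -z "$leaks" ]; then
    echo "all upstreams are inside the tunnel"
  elif fans_out_to_all_upstreams "$SAMPLE_CMD"; then
    echo "every query is also sent to these WAN-side servers:"; printf '  %s\n' $leaks
  else
    echo "queries go to one upstream at a time, but these are still eligible:"; printf '  %s\n' $leaks
  fi
}
report
```

On a real box, feed it the live /etc/resolv.conf and the dnsmasq line from `ps`; the only result that means "no leak" is an empty upstream list, whichever way the flag is set.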



  • That DNS leak test thing doesn't show crap for me…



  • @kejianshi:

    That DNS leak test thing doesn't show crap for me…

    With pfsense acting as OpenVPN client to a VPN provider?



  • No - With clients directly on pfsense or using pfsense as openvpn server.
    All that page is doing is looking at where you get your DNS, so far as I can tell.



  • @kejianshi:

    No - With clients directly on pfsense or using pfsense as openvpn server.
    All that page is doing is looking at where you get your DNS, so far as I can tell.

    I have no problems at all with your configuration. No leaks. My conf is different: pfsense is acting as OpenVPN client to a VPN service provider, so I'd like to use ONLY provider's DNS server.



  • If they have a couple DNS servers, that should be no problem.  If they aren't providing DNS servers, you are out of luck.  You could also run your own DNS server?



  • @kejianshi:

    If they have a couple DNS servers, that should be no problem.  If they aren't providing DNS servers, you are out of luck.  You could also run your own DNS server?

    They definitely have their own DNS servers! The matter seems to be that pfsense is not accepting all the pushed configs (OpenVPN foreign_option).



  • Is it possible you can get their server IPs from them and enter them manually?



    @kejianshi:

    Is it possible you can get their server IPs from them and enter them manually?

    Not really an option for most people, you are stuck with no DNS at all once the client gets disconnected. The foreign options support is pretty much required to work not just on Windows. Usually done via up/down scripts and resolvconf package on Linux distros.



  • That's good - Then when the vpn is down, the internet won't work, which is how I like it when I want a full time vpn running.
    That's exactly the way my phone behaves.  You either have vpn or you have nothing.
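As an added example, not OpenVPN, pfSense or any poster's code, this is the kind of --up/--down script the "foreign options" post refers to, with the "VPN or nothing" behaviour of the reply above built in. OpenVPN hands each pushed option it does not interpret itself to scripts as the environment variables foreign_option_1, foreign_option_2, ... (for example "dhcp-option DNS 10.4.0.1") and sets script_type to "up" or "down". The target file path and the sample values used to exercise it are assumptions.

```shell
#!/bin/sh
# Added example, not OpenVPN or pfSense code: honour pushed dhcp-option DNS/DOMAIN
# values from the foreign_option_N environment that OpenVPN exports to scripts.

RESOLV_OUT="${RESOLV_OUT:-/etc/resolv.conf}"   # assumed target; point elsewhere to test

# Print resolv.conf lines for every pushed DNS server / search domain, in push order.
pushed_resolv_lines() {
  i=1
  while :; do
    eval "opt=\${foreign_option_$i:-}"
    [ -n "$opt" ] || break
    set -- $opt                      # word-split "dhcp-option DNS 10.4.0.1"
    if [ "$1" = dhcp-option ]; then
      case $2 in
        DNS)    echo "nameserver $3" ;;
        DOMAIN) echo "search $3" ;;
      esac
    fi
    i=$((i + 1))
  done
}

# up: make the pushed servers the only resolvers, keeping the pre-VPN file for down.
apply_pushed_dns() {
  lines=$(pushed_resolv_lines)
  if [ -z "$lines" ]; then
    echo "server pushed no DNS; leaving $RESOLV_OUT untouched" >&2
    return 1
  fi
  [ -f "$RESOLV_OUT" ] && cp "$RESOLV_OUT" "$RESOLV_OUT.pre-vpn"
  printf '%s\n' "$lines" > "$RESOLV_OUT"
}

# down: put the old file back. With no backup we deliberately leave no resolver at
# all rather than fall back to WAN-side servers while the tunnel is down.
restore_dns() {
  if [ -f "$RESOLV_OUT.pre-vpn" ]; then
    mv "$RESOLV_OUT.pre-vpn" "$RESOLV_OUT"
  else
    : > "$RESOLV_OUT"
  fi
}

case ${script_type:-} in
  up)   apply_pushed_dns ;;
  down) restore_dns ;;
esac
```

Wire it in with `--script-security 2 --up /path/to/script --down /path/to/script`. On Linux distributions with resolvconf you would pipe the same lines into `resolvconf -a "$dev.openvpn"` on up and call `resolvconf -d "$dev.openvpn"` on down instead of overwriting the file directly; the file-based version is used here so the example stays self-contained.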



  • It's been several years, is this still the case? Followed this tutorial below and ended up in the same boat with VPN provided DNS servers not being picked up by pfsense/openvpn client. Would it be possible to add an additional argument to make this work? Thanks in advance

    https://forum.pfsense.org/index.php?topic=76015.0



  • Wow. Resurrecting a thread from 2013? OK, I'll bite.

    When I run dnsleaktest, the result is my vpn server ip for wan and dns.

    Make sure dns resolver is running.
    Uncheck forwarding mode.
    Select the vpn interface in Outgoing Network Interfaces.
    Do not enter dns servers in General settings.
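An added example (not pfSense code) that checks a generated Unbound config for the settings the four steps above produce: resolver mode (no forwarding) and the VPN interface as the only outgoing interface. It assumes, as you should verify against your own /var/unbound/unbound.conf, that forwarding mode shows up as a "forward-zone:" stanza and that "Outgoing Network Interfaces" becomes one "outgoing-interface:" line per selected address. The two config samples, the tunnel address 10.4.0.10 and the WAN address 203.0.113.5 are constructed. The General Setup server list lives in /etc/resolv.conf and is not covered here.

```shell
#!/bin/sh
# Added example, not pfSense code: audit an Unbound config for the leak-prone
# settings (forwarding mode, WAN egress) against the corrected ones.

# Constructed samples. LEAKY: forwarding mode out the WAN address.
LEAKY_CONF='server:
    interface: 192.168.1.1
    outgoing-interface: 203.0.113.5
forward-zone:
    name: "."
    forward-addr: 8.8.8.8
    forward-addr: 208.67.222.222'
# CLEAN: resolver mode, queries sourced from the tunnel address only.
CLEAN_CONF='server:
    interface: 192.168.1.1
    outgoing-interface: 10.4.0.10'

# audit_unbound_conf CONF_TEXT TUN_ADDR: one finding per line; exit 0 only when clean.
audit_unbound_conf() {
  conf=$1; tun=$2; rc=0
  if printf '%s\n' "$conf" | grep -q '^[[:space:]]*forward-zone:'; then
    echo "forwarding mode: queries go to forward-addr servers instead of being resolved over the tunnel"
    rc=1
  fi
  ifaces=$(printf '%s\n' "$conf" | sed -n 's/^[[:space:]]*outgoing-interface:[[:space:]]*//p')
  if [ -z "$ifaces" ]; then
    echo "no outgoing-interface: Unbound sources queries from the default (WAN) route"
    rc=1
  fi
  for a in $ifaces; do
    if [ "$a" != "$tun" ]; then
      echo "outgoing-interface $a is not the tunnel address $tun"
      rc=1
    fi
  done
  return $rc
}

echo "== leaky =="
if audit_unbound_conf "$LEAKY_CONF" 10.4.0.10; then echo "unexpectedly clean"; fi
echo "== clean =="
audit_unbound_conf "$CLEAN_CONF" 10.4.0.10 && echo "ok"
```

Run it against the live file with `audit_unbound_conf "$(cat /var/unbound/unbound.conf)" <tun address>`; an interface address that belongs to WAN, or any forward-zone at all, reproduces the situation the original poster was testing against.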



  • @gjaltemba:

    Wow. Resurrecting a thread from 2013?

    Well I ran into the same problem lol.

    @gjaltemba:

    When I run dnsleaktest, the result is my vpn server ip for wan and dns.

    Make sure dns resolver is running.
    Uncheck forwarding mode.
    Select the vpn interface in Outgoing Network Interfaces.
    Do not enter dns servers in General settings.

    That does the trick and gives me the ability to use my vpn dns for my lan traffic. Kind of something I didn't even know I wanted. Thanks!!



  • This is off topic but I would like to highlight the firewall rules for the LAN interface in the PIA tutorial

    The proposed changes to the default LAN firewall rules are only necessary with more advanced firewall configurations.

    https://forum.pfsense.org/index.php?topic=76015.0



  • @gjaltemba:

    This is off topic but I would like to highlight the firewall rules for the LAN interface in the PIA tutorial

    The proposed changes to the default LAN firewall rules are only necessary with more advanced firewall configurations.

    https://forum.pfsense.org/index.php?topic=76015.0

    For my setup I required the defined gateway on my lan but not on the my vpn interface. (I had defined both gateways which blocked me from accessing my LAN from the VPN) Thank you so much!

