Route DNS requests to certain TLDs out Specific OpenVPN tunnels



  • I've got 3 OpenVPN Client tunnels on my pfSense box.  I have traffic destined for certain IP ranges going out those tunnels.  However, DNS requests for the TLDs aren't going out the tunnels.  I can see this by doing a DNSLeakTest.  I still receive the Google DNS servers that I have setup for my WAN connection in GENERAL SETUP.  I would like certain TLDs (.ca and .uk) to go out their own VPN tunnel.  On the GENERAL SETUP page, I have a DNS server set for the CA OpenVPN gateway, and a DNS server set for the UK OpenVPN gateway.  This isn't working though.

    I also have this checked in General Setup:  Do not use the DNS Forwarder as a DNS server for the firewall

    Basically, I want any client on my LAN to route it's traffic and DNS requests for certain TLDs over a specific VPN tunnel and to a specific DNS server.  Any help would be appreciated.  Thanks!



  • I guess all the clients are pointing to pfSense LAN IP for their DNS, and that DNS Forwarder is enabled on pfSense. By default, DNS Forwarder is going to ask all the upstream name servers it is told about for name translation of anything the clients ask for.
    You should be able to override this behavior by defining some domain overrides on the DNS Forwarder GUI. "uk" goes to the IP of the DNS server that is across the tunnel to the UK…
    And since, in General Setup, you have already told it what interface to use for each name server, the requests should go over the tunnels you expect, and not just via the public WAN.



  • I've done as you suggested.  I didn't realize I could add "uk" to the domain override.  How would I go about verifying my setup?  An NSLOOKUP from my Linux desktop to bbc.co.uk shows the server as my pfSense box.

    $ nslookup bbc.co.uk 10.0.0.1
    Server:		10.0.0.1
    Address:	10.0.0.1#53
    
    Non-authoritative answer:
    Name:	bbc.co.uk
    Address: 212.58.244.20
    Name:	bbc.co.uk
    Address: 212.58.244.18
    Name:	bbc.co.uk
    Address: 212.58.246.104
    Name:	bbc.co.uk
    Address: 212.58.246.103
    
    


  • Diagnostics->Packet Capture on the OpenVPN tunnel interface, looking for port 53 (and/or the IP address of the external DNS server it is supposed to be using) should show the traffic from DNS Forwarder doing the lookups.
    DNS Forwarder does caching, so on the client do "nslookup" of various different *.uk sites so DNS Forwarder has to go externally to look them up.