Netgate Discussion Forum

    Route DNS requests to certain TLDs out Specific OpenVPN tunnels

    Routing and Multi WAN
    4 Posts 2 Posters 1.5k Views
    CNLiberal

      I've got 3 OpenVPN Client tunnels on my pfSense box.  I have traffic destined for certain IP ranges going out those tunnels.  However, DNS requests for the TLDs aren't going out the tunnels.  I can see this by doing a DNSLeakTest.  I still receive the Google DNS servers that I have set up for my WAN connection in GENERAL SETUP.  I would like certain TLDs (.ca and .uk) to go out their own VPN tunnel.  On the GENERAL SETUP page, I have a DNS server set for the CA OpenVPN gateway, and a DNS server set for the UK OpenVPN gateway.  This isn't working though.

      I also have this checked in General Setup:  Do not use the DNS Forwarder as a DNS server for the firewall

      Basically, I want any client on my LAN to route its traffic and DNS requests for certain TLDs over a specific VPN tunnel and to a specific DNS server.  Any help would be appreciated.  Thanks!

      pfSense 2.7.2-RELEASE

      Dell R210 II
      Intel E3-1340 v2
      8GB RAM
      SSD ZFS Mirror
      Intel X520-DA2, RJ45 SFP+ (WAN) and 10Gb SFP+ DAC (LAN)
      1 x Cisco 3850 12XS-S (Core Switch)
      2 x Cisco 3750X PoE Gig Switch (Access Stack)
      3 x Cisco 2802i APs (Mobility Express)

      phil.davis

        I guess all the clients are pointing to pfSense LAN IP for their DNS, and that DNS Forwarder is enabled on pfSense. By default, DNS Forwarder is going to ask all the upstream name servers it is told about for name translation of anything the clients ask for.
        You should be able to override this behavior by defining some domain overrides on the DNS Forwarder GUI. "uk" goes to the IP of the DNS server that is across the tunnel to the UK…
        And since, in General Setup, you have already told it what interface to use for each name server, the requests should go over the tunnels you expect, and not just via the public WAN.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

        CNLiberal

          I've done as you suggested.  I didn't realize I could add "uk" to the domain override.  How would I go about verifying my setup?  An NSLOOKUP from my Linux desktop to bbc.co.uk shows the server as my pfSense box.

          $ nslookup bbc.co.uk 10.0.0.1
          Server:		10.0.0.1
          Address:	10.0.0.1#53
          
          Non-authoritative answer:
          Name:	bbc.co.uk
          Address: 212.58.244.20
          Name:	bbc.co.uk
          Address: 212.58.244.18
          Name:	bbc.co.uk
          Address: 212.58.246.104
          Name:	bbc.co.uk
          Address: 212.58.246.103
          
          
          phil.davis

            Diagnostics->Packet Capture on the OpenVPN tunnel interface, looking for port 53 (and/or the IP address of the external DNS server it is supposed to be using) should show the traffic from DNS Forwarder doing the lookups.
            DNS Forwarder does caching, so on the client do "nslookup" of various different *.uk sites so DNS Forwarder has to go externally to look them up.

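As an added illustration of the packet-capture check described above (example code, not from the thread or from pfSense): the script parses `tcpdump -nn port 53` output taken on the tunnel and WAN interfaces and flags any query for an overridden TLD that left on the wrong interface or went to the wrong server. The interface names (ovpnc1, ovpnc2, em0), the DNS server addresses and the capture lines are all constructed placeholders, not the poster's configuration.

```python
import re

# Policy under test: queries for these TLDs must be seen on the tunnel
# interface and addressed to the override DNS server for that country.
# Interface names and addresses are assumed placeholders.
EXPECTED = {
    "uk": ("ovpnc1", "10.8.0.1"),   # UK tunnel, UK DNS server
    "ca": ("ovpnc2", "10.9.0.1"),   # CA tunnel, CA DNS server
}

# One tcpdump -nn line for a DNS query looks like:
# 12:00:01.000001 IP 10.8.0.6.51000 > 10.8.0.1.53: 1+ A? bbc.co.uk. (27)
QUERY_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.\d+ > (?P<dst>[\d.]+)\.53: \d+\+ "
    r"(?P<qtype>[A-Z]+)\? (?P<name>[^ ]+)\. \(\d+\)$"
)

def classify(captures):
    """Map each queried name to (iface, server) and list policy violations.

    captures maps an interface name to the tcpdump text captured on it.
    A query for a TLD in EXPECTED is a leak when its (iface, server) pair
    differs from the override, e.g. a .ca lookup going to 8.8.8.8 via WAN.
    """
    seen, leaks = {}, []
    for iface, text in captures.items():
        for line in text.splitlines():
            m = QUERY_RE.match(line.strip())
            if not m:
                continue           # responses and non-DNS lines are skipped
            name, dst = m["name"], m["dst"]
            seen[name] = (iface, dst)
            want = EXPECTED.get(name.rsplit(".", 1)[-1])
            if want and (iface, dst) != want:
                leaks.append((name, iface, dst))
    return seen, leaks

# Constructed sample captures, one per interface (not real traffic).
CAPTURES = {
    "ovpnc1": "12:00:01.000001 IP 10.8.0.6.51000 > 10.8.0.1.53: 1+ A? bbc.co.uk. (27)\n"
              "12:00:01.200001 IP 10.8.0.6.51001 > 10.8.0.1.53: 2+ A? gov.uk. (24)\n",
    "em0":    "12:00:02.000001 IP 203.0.113.10.52000 > 8.8.8.8.53: 3+ A? example.com. (29)\n"
              "12:00:02.300001 IP 203.0.113.10.52001 > 8.8.8.8.53: 4+ A? cbc.ca. (24)\n",
}

if __name__ == "__main__":
    for leak in classify(CAPTURES)[1]:
        print("LEAK: %s queried via %s to %s" % leak)
```

Because DNS Forwarder caches answers, only names it has not resolved recently produce upstream queries, so look up several different *.uk and *.ca sites while the captures run.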

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.