Policy routing of Unbound DNS requests on multiple query interfaces (OpenVPN)
-
First of all let me just say that I am a total newb to Networking and only tinkering around with pfSense as a hobby. I don’t have any background in IT at all so please forgive me if my approach is incorrect or rudimentary.
I am trying to figure out how to define the behavior of Unbound DNS when operating on more than one Query Interface and, in particular, whether this yields any DNS leaks when using OpenVPN.
My interfaces are as follows: LAN, WLAN, WAN with OpenVPN running on WAN.
What I am trying to do is to get all the LAN traffic associated with those hosts using the VPN tunnel to be sent down the OpenVPN tunnel, and all the WLAN traffic associated with those hosts using the WAN interface to be sent through the WAN interface. This includes the DNS requests associated with those interfaces, independently, thereby isolating any DNS cross-talk between those interfaces and plugging any leaks that may or may not exist.
My system is operating as follows:
The DHCP Server settings on LAN & WLAN stipulate that DNS requests get directed to the subnet controller. Unbound DNS is listening on the LAN & WLAN subnet controllers and is querying on the WAN & VPN Gateways. The default Gateway is WAN. I include manual Outbound NAT rules that provide the option for LAN traffic to be directed through either the VPN tunnel or the WAN interface, depending on which Gateway is explicitly set in the Firewall Rules for each host on the LAN interface. WLAN hosts just use the default Gateway.
Gateways = WAN(default) & VPN
Unbound DNS Query Interfaces = WAN & VPN
I am using https://www.dnsleaktest.com to analyze where my DNS requests on each (LAN / WLAN) interface are being sent.
So my question is then: how do I explicitly set which Unbound DNS query interface is to be used for which host, operating on each Gateway? I would like to send all DNS requests down the same interface that that host is using for hypertext requests as well, thereby having a closed system for each host on any subnet.
In terms of privacy concerns, let's just say that I opt for using just a single Query Interface, i.e. the VPN Gateway; then the problem becomes that if the VPN goes down, hosts on WLAN fail to resolve.
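A small check for the situation described above, added here as an example and not part of the original post: it sends a raw DNS query with the UDP socket bound to a chosen local address (the WAN address or the VPN tunnel address, both placeholders you must fill in), so the query leaves through that gateway, and reports the A records returned. Run once per gateway address, it shows whether each path resolves on its own, e.g. that VPN-bound queries fail while WAN-bound ones succeed when the tunnel is down. The resolver and source addresses are assumptions; the embedded sample response is constructed for offline use.

```python
import socket
import struct

def build_query(name, qid=0x1234):
    """Minimal DNS A/IN query, recursion desired, for `name`."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels)
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)

def _skip_name(buf, off):
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes
            return off + 2
        off += 1 + length

def parse_a_records(buf, expect_id=None):
    """Return IPv4 addresses from the answer section of a DNS response."""
    qid, flags, qdcount, ancount = struct.unpack(">HHHH", buf[:8])
    if expect_id is not None and qid != expect_id:
        raise ValueError("transaction id mismatch")   # not our answer
    off = 12
    for _ in range(qdcount):
        off = _skip_name(buf, off) + 4             # skip QTYPE/QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(buf, off)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", buf[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(buf[off:off + 4]))
        off += rdlen
    return addrs

def resolve_from(name, resolver_ip, source_ip, timeout=3.0):
    """Query `resolver_ip` with the socket bound to `source_ip`, so the
    packet egresses via that address's interface; [] on timeout."""
    qid = 0x4242
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.bind((source_ip, 0))                      # choose the egress address
        s.sendto(build_query(name, qid), (resolver_ip, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return []
    return parse_a_records(data, qid)

# Constructed sample response: example.test -> 192.0.2.1 (documentation range).
SAMPLE_RESPONSE = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
                   b"\x07example\x04test\x00\x00\x01\x00\x01"
                   b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\xc0\x00\x02\x01")
```

To test a live path, call `resolve_from("example.com", "<upstream resolver>", "<WAN or VPN address>")` from the firewall with your own addresses substituted.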
-
I'm just trying to implement this. Did you figure it out?