DNS Resolver and OpenVPN client



  • Good evening,

    I have successfully configured pfSense to connect to a subscription VPN provider, and route a SINGLE client through the VPN while the rest of the LAN is connecting to the internet via my normal ISP.

    As observed with http://ipchicken that single client gets the VPN public IP, while the rest of the LAN gets the ISP public IP, so far so good.

    Problem is that configuring the DNS resolver to an ALL/ALL configuration, and trying http://ipleak.net, I found out that ALL the clients (both the single client routed through the tunnel and the rest of the LAN) have the VPN DNS listed.

    If I remove the ALL/ALL from DNS Resolver and configure it as ALL/WAN, every client (even the one routed through the VPN) lists my ISP DNS…

    So my question is what I'm obviously missing to configure pfSense for my needs (I need the VPN client to have the VPN DNS, while the rest of the network has the ISP DNS) - so as to avoid DNS leaks.


  • Rebel Alliance Global Moderator

    Why would you have the resolver on all/all?  Are you using the resolver or do you have it in forwarder mode?

    You should listen on the interfaces you want to listen on, should only be lan interfaces.  And you should only request out the wan interface you want to request out of.

    If you are resolver and not forwarder unbound would always look up from root servers, have nothing to do with your isp or any other dns..  If you're in forwarder mode on unbound then it would forward to what it gets from dhcp/vpn connection etc.. or what is set up to forward to, etc..

    I don't know of a way to have all clients on your network point to pfsense forwarder/resolver and have it use either forwarder or roots for dns while one client uses something else.  If you want your vpn box on your network to use different dns then it would be a simple solution to point that client to what dns you want to use - and it would use your vpn connection to query that dns.

    If I go to your leaktest it shows my public IP as my dns, because the resolver is doing the query..  It's not forwarded anywhere.



  • Thank you for the response!

    @johnpoz:

    Why would you have the resolver on all/all?

    DNS resolver in pfsense reads "The default behavior is to respond to queries on every available IPv4 and IPv6 address." and "By default all interfaces are used."

    Are you using the resolver or do you have it in forwarder mode?

    DNS Forwarder is OFF
    DNS Resolver is ON
    Forwarding mode in DNS Resolver is OFF (Disabled)

    You should listen on the interfaces you want to listen on, should only be lan interfaces.  And you should only request out the wan interface you want to request out of.

    Ok so:
    Network Interfaces: LAN & localhost,
    Outgoing Network Interfaces: WAN

    If you are resolver and not forwarder unbound would always look up from root servers, have nothing to do with your isp or any other dns..  If you're in forwarder mode on unbound then it would forward to what it gets from dhcp/vpn connection etc.. or what is set up to forward to, etc..

    I think it's the other way around, if I enable "Forwarding mode" in the DNS Resolver, then my requests go through the root servers.

    I don't know of a way to have all clients on your network point to pfsense forwarder/resolver and have it use either forwarder or roots for dns while one client uses something else.  If you want your vpn box on your network to use different dns then it would be a simple solution to point that client to what dns you want to use - and it would use your vpn connection to query that dns.

    Well I think there are no specific DNS servers for my VPN provider I could use, at least there's nothing on the website. I would guess that since I route all that client's traffic through the tunnel, then I should use whatever DNS that tunnel uses.

    If I go to your leaktest it shows my public IP as my dns, because the resolver is doing the query..  It's not forwarded anywhere.

    Same here, if I choose "VPN WAN" in the DNS resolver along with my ISP WAN it shows my VPN public IP as my DNS.


  • Rebel Alliance Global Moderator

    "I think it's the other way around, if I enable "Forwarding mode" in the DNS Resolver, then my requests go through the root servers."

    Yeah you might want to rethink that for 2 seconds..  Forwarder mode!!  So to you that is when it would resolve via roots – or would it maybe FORWARD requests ;)

    As to your vpn service not providing dns.. So if you connect a normal client to it, you don't get dns handed to you?  I find that unlikely to be honest.  Fire up, say, a connection from Windows - what does it get for dns??  Or just set it to whatever you want.. I like 4.2.2.2, it's a public Level 3 dns server..  Or googledns, or opendns.. There are many a public dns out there.  But if you point to pfsense resolver it's going to ask the roots be it through your normal isp connection or your vpn connection.  Since you're using resolver - then just have it use your vpn wan, that should be fine I would think.

    "shows my VPN public IP as my DNS."

    So back to the forwarder mode - as you think it uses roots if using forwarder mode, which you're NOT using..  Then why does it show your vpn IP as your dns..  If it's doing what??  If you don't have forwarder mode on -- where do you think it would ask dns??



    I have explicitly stated that in the pfSense DNS Resolver I have the following settings:

    DNS Forwarder is OFF
    DNS Resolver is ON
    Forwarding mode in DNS Resolver is OFF (Disabled)

    Doesn't the "Forwarding mode in DNS Resolver is OFF" explain why I get my public IP in the leak test?

    If I had it enabled, thus forwarding my queries to a "root" DNS, I wouldn't get my public IP, but rather the IP of the DNS server.

    Anyway I'm still looking for a way to have a specific LAN IP query DNS servers via the VPN while the rest of the LAN queries them via pfsense/isp/root/whatever dns.

    I'll try installing my VPN provider's app on my Windows PC and check what settings are getting pushed to the tap interface and maybe have a proper dns they use.


  • Banned

    What's this "leak" nonsense yet again? From where are you testing the "leaks"? Stop configuring your VPN clients to use the DNS resolver on pfSense if you think it "leaks". And stop configuring the LAN clients to use VPN DNS servers. Really dunno what's the rocket science here.


  • Rebel Alliance Global Moderator

    "If I had it enabled, thus forwarding my queries to a "root" DNS, I wouldn't get my public IP, but rather the IP of the DNS server."

    What??  Really, is English not your native language??  So is it you don't understand what the root servers are??

    If you forwarded your queries, it wouldn't be to the root servers - they do not do recursive queries..  You could forward to your isp, you could forward to opendns or googledns - you could forward to 4.2.2.2 – but you can not forward to roots..  Your resolver can use them to find out who is the authoritative name server for domainx.com that you might want to look up a record in, but you can not ask them to lookup www.google.com for you ;)

    So for someone that clearly has no clue how dns works - you seem overly concerned with LEAKS ;)  What are you worried is leaking??  Do you not want your isp to know what you do queries for??  What?
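    The two resolver settings argued over in this thread (listen interfaces vs. outgoing interface, and forwarding mode on vs. off) correspond to a handful of unbound directives. This is an added illustration, not a configuration from the thread or from pfSense itself; all addresses are constructed placeholders.

```conf
# Added example: the pfSense "DNS Resolver" page written as unbound.conf directives.
# Addresses are placeholders, not values from the thread.
server:
    # "Network Interfaces" (LAN & localhost): accept client queries only here,
    # never on the WAN or the VPN tunnel address.
    interface: 192.168.1.1
    interface: 127.0.0.1
    access-control: 192.168.1.0/24 allow
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse

    # "Outgoing Network Interfaces": the source address unbound uses for its own
    # upstream queries. This is a server-wide setting, not a per-client one, which is
    # why a leak test shows the same "DNS" address for every LAN host: the WAN address
    # if WAN is selected, the tunnel address if the VPN interface is selected.
    outgoing-interface: 203.0.113.10    # WAN address (placeholder)
    # outgoing-interface: 10.8.0.6      # VPN tunnel address (placeholder), the alternative

# Forwarding mode OFF (the thread's setting): no forward-zone, so unbound iterates from
# the root hints itself. The roots are only asked "who is authoritative for example.com",
# never to recurse; the leak test therefore reports the outgoing address above.
#
# Forwarding mode ON would add a catch-all forward-zone and send every query to a
# recursive server such as the 4.2.2.2 the moderator mentions, still via the
# outgoing-interface above:
# forward-zone:
#     name: "."
#     forward-addr: 4.2.2.2
```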



  • It's easy to configure pfsense so that it "leaks" DNS.  It's also easy to configure it so that it doesn't.

    IPv6 DNS is easy to forget about running in RADVD.  Also easy to forget DNS running in the basic config section of pfsense.

    Then there is the vpn client itself.  How do you know it's not a problem at the client end?