Re: [pfSense] DNS configurazione under VPN
> On May 13, 2018, at 11:39 AM, WebDawgwrote: > > "In any case, if you configure your DNS Resolver to use the LAN > interface as outgoing interface, the DNS Resolver should use the same > routing than your computer, VPN or not." > > Can anyone confirm that this is true? I never tested it, but it would > be nice to get a confirm. I had an issue, similar to what Antonio is > trying to do, that required something like this in the past. No. Unfortunately it is not true. Traffic originating from the firewall itself is never policy routed. In that case it is sourced from LAN address but it never actually arrives into LAN and is therefore not policy routed according to the rules there. That configuration will, however, make that traffic interesting to IPsec as long as the source address and the DNS server are contained in a traffic selector (phase 2). It can also be routed across OpenVPN according to the routing table to a server on the other side of the VPN and, thanks to the LAN source address, the other side might be able to route back. dnsmasq (the DNS forwarder) can be a little more flexible here since you can select a different source address for each domain override. Really though, the best solution for policy routing DNS (and LDAP and RADIUS, etc) traffic is to tell the clients to use server(s) on the inside network (external to the firewall). That way any resolution queries that server has to do can be policy routed however you want just like any other traffic into LAN. > > Also, are not the firewall rules ingress only, what would be the > relationship between the DNS resolver being on an ingress interface > instead of egrees? How does it 'set it self up' on this interface? > > On Mon, May 7, 2018 at 4:36 AM, Stephane Bouvard wrote: >> Hi, >> >> Try this : >> >> - Create a gateway group (System / Routing / Gateway Groups) with VPN >> Gateway as Tier 1 and WAN Gateway as Tier 2 >> >> - Use this gateway group as outgoing gateway (in my config, i use a LAN >> Firewall rule with the created gateway group, and i use LAN as outgoing >> interface for my DNS Resolver). >> >> In any case, if you configure your DNS Resolver to use the LAN interface as >> outgoing interface, the DNS Resolver should use the same routing than your >> computer, VPN or not. >> >> >> >> >> Le 07-05-18 à 01:09, Antonio a écrit : >>> >>> After messing around for much of the weekend and reading a bit here and >>> there I have made one small step to achieving my goal. Basically, I am >>> able to bound the DNS Resolver to the VPN interface by selecting it >>> under "Outgoing Network Interfaces". This all traffic goes through the >>> VPN tunnel, including DNS queries. Infact, when I go on dnsleaktest.com, >>> I do not have any leaks and this is very positive. >>> >>> The only problem is that when the VPN link fails, then I cannot resolve >>> DNS queries anymore on my LAN devices. So, what I need to do now, is >>> understand how I can achieve this automatically, i.e. when the VPN link >>> comes up, it tells the DNS Resolver to route through the VPN tunnel; >>> when the VPN link is down, it tells the DNS Resolver to route the DBS >>> queries through the LAN interface. Any suggestions? >> >> -- >> Bien à vous... >> >> _ Envie de vous concentrer sur votre coeur de métier ? >> (_'Nous gérons et surveillons vos serveurs pour vous >> ,_)téphane Bouvard http://www.myown.eu >> >> ___ >> pfSense mailing list >> https://lists.pfsense.org/mailman/listinfo/list >> Support the project with Gold! https://pfsense.org/gold > ___ > pfSense mailing list > https://lists.pfsense.org/mailman/listinfo/list > Support the project with Gold! https://pfsense.org/gold ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] DNS configurazione under VPN
"In any case, if you configure your DNS Resolver to use the LAN interface as outgoing interface, the DNS Resolver should use the same routing than your computer, VPN or not." Can anyone confirm that this is true? I never tested it, but it would be nice to get a confirm. I had an issue, similar to what Antonio is trying to do, that required something like this in the past. Also, are not the firewall rules ingress only, what would be the relationship between the DNS resolver being on an ingress interface instead of egrees? How does it 'set it self up' on this interface? On Mon, May 7, 2018 at 4:36 AM, Stephane Bouvardwrote: > Hi, > > Try this : > > - Create a gateway group (System / Routing / Gateway Groups) with VPN > Gateway as Tier 1 and WAN Gateway as Tier 2 > > - Use this gateway group as outgoing gateway (in my config, i use a LAN > Firewall rule with the created gateway group, and i use LAN as outgoing > interface for my DNS Resolver). > > In any case, if you configure your DNS Resolver to use the LAN interface as > outgoing interface, the DNS Resolver should use the same routing than your > computer, VPN or not. > > > > > Le 07-05-18 à 01:09, Antonio a écrit : >> >> After messing around for much of the weekend and reading a bit here and >> there I have made one small step to achieving my goal. Basically, I am >> able to bound the DNS Resolver to the VPN interface by selecting it >> under "Outgoing Network Interfaces". This all traffic goes through the >> VPN tunnel, including DNS queries. Infact, when I go on dnsleaktest.com, >> I do not have any leaks and this is very positive. >> >> The only problem is that when the VPN link fails, then I cannot resolve >> DNS queries anymore on my LAN devices. So, what I need to do now, is >> understand how I can achieve this automatically, i.e. when the VPN link >> comes up, it tells the DNS Resolver to route through the VPN tunnel; >> when the VPN link is down, it tells the DNS Resolver to route the DBS >> queries through the LAN interface. Any suggestions? > > -- > Bien à vous... > > _ Envie de vous concentrer sur votre coeur de métier ? > (_'Nous gérons et surveillons vos serveurs pour vous > ,_)téphane Bouvard http://www.myown.eu > > ___ > pfSense mailing list > https://lists.pfsense.org/mailman/listinfo/list > Support the project with Gold! https://pfsense.org/gold ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] DNS configurazione under VPN
Hi, Try this : - Create a gateway group (System / Routing / Gateway Groups) with VPN Gateway as Tier 1 and WAN Gateway as Tier 2 - Use this gateway group as outgoing gateway (in my config, i use a LAN Firewall rule with the created gateway group, and i use LAN as outgoing interface for my DNS Resolver). In any case, if you configure your DNS Resolver to use the LAN interface as outgoing interface, the DNS Resolver should use the same routing than your computer, VPN or not. Le 07-05-18 à 01:09, Antonio a écrit : After messing around for much of the weekend and reading a bit here and there I have made one small step to achieving my goal. Basically, I am able to bound the DNS Resolver to the VPN interface by selecting it under "Outgoing Network Interfaces". This all traffic goes through the VPN tunnel, including DNS queries. Infact, when I go on dnsleaktest.com, I do not have any leaks and this is very positive. The only problem is that when the VPN link fails, then I cannot resolve DNS queries anymore on my LAN devices. So, what I need to do now, is understand how I can achieve this automatically, i.e. when the VPN link comes up, it tells the DNS Resolver to route through the VPN tunnel; when the VPN link is down, it tells the DNS Resolver to route the DBS queries through the LAN interface. Any suggestions? -- Bien à vous... _ Envie de vous concentrer sur votre coeur de métier ? (_'Nous gérons et surveillons vos serveurs pour vous ,_)téphane Bouvard http://www.myown.eu ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] DNS configurazione under VPN
After messing around for much of the weekend and reading a bit here and there I have made one small step to achieving my goal. Basically, I am able to bound the DNS Resolver to the VPN interface by selecting it under "Outgoing Network Interfaces". This all traffic goes through the VPN tunnel, including DNS queries. Infact, when I go on dnsleaktest.com, I do not have any leaks and this is very positive. The only problem is that when the VPN link fails, then I cannot resolve DNS queries anymore on my LAN devices. So, what I need to do now, is understand how I can achieve this automatically, i.e. when the VPN link comes up, it tells the DNS Resolver to route through the VPN tunnel; when the VPN link is down, it tells the DNS Resolver to route the DBS queries through the LAN interface. Any suggestions? Thanks Respect your privacy and that of others, don't give your data to big corporations. Use alternatives like Signal (https://whispersystems.org/) for your messaging or Diaspora* (https://joindiaspora.com/) for your social networking. Il 03/05/2018 20:29, Antonio ha scritto: > Hi folks, > > I'm trying to understand why I get DNS leaks. I am connecting to VPN > italian server from UK and when I go to www.dnsleaktest.com, the main > page says I'm connecting from Italy but then, when I do the advanced or > standard tests, these say I'm located in the UK. > > I have: > > 2.4.3-RELEASE (amd64) > built on Mon Mar 26 18:02:04 CDT 2018 > FreeBSD 11.1-RELEASE-p7 > > Installed on a mini PC that is connected via WAN on a DLS modem (setup > in pass through mode, not router mode). pfSense is acting as a DNS > Resolver even though I have have OpenDNS set in the GENERAL tab (I > believe these are not being used because I'm connected via DNS > Resolver). Would it be best to configure pfSense as DNS FOrwarder? > ALthough I'm not sure that this is going to resolve my DNS leak problem. > All clients are confirgured with a DNS set to the IP of the pfSEnse > machine. Any suggestions on what is the best way to configure DNS on > pfSense where occasionally I fire up my OpenVPN connection? > > Many thanks > ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] DNS configurazione under VPN
I'm not sure I understand how a web page can tell where DNS responses to the OS are coming from, but I suspect what you may want is the DNS Resolver checkbox for "Enable Forwarding Mode" which will force pfSense to forward the query on, rather than try to resolve the query against the root servers. Then it would use your OpenDNS servers, and where those servers are is up to OpenDNS. I assume they're big enough to have them worldwide...? -- Steve Yates ITS, Inc. -Original Message- From: List <list-boun...@lists.pfsense.org> On Behalf Of Antonio Sent: Thursday, May 3, 2018 2:29 PM To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org> Subject: [pfSense] DNS configurazione under VPN Hi folks, I'm trying to understand why I get DNS leaks. I am connecting to VPN italian server from UK and when I go to www.dnsleaktest.com, the main page says I'm connecting from Italy but then, when I do the advanced or standard tests, these say I'm located in the UK. I have: 2.4.3-RELEASE (amd64) built on Mon Mar 26 18:02:04 CDT 2018 FreeBSD 11.1-RELEASE-p7 Installed on a mini PC that is connected via WAN on a DLS modem (setup in pass through mode, not router mode). pfSense is acting as a DNS Resolver even though I have have OpenDNS set in the GENERAL tab (I believe these are not being used because I'm connected via DNS Resolver). Would it be best to configure pfSense as DNS FOrwarder? ALthough I'm not sure that this is going to resolve my DNS leak problem. All clients are confirgured with a DNS set to the IP of the pfSEnse machine. Any suggestions on what is the best way to configure DNS on pfSense where occasionally I fire up my OpenVPN connection? Many thanks -- Respect your privacy and that of others, don't give your data to big corporations. Use alternatives like Signal (https://whispersystems.org/) for your messaging or Diaspora* (https://joindiaspora.com/) for your social networking. ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold
[pfSense] DNS configurazione under VPN
Hi folks, I'm trying to understand why I get DNS leaks. I am connecting to VPN italian server from UK and when I go to www.dnsleaktest.com, the main page says I'm connecting from Italy but then, when I do the advanced or standard tests, these say I'm located in the UK. I have: 2.4.3-RELEASE (amd64) built on Mon Mar 26 18:02:04 CDT 2018 FreeBSD 11.1-RELEASE-p7 Installed on a mini PC that is connected via WAN on a DLS modem (setup in pass through mode, not router mode). pfSense is acting as a DNS Resolver even though I have have OpenDNS set in the GENERAL tab (I believe these are not being used because I'm connected via DNS Resolver). Would it be best to configure pfSense as DNS FOrwarder? ALthough I'm not sure that this is going to resolve my DNS leak problem. All clients are confirgured with a DNS set to the IP of the pfSEnse machine. Any suggestions on what is the best way to configure DNS on pfSense where occasionally I fire up my OpenVPN connection? Many thanks -- Respect your privacy and that of others, don't give your data to big corporations. Use alternatives like Signal (https://whispersystems.org/) for your messaging or Diaspora* (https://joindiaspora.com/) for your social networking. ___ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold