Discussion:
[pfSense] Mastering DNS Resolver and tweaking behaviour with VPN
Antonio
2018-05-06 02:30:32 UTC
Hi,

I've just come across the excellent tutorial videos of Mark Furneaux
<https://www.youtube.com/channel/UCRDQEDxAVuxcsyeEoOpSoRA> on Youtube. I
did the DNS video where he covered unbound. There are a couple of things
I still can't work out and that are not in the pfSense book:

a) *DNS Query Forwarding* - what was the purpose of Mark covering
namebench to measure DNS performance (even going to the length of
filling in the results in the General Setup page) if the DNS servers you
put in this page are only used when you tick this feature? (which I
understand you shouldn't do anyway as it's less secure ...?)


b) *OpenVPN Clients* - this seems to be a new option that wasn't covered
in Mark's video. Nor is there reference to this in the pfSense book. Is
this the magic setting that forces DNS resolver to route DNS queries
through the VPN tunnel? *Although from the description in pfSense this
doesn't look like what I'm after.*


I'm still trying to understand why I get DNS leaks and I'm wondering
whether the resolver is getting the ISP DNS server from the modem and
then using it to resolve DNS queries. Is this possible? I think I need
to understand how to get the DNS resolver to pass the DNS requests
through the VPN tunnel when this is up but I just can't figure out how.


I look forward to hearing from you pfSense experts.


Thanks
--
Respect your privacy and that of others, don't give your data to big corporations.
Use alternatives like Signal (https://whispersystems.org/) for your messaging or
Diaspora* (https://joindiaspora.com/) for your social networking.
Antonio
2018-05-06 08:47:17 UTC
Hi Lorenz,

I came across that website yesterday and although I have pfSense 2.4.3
installed (I believe it ships OpenVPN 2.4.4), I get that the option is
not supported, although it could be that the server on the other end is
not supporting it?

"Options error: Unrecognized option or missing or extra parameter(s) in
/var/etc/openvpn/client1.conf:46: block-outside-dns (2.4.4)"

Cheers

Hi,
Only covering b).
On Sun, 6 May 2018 03:30:32 +0100
Post by Antonio
b) *OpenVPN Clients* - this seems to be a new option that wasn't
covered in Mark's video. Nor is there reference to this in the pfSense
book.
https://redmine.pfsense.org/issues/6847
It basically makes it easy to connect to OpenVPN clients in the field
from your LAN using the name from their client certificate. This is the
exact opposite of what most people are doing with their VPNs.
Post by Antonio
Is this the magic setting that forces DNS resolver to route DNS
queries through the VPN tunnel?
*Although from the description in
pfSense this doesn't look like what I'm after.*
There is actually a magic feature in OpenVPN >= 2.3.9
See: https://dnsleaktest.com/how-to-fix-a-dns-leak.html
Not sure whether this works for every client OS though. I recommend
testing this thoroughly if your security / the security of your clients
depends on it.
Cheers,
Lorenz
Antonio
2018-05-06 22:08:20 UTC
Correct, no Windows for me.

Hi,
On Sun, 6 May 2018 09:47:17 +0100
Post by Antonio
I came across that website yesterday and although I have pfSense 2.4.3
installed (I believe it ships OpenVPN 2.4.4), I get that the option is
not supported, although it could be that the server on the other end is
not supporting it?
"Options error: Unrecognized option or missing or extra parameter(s)
in /var/etc/openvpn/client1.conf:46: block-outside-dns (2.4.4)"
I should have mentioned that this is a Windows-specific option and you
should push it to your clients (unless of course you do not have any
Windows clients).
Cheers,
Lorenz
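As an added illustration of Lorenz's point (not part of the thread, and not pfSense's or OpenVPN's own configuration), the fragment below contrasts the placement that produced Antonio's "Options error" with the server-side push that is meant to carry the option. File names and the 10.8.0.1 resolver address are constructed.

```conf
# Added example: where block-outside-dns belongs.
# client1.conf, server.conf and 10.8.0.1 are constructed for illustration.

# --- client1.conf on a non-Windows client (e.g. pfSense/FreeBSD): does NOT work ---
# block-outside-dns is implemented only in the Windows OpenVPN client (>= 2.3.9),
# so a FreeBSD or Linux client rejects it at startup with the
# "Unrecognized option" error quoted in the thread:
#   block-outside-dns

# --- server.conf on the OpenVPN server: correct placement ---
# Route all client traffic through the tunnel, hand out the tunnel-side
# resolver, and tell Windows clients to refuse DNS on every other interface.
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"   # constructed: resolver reachable inside the tunnel
push "block-outside-dns"          # acted on by Windows clients only
```

On pfSense the `push` lines go into the OpenVPN server's custom options; a client that only connects to a third-party VPN server cannot set them itself.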