OpenVPN with unbound dns leak

[crt333]

I configured a Qotom q355g4 so that each of the LAN ports are separate OpenVPN client tunnels to different locations, and all devices to VPN from each LAN port. There is no routing between LAN ports, and I seem to have kill switches working so if any VPN goes down traffic does not go to WAN or some other VPN.

I configured freedns.zone nameservers, and when unbound is NOT running running dnsleaktest.com properly shows everything going to freedns.zone, as expected.

Whenever I enable unbound and then run dnsleaktest.com it shows my underlying ISP nameservers (which appear nowhere in my configuration). I've tried adding the unbound access list for the virtual VPN addresses with /24, I've tried blocking all DNS requests going outside of the LAN, I've tried a lot of things, but it always leaks.

As many say this works "out of the box" I'm wondering what I've done wrong.

I am running 18.1.5 with LibreSSL.

[NOYB]

Which OpenVPN configuration options have you tried?  There are some that relate to DNS.

Don't know if still the case but in the past I had to use "block-outside-dns" in order to keep road warrior clients from using DNS of the local network they were on.

Maybe there is something similar for your situation.

[crt333]

I don't know that option, and when I googled it the result said it was Windows specific? If I add it then it seems that nothing works with unbound not running, which is a little inconvenient, since it is the only working config right now...

Another observation, if I run a DOS window in a connected Win10 computer:
- with unbound not running I get nslookup server as freedns.zone and resolving works fine
- with ubnound running I get nslookup server as 192.168.1.1 and resolving works fine

However, if I run dnsleaktest:
- with unbound not running I get clean results (freedns.zone lookups)
- with unbound running I get leaks (ISP nameserver lookups)

I tried to overide DNS in DHCP settings, in openvpn options, but somehow dnsleaktest shows ISP DNS whenever unbound is running.

[NOYB]

However, if I run dnsleaktest:
- with unbound not running I get clean results (freedns.zone lookups)
- with unbound running I get leaks (ISP nameserver lookups)

Maybe there is an unbound config option that needs to be adjusted.
I use local zone type static and custom options local-zone: "home" static where "home" would be your domain.  Don't know if relevant to your situation but maybe some things to research.

Also if the DNS Query Forwarding option is enabled, maybe try disabling.

[crt333]

Thanks again NOYB. I'll look into that, and BTW forwarding is disabled.

[omie48]

I seem to have the same problem.  I want to be able to use the Opnsense unbound so that I can reference local clients, but any requests for anything else I want to go to Google's DNS servers through the VPN connection.

I get the same behaviour though, which is...

* With unbound off all requests go through the VPN, no leak
* With unbound on local requests are resolved but everything else seems to go to through the WAN port, so there is a leak

I am finding it impossible to make unbound use the VPN connection when using its forwarding servers.

By the way crt333, if you set DNS servers in the System->General page then it will use those, but it will go through the WAN port nonetheless.  This is a bit better as it avoids sending DNS requests directly to your IP.  However, since those requests are still going through the WAN gateway in theory they could easily sniff them or even capture them and reply with fake results.

That page also has an option to select which gateway to use for the DNS requests but whenever I set it to use the VPN connection there it just stops working.

[elektroinside]

No leaks here, not one. This is true when performing the test from the LAN or from the OpenVPN client.

I do have forwarding enabled, but i forward to either OpenDNS or Quad9. Right now I'm using Quad9 with dnnsec.

But I use an internal DNS as main DNS server. That uses as upstream dns the OPNsense's Unbound, and that forwards to Quad9.

Maybe your ISP is hijacking your requests, it's not unheard of, actually it's quite common.

[omie48]

The only way the ISP could be hijacking the requests is if the requests are actually going out over the WAN gateway rather than the VPN gateway, which is pretty much the whole problem.  I can't seem to get unbound configured to forward the DNS requests it can't answer over the VPN gateway, it only seems to work when it's sending them over the WAN gateway.

I've switched the DNS from Google to the new 1.1.1.1, which actually seems slightly faster from here.  However, I'm still not happy that they are going out over the WAN interface as my ISP could easily see and hijack them like you say elektroinside.

[elektroinside]

The only way the ISP could be hijacking the requests is if the requests are actually going out over the WAN gateway rather than the VPN gateway, which is pretty much the whole problem.  I can't seem to get unbound configured to forward the DNS requests it can't answer over the VPN gateway, it only seems to work when it's sending them over the WAN gateway.

I've switched the DNS from Google to the new 1.1.1.1, which actually seems slightly faster from here.  However, I'm still not happy that they are going out over the WAN interface as my ISP could easily see and hijack them like you say elektroinside.

Exactly, which means that the originating query might not be going through the tunnel, eg. the client is ignoring the config set by the server and not directing all the traffic over the tunnel. In this particular case, neither the OpenVPN server or Unbound is the cause of the leak.

[omie48]

No, in this case the clients are behaving as expected.  I want the clients to ask the OPNsense box for DNS resolution as there are a lot of local devices and I use their local names frequently.  However, when unbound on the OPNsense box can't resolve a client (because it's not local) it must forward the request.  At this point I want unbound to forward the request over the VPN connection.

However, the issue is that I can't get unbound to forward requests over the VPN.  Unbound only seems to want to forward requests over the WAN gateway.  If I set the gateway for the DNS servers in System->Settings->General to anything other than the WAN gateway then it fails.

Yes, if I set the clients to use DNS servers other than the OPNsense box either manually or by setting them in what's handed out by DHCP then there are no leaks on the clients.  However, obviously they can't then resolve other local devices.  So what I'm after is that clients do query the OPNsense box, which does answer for local devices it knows about, but that the OPNsense box forwards queries through the VPN for those it can't answer.  For whatever reason, I'm stuck with unbound forwarding queries through the WAN gateway instead.

[crt333]

To omie48: I do have DNS servers set in the System->General (freedns.zone), whether unbound is turned on or off.

When unbound is off these servers are the only ones seen when running dnsleaktest, but when unbound is on dnsleaktest reports the ISP DNS server is used, and these DNS servers do not appear anywhere in the OpnSense config.

[omie48]

crt333, in Systems->General also make sure the two DNS options...

 Allow DNS server list to be overridden by DHCP/PPP on WAN
 Do not use the DNS Forwarder/Resolver as a DNS server for the firewall

...are unchecked.  I think that should fix it so that it doesn't use your ISPs servers.

[crt333]

Thanks omie48

Both items have  always been unchecked

[bigops]

How are you performing the DNS leak test? 
If unbound is configured as a resolver then it should do a recursive query so the ISPs DNS would be bypassed completely. 
Have you tried running a drill from the OPNsense console/ssh terminal to see the name resolution?  If your ISP is hijacking DNS then it should show up here.
If you are using Windows 8.1 and above for running the DNS leak test then Windows by default is configured to bypass VPN due to SMHNR being always on and cannot be easily disabled.   This can Skew your results.


 

[omie48]

@bigops Well, every leak tester shows a leak.  Another way to look at this problem would be to forget about the leak and just ask...

Why does DNS forwarding from the opnSense box work over the WAN connection but not over the VPN connection?

If in General->Settings->System I put in a DNS server and select the gateway as WAN then it works.  However, if I select the VPN gateway then it does not work.  The VPN is definitely connected and working as all other traffic is going over the VPN, so why won't the DNS requests go through the VPN gateway?