Hi there,
I need some help regarding the following; I have set up a WG ProtonVPN tunnel, which works fine. So basically I followed the official docs, with one difference -> I'm not routing particular clients over the tunnel, but a whole VLAN.
Now, while browsing https://ip.me/ it shows the correct IP, but https://dnsleaktest.com/ tells me that DNS requests are answered by Cloudflare, not ProtonVPN.
OPNsense's DNS is Unbound, which is actually configured to use Cloudflare's 1.1.1.1 and 1.1.1.2, but Unbound is not(!) listening on the affected VLAN.
KEA is serving as DHCP and offers 10.2.0.1 (ProtonVPN's tunnel DNS) and 1.1.1.1 (because if I remove the latter, resolving doesn't work at all). I'm aware that DNS servers are not used sequentially, but randomly.
What's even more curious is that in the live view I can see DNS requests being made towards 10.2.0.1.
Can you point me in a direction where I could search for issues?
Thanks in advance!
You already said it, you are using 1.1.1.1. Also, your browser might use Cloudflare on its own via DoH. Maybe you can live with that "DNS leak" towards Cloudflare. If you can't, you have to configure your browser accordingly and remove 1.1.1.1 from the DNS servers.
Hi mate, of course I can live with Cloudflare, as I've set them up for DoT - I just wanted to understand what's happening. In that matter, many thanks for your time and reply.
I got it working for my Guest VLAN (where I can run such tests w/o any interruption). In fact:
1) I provide a specific domain for all clients in that Guest VLAN (zzzguest)
2) I configured unbound to forward requests of that domain (zzzguest) towards the tunnel DNS IP of ProtonVPN
What I don't understand: in Unbound, via DoT, I've got two entries for Cloudflare (1.0.0.2 and 1.1.1.2). Currently, the domain is empty (which equals "fetch all domains"). If I set this to my standard domain (zzz), I can't resolve anything. Even after multiple DNS flushes.
Quote from: opn_minded on September 26, 2024, 12:03:50 PM
If I set this to my standard domain (zzz), I can't resolve anything. Even after multiple dns-flushes.
Your domain is your domain only, no wonder nothing else will work because no one is using your domain. google.com is not zzz.
OK, I understood it to mean that all hosts of a certain internal domain (.zzz) are forwarded to a specific DNS server. Thanks for the clarification.
There is only one solution if you really, really want no DNS leak, and that is to only give an external DNS server to the clients (of that VLAN, for example). Because with that, your OPNsense is not asked for DNS at all, and that DNS traffic will go out through the VPN provider, like any other traffic.
The only downside is that internal DNS addresses will not work for those clients. But it is the "most secure" solution.
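The thread's disagreement is really about what the firewall can observe: the live view shows queries to the tunnel resolver, the leak test shows Cloudflare, and the last reply's point is that a VLAN routed over the VPN should only ever be handed the tunnel resolver. The script below is an added example, not code from this thread or from OPNsense, that turns that into a check: given flow records of the form "src dst proto dst_port" (a constructed, simplified format, not the real OPNsense filter log) and a per-VLAN policy of which resolver addresses its clients are supposed to use, it reports every DNS or DNS-over-TLS flow that goes to some other resolver, and separately flags port-443 connections to well-known public resolver addresses as probable DNS-over-HTTPS, because, as noted above, a browser's DoH cannot be told apart from ordinary HTTPS by port alone. The subnets, the 10.2.0.1 tunnel resolver taken from the thread, and the sample log lines are all assumptions made up for the example.

```python
"""Classify DNS-related flows per VLAN against a resolver policy.

Added example (not from the forum thread or OPNsense). Assumes a constructed
log format "<src_ip> <dst_ip> <proto> <dst_port>" and a hypothetical policy.
"""
import ipaddress
from collections import Counter

# Hypothetical policy: VLAN subnet -> resolver addresses its clients may use.
POLICY = {
    # Guest VLAN routed over the WireGuard tunnel: only the tunnel resolver.
    ipaddress.ip_network("192.168.50.0/24"): {ipaddress.ip_address("10.2.0.1")},
    # Ordinary LAN: Unbound on the OPNsense interface address (assumed).
    ipaddress.ip_network("192.168.10.0/24"): {ipaddress.ip_address("192.168.10.1")},
}

# Public resolvers whose addresses also serve DoH on 443 (Cloudflare, Google, Quad9).
KNOWN_DOH = {
    ipaddress.ip_address(a)
    for a in ("1.1.1.1", "1.0.0.1", "1.1.1.2", "1.0.0.2", "8.8.8.8", "8.8.4.4", "9.9.9.9")
}


def vlan_of(ip):
    """Return the policy subnet containing ip, or None if unmonitored."""
    addr = ipaddress.ip_address(ip)
    return next((net for net in POLICY if addr in net), None)


def classify(src_ip, dst_ip, dst_port):
    """Verdict for one flow: 'ok', 'leak-plain', 'leak-dot', 'leak-doh?' or None.

    None means the flow is not DNS-related or the source is not in a monitored VLAN.
    """
    vlan = vlan_of(src_ip)
    if vlan is None:
        return None
    dst = ipaddress.ip_address(dst_ip)
    if dst_port in (53, 853):
        if dst in POLICY[vlan]:
            return "ok"
        # Plain DNS (53) or DNS-over-TLS (853) to a resolver the VLAN should not use.
        return "leak-plain" if dst_port == 53 else "leak-dot"
    if dst_port == 443 and dst in KNOWN_DOH:
        # Could be DoH or could be a normal website on that resolver's address;
        # the port alone cannot tell, so the verdict carries a question mark.
        return "leak-doh?"
    return None


def summarize(lines):
    """Count verdicts per (vlan, destination, verdict) over constructed log lines."""
    counts = Counter()
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, _proto, port = line.split()
        verdict = classify(src, dst, int(port))
        if verdict is not None:
            counts[(str(vlan_of(src)), dst, verdict)] += 1
    return counts


# Constructed sample flows, not a real capture.
SAMPLE_LOG = """\
# src dst proto dst_port
192.168.50.23 10.2.0.1 udp 53
192.168.50.23 1.1.1.1 udp 53
192.168.50.42 1.1.1.1 tcp 443
192.168.50.42 203.0.113.10 tcp 443
192.168.10.5 192.168.10.1 udp 53
192.168.10.5 1.1.1.2 tcp 853
"""

if __name__ == "__main__":
    for (vlan, dst, verdict), n in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print(f"{vlan:18} -> {dst:15} {verdict:11} x{n}")
```

Run against real data, a client in the guest VLAN that was handed both 10.2.0.1 and 1.1.1.1 by DHCP will show up with both an "ok" line and a "leak-plain" line for the same source, which is exactly the mixed picture the leak test reported; the flows to 203.0.113.10 on 443 are ignored because they are not DNS-related, while the 443 flow to 1.1.1.1 is only flagged as a possible DoH channel, not proven to be one.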