According to this longstanding bug (https://github.com/opnsense/core/issues/7679), you have to either choose using your VPN's DNS and not having options for local overrides or use Unbound's recursive DNS resolution and leak your public IP address. I was wondering if any recent developments might have made a best of both worlds where I can use Unbound for recursive DNS and have its requests routed through my Wireguard VPN so that my public IP isn't leaked.
I have successfully gotten Dnsmasq to use the upstream DNS providers I choose but the moment I forward the requests to Unbound, my public IP is leaked. Setting firewall rules and setting the `Outgoing Network Interfaces` to be my VPN interface does not help.
I've been wracking my brain getting things working and today I was able to at least get Dnsmasq DNS resolution to work on all of my devices with a 3rd party upstream DNS service, whether they are included in the Wireguard VPN or not. This is great so that my overrides are respected. However still, the moment I try to use Unbound as my upstream provider for Dnsmasq my public IP is leaked. My setup isn't as similar to the linked post as I thought so I will describe it in more detail here.
I use https://mullvad.net/en/check to check and when using Dnsmasq, it says there's a "leak" but I confirm that the servers listed are my 3rd party service's and not my public IP. However the real leak is confirmed on this page when using Unbound.
My general setup is a Wireguard VPN - I use Mullvad and made sure to go through the steps to get an address without DNS hijacking. I just discovered this today so this was probably why my VPN devices weren't using the local DNS settings. https://schnerring.net/blog/use-custom-dns-servers-with-mullvad-and-any-wireguard-client/
I just nuked most of my legacy configs and followed the Wireguard Road Warrior for Mullvad guide https://docs.opnsense.org/manual/how-tos/wireguard-client-mullvad.html
I have every device routed through the VPN except one, excluded in the VPN hosts alias, which I run a VPN app on so that I can change the servers more fluidly.
I have Dnsmasq listening on port 53 and use the Domains tab to point it to my preferred 3rd party DNS resolver. In System > Settings > General, I cleared out the DNS servers list and have `Allow DNS server list to be overridden by DHCP/PPP on WAN ` unchecked. Dnsmasq settings are:
Interface: LAN, VPN
DNSSEC: Checked
No hosts lookup: Unchecked
Do not forward to system defined DNS servers: Checked (To ensure that my rules in Domains are respected)
When trying to get Unbound working, I have it listening on port 53053. I replace the rule in Dnsmasq's Domains tab with one pointing to 127.0.0.1 on port 53053 with the * wildcard as the domain. Looking at the Unbound statistics, the queries appear to be correctly forwarded. The issue being that my public IP is being leaked by Unbound now. My Unbound settings are:
Network Interfaces: LAN
Enable DNSSEC Support: Checked
Outgoing Network Interfaces: VPN
Overrides: None
Advanced:
Hide Identity: Checked
Hide Version: Checked
Blocklists: AdGuard List and Ads Blocklist
Query Forwarding: None, and `Use System Nameservers` unchecked.
Does anything stick out that would cause leaked DNS requests? I also tried making a firewall rule to block DNS requests outside of the VPN but I already have a VPN Killswitch rule that I believe should cover it so I'm not sure how the public IP is being leaked.
The full table of my firewall rules is:
enabled statetype sequence action quick interfacenot interface direction ipprotocol protocol source_net source_not source_port destination_net destination_not destination_port gateway allowopts tag tagged description
1 keep 51 pass 1 0 lan in inet any Mullvad_Default_Hosts 0 RFC1918_Networks 1 VPN_Default 0 NO_WAN_EGRESS From Wireguard Road Warrior
1 keep 26 reject 1 0 lan in inet any Internet_Blocked_Devices 0 lan 1 0 Block internet for specific devices
1 keep 351 pass 1 0 lan in inet any lan 0 any 0 0 Default allow LAN to any rule
1 keep 401 pass 1 0 lan in inet6 any lan 0 any 0 0 Default allow LAN IPv6 to any rule
1 keep 501 pass 0 0 out inet any opt1ip 0 opt1 1 1 From Wireguard Road Warrior
1 keep 88 block 1 0 wan out inet any any 0 any 0 0 NO_WAN_EGRESS Kill Switch From Wireguard Road Warrior
So I just figured out how to make Unbound my primary DNS resolver and Dnsmasq just for DHCP and can confirm that the moment I uncheck my DNS over TLS entry for my upstream provider in Unbound, making it recursive, my IP is leaked. Re-checking solves the leak.
That is just how it works and has nothing to do with any bug or something. You also don't seem to know much about DNS, Unbound or Dnsmasq, you are just brute-forcing some guides over another.
Quote from: opnsense1 on Today at 06:49:27 AMDnsmasq settings are:
DNSSEC: Checked
My Unbound settings are:
Enable DNSSEC Support: Checked
When you use Unbound as the Upstream DNS Provider it will do the DNSSEC stuff for you so there is no need to Enable it in your DNSmasqd config ;)