OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: Oxygen61 on February 21, 2018, 12:39:24 am

Title: Dnsmasq - outgoing interface / advanced option?
Post by: Oxygen61 on February 21, 2018, 12:39:24 am
Hi guys,

I have another question about Dnsmasq. :) I have some pretty weird DNS configurations,
which made it possible to strictly separate VPN traffic and "normal" traffic.

Let's assume I have 5 VLAN interfaces (A, B, C, D and E),
A-D for VPN traffic and E for normal traffic.

- Unbound DNS is bound to interfaces A, B, C and D via port 53
   and is using the OpenVPN gateways as "outgoing interfaces"
- Dnsmasq DNS is bound to interface E via port 1053 (+ port forward 53 --> 1053 for interface E DNS traffic)

My outbound NAT configuration is doing NAT via the VPN interface for the subnets A, B, C and D,
plus one additional manual NAT rule for WAN traffic for the interface subnet E.

Here is the problem:
If traffic goes out of interface A, B, C or D, I see my abroad VPN IP address and the DNS servers
which got routed through the VPN tunnel
--> no problem, that's how I wanted it to be :)

BUT.... ;D

If traffic goes out of interface E, I see my local WAN IP, which is good, and 3 DNS servers, which I configured in System -> Settings -> General. But I also see the DNS servers from the abroad VPN tunnel. So there are 6+ DNS servers for 1 connection. :(

Is there any way to use the advanced settings of Dnsmasq to force it to only use the WAN_DHCP gateway as outgoing interface, like Unbound DNS? Or is there any way to force Dnsmasq to only use some specific external DNS servers (the ones configured in Settings -> General), like 8.8.8.8 for example?

I hope I didn't confuse anyone. :D
Thank you very much in advance. :)

Best regards,
Oxy
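One concrete way to get what the post asks for on the Dnsmasq side, as an added example that is not from the thread and not OPNsense's own generated configuration: dnsmasq can be told to ignore /etc/resolv.conf completely and forward only to an explicit list of servers, independent of whatever the firewall itself resolves with. Assumptions: these lines are pasted into the Dnsmasq "Advanced" custom-options field of the 18.1 GUI, which passes them through into dnsmasq.conf, and 192.0.2.10 is a placeholder for the firewall's WAN address.

```conf
# Added example, not the thread's or OPNsense's config.
# Ignore /etc/resolv.conf: the 127.0.0.1 entry the firewall adds when
# "Do not use the DNS Forwarder/Resolver as a DNS server for the firewall"
# is unticked, and any server list pushed by DHCP or the VPN, are never read.
no-resolv
# Do not re-read resolv.conf when it changes either.
no-poll
# Forward only to these two upstreams (the ones from System: Settings: General).
# "@192.0.2.10" sets the source address of the forwarded queries to the WAN
# address (placeholder); the dnsmasq man page documents the server=ip@source form.
server=8.8.8.8@192.0.2.10
server=8.8.4.4@192.0.2.10
```

The "@source" part only fixes the source address of the forwarded queries; which path they take is still decided by the firewall's routing table and policy rules, so the WAN outbound NAT rule has to match that source address for the queries to leave via WAN rather than the tunnel. With no-resolv in place, a 127.0.0.1#53 entry in the Dnsmasq log can no longer come from resolv.conf, which makes the "using nameserver" lines in that log a much cleaner leak indicator. Port and interface binding are left to the GUI fields (listen port 1053, strict interface binding) rather than being repeated here.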
Title: Re: Dnsmasq - outgoing interface / advanced option?
Post by: hutiucip on February 21, 2018, 02:01:18 pm
Quote from: Oxygen61 on February 21, 2018, 12:39:24 am
Is there any way to use the advanced settings of Dnsmasq to force it to only use the WAN_DHCP gateway as outgoing interface, like Unbound DNS? Or is there any way to force Dnsmasq to only use some specific external DNS servers (the ones configured in Settings -> General), like 8.8.8.8 for example?

I hope I didn't confuse anyone. :D
Thank you very much in advance. :)

Best regards,
Oxy

Curiously enough, you are asking for something that should be the default behavior.

Be completely sure you don't have "Do not use the DNS Forwarder/Resolver as a DNS server for the firewall" and "Allow DNS server list to be overridden by DHCP/PPP on WAN" (in [System: Settings: General]): VLANs A - D will go strictly by Unbound DNS, since it is bound to their interfaces. But, if you don't have "Do not use the DNS Forwarder/Resolver as a DNS server for the firewall" (the DNS Forwarder being Dnsmasq DNS and the DNS Resolver being Unbound DNS), the system/firewall will pull DNS servers from Unbound, and your Dnsmasq DNS will ask simultaneously any and every DNS server/forwarder in the system ([System: Settings: General] + from Unbound).

Come back with details, as it's tricky!
Title: Re: Dnsmasq - outgoing interface / advanced option?
Post by: Oxygen61 on February 21, 2018, 08:33:52 pm
Hi hutiucip,

you were perfectly right with "Do not use the DNS Forwarder/Resolver as a DNS server for the firewall"! :)

This setting and "Allow DNS server list to be overridden by DHCP/PPP on WAN" were both NOT ticked.
I misread the option because I thought it would disable both the resolver and the forwarder. I then read the hint and thought to myself, "am I disabling the Unbound resolver caching when enabling this option?"

I also double-checked the Dnsmasq log file and indeed saw the DNS server used for my VLAN E subnet + 127.0.0.1#53 ....... localhost....
Localhost always VPN-tunneled my DNS traffic, so that VLAN E traffic always used all DNS servers configured anywhere.

Here starts the tricky part... There is no localhost "interface" marked for either Unbound or Dnsmasq to listen on when resolving any traffic... still I am able to check for updates without any problem.

Questions:
1. After enabling the "Do not use the DNS Forwarder/Resolver as a DNS server for the firewall" option...
is caching still used by Unbound and/or Dnsmasq for my port 53 VLAN_A, B, C and D traffic for faster resolving?
2. Am I still tunneling localhost traffic by any means, or is it impossible to force localhost to use the tunnel when asking for DNS resolving? I am a little scared that I lose control over my localhost traffic and that I can't force it not to leak without me knowing about it. :( For example: "Click to check for updates." How do I know if these checks or other pure localhost traffic are not leaking out of my VPN traffic?
--> Not a single alias has "localhost or 127.0.0.1" included anywhere. How is localhost traffic leaving my WAN interface? From my point of view I don't see a way for it to escape my NAT settings. :(

Here is my Unbound config:
Network Interfaces: VLAN_A , VLAN_B , VLAN_C , VLAN_D // localhost is not ticked
DNS Query Forwarding: [X] Enable Forwarding Mode
Outgoing Network Interfaces: VPN_Interface_1 , VPN_Interface_2 , VPN_Interface_3

Here is my DNSmasq config:
Listen Port: 1053
Interfaces: VLAN_E // localhost is not ticked
[X] Strict Interface Binding

System: Settings: General
DNS servers: 8.8.8.8 , 8.8.4.4
Use gateway: none for both
[  ] Allow DNS server list to be overridden by DHCP/PPP on WAN
[X] Do not use the DNS Forwarder/Resolver as a DNS server for the firewall

My Outbound NAT Settings:
Rule 1: Interface VPN_Interface_1, Source VPN_LOCAL_NETs alias (VLAN A, B, C and D),
Source Port *, Destination !Dontroute alias (reverse reserved IP addresses), Destination Port *, NAT Address: Interface address, NAT Port *

Rule 2: Interface WAN, Source NOT_VPN_LOCAL_NETs alias (VLAN E),
Source Port *, Destination !Dontroute alias (reverse reserved IP addresses), Destination Port *, NAT Address: Interface address, NAT Port *

Best regards,
Oxy
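The evidence in the post above came from the Dnsmasq log, where dnsmasq announces every upstream it will forward to as a "using nameserver <ip>#<port>" line. The following script turns that into a repeatable check: it extracts those lines and flags any upstream that is not on the allow-list of servers the VLAN E forwarder is supposed to use. This is an added example, not code from the thread or from OPNsense. The log lines in it are constructed to mirror the situation described (the two configured servers, 127.0.0.1#53, and a server pushed through the VPN tunnel); on a real firewall feed it the Resolver log from the GUI instead (the file path /var/log/resolver.log behind that view is an assumption).

```shell
#!/bin/sh
# Added example (not from the thread): audit the upstream servers dnsmasq
# announces in its log against an allow-list of the servers it is meant to use.

# Constructed sample log lines in syslog format; not a real capture.
SAMPLE_LOG='Feb 21 20:10:01 fw dnsmasq[3101]: started, version 2.78 cachesize 10000
Feb 21 20:10:01 fw dnsmasq[3101]: using nameserver 127.0.0.1#53
Feb 21 20:10:01 fw dnsmasq[3101]: using nameserver 8.8.8.8#53
Feb 21 20:10:01 fw dnsmasq[3101]: using nameserver 8.8.4.4#53
Feb 21 20:10:01 fw dnsmasq[3101]: using nameserver 10.8.0.1#53
Feb 21 20:10:02 fw dnsmasq[3101]: read /etc/hosts - 5 addresses'

# The only upstreams VLAN E traffic is supposed to reach (System: Settings: General).
ALLOWED='8.8.8.8#53 8.8.4.4#53'

# Print every upstream dnsmasq reported ("using nameserver <ip>#<port>"),
# one per line, de-duplicated and sorted. Argument: log text.
dnsmasq_upstreams() {
    printf '%s\n' "$1" | sed -n 's/.*using nameserver \([^ ]*\).*/\1/p' | sort -u
}

# Print the upstreams that are NOT in the allow-list and return 1 if there are
# any; return 0 when every announced upstream is allowed.
# Arguments: log text, space-separated allow-list of ip#port entries.
check_upstreams() {
    _log=$1
    _allowed=$2
    _rc=0
    for _s in $(dnsmasq_upstreams "$_log"); do
        case " $_allowed " in
            *" $_s "*) ;;
            *) printf '%s\n' "$_s"; _rc=1 ;;
        esac
    done
    return $_rc
}

# Stand-alone run against the sample: lists 10.8.0.1#53 and 127.0.0.1#53
# as upstreams outside the allow-list.
if check_upstreams "$SAMPLE_LOG" "$ALLOWED"; then
    echo "OK: dnsmasq only uses allow-listed upstreams"
else
    echo "WARNING: upstreams above are outside the allow-list (leak candidates)"
fi
```

Run it after every change to System: Settings: General, the DHCP/PPP override option or the VPN client config, since those are exactly the events that rewrite resolv.conf and make dnsmasq log a fresh set of "using nameserver" lines. A 127.0.0.1#53 hit means the firewall's own resolver entry is being picked up; a tunnel-side address such as the 10.8.0.1#53 in the sample means a VPN-pushed server has reached the VLAN E forwarder.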