OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: crt333 on March 30, 2018, 05:11:20 pm

Title: OpenVPN with unbound dns leak
Post by: crt333 on March 30, 2018, 05:11:20 pm
I configured a Qotom q355g4 so that each of the LAN ports are separate OpenVPN client tunnels to different locations, and all devices to VPN from each LAN port. There is no routing between LAN ports, and I seem to have kill switches working so if any VPN goes down traffic does not go to WAN or some other VPN.

I configured freedns.zone nameservers, and when unbound is NOT running, running dnsleaktest.com properly shows everything going to freedns.zone, as expected.

Whenever I enable unbound and then run dnsleaktest.com it shows my underlying ISP nameservers (which appear nowhere in my configuration). I've tried adding the unbound access list for the virtual VPN addresses with /24, I've tried blocking all DNS requests going outside of the LAN, I've tried a lot of things, but it always leaks.

As many say this works "out of the box" I'm wondering what I've done wrong.

I am running 18.1.5 with LibreSSL.
Title: Re: OpenVPN with unbound dns leak
Post by: NOYB on March 30, 2018, 09:26:39 pm
Which OpenVPN configuration options have you tried?  There are some that relate to DNS.

Don't know if still the case but in the past I had to use "block-outside-dns" in order to keep road warrior clients from using DNS of the local network they were on.

Maybe there is something similar for your situation.
Title: Re: OpenVPN with unbound dns leak
Post by: crt333 on March 31, 2018, 01:44:32 am
I don't know that option, and when I googled it the result said it was Windows specific? If I add it then it seems that nothing works with unbound not running, which is a little inconvenient, since it is the only working config right now...

Another observation, if I run a DOS window in a connected Win10 computer:
- with unbound not running I get nslookup server as freedns.zone and resolving works fine
- with unbound running I get nslookup server as 192.168.1.1 and resolving works fine

However, if I run dnsleaktest:
- with unbound not running I get clean results (freedns.zone lookups)
- with unbound running I get leaks (ISP nameserver lookups)

I tried to override DNS in DHCP settings, in openvpn options, but somehow dnsleaktest shows ISP DNS whenever unbound is running.
Title: Re: OpenVPN with unbound dns leak
Post by: NOYB on March 31, 2018, 02:38:16 am
However, if I run dnsleaktest:
- with unbound not running I get clean results (freedns.zone lookups)
- with unbound running I get leaks (ISP nameserver lookups)

Maybe there is an unbound config option that needs to be adjusted.
I use local zone type static and custom options local-zone: "home" static where "home" would be your domain.  Don't know if relevant to your situation but maybe some things to research.

Also if the DNS Query Forwarding option is enabled, maybe try disabling.
Title: Re: OpenVPN with unbound dns leak
Post by: crt333 on April 01, 2018, 08:17:15 pm
Thanks again NOYB. I'll look into that, and BTW forwarding is disabled.
Title: Re: OpenVPN with unbound dns leak
Post by: omie48 on April 01, 2018, 08:20:19 pm
I seem to have the same problem.  I want to be able to use the Opnsense unbound so that I can reference local clients, but any requests for anything else I want to go to Google's DNS servers through the VPN connection.

I get the same behaviour though, which is...

* With unbound off all requests go through the VPN, no leak
* With unbound on local requests are resolved but everything else seems to go to through the WAN port, so there is a leak

I am finding it impossible to make unbound use the VPN connection when using its forwarding servers.

By the way crt333, if you set DNS servers in the System->General page then it will use those, but it will go through the WAN port nonetheless.  This is a bit better as it avoids sending DNS requests directly to your IP.  However, since those requests are still going through the WAN gateway in theory they could easily sniff them or even capture them and reply with fake results.

That page also has an option to select which gateway to use for the DNS requests but whenever I set it to use the VPN connection there it just stops working.
Title: Re: OpenVPN with unbound dns leak
Post by: elektroinside on April 01, 2018, 10:00:21 pm
No leaks here, not one. This is true when performing the test from the LAN or from the OpenVPN client.

I do have forwarding enabled, but I forward to either OpenDNS or Quad9. Right now I'm using Quad9 with DNSSEC.

But I use an internal DNS as main DNS server. That uses as upstream dns the OPNsense's Unbound, and that forwards to Quad9.

Maybe your ISP is hijacking your requests, it's not unheard of, actually it's quite common.
Title: Re: OpenVPN with unbound dns leak
Post by: omie48 on April 02, 2018, 11:15:13 am
The only way the ISP could be hijacking the requests is if the requests are actually going out over the WAN gateway rather than the VPN gateway, which is pretty much the whole problem.  I can't seem to get unbound configured to forward the DNS requests it can't answer over the VPN gateway, it only seems to work when it's sending them over the WAN gateway.

I've switched the DNS from Google to the new 1.1.1.1, which actually seems slightly faster from here.  However, I'm still not happy that they are going out over the WAN interface as my ISP could easily see and hijack them like you say elektroinside.
Title: Re: OpenVPN with unbound dns leak
Post by: elektroinside on April 02, 2018, 11:56:05 am
The only way the ISP could be hijacking the requests is if the requests are actually going out over the WAN gateway rather than the VPN gateway, which is pretty much the whole problem.  I can't seem to get unbound configured to forward the DNS requests it can't answer over the VPN gateway, it only seems to work when it's sending them over the WAN gateway.

I've switched the DNS from Google to the new 1.1.1.1, which actually seems slightly faster from here.  However, I'm still not happy that they are going out over the WAN interface as my ISP could easily see and hijack them like you say elektroinside.

Exactly, which means that the originating query might not be going through the tunnel, eg. the client is ignoring the config set by the server and not directing all the traffic over the tunnel. In this particular case, neither the OpenVPN server or Unbound is the cause of the leak.
Title: Re: OpenVPN with unbound dns leak
Post by: omie48 on April 02, 2018, 12:03:44 pm
No, in this case the clients are behaving as expected.  I want the clients to ask the OPNsense box for DNS resolution as there are a lot of local devices and I use their local names frequently.  However, when unbound on the OPNsense box can't resolve a client (because it's not local) it must forward the request.  At this point I want unbound to forward the request over the VPN connection.

However, the issue is that I can't get unbound to forward requests over the VPN.  Unbound only seems to want to forward requests over the WAN gateway.  If I set the gateway for the DNS servers in System->Settings->General to anything other than the WAN gateway then it fails.

Yes, if I set the clients to use DNS servers other than the OPNsense box either manually or by setting them in what's handed out by DHCP then there are no leaks on the clients.  However, obviously they can't then resolve other local devices.  So what I'm after is that clients do query the OPNsense box, which does answer for local devices it knows about, but that the OPNsense box forwards queries through the VPN for those it can't answer.  For whatever reason, I'm stuck with unbound forwarding queries through the WAN gateway instead.
Title: Re: OpenVPN with unbound dns leak
Post by: crt333 on April 03, 2018, 06:30:45 pm
To omie48: I do have DNS servers set in the System->General (freedns.zone), whether unbound is turned on or off.

When unbound is off these servers are the only ones seen when running dnsleaktest, but when unbound is on dnsleaktest reports the ISP DNS server is used, and these DNS servers do not appear anywhere in the OpnSense config.
Title: Re: OpenVPN with unbound dns leak
Post by: omie48 on April 03, 2018, 07:14:07 pm
crt333, in Systems->General also make sure the two DNS options...

 Allow DNS server list to be overridden by DHCP/PPP on WAN
 Do not use the DNS Forwarder/Resolver as a DNS server for the firewall

...are unchecked.  I think that should fix it so that it doesn't use your ISPs servers.
Title: Re: OpenVPN with unbound dns leak
Post by: crt333 on April 04, 2018, 04:45:31 pm
Thanks omie48

Both items have  always been unchecked
Title: Re: OpenVPN with unbound dns leak
Post by: bigops on April 05, 2018, 02:41:33 am
How are you performing the DNS leak test? 
If unbound is configured as a resolver then it should do a recursive query so the ISPs DNS would be bypassed completely. 
Have you tried running a drill from the OPNsense console/ssh terminal to see the name resolution?  If your ISP is hijacking DNS then it should show up here.
If you are using Windows 8.1 and above for running the DNS leak test then Windows by default is configured to bypass VPN due to SMHNR being always on and cannot be easily disabled.   This can skew your results.
Title: Re: OpenVPN with unbound dns leak
Post by: omie48 on April 05, 2018, 09:36:25 am
@bigops Well, every leak tester shows a leak.  Another way to look at this problem would be to forget about the leak and just ask...

Why does DNS forwarding from the opnSense box work over the WAN connection but not over the VPN connection?

If in General->Settings->System I put in a DNS server and select the gateway as WAN then it works.  However, if I select the VPN gateway then it does not work.  The VPN is definitely connected and working as all other traffic is going over the VPN, so why won't the DNS requests go through the VPN gateway?
Title: Re: OpenVPN with unbound dns leak
Post by: omie48 on April 05, 2018, 09:41:49 am
Hmmmm, well here's an interesting finding.  If I use DNSMasq instead of Unbound then I can use the VPN gateway and of course then the leak is gone.  So this definitely seems like a problem with Unbound to me.
Title: Re: OpenVPN with unbound dns leak
Post by: Maurice on April 05, 2018, 12:51:36 pm
Whenever I enable unbound and then run dnsleaktest.com it shows my underlying ISP nameservers

Did you double check? When running unbound as a resolver, dnsleaktest.com should show your own public IP address. Of course it shows your ISP's name, because this is where you get your IP address from. (If you don't have a public IP address (CGNAT), then it will show an IP address of your ISP's NAT gateway.)

Title: Re: OpenVPN with unbound dns leak
Post by: omie48 on April 05, 2018, 01:07:28 pm
@Maurice.  I don't think that's completely accurate about it showing your ISP name, although I may be wrong.  When sending traffic through the VPN and running unbound with unbound set to forward to say Google's 8.8.8.8 then when I run a leak test I don't see my ISP anywhere.  As I would expect, I see the VPN public IP, and I see Google's DNS servers.  This is still a leak because it means my DNS requests went over my WAN connection.  My ISP could have looked at them or hijacked them without me knowing.

As far as your second bullet, this is pretty much spot on and is what I was trying to achieve.  However, unbound doesn't seem to want to forward requests through the VPN.  Whenever I tried setting unbound to use the VPN tunnel it failed.  However, dnsmasq with exactly the same set up does seem to work and does forward its requests over the VPN tunnel without complaint.  So at least for me, the solution has been to turn off unbound and switch back to using dnsmasq.

I don't know if the issue with unbound not using the VPN for forwarding is a bug, planned behavior, or a configuration issue.  If it is planned then the general settings should be changed so that anything but the WAN gateway is not an option when using unbound.
Title: Re: OpenVPN with unbound dns leak
Post by: Maurice on April 05, 2018, 01:50:35 pm
I don't think that's completely accurate about it showing your ISP name, although I may be wrong.

I quoted crt333 who didn't enable forwarding in unbound and didn't configure anything to make unbound use a VPN. My comment was meant to be specifically for this situation. crt333 stated that dnsleaktest.com showed the IP address(es) of the ISP's name servers. That's not supposed to happen and would mean something very fishy is going on. It should show the WAN IP address of OPNsense.

However, unbound doesn't seem to want to forward requests through the VPN. Whenever I tried setting unbound to use the VPN tunnel it failed.

Unbound (with forwarding enabled) not using the gateways specified in System / Settings / General indeed seems to be a bug. I would try disabling forwarding and using the Outgoing Network Interfaces option in the unbound settings. If this doesn't work for VPN connections then you could still try the second option (enable forwarding in unbound and create a static route to the external DNS server).
Title: Re: OpenVPN with unbound dns leak
Post by: crt333 on April 09, 2018, 06:03:22 pm
As he described, my situation is a little different than omie48's.

I am running the resolver, no forwarding. I use dnsleaktest.com (I ran the extended test) to test leaks. With unbound disabled it is clean (using my specified DNS servers), but with unbound enabled it reports my ISP DNS servers are used, even though they don't appear anywhere in my config. I ran the extended test.

For most people this seems to work as expected, for me it produces a surprise.

Title: Re: OpenVPN with unbound dns leak
Post by: crt333 on April 11, 2018, 06:00:36 pm
I didn't see Maurice's post before responding, but that makes sense. I'll look into it.
Title: Re: OpenVPN with unbound dns leak
Post by: crt333 on April 11, 2018, 11:19:16 pm
An interesting turn of events.... Some good news and some bad news (good news first)

So in System I changed my nameservers to 1.1.1.1 and 1.0.0.1 (Cloudflare)

I also noticed this: https://forum.opnsense.org/index.php?topic=7811.0

so I tried it out, with selections as described (forwarding unchecked is a little odd...)

and used unbound advanced custom options:
  ssl-upstream: yes
  forward-zone:
  name: "."
  forward-addr: 1.1.1.1@853 #Cloudflare ip4
  forward-addr: 1.0.0.1@853 #Cloudflare ip4

and the leaktest is clean (all cloudflare) and as an added bonus when I watch the logs all dns requests go to cloudflare port 853 (DNS TLS)

On the downside... unbound shuts down about 10 minutes (log entries below) and nothing works, but this seems like a promising new direction once things get ironed out (they did say it was experimental...)

from log:
Apr 11 15:14:17   unbound: [87750:0] notice: ssl handshake failed 1.0.0.1 port 853
Apr 11 15:14:17   unbound: [87750:0] error: ssl handshake failed crypto error:140020B5:SSL routines:CONNECT_CW_CLNT_HELLO:no ciphers available
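Added example (not from the thread or from OPNsense): a small Python checker that reads an unbound custom-options snippet like the one above and a set of constructed flow records, flagging forward-addr entries that lack @853 while ssl-upstream is on, and any port 53/853 egress that did not leave through the VPN client interface. The interface names (ovpnc1, igb0) and the flow records are assumptions made up for the example.

```python
import re

# Unbound custom options in the shape posted above (constructed copy for the example)
UNBOUND_OPTS = """\
ssl-upstream: yes
forward-zone:
  name: "."
  forward-addr: 1.1.1.1@853 #Cloudflare ip4
  forward-addr: 1.0.0.1@853 #Cloudflare ip4
"""

# Constructed flow records: (egress interface, dst_ip, dst_port).
# Interface names are assumptions: ovpnc1 = OpenVPN client tunnel, igb0 = WAN.
FLOWS = [
    ("ovpnc1", "1.1.1.1", 853),        # DNS over TLS via the tunnel: fine
    ("igb0", "1.0.0.1", 853),          # DNS over TLS but leaving via WAN: leak
    ("igb0", "203.0.113.53", 53),      # plain DNS via WAN (documentation IP): leak
    ("ovpnc1", "198.51.100.9", 443),   # not DNS, ignored
]


def check_forward_config(text):
    """Return a list of problems found in an unbound forward-zone snippet."""
    problems = []
    tls = re.search(r"^\s*ssl-upstream:\s*yes", text, re.M) is not None
    addrs = re.findall(r"^\s*forward-addr:\s*(\S+)", text, re.M)
    if not addrs:
        problems.append("no forward-addr lines found")
    for addr in addrs:
        host, _, port = addr.partition("@")
        # With ssl-upstream on, an upstream without @853 would be contacted on 53 in the clear
        if tls and port != "853":
            problems.append(f"{host}: ssl-upstream is on but port is {port or '53'}")
    return problems


def find_dns_leaks(flows, vpn_ifaces):
    """Return DNS/DoT flows (port 53 or 853) that did not leave through a VPN interface."""
    return [f for f in flows if f[2] in (53, 853) and f[0] not in vpn_ifaces]


if __name__ == "__main__":
    print("config problems:", check_forward_config(UNBOUND_OPTS))
    for iface, dst, port in find_dns_leaks(FLOWS, {"ovpnc1"}):
        print(f"leak: {dst}:{port} left via {iface}")
```

In practice the flow records would come from pf logs or a packet capture on the WAN interface; anything to port 53 or 853 seen there while the tunnel is up is the leak the thread is chasing.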
Title: Re: OpenVPN with unbound dns leak
Post by: kanstin on April 12, 2018, 05:32:47 am
sorry wrong thread
Title: Re: OpenVPN with unbound dns leak
Post by: crt333 on May 07, 2018, 10:44:08 pm
Just to update on my previous post... Using 18.1.7 (openssl) and the quad9 DNS TLS setup referred to in an earlier link my setup has now been working for days. It passes any DNS leak test, uses unbound, and is encrypted as a bonus. I'm all good now.