OPNsense Forum

English Forums => General Discussion => Topic started by: thereaper on July 06, 2018, 12:36:47 pm

Title: How to whitelist DNS queries ?
Post by: thereaper on July 06, 2018, 12:36:47 pm
Hi.

I would like to whitelist DNS queries coming from LAN to external resolver.

Aim is to block DNS leaks while using VPN on internal machines. I want internal machines to be able to resolve only a few DNS records - my VPN provider's endpoints.

Is it at all possible? Thanks!
Title: Re: How to whitelist DNS queries ?
Post by: youngman on July 11, 2018, 04:58:54 pm
Hopefully you have this completely under control now?

If not, the general method is to set the local Unbound DNS server to use your VPN's DNS (and only perform look-ups through the VPN interface), and then to employ port redirection (NAT) to force any attempt to reach external DNS servers (usually via port 53) to redirect back to your router's IP - in order to force the client to use the local Unbound server to resolve the address.

Look around for a full walk-through/howto. If you can't find one for OPNsense specifically, there are many for pfSense where this part of the usual VPN client setup wouldn't change too drastically...
Title: Re: How to whitelist DNS queries ?
Post by: Miverstine on July 11, 2018, 07:35:35 pm
@youngman your tip helped me fix a related problem. Thanks
Title: Re: How to whitelist DNS queries ?
Post by: youngman on July 12, 2018, 04:36:22 pm
No probs. 8)
Title: Re: How to whitelist DNS queries ?
Post by: thereaper on July 20, 2018, 06:01:25 pm
> only perform look-ups through the VPN interface

@youngman Maybe I was not clear, OPNsense gateway is not using any VPN, LAN clients do, and are set to resolve DNS via OPN box by DHCP.

Before they connect to <region>.myvpn.com, they use OPN box to DNS query us.myvpn.com through OPNsense box. All I want is that OPNsense box blocks all DNS queries except whitelisted queries. My whitelist is 'us.myvpn.com, au.myvpn.com, eu.myvpn.com'  # names changed to hurt animals

More refined question. How do I whitelist DNS queries from my LAN clients on OPN box ? (forget VPN).
Title: Re: How to whitelist DNS queries ?
Post by: youngman on July 21, 2018, 04:45:38 am
Is there a reason you would not make use of the integrated VPN functions within OPNsense - rather than running multiple separate instances? I'm aware of a few VPN providers that offer multiple connections on the same account, but within a single LAN it would still be more efficient to share a single router based VPN connection between LAN clients than to run them all independently. 

I'm guessing one use case may be that you wish independent LAN clients to appear as though they are in various locations around the world - possibly to avoid geoblocking or whatever... but let's say you have a default VPN gateway set up on the router, you can use firewall/nat rules to push certain LAN clients out through to clearnet (and then run independent VPN clients on these) OR just set up multiple VPN interfaces on the router if the exit regions are consistent and direct to whatever ones you wish on a per client basis.

This link may be of interest (but won't give you what you want): https://www.unbound.net/pipermail/unbound-users/2010-May/001168.html

Here is a pfSense walk-through that might give you a few ideas. It details multiple DNS servers (forwarder & resolver AND clearnet bypass), along with how to port forward such that your LAN clients are forced to use particular DNS IPs: https://nguvu.org/pfsense/pfsense-baseline-setup/
Title: Re: How to whitelist DNS queries ?
Post by: youngman on July 21, 2018, 04:58:49 am
> More refined question. How do I whitelist DNS queries from my LAN clients on OPN box ? (forget VPN).
Another thought - have a look at using Dnsmasq DNS (the DNS forwarder in OPNsense, rather than Unbound resolver) - I have a feeling it may support whitelisting.
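For the refined question (only us/au/eu.myvpn.com resolvable from LAN), here is an added unbound.conf fragment that is not from this thread or from OPNsense itself: it refuses every name by default and whitelists the VPN domain, relying on Unbound's local-zone precedence (the most specific zone wins). The LAN subnet and the myvpn.com domain are placeholders, and the port-53 NAT redirect described earlier in the thread is still needed so clients cannot bypass Unbound.

```conf
server:
    # Listen on the LAN address only (constructed example values)
    interface: 192.168.1.1
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # Default: refuse everything (client gets REFUSED, not a timeout,
    # which keeps leak-checking tools and logs readable)
    local-zone: "." refuse

    # Whitelist: names under this zone are resolved normally.
    # "transparent" answers from local-data if present, otherwise
    # forwards the query like any other name.
    local-zone: "myvpn.com." transparent

    # Optional: log refused queries so leaks show up in the Unbound log
    # (verbosity 2 records per-query decisions; tune to taste)
    verbosity: 2
    log-queries: yes
```

Unbound keeps its built-in localhost and reverse zones regardless of the "." refuse rule, so local hostname and PTR lookups keep working; test from a LAN client with `drill us.myvpn.com @192.168.1.1` (answered) and `drill example.com @192.168.1.1` (REFUSED).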
Title: Re: How to whitelist DNS queries ?
Post by: thereaper on July 27, 2018, 02:14:15 pm
> Is there a reason you would ... running multiple separate instances? I'm aware of a few VPN providers that offer multiple connections on the same account, but within a single LAN it would still be more efficient to share a single router based VPN connection between LAN clients than to run them all independently.

I just set all my Apple devices clicking one myvpn.mobileconfig file, a.k.a profile (IKEv2, PFS, EAP). So I don't have to worry when I'm not behind my home OPNsense box, it is always on (on demand). Stupidly simple, the way I like it. And in this use case whitelisting DNS queries makes little sense, so, sorry for the trouble, case dismissed :)
Title: Re: How to whitelist DNS queries ?
Post by: youngman on July 27, 2018, 03:30:23 pm
Ha! Good work!  :)