Controlling outbound routing of DNS forwards from opnsense box

[CosmicRay]

Hi,

I have a VPN that, when up, I want all traffic to flow over.  When the VPN is down, traffic should flow across the WAN like usual.

I achieve this normally with a Gateway Group.  It works fine for the NAT traffic from the LAN.

However, with unbound, it's a challenge.  It wants to send traffic out the WAN interface.  I can specify multiple nameservers, but it will always send queries to each one, creating a data leak when the VPN is up.

How can I force the DNS queries out the VPN - but only when it's up?  I've tried various rules and none of them have done the right thing.

Thanks!

[Koldnitz]

CosmicRay,

Have you gotten anywhere with this?

I want to do something similar; make all getdns / stubby requests to port 853 (DNS over TLS) be forced through a vpn gateway, and I was wondering if you had had any luck.

I followed the instructions provided by Nilss in this post:

https://forum.opnsense.org/index.php?topic=4979.msg25066#msg25066

and I have it so that all traffic from a certain range of IPs goes to the DNS servers provided by my VPN.

I also have it set up that every LAN request to port 53 is forwarded to unbound (which in turn uses stubby)

I am just worried that I will end up breaking everything because sometimes I do not get all the nuances of firewall rules.

I will post once I figure out the best way to go about this, but if you have any success please let me know.  It is so much easier learning from someone else rather than reinventing the wheel.

Cheers,