Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
23.7 Legacy Series
»
How do I fix a DNS leak?
« previous
next »
Print
Pages: [
1
]
Author
Topic: How do I fix a DNS leak? (Read 1988 times)
hushcoden
Hero Member
Posts: 544
Karma: 23
How do I fix a DNS leak?
«
on:
September 15, 2023, 07:36:21 pm »
Let's start with my OPNsense setup:
1. Unbound disabled
2. Raspi4 acting as DNS server (Quad9 servers) connected to another port of the appliance (LAN3)
3. Port forward for LAN interface
4. LAN rule for port 53 automatically created by the port forward
5. System -> Settings -> General -> DNS servers = 1.1.1.1 (I have to input a DNS server otherwise OPNsense cannot perform updates, even if I check the option "Allow DNS server list to be overridden by DHCP/PPP on WAN")
I've noticed that if System -> Settings -> General -> DNS servers list is empty then OPNsense cannot resolve any websites and
ALL
the LAN devices have no Internet access, hence I've added the Cloudflare server -> I've got a DNS leak as tested with this
website
from any device on my LAN i.e. I get two ISP as result, Quad9 and Cloudflare
During the DNS leak test I was watching the live firewall output and noticed that the LAN rule to redirect the DNS requests is rightly triggered
alongside
another one labelled "let out anything from the firewall host itself" on LAN3 interface (that's where the Raspi4 is connected to).
For both rules the destination address is the one of the Raspi4.
Why the port forward doesn't suffice and the client is using both DNS servers to perform the test (DNS leak) ?
How do I instruct OPNsense to use the ISP DNS servers while the clients only using the Raspi4 servers as per the port forward?
Tia.
«
Last Edit: September 15, 2023, 08:35:44 pm by hushcoden
»
Logged
xPliZit_xs
Newbie
Posts: 19
Karma: 0
Re: How do I fix a DNS leak?
«
Reply #1 on:
September 15, 2023, 08:17:34 pm »
Hi,
not a 100% answer to your question but more of a alternate solution for this scenario you got there.
Btw. i don't have DNS in Settings/General/ populated.
1. Enable unbound
2. Forward DNS requests to your RPI by adding your RPI IP and port into the menu Unbound/Query Forwarding (new port needed since 53 is already used by unbound e.g. use 5353, RPI needs to listen on that port also)
3. In DHCP server you give out the IP of OPNsense as LAN DNS (but unbound will send those requests to RPI in your network automatically)
This way you should not have a leak and your PI-hole with adblock is working, don't know if you need the aforementioned firewall rules anyways.
Logged
axsdenied
Full Member
Posts: 199
Karma: 9
Re: How do I fix a DNS leak?
«
Reply #2 on:
September 16, 2023, 12:19:35 am »
You may need to give this a read on the different types of DNS queries/transport options and where things can be impacted (i.e. browsers doing their own thing)
Port forwarding port 53 is not enough.
https://www.cloudflare.com/learning/dns/dns-over-tls/
Logged
OPNsense 24.7.7 running on:
Dell Optiplex 3050
Intel I5-7600 @ 3.5Ghz (4 Cores)
Intel I350-T4 Nic
8G DDR4
256G SSD
hushcoden
Hero Member
Posts: 544
Karma: 23
Re: How do I fix a DNS leak?
«
Reply #3 on:
September 16, 2023, 01:36:52 pm »
Thanks you both. For now I don't want to enable Unbound, the investigation continues.
Logged
newsense
Hero Member
Posts: 1036
Karma: 77
Re: How do I fix a DNS leak?
«
Reply #4 on:
September 16, 2023, 03:47:16 pm »
Unbound is a core service and should be left running with it's default settings at the very least.
Using DoT with 1.1.1.2 or 9.9.9.11 in Unbound would be a much better/secure/private avenue.
Forward the Pi queries to Unbound - saves you from doing encryption on the Pi4
Logged
CJ
Hero Member
Posts: 832
Karma: 30
Re: How do I fix a DNS leak?
«
Reply #5 on:
September 20, 2023, 04:02:02 pm »
I'll agree with newsense that DoT with Unbound would be a better solution, although I'm not sure why you need the pi in the first place. If it's for pihole, you can do DNSBL with Unbound.
What browser are you testing with? Firefox defaults to DoH using Cloudflare so that may be what you're seeing.
Logged
Have Answer, Will Blog
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
23.7 Legacy Series
»
How do I fix a DNS leak?