How to get Unbound to go out over Wireguard only?

Started by grimelog, February 07, 2025, 05:02:59 AM

February 07, 2025, 05:02:59 AM Last Edit: February 07, 2025, 08:45:33 AM by grimelog
Unbound has been leaking my DNS and I think it is causing some reliability issues with which Gateway I go out on too. There's also the added concern of potential censorship on social media.

What I basically set up was for my firewall to use Unbound for most DNS queries, and for Unbound to forward a few queries to DNSMasq for the few sites I want going out over another Gateway. Redirecting all queries to Unbound is what's causing my DNS to leak. It did not leak prior to redirecting all DNS queries to my local resolver.

If I bind the Outgoing Network Interface to only listen to WAN_Wireguard the internet completely breaks for me. If I bind it to WAN only everything works fine. I tried setting up a static route that connects to my VPN endpoint address and that did not work. How can I get this working?

Quote from: grimelog on February 07, 2025, 05:02:59 AM
WAN_Wireguard

What is WAN_Wireguard? I guess, it should work that way unless WireGuard itself needs DNS for connecting the tunnel. If you use split-tunneling, there is no easy solution that works well. My advice, live with some DNS-Leak. And in subnets where you don't want any DNS-Leak at all, use external DNS-Servers and not DNS on OPNsense.

February 08, 2025, 09:48:12 AM #2 Last Edit: February 08, 2025, 03:25:55 PM by grimelog
It's the gateway I setup for Wireguard on the Wireguard interface for my instance of Wireguard.

I believe I'm being impacted by the bug mentioned here. Trying to figure out if there is a workaround.

Solutions are mentioned here for DNS leaks from a local Unbound instance. I'm trying solution #1. Shouldn't setting Unbound's Outgoing Network Interface to the Wireguard interface accomplish that?

Got OpenVPN working, and the same behavior persists. There's really no way to set up a VPN tunnel (maybe using the IP address of the remote server) and have Unbound go out through it for all of the DNS records?

So, my network is starting to get more complex requiring multiple switches to hook all of my devices up. I'm starting to move away from having devices connected directly into my Dec850. For subnets I don't want leaking would I just toss them all on one switch, and configure the firewall rules for that switch to use external DNS servers?

To make sure nothing leaks, while still using a local resolver, it sounds like my network could get quite complicated. Eventually, I'm probably going to move away from a VPN, and rent a VPS to run my WireGuard servers. The only problem is if I need to change the country I come out of it could get quite expensive.
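A worked configuration for the setup described in the first post (Unbound for most queries, a few zones forwarded to dnsmasq) and for "solution #1" from reply #2 (pin Unbound's recursion to the tunnel). This is an added example, not taken from OPNsense, the Unbound project or any of the posters. Every address and domain is an assumed placeholder: 203.0.113.10 stands for the WAN address, 10.8.0.2 for the WireGuard tunnel address on the firewall, 192.168.1.1/24 for the LAN, and 127.0.0.1@5353 for the local dnsmasq listener. On OPNsense the "Outgoing Network Interface" field produces the outgoing-interface lines shown here, so the GUI equivalent of the pinned variant is selecting only the WireGuard interface there.

```conf
# Added example (not OPNsense's generated config, not from the thread).
# Placeholders:
#   203.0.113.10   WAN address         -> recursion egresses outside the VPN (the leak)
#   10.8.0.2       WireGuard tunnel IP -> recursion egresses inside the VPN
#   127.0.0.1@5353 local dnsmasq       -> the few zones that should use the other gateway
server:
    interface: 192.168.1.1                 # LAN side that clients are redirected to
    access-control: 192.168.1.0/24 allow

    # Leaking variant: source address on WAN, so upstream nameservers see the WAN IP.
    # outgoing-interface: 203.0.113.10

    # Pinned variant: Unbound only sources recursion from the tunnel address.
    # If the tunnel is down, lookups fail instead of falling back to WAN,
    # which is the fail-closed behaviour "no leak" implies.
    outgoing-interface: 10.8.0.2

    # Required because the forward target below is a loopback address;
    # Unbound refuses to send queries to 127.0.0.0/8 unless this is set.
    do-not-query-localhost: no

    # Sends only the labels each upstream needs, reducing what the leak
    # path would expose even while the split setup is still being tuned.
    qname-minimisation: yes

# Zones that should take the other gateway are handed to dnsmasq, which has
# its own upstream servers and therefore its own egress path.
forward-zone:
    name: "example.net"
    forward-addr: 127.0.0.1@5353

forward-zone:
    name: "example.org"
    forward-addr: 127.0.0.1@5353
```

Two details decide whether the pinned variant works or "completely breaks" the internet, as the first post describes. First, outgoing-interface only selects the source address; the kernel routing table still decides which link the packet leaves on, so the route for upstream resolver traffic must actually point into the tunnel (a default route via the tunnel plus a host route for the VPN endpoint via WAN, which is what the static route the first post mentions is for). Second, the WireGuard peer's Endpoint should be an IP literal rather than a hostname: once Unbound can only resolve through the tunnel, a hostname endpoint cannot be resolved until the tunnel is up, and the tunnel cannot come up until the endpoint resolves, which is the loop reply #1 hints at and the "IP address of the remote server" idea in reply #2 avoids.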