OPNsense Forum » Archive » 23.7 Legacy Series » How do I fix a DNS leak?
Topic: How do I fix a DNS leak? (Read 1992 times)
hushcoden (Hero Member, Posts: 544, Karma: 23)
How do I fix a DNS leak?
« on: September 15, 2023, 07:36:21 pm »
Let's start with my OPNsense setup:
1. Unbound disabled
2. Raspi4 acting as DNS server (Quad9 servers) connected to another port of the appliance (LAN3)
3. Port forward for LAN interface
4. LAN rule for port 53 automatically created by the port forward
5. System -> Settings -> General -> DNS servers = 1.1.1.1 (I have to input a DNS server otherwise OPNsense cannot perform updates, even if I check the option "Allow DNS server list to be overridden by DHCP/PPP on WAN")
I've noticed that if the System -> Settings -> General -> DNS servers list is empty then OPNsense cannot resolve any websites and ALL the LAN devices have no Internet access, hence I've added the Cloudflare server -> I've got a DNS leak as tested with this website from any device on my LAN, i.e. I get two ISPs as result, Quad9 and Cloudflare.
During the DNS leak test I was watching the live firewall output and noticed that the LAN rule to redirect the DNS requests is rightly triggered alongside another one labelled "let out anything from the firewall host itself" on the LAN3 interface (that's where the Raspi4 is connected to). For both rules the destination address is the one of the Raspi4.
Why doesn't the port forward suffice, and why is the client using both DNS servers to perform the test (DNS leak)?
How do I instruct OPNsense to use the ISP DNS servers while the clients use only the Raspi4 servers as per the port forward?
Tia.
« Last Edit: September 15, 2023, 08:35:44 pm by hushcoden »
Logged
xPliZit_xs (Newbie, Posts: 19, Karma: 0)
Re: How do I fix a DNS leak?
« Reply #1 on: September 15, 2023, 08:17:34 pm »
Hi,
not a 100% answer to your question, but more of an alternate solution for the scenario you've got there.
Btw, I don't have DNS in Settings/General populated.
1. Enable Unbound
2. Forward DNS requests to your RPI by adding your RPI IP and port into the menu Unbound/Query Forwarding (a new port is needed since 53 is already used by Unbound, e.g. use 5353; the RPI needs to listen on that port as well)
3. In the DHCP server you give out the IP of OPNsense as the LAN DNS (Unbound will send those requests to the RPI in your network automatically)
This way you should not have a leak and your Pi-hole with adblock is working; don't know if you need the aforementioned firewall rules anyway.
Logged
axsdenied (Full Member, Posts: 199, Karma: 9)
Re: How do I fix a DNS leak?
« Reply #2 on: September 16, 2023, 12:19:35 am »
You may need to give this a read on the different types of DNS queries/transport options and where things can be impacted (i.e. browsers doing their own thing).
Port forwarding port 53 is not enough.
https://www.cloudflare.com/learning/dns/dns-over-tls/
Logged
OPNsense 24.7.7 running on:
Dell Optiplex 3050
Intel I5-7600 @ 3.5Ghz (4 Cores)
Intel I350-T4 Nic
8G DDR4
256G SSD
hushcoden (Hero Member, Posts: 544, Karma: 23)
Re: How do I fix a DNS leak?
« Reply #3 on: September 16, 2023, 01:36:52 pm »
Thank you both. For now I don't want to enable Unbound; the investigation continues.
Logged
newsense (Hero Member, Posts: 1036, Karma: 77)
Re: How do I fix a DNS leak?
« Reply #4 on: September 16, 2023, 03:47:16 pm »
Unbound is a core service and should be left running with its default settings at the very least.
Using DoT with 1.1.1.2 or 9.9.9.11 in Unbound would be a much better/secure/private avenue.
Forward the Pi queries to Unbound; it saves you from doing encryption on the Pi4.
Logged
CJ (Hero Member, Posts: 832, Karma: 30)
Re: How do I fix a DNS leak?
« Reply #5 on: September 20, 2023, 04:02:02 pm »
I'll agree with newsense that DoT with Unbound would be a better solution, although I'm not sure why you need the pi in the first place. If it's for pihole, you can do DNSBL with Unbound.
What browser are you testing with? Firefox defaults to DoH using Cloudflare so that may be what you're seeing.
Logged
Have Answer, Will Blog
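As an added example (not code from this thread and not OPNsense project code), the Python below reads OPNsense filterlog lines and sorts the DNS-related flows into the cases the thread touches on: the redirected query that the OP saw logged twice (once on the redirect rule on LAN, once leaving LAN3 toward the Pi, both with the Pi as destination), the firewall's own query to the resolver configured under System -> Settings -> General, plain port-53 queries from clients that reach some other resolver, and the DoT (853) and DoH (443) traffic that axsdenied and CJ point out a port-53 forward never catches. Everything concrete here is assumed for the example: the filterlog CSV field layout, the addresses (192.168.3.2 for the Pi, 203.0.113.10 as the WAN address), the rule labels, the sample log lines, and the illustrative list of DoH endpoints.

```python
"""Classify DNS-related flows in OPNsense filterlog lines.

Added example, not OPNsense project code. The CSV field layout used below is
the filterlog layout assumed here (IPv4, UDP/TCP); addresses, rule labels and
the sample lines are constructed.
"""
import csv
from collections import Counter
from dataclasses import dataclass
from typing import Iterator, Optional

# Assumed addresses for the example (not from the thread).
APPROVED_RESOLVER = "192.168.3.2"                                # the Pi on LAN3
FIREWALL_ADDRS = {"192.168.1.1", "192.168.3.1", "203.0.113.10"}  # LAN, LAN3, WAN
# Illustrative public resolvers that also answer DNS over HTTPS on port 443.
DOH_ENDPOINTS = {"1.1.1.1", "1.0.0.1", "9.9.9.9"}

# Constructed sample lines in the classic filterlog syslog format.
SAMPLE_LOG = """\
Sep 15 19:30:01 fw filterlog[1234]: 42,,,rdr-dns,lan,match,rdr,in,4,0x0,,64,1,0,DF,17,udp,60,192.168.1.20,192.168.3.2,50001,53,40
Sep 15 19:30:01 fw filterlog[1234]: 5,,,let-out-self,lan3,match,pass,out,4,0x0,,63,1,0,DF,17,udp,60,192.168.1.20,192.168.3.2,50001,53,40
Sep 15 19:30:02 fw filterlog[1234]: 7,,,let-out-self,wan,match,pass,out,4,0x0,,64,2,0,DF,17,udp,60,203.0.113.10,1.1.1.1,50002,53,40
Sep 15 19:30:03 fw filterlog[1234]: 9,,,default-lan,lan,match,pass,in,4,0x0,,64,3,0,DF,6,tcp,60,192.168.1.20,1.1.1.1,50003,853,0,S,1000,,65535,,mss
Sep 15 19:30:04 fw filterlog[1234]: 9,,,default-lan,lan,match,pass,in,4,0x0,,64,4,0,DF,6,tcp,60,192.168.1.21,1.1.1.1,50004,443,0,S,1001,,65535,,mss
Sep 15 19:30:05 fw filterlog[1234]: 9,,,default-lan,lan,match,pass,in,4,0x0,,64,5,0,DF,17,udp,60,192.168.1.30,8.8.8.8,50005,53,40
Sep 15 19:30:06 fw filterlog[1234]: 9,,,default-lan,lan,match,pass,in,4,0x0,,64,6,0,DF,6,tcp,60,192.168.1.21,198.51.100.7,50006,443,0,S,1002,,65535,,mss
"""


@dataclass(frozen=True)
class Flow:
    label: str      # rule label (rid) that matched
    iface: str
    action: str
    direction: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_filterlog(text: str) -> Iterator[Flow]:
    """Yield one Flow per IPv4 UDP/TCP filterlog line; other lines are skipped."""
    for line in text.splitlines():
        if "filterlog" not in line:
            continue
        payload = line.split("filterlog", 1)[1].split(": ", 1)[1]
        f = next(csv.reader([payload]))
        # Assumed field positions: 3=rid 4=iface 6=action 7=dir 8=ipver
        # 16=proto 18=src 19=dst 20=sport 21=dport
        if len(f) < 22 or f[8] != "4" or f[16] not in ("udp", "tcp"):
            continue
        yield Flow(label=f[3], iface=f[4], action=f[6], direction=f[7],
                   proto=f[16], src=f[18], sport=int(f[20]),
                   dst=f[19], dport=int(f[21]))


def classify(flow: Flow) -> Optional[str]:
    """Return a category for DNS-related flows, or None for unrelated traffic."""
    if flow.dport == 53:
        if flow.dst == APPROVED_RESOLVER:
            return "approved"        # plain DNS heading to the Pi
        if flow.src in FIREWALL_ADDRS:
            return "firewall-self"   # the firewall's own resolver (Settings -> General)
        return "leak-plain"          # a client reached some other port-53 resolver
    if flow.dport == 853:
        return "bypass-dot"          # DNS over TLS: a port-53 redirect never sees it
    if flow.dport == 443 and flow.dst in DOH_ENDPOINTS:
        return "bypass-doh"          # DNS over HTTPS to a known resolver endpoint
    return None


def findings(text: str) -> list[tuple[str, Flow]]:
    """Classify each distinct query once. A redirected query shows up twice
    (ingress on LAN, egress on LAN3) with the same 5-tuple, so dedupe on it."""
    seen: set[tuple] = set()
    out: list[tuple[str, Flow]] = []
    for flow in parse_filterlog(text):
        key = (flow.proto, flow.src, flow.sport, flow.dst, flow.dport)
        if key in seen:
            continue
        seen.add(key)
        category = classify(flow)
        if category is not None:
            out.append((category, flow))
    return out


def summarize(text: str) -> dict[str, int]:
    """Count findings per category."""
    return dict(Counter(category for category, _ in findings(text)))


if __name__ == "__main__":
    for category, flow in findings(SAMPLE_LOG):
        print(f"{category:<14} {flow.iface:<5} {flow.label:<13} "
              f"{flow.src}:{flow.sport} -> {flow.dst}:{flow.dport}/{flow.proto}")
    print(summarize(SAMPLE_LOG))
```

Run against the constructed sample it reports one approved query (the two log lines for the same redirected query collapse into one), one firewall-self query, one plain leak to 8.8.8.8, one DoT and one DoH bypass; the ordinary HTTPS connection is ignored. The point of the two bypass categories is the one made in the replies: a port-53 redirect only ever matches the first category, and the DoH case is only recognisable because the destination is on a list, which is why a browser with DoH enabled still shows a second resolver in a leak test.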