[SOLVED] "Leaking DNS servers" with Unbound, Adguard, and DNS over TLS

Started by roman6904, March 20, 2025, 06:15:53 AM

I'm new to OPNSense but very excited. I've got Adguard and Unbound working together, and I'm trying to set up DNS over TLS. From what I can see it seems to be working, but when I load the Mullvad connection check page (https://mullvad.net/en/check), it says I'm still leaking DNS servers.

Here's what I think are the important parts from my setup so far:

My LAN interface uses 192.168.9.0/24. I've disabled IPv6 everywhere I can find it.

Adguard:
  • Listening on port 53
  • Upstream, Bootstrap, and Private reverse DNS servers are all set to 192.168.9.1:5353
  • "Use private reverse DNS resolvers" is checked.

Unbound:
  • Listening on port 5353
  • Listening to All network interfaces
  • DNSSEC Support is enabled
  • Query Forwarding is empty
  • DNS over TLS has the following entries:

System > Settings > General doesn't have any DNS servers listed. "Allow DNS server list to be overridden" is unchecked, as is "Do not use the local DNS service as a nameserver for this system."

Services > ISC DHCPv4 > LAN doesn't have any DNS servers listed. Gateway, Domain name, and Domain search list are all blank.

I set up a firewall Floating rule on the LAN interface to block all outgoing traffic on port 53. I also set up a NAT Port Forward rule on the LAN interface to redirect any port 53 traffic to 127.0.0.1 (port 53).

If I increase my Unbound log verbosity it looks like things are going well -- I see lines like this if I search for 853:

2025-03-19T23:55:34-05:00    Informational    unbound    [69136:3] info: reply from <.> 9.9.9.9#853

I don't see any similar lines when I look for "53" instead (obviously it finds the above lines, but nothing that looks like it's querying out on port 53).

I do have working internet, so my DNS settings are working; they're just not appropriately doing DNS over TLS. I used both https://mullvad.net/en/check and https://dnsleaktest.com/, and both indicated I'm leaking DNS servers. I've run some ad testing sites, and they indicate Adguard is correctly filtering out ads, so I'm also confident that part is working.

Anyone have ideas of what I could have missed or done wrong? Thanks in advance for any advice!

> I don't see any similar lines when I look for "53" instead (obviously it finds the above lines, but nothing that looks like it's querying out on port 53).

> I do have working internet, so my DNS settings are working, they're just not appropriately doing DNS over TLS.
If you are not seeing #53 and only #853 on your outbound queries, you are appropriately doing DoT.
The tools from VPN providers usually only check if the user is using _their_ DNS servers. If not, they report a leak. See their notes https://mullvad.net/en/help/dns-leaks:
"If you have a DNS leak it means that you are using a DNS server that does not belong to Mullvad. This guide will tell you about the most common causes for this so you can prevent it."

Mullvad is going to say you are leaking, because you are not using their servers.

To test Quad9 use this link: https://on.quad9.net/

Cloudflare: https://one.one.one.one/help/

using 2 different "services" is going to give you mixed replies...

good luck with your setup
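A quick way to check the log evidence this reply relies on, as an added example (not code from the thread): parse Unbound's "reply from" lines and report which port each upstream server answered on. The sample lines are constructed in the format roman6904 pasted; the #53 line is made up here to show what a plaintext upstream would look like.

```python
import re
from collections import Counter

# Constructed sample log: OPNsense syslog prefix followed by Unbound's own
# message. The first line mirrors the post; the 192.0.2.53#53 line is
# invented to show what an answer over plain port-53 DNS would look like.
SAMPLE_LOG = """\
2025-03-19T23:55:34-05:00    Informational    unbound    [69136:3] info: reply from <.> 9.9.9.9#853
2025-03-19T23:55:35-05:00    Informational    unbound    [69136:3] info: reply from <example.com.> 1.1.1.1#853
2025-03-19T23:55:36-05:00    Informational    unbound    [69136:2] info: resolving example.com. A IN
2025-03-19T23:55:37-05:00    Informational    unbound    [69136:1] info: reply from <.> 192.0.2.53#53
"""

# Unbound logs the upstream as "<zone> server#port" on "reply from" lines.
REPLY_RE = re.compile(r"info: reply from <(?P<zone>[^>]*)> (?P<server>[^#\s]+)#(?P<port>\d+)\s*$")


def upstream_ports(log_text):
    """Return {(server, port): count} for every 'reply from' line in the log."""
    counts = Counter()
    for line in log_text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            counts[(m["server"], int(m["port"]))] += 1
    return dict(counts)


def plaintext_upstreams(log_text, dot_port=853):
    """Servers that answered on anything other than the DoT port (853)."""
    return sorted({srv for (srv, port) in upstream_ports(log_text) if port != dot_port})


if __name__ == "__main__":
    for (server, port), n in upstream_ports(SAMPLE_LOG).items():
        print(f"{server}#{port}: {n} replies")
    print("cleartext upstreams:", plaintext_upstreams(SAMPLE_LOG))
```

Run it against `clog /var/log/resolver/latest.log` output (or whatever log export you use) once Unbound verbosity is raised; an empty cleartext list matches what the reply describes.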

Ha! I can't believe that didn't occur to me. Thank you both very much, the world once again makes sense! The testers for quad9 and cloudflare indeed show I am using their services (after I isolate them to make sure I'm only using one). Thanks again!

Quote from: roman6904 on March 20, 2025, 02:01:05 PM
> Ha! I can't believe that didn't occur to me. Thank you both very much, the world once again makes sense! The testers for quad9 and cloudflare indeed show I am using their services (after I isolate them to make sure I'm only using one). Thanks again!

Just another observation... unrelated to your actual question however.

You are using AGH as your primary resolver on Port 53 to forward your queries to Unbound, which then again forwards your queries to upstream servers at 9.9.9.9 / 1.1.1.1.

You may be better off specifying the upstream servers in AGH itself (and removing the extra Unbound hop) and achieve the same end result.

In AGH > Settings > DNS Settings

1) Upstream DNS servers:

#Add or remove upstreams as appropriate
tls://one.one.one.one
https://dns.google/dns-query
https://cloudflare-dns.com/dns-query
quic://unfiltered.adguard-dns.com
# ————- #
# Local resolution via Unbound on Port 5353
[//]127.0.0.1:5353
[/use-application-dns.net/]127.0.0.1:5353
[/dns.resolver.arpa/]127.0.0.1:5353
[/in-addr.arpa/]127.0.0.1:5353

2) Private reverse DNS servers

127.0.0.1:5353

3) Use private reverse DNS resolvers: Checked

4) Enable reverse resolving of clients' IP addresses: Checked

This helps you avoid the unnecessary Unbound hop for external DNS resolution, but will use Unbound for local client resolution.

However, if your intent was to use Unbound as a recursive authoritative DNS server, then you should keep your setup as is, but remove the DNS TLS entries (9.9.9.9:853/1.1.1.1:853) in Unbound settings and let Unbound resolve the queries itself (without sending these upstream).

Hopefully this gives you some food for thought...
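To see how the scoped-upstream syntax in the list above is interpreted, and to catch a plaintext upstream slipping into it, here is an added example (not AdGuard Home's own code): it parses AGH upstream lines into domain scope, transport and host, and flags any cleartext upstream outside loopback/RFC 1918 space. It assumes `[//]` is AGH's form for single-label names, and it appends one constructed plaintext line (9.9.9.9) to the reply's list so the audit has something to flag.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Upstream list from the reply above, plus one constructed plaintext entry
# (9.9.9.9) added here so the audit has a finding. Not AGH's own config.
AGH_UPSTREAMS = """\
#Add or remove upstreams as appropriate
tls://one.one.one.one
https://dns.google/dns-query
https://cloudflare-dns.com/dns-query
quic://unfiltered.adguard-dns.com
# Local resolution via Unbound on Port 5353
[//]127.0.0.1:5353
[/use-application-dns.net/]127.0.0.1:5353
[/dns.resolver.arpa/]127.0.0.1:5353
[/in-addr.arpa/]127.0.0.1:5353
9.9.9.9
"""

# "[/dom1/dom2/]upstream" scopes an upstream to those domains.
SCOPED_RE = re.compile(r"^\[/(?P<domains>[^\]]*)/\](?P<upstream>\S+)$")
ENCRYPTED_SCHEMES = {"tls", "https", "quic", "sdns"}


def parse_upstream(line):
    """Split one AGH upstream line into (domains, scheme, host).

    domains is None for a default (unscoped) upstream and [] for the
    "[//]" form, which this example assumes AGH uses for single-label names."""
    m = SCOPED_RE.match(line)
    if m:
        domains = [d for d in m["domains"].split("/") if d]
        upstream = m["upstream"]
    else:
        domains, upstream = None, line
    if "://" in upstream:
        parts = urlsplit(upstream)
        return domains, parts.scheme, parts.hostname
    # A bare "ip[:port]" entry means plain DNS over UDP/TCP.
    return domains, "udp", upstream.rsplit(":", 1)[0]


def is_local(host):
    """True for loopback or RFC 1918 addresses; hostnames count as remote."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_private


def audit_upstreams(text):
    """Return hosts that would be queried in cleartext outside the LAN."""
    leaks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        _domains, scheme, host = parse_upstream(line)
        if scheme not in ENCRYPTED_SCHEMES and not is_local(host):
            leaks.append(host)
    return leaks
```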