Unbound DNS Leaking Public IP Instead of Routing Requests Through Wireguard VPN

Started by opnsense1, Today at 02:52:33 AM

Previous topic - Next topic
According to this longstanding bug, you have to either choose using your VPN's DNS and not having options for local overrides or use Unbound's recursive DNS resolution and leak your public IP address. I was wondering if any recent developments might have made a best of both worlds where I can use Unbound for recursive DNS and have its requests routed through my Wireguard VPN so that my public IP isn't leaked.

I have successfully gotten Dnsmasq to use the upstream DNS providers I choose but the moment I forward the requests to Unbound, my public IP is leaked. Setting firewall rules and setting the `Outgoing Network Interfaces` to be my VPN interface does not help.

I've been wracking my brain getting things working and today I was able to at least get Dnsmasq DNS resolution to work on all of my devices with a 3rd party upstream DNS service, whether they are included in the Wireguard VPN or not. This is great so that my overrides are respected. However still, the moment I try to use Unbound as my upstream provider for Dnsmasq my public IP is leaked. My setup isn't as similar to the linked post as I thought so I will describe it in more detail here.

I use https://mullvad.net/en/check to check and when using Dnsmasq, it says there's a "leak" but I confirm that the servers listed are my 3rd party service's and not my public IP. However the real leak is confirmed on this page when using Unbound.

My general setup is a Wireguard VPN - I use Mullvad and made sure to go through the steps to get an address without DNS hijacking. I just discovered this today so this was probably why my VPN devices weren't using the local DNS settings. https://schnerring.net/blog/use-custom-dns-servers-with-mullvad-and-any-wireguard-client/

I just nuked most of my legacy configs and followed the Wireguard Road Warrior for Mullvad guide https://docs.opnsense.org/manual/how-tos/wireguard-client-mullvad.html

I have every device routed through the VPN except one, excluded in the VPN hosts alias, which I run a VPN app on so that I can change the servers more fluidly.

I have Dnsmasq listening on port 53 and use the Domains tab to point it to my preferred 3rd party DNS resolver. In System > Settings > General, I cleared out the DNS servers list and have `Allow DNS server list to be overridden by DHCP/PPP on WAN ` unchecked. Dnsmasq settings are:
Interface: LAN, VPN
DNSSEC: Checked
No hosts lookup: Unchecked
Do not forward to system defined DNS servers: Checked (To ensure that my rules in Domains are respected)

When trying to get Unbound working, I have it listening on port 53053. I replace the rule in Dnsmasq's Domains tab with one pointing to 127.0.0.1 on port 53053 with the * wildcard as the domain. Looking at the Unbound statistics, the queries appear to be correctly forwarded. The issue being that my public IP is being leaked by Unbound now. My Unbound settings are:
Network Interfaces: LAN
Enable DNSSEC Support: Checked
Outgoing Network Interfaces: VPN
Overrides: None
Advanced:
Hide Identity: Checked
Hide Version: Checked
Blocklists: AdGuard List and Ads Blocklist
Query Forwarding: None, and `Use System Nameservers` unchecked.

Does anything stick out that would cause leaked DNS requests? I also tried making a firewall rule to block DNS requests outside of the VPN but I already have a VPN Killswitch rule that I believe should cover it so I'm not sure how the public IP is being leaked.
The full table of my firewall rules is:
enabled   statetype   sequence   action   quick   interfacenot   interface   direction   ipprotocol   protocol   source_net   source_not   source_port   destination_net   destination_not   destination_port   gateway   allowopts   tag   tagged   description
1   keep   51   pass   1   0   lan   in   inet   any   Mullvad_Default_Hosts   0      RFC1918_Networks   1      VPN_Default   0   NO_WAN_EGRESS      From Wireguard Road Warrior
1   keep   26   reject   1   0   lan   in   inet   any   Internet_Blocked_Devices   0      lan   1         0         Block internet for specific devices
1   keep   351   pass   1   0   lan   in   inet   any   lan   0      any   0         0         Default allow LAN to any rule
1   keep   401   pass   1   0   lan   in   inet6   any   lan   0      any   0         0         Default allow LAN IPv6 to any rule
1   keep   501   pass   0   0      out   inet   any   opt1ip   0      opt1   1         1         From Wireguard Road Warrior
1   keep   88   block   1   0   wan   out   inet   any   any   0      any   0         0      NO_WAN_EGRESS   Kill Switch From Wireguard Road Warrior

So I just figured out how to make Unbound my primary DNS resolver and Dnsmasq just for DHCP and can confirm that the moment I uncheck my DNS over TLS entry for my upstream provider in Unbound, making it recursive, my IP is leaked. Re-checking solves the leak.

That is just how it works and has nothing to do with any bug or something. You also don't seem to know much about DNS, Unbound or Dnsmasq, you are just brute-forcing some guides over another.

Quote from: opnsense1 on Today at 06:49:27 AMDnsmasq settings are:
DNSSEC: Checked

My Unbound settings are:
Enable DNSSEC Support: Checked
When you use Unbound as the Upstream DNS Provider it will do the DNSSEC stuff for you so there is no need to Enable it in your DNSmasqd config ;)
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)