OpenVPN with unbound dns leak

Started by crt333, March 30, 2018, 05:11:20 PM

I configured a Qotom q355g4 so that each of the LAN ports are separate OpenVPN client tunnels to different locations, and all devices to VPN from each LAN port. There is no routing between LAN ports, and I seem to have kill switches working so if any VPN goes down traffic does not go to WAN or some other VPN.

I configured freedns.zone nameservers, and when unbound is NOT running, running dnsleaktest.com properly shows everything going to freedns.zone, as expected.

Whenever I enable unbound and then run dnsleaktest.com it shows my underlying ISP nameservers (which appear nowhere in my configuration). I've tried adding the unbound access list for the virtual VPN addresses with /24, I've tried blocking all DNS requests going outside of the LAN, I've tried a lot of things, but it always leaks.

As many say this works "out of the box" I'm wondering what I've done wrong.

I am running 18.1.5 with LibreSSL.

Which OpenVPN configuration options have you tried?  There are some that relate to DNS.

Don't know if still the case but in the past I had to use "block-outside-dns" in order to keep road warrior clients from using DNS of the local network they were on.

Maybe there is something similar for your situation.

I don't know that option, and when I googled it the result said it was Windows specific? If I add it then it seems that nothing works with unbound not running, which is a little inconvenient, since it is the only working config right now...

Another observation, if I run a DOS window in a connected Win10 computer:
- with unbound not running I get nslookup server as freedns.zone and resolving works fine
- with unbound running I get nslookup server as 192.168.1.1 and resolving works fine

However, if I run dnsleaktest:
- with unbound not running I get clean results (freedns.zone lookups)
- with unbound running I get leaks (ISP nameserver lookups)

I tried to override DNS in DHCP settings and in OpenVPN options, but somehow dnsleaktest shows ISP DNS whenever unbound is running.

March 31, 2018, 02:38:16 AM #3 Last Edit: March 31, 2018, 02:43:04 AM by NOYB
Quote from: crt333 on March 31, 2018, 01:44:32 AM
However, if I run dnsleaktest:
- with unbound not running I get clean results (freedns.zone lookups)
- with unbound running I get leaks (ISP nameserver lookups)

Maybe there is an unbound config option that needs to be adjusted.
I use local zone type static and custom options local-zone: "home" static where "home" would be your domain.  Don't know if relevant to your situation but maybe some things to research.

Also if the DNS Query Forwarding option is enabled, maybe try disabling.

Thanks again NOYB. I'll look into that, and BTW forwarding is disabled.

I seem to have the same problem.  I want to be able to use the OPNsense unbound so that I can reference local clients, but any requests for anything else I want to go to Google's DNS servers through the VPN connection.

I get the same behaviour though, which is...

* With unbound off all requests go through the VPN, no leak
* With unbound on local requests are resolved but everything else seems to go to through the WAN port, so there is a leak

I am finding it impossible to make unbound use the VPN connection when using its forwarding servers.

By the way crt333, if you set DNS servers in the System->General page then it will use those, but it will go through the WAN port nonetheless.  This is a bit better as it avoids sending DNS requests directly to your IP.  However, since those requests are still going through the WAN gateway in theory they could easily sniff them or even capture them and reply with fake results.

That page also has an option to select which gateway to use for the DNS requests but whenever I set it to use the VPN connection there it just stops working.

No leaks here, not one. This is true when performing the test from the LAN or from the OpenVPN client.

I do have forwarding enabled, but I forward to either OpenDNS or Quad9. Right now I'm using Quad9 with DNSSEC.

But I use an internal DNS as main DNS server. That uses as upstream dns the OPNsense's Unbound, and that forwards to Quad9.

Maybe your ISP is hijacking your requests, it's not unheard of, actually it's quite common.
OPNsense v18 | HW: Gigabyte Z370N-WIFI, i3-8100, 8GB RAM, 60GB SSD, | Controllers: 82575GB-quad, 82574, I221, I219-V | PPPoE: RDS Romania | Down: 980Mbit/s | Up: 500Mbit/s

Team Rebellion Member

The only way the ISP could be hijacking the requests is if the requests are actually going out over the WAN gateway rather than the VPN gateway, which is pretty much the whole problem.  I can't seem to get unbound configured to forward the DNS requests it can't answer over the VPN gateway, it only seems to work when it's sending them over the WAN gateway.

I've switched the DNS from Google to the new 1.1.1.1, which actually seems slightly faster from here.  However, I'm still not happy that they are going out over the WAN interface as my ISP could easily see and hijack them like you say elektroinside.

Quote from: omie48 on April 02, 2018, 11:15:13 AM
The only way the ISP could be hijacking the requests is if the requests are actually going out over the WAN gateway rather than the VPN gateway, which is pretty much the whole problem.  I can't seem to get unbound configured to forward the DNS requests it can't answer over the VPN gateway, it only seems to work when it's sending them over the WAN gateway.

I've switched the DNS from Google to the new 1.1.1.1, which actually seems slightly faster from here.  However, I'm still not happy that they are going out over the WAN interface as my ISP could easily see and hijack them like you say elektroinside.

Exactly, which means that the originating query might not be going through the tunnel, e.g. the client is ignoring the config set by the server and not directing all the traffic over the tunnel. In this particular case, neither the OpenVPN server nor Unbound is the cause of the leak.

No, in this case the clients are behaving as expected.  I want the clients to ask the OPNsense box for DNS resolution as there are a lot of local devices and I use their local names frequently.  However, when unbound on the OPNsense box can't resolve a client (because it's not local) it must forward the request.  At this point I want unbound to forward the request over the VPN connection.

However, the issue is that I can't get unbound to forward requests over the VPN.  Unbound only seems to want to forward requests over the WAN gateway.  If I set the gateway for the DNS servers in System->Settings->General to anything other than the WAN gateway then it fails.

Yes, if I set the clients to use DNS servers other than the OPNsense box either manually or by setting them in what's handed out by DHCP then there are no leaks on the clients.  However, obviously they can't then resolve other local devices.  So what I'm after is that clients do query the OPNsense box, which does answer for local devices it knows about, but that the OPNsense box forwards queries through the VPN for those it can't answer.  For whatever reason, I'm stuck with unbound forwarding queries through the WAN gateway instead.

To omie48: I do have DNS servers set in the System->General (freedns.zone), whether unbound is turned on or off.

When unbound is off these servers are the only ones seen when running dnsleaktest, but when unbound is on dnsleaktest reports the ISP DNS server is used, and these DNS servers do not appear anywhere in the OPNsense config.

crt333, in Systems->General also make sure the two DNS options...

Allow DNS server list to be overridden by DHCP/PPP on WAN
Do not use the DNS Forwarder/Resolver as a DNS server for the firewall

...are unchecked.  I think that should fix it so that it doesn't use your ISP's servers.

Thanks omie48

Both items have always been unchecked.

How are you performing the DNS leak test?
If unbound is configured as a resolver then it should do a recursive query so the ISP's DNS would be bypassed completely.
Have you tried running a drill from the OPNsense console/ssh terminal to see the name resolution?  If your ISP is hijacking DNS then it should show up here.
If you are using Windows 8.1 and above for running the DNS leak test then Windows by default is configured to bypass VPN due to SMHNR being always on and cannot be easily disabled.   This can skew your results.

@bigops Well, every leak tester shows a leak.  Another way to look at this problem would be to forget about the leak and just ask...

Why does DNS forwarding from the OPNsense box work over the WAN connection but not over the VPN connection?

If in General->Settings->System I put in a DNS server and select the gateway as WAN then it works.  However, if I select the VPN gateway then it does not work.  The VPN is definitely connected and working as all other traffic is going over the VPN, so why won't the DNS requests go through the VPN gateway?
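As an added illustration of the setup omie48 and crt333 are after (not a config from the thread, and not OPNsense's generated file), here is an unbound.conf fragment that answers local names itself, forwards everything else to 1.1.1.1 (the resolver omie48 switched to), and sources those forwarded queries from the OpenVPN client tunnel address instead of the WAN address. The tunnel address 10.8.0.6, the LAN 192.168.1.0/24, the hostnames and the trust-anchor path are assumptions; "home" is the local domain NOYB mentioned.

```conf
# Added example, not from the thread or from OPNsense. Assumed values:
# 10.8.0.6 is the OpenVPN client tunnel address, 192.168.1.0/24 is the LAN.
server:
    # Answer only the LAN and localhost (the access list crt333 was
    # adjusting); every other source is refused.
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow

    # Send all upstream queries from the tunnel address. This alone only
    # sets the source address: the kernel still chooses the outgoing
    # route by destination, so the box also needs a policy route
    # (pf route-to) sending traffic from 10.8.0.6 through the tunnel.
    # Without that, a query can leave via WAN with a non-WAN source.
    outgoing-interface: 10.8.0.6

    # Local zone: names under home. are answered here and never forwarded.
    # Host entries are constructed examples.
    local-zone: "home." static
    local-data: "nas.home. IN A 192.168.1.10"
    local-data-ptr: "192.168.1.10 nas.home."

    # Validate answers, so a hijacking resolver on the path yields
    # SERVFAIL instead of a silently forged record. Path is an assumption;
    # use the anchor file of your installation.
    auto-trust-anchor-file: "/var/unbound/root.key"

# Forward every non-local query; forward-first: no prevents unbound
# from falling back to its own recursion (which would leave via WAN)
# when the forwarder is unreachable.
forward-zone:
    name: "."
    forward-addr: 1.1.1.1
    forward-addr: 1.0.0.1
    forward-first: no
```

A quick check from the console is `drill @127.0.0.1 example.com` while watching the tunnel interface with `tcpdump -ni ovpnc1 port 53`: the forwarded query should appear there, and nothing on port 53 should appear on the WAN interface.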