OpenVPN with unbound dns leak

Started by crt333, March 30, 2018, 05:11:20 PM

Hmmmm, well here's an interesting finding.  If I use DNSMasq instead of Unbound then I can use the VPN gateway and of course then the leak is gone.  So this definitely seems like a problem with Unbound to me.

Quote from: crt333 on March 30, 2018, 05:11:20 PM
Whenever I enable unbound and then run dnsleaktest.com it shows my underlying ISP nameservers

Did you double check? When running unbound as a resolver, dnsleaktest.com should show your own public IP address. Of course it shows your ISP's name, because this is where you get your IP address from. (If you don't have a public IP address (CGNAT), then it will show an IP address of your ISP's NAT gateway.)


  • If you don't need to resolve internal hostnames, just disable unbound and use external DNS servers. Since your clients query these servers directly, traffic will always go through the VPN tunnel(s).
  • If you need to resolve internal hostnames and have one VPN tunnel, make unbound send all queries through the VPN tunnel. You can specify Outgoing Network Interfaces in Unbound DNS / General / Advanced, but I don't know if this works for VPN connections. If it doesn't, enable forwarding in unbound and create static routes to your specified external DNS servers, using your VPN gateway as next-hop.
  • If you need to resolve internal hostnames and have multiple VPN tunnels and need unbound to send queries through a specific VPN tunnel depending on what LAN interface the request is coming from... you're out of luck. You would need multiple instances of unbound running. This won't work with OPNsense.
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

@Maurice.  I don't think that's completely accurate about it showing your ISP name, although I may be wrong.  When sending traffic through the VPN and running unbound with unbound set to forward to say Google's 8.8.8.8 then when I run a leak test I don't see my ISP anywhere.  As I would expect, I see the VPN public IP, and I see Google's DNS servers.  This is still a leak because it means my DNS requests went over my WAN connection.  My ISP could have looked at them or hijacked them without me knowing.

As far as your second bullet, this is pretty much spot on and is what I was trying to achieve.  However, unbound doesn't seem to want to forward requests through the VPN.  Whenever I tried setting unbound to use the VPN tunnel it failed.  However, dnsmasq with exactly the same set up does seem to work and does forward its requests over the VPN tunnel without complaint.  So at least for me, the solution has been to turn off unbound and switch back to using dnsmasq.

I don't know if the issue with unbound not using the VPN for forwarding is a bug, planned behavior, or a configuration issue.  If it is planned then the general settings should be changed so that anything but the WAN gateway is not an option when using unbound.

Quote from: omie48 on April 05, 2018, 01:07:28 PM
I don't think that's completely accurate about it showing your ISP name, although I may be wrong.

I quoted crt333 who didn't enable forwarding in unbound and didn't configure anything to make unbound use a VPN. My comment was meant to be specifically for this situation. crt333 stated that dnsleaktest.com showed the IP address(es) of the ISP's name servers. That's not supposed to happen and would mean something very fishy is going on. It should show the WAN IP address of OPNsense.

Quote from: omie48 on April 05, 2018, 01:07:28 PM
However, unbound doesn't seem to want to forward requests through the VPN. Whenever I tried setting unbound to use the VPN tunnel it failed.

Unbound (with forwarding enabled) not using the gateways specified in System / Settings / General indeed seems to be a bug. I would try disabling forwarding and using the Outgoing Network Interfaces option in the unbound settings. If this doesn't work for VPN connections then you could still try the second option (enable forwarding in unbound and create a static route to the external DNS server).

As he described, my situation is a little different than omie48.

I am running the resolver, no forwarding. I use dnsleaktest.com (I ran the extended test) to test leaks. With unbound disabled it is clean (using my specified DNS servers), but with unbound enabled it reports my ISP DNS servers are used, even though they don't appear anywhere in my config. I ran the extended test.

For most people this seems to work as expected, for me it produces a surprise.


I didn't see Maurice's post before responding, but that makes sense. I'll look into it.

An interesting turn of events.... Some good news and some bad news (good news first)

So in system I changed my nameservers to 1.1.1.1 and 1.0.0.1 (cloudflare)

I also noticed this: https://forum.opnsense.org/index.php?topic=7811.0

so I tried it out, with selections as described (forwarding unchecked is a little odd...)

and used unbound advanced custom options:
  ssl-upstream: yes
  forward-zone:
    name: "."
    forward-addr: 1.1.1.1@853 #Cloudflare ip4
    forward-addr: 1.0.0.1@853 #Cloudflare ip4

and the leaktest is clean (all cloudflare) and as an added bonus when I watch the logs all dns requests go to cloudflare port 853 (DNS TLS)

On the downside... unbound shuts down after about 10 minutes (log entries below) and nothing works, but this seems like a promising new direction once things get ironed out (they did say it was experimental...)

from log:
Apr 11 15:14:17   unbound: [87750:0] notice: ssl handshake failed 1.0.0.1 port 853
Apr 11 15:14:17   unbound: [87750:0] error: ssl handshake failed crypto error:140020B5:SSL routines:CONNECT_CW_CLNT_HELLO:no ciphers available
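A small check, added here as an example and not code from this thread, from OPNsense or from Unbound: it parses a custom-options snippet like the one above, flags any forward-addr that is not on the DoT port 853 (or a missing ssl-upstream: yes, in which case forwards would leave as plain DNS over the WAN), pulls the "ssl handshake failed" events out of log lines like the ones quoted, and compares the resolvers a leak test reports against the configured forwarders. The config snippet, the log lines and the leak-test addresses are constructed (the snippet includes one deliberately wrong entry), and the function names are this example's own.

```python
"""Sanity-check an Unbound DNS-over-TLS forward-zone snippet and scan Unbound
log text for TLS handshake failures.

Added example; not from the forum thread, OPNsense or Unbound. The sample
config, log lines and leak-test result below are constructed."""
import re

# Constructed sample: the thread's custom options plus one wrong entry
# (no @853) to show what the check catches.
SAMPLE_CONF = """\
ssl-upstream: yes
forward-zone:
    name: "."
    forward-addr: 1.1.1.1@853 # Cloudflare ip4
    forward-addr: 1.0.0.1@853 # Cloudflare ip4
    forward-addr: 9.9.9.9     # constructed: missing @853, would go out on port 53
"""

# Constructed sample log text modelled on the lines quoted in the post.
SAMPLE_LOG = """\
Apr 11 15:14:17 unbound: [87750:0] notice: ssl handshake failed 1.0.0.1 port 853
Apr 11 15:14:17 unbound: [87750:0] error: ssl handshake failed crypto error:140020B5:SSL routines:CONNECT_CW_CLNT_HELLO:no ciphers available
Apr 11 15:14:18 unbound: [87750:0] info: start of service (unbound 1.6.8).
"""


def _strip_comment(line):
    """Drop an unbound.conf '#' comment and surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def parse_forward_zones(conf):
    """Return ({zone_name: [(addr, port), ...]}, ssl_upstream_enabled).

    Unbound's parser is keyword driven, so indentation is ignored here too;
    a 'name:' line opens the zone that following 'forward-addr:' lines join.
    A forward-addr without '@port' defaults to plain DNS on port 53."""
    zones, ssl_upstream, current = {}, False, None
    for raw in conf.splitlines():
        line = _strip_comment(raw)
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "ssl-upstream":
            ssl_upstream = value.lower() == "yes"
        elif key == "forward-zone":
            current = None
        elif key == "name":
            current = value.strip('"')
            zones.setdefault(current, [])
        elif key == "forward-addr" and current is not None:
            addr, _, port = value.partition("@")
            zones[current].append((addr, int(port) if port else 53))
    return zones, ssl_upstream


def dot_config_problems(conf):
    """List settings that would let forwarded queries leave unencrypted."""
    zones, ssl_upstream = parse_forward_zones(conf)
    problems = []
    if not ssl_upstream:
        problems.append("ssl-upstream is not 'yes': forwards go out as plain DNS")
    for zone, addrs in zones.items():
        for addr, port in addrs:
            if port != 853:
                problems.append(f"zone {zone!r}: {addr}@{port} is not the DoT port 853")
    return problems


HANDSHAKE_RE = re.compile(r"ssl handshake failed (\S+) port (\d+)")


def handshake_failures(log):
    """Extract (server, port, crypto error detail) from unbound log text.

    The 'notice' line names the server; the 'error' line that follows it
    carries the OpenSSL reason, which is attached as the detail."""
    lines = log.splitlines()
    failures = []
    for i, line in enumerate(lines):
        m = HANDSHAKE_RE.search(line)
        if not m:
            continue
        detail = ""
        if i + 1 < len(lines) and "error:" in lines[i + 1]:
            detail = lines[i + 1].split("crypto error:", 1)[-1].strip()
        failures.append((m.group(1), int(m.group(2)), detail))
    return failures


def unexpected_resolvers(observed, conf):
    """Resolver addresses a leak test reported that are not configured forwarders."""
    zones, _ = parse_forward_zones(conf)
    configured = {addr for addrs in zones.values() for addr, _ in addrs}
    return sorted(set(observed) - configured)


if __name__ == "__main__":
    print(dot_config_problems(SAMPLE_CONF))
    print(handshake_failures(SAMPLE_LOG))
    # Constructed leak-test result: one configured forwarder, one stranger.
    print(unexpected_resolvers(["1.1.1.1", "198.51.100.53"], SAMPLE_CONF))
```

Feed it the block from Unbound DNS / General / Advanced custom options and the relevant part of the resolver log; an empty list from dot_config_problems and from unexpected_resolvers is what a clean setup should give, while any handshake_failures entry explains why queries stopped being answered after the switch to port 853.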

April 12, 2018, 05:32:47 AM #22 Last Edit: April 12, 2018, 05:36:28 AM by kanstin
sorry wrong thread

Just to update on my previous post... Using 18.1.7 (openssl) and the quad9 DNS TLS setup referred to in an earlier link my setup has now been working for days. It passes any DNS leak test, uses unbound, and is encrypted as a bonus. I'm all good now.