I’d want to make sure that my LAN clients only use my pfSense firewall as a DNS resolver, or any DNS server IP set on it. Anyway, this setting here seems not to be working:
But if a client sets any DNS server IP in its network properties, my pfSense keeps it from browsing the internet. I think that is a bit overkill; I’d just want to redirect it to pfSense’s DNS whichever IP it sets.
Could you help work this out please?
Thanks
I’ve never tried this before, but thought I would give it a go following the Netgate guide and apply it to my guest VLAN. Like you, I found it blocked all DNS traffic and did not redirect; result: no internet access, even for machines outside of the guest VLAN, which was a bit odd. I followed the guide and set 127.0.0.1 as the IP to redirect to; if I changed it to the specific IP of pfSense for that VLAN it all started working. So it looks like something goes wrong if you use 127.0.0.1.
You don’t need the block rule. Just set the port 53 pass rule to a destination of 127.0.0.1…this firewall probably works too, but I use 127.0.0.1. I use the redirect port 53 pass rule on all my networks, including the OpenVPN network. Works fine.
That works for me…all port 53 requests are mapped to the firewall to however you have set up your DNS. I use the DNS Resolver to forward DNS and have enabled DoT. No issues at all.
This is an interesting question. My input will probably add more woes rather than resolve your query but it might be useful.
I’ve set up my network to use 3 sets of DNS servers: my guest network uses Quad9 set in the DHCP server, my VPN network uses Air DNS servers in DNS Resolver so DNS queries stay in the VPN tunnel of my VPN provider, and I use Cloudflare in DNS Forwarder for my other networks.
When I originally set up pfSense I am certain all DNS queries resolved as expected. Mainly I’m concerned that I don’t have any leaks on my VPN network for my Linux ISO downloads ;-). When I do a DNS leak test it passes.
However, I later set up pfBlocker and this made some changes which I have to admit I don’t fully understand, but I know queries go through this to block those IP addresses serving the ads. I need to investigate this further, but it seems to work OK.
The way I approached the firewall rules was to block everything first, then add rules to achieve my objective. Going the other way I found was difficult to determine whether my network was secure or not.
The thing with pfSense that I have found is that in order to get 1 thing to work, 3 other things have to be configured correctly. Trial and error is your friend!
“…my VPN network uses Air DNS servers in DNS Resolver”
I am kind of a pfSense newbie user. I don’t think I got it.
Can you set DNS servers in DNS Resolver? How?
Thanks
DoT is DNS over TLS. Let’s see all your rules, including the NAT rules. I assume you have a DNS IP address in System > General Setup? Also, I need screenshots of what you have in DNS Resolver.
@jeff3820 I don’t have any DNS servers set in DNS Server Settings under General Setup. The pfSense DNS Resolver asks the root DNS servers directly…I guess. In the NAT settings, there is only the DNS rule above in “Port Forward”. Nothing else really.
Outbound is set on “Automatic”
As for DNS resolver I just disabled “Enable Forwarding Mode”.
Thanks again
Under System > Routing > Gateway set the DNS address (for AirVPN) in the Monitor IP field for the VPN Gateway on your VPN interface.
In DNS Resolver you select your VPN vlan in the Network Interfaces choices and select your earlier VPN gateway in the Outgoing Network Interfaces.
This is how I have set it up; there are probably 10 ways of doing everything, but I must admit I was tweaking things until they worked, and then kept on finding out new things.
The key point for the VPN is to ensure you don’t have DNS leaking your IP address!
You can always test that your DNS for your VPN is correctly configured at this site.
My verbose point is, I doubt it matters what DNS you use on your VLANs, but on your VPN VLAN it is critical. If I am correct, then I doubt you have any major issues with this approach. You’ll just have to work out what suits you.
@neogrid One of my goals in forcing clients to go through the pfSense DNS Resolver is to be able to better track their browsing and “stop” them just in case.
Can it be done differently? I mean, would all the browsing go through my firewall anyway and be logged if I set DNS Forwarder? I’ve never figured that out completely.
@jeff3820
I need to understand it.
You say to put DNS in General Setup, otherwise the DNS Resolver can’t know where DNS lookups should go, but I can still browse the internet this way.
Again, do I need to set a DNS server there to make my DNS NAT rule work?
Thanks
@jeff3820 is basically correct: from a clean install you have to enter your DNS servers; these will appear under General Setup anyway, if I recall correctly. Set up your routing however you like for your VLANs. However, when you use AirVPN you MUST use their DNS servers, therefore I believe the problem you have to solve is how to use a 2nd DNS for your VPN VLAN only.
There may well be several ways of achieving this; once I got mine to work I stopped and went to the next problem.
If you want to “stop” clients just in case, perhaps it’s a combination of setting the correct rules and using pfblocker. My approach with the firewall rules was to stop everything then go from there.
@jeff3820 oh, I didn’t notice that in the article. I thought that the DNS Resolver would answer queries on localhost even without setting DNS servers, because it would ask the root DNS servers, wouldn’t it?
I’ll try it. Yes, I enabled the DNS Resolver at the top of its settings page.