DNS redirect issue

@jeff3820
Done a few tests after I set Google DNS (8.8.8.8) in my network card properties. I don’t know whether there were some changes:

My DNS servers in my pfsense dashboard:
[screenshot: dns server]

Firewall logs:
[screenshot: logs]

nslookup at one of my clients’ prompt:
[screenshot: nslook]

Rather hard for me to figure out if something has really changed.
By the way, must 127.0.0.1 still be there as a DNS server IP?
Thanks

For pfSense to do DNS resolution you need to have the 127.0.0.1 entry OR click on the forwarder under DNS Resolver.

Since you have been using nslookup, I would recommend doing an ipconfig /release. Then do an ipconfig /renew.

To confirm if you are redirecting, use the packet capture under pfSense Diagnostics. Use port 53, start the capture, then go to the computer in question and visit a few web sites, then come back to pfSense, stop the capture and look at the results at the bottom. This is the best way to verify where the DNS requests are going.

@jeff3820

ok, the results of Packet capture:

19:08:52.023260 IP 192.168.5.10.55233 > 8.8.8.8.53: UDP, length 51
19:08:52.023681 IP 8.8.8.8.53 > 192.168.5.10.55233: UDP, length 115
19:08:52.026862 IP 192.168.5.10.54698 > 8.8.8.8.53: UDP, length 51
19:08:52.134167 IP 8.8.8.8.53 > 192.168.5.10.49267: UDP, length 147
19:08:52.138190 IP 192.168.5.10.61100 > 8.8.8.8.53: UDP, length 46
19:08:52.138548 IP 8.8.8.8.53 > 192.168.5.10.61100: UDP, length 110
19:08:52.148674 IP 8.8.8.8.53 > 192.168.5.10.54698: UDP, length 275
19:08:52.163086 IP 192.168.5.10.61706 > 8.8.8.8.53: UDP, length 46
19:08:52.428959 IP 8.8.8.8.53 > 192.168.5.10.61706: UDP, length 270
19:08:54.217707 IP 192.168.5.10.64141 > 8.8.8.8.53: UDP, length 30
19:08:54.355670 IP 8.8.8.8.53 > 192.168.5.10.64141: UDP, length 46
19:08:54.617131 IP 192.168.5.10.59700 > 8.8.8.8.53: UDP, length 33
19:08:54.782720 IP 8.8.8.8.53 > 192.168.5.10.59700: UDP, length 49
19:08:55.039194 IP 192.168.5.10.63682 > 8.8.8.8.53: UDP, length 31
19:08:55.215659 IP 8.8.8.8.53 > 192.168.5.10.63682: UDP, length 68
19:08:55.221458 IP 192.168.5.10.62767 > 8.8.8.8.53: UDP, length 35
19:08:55.221873 IP 8.8.8.8.53 > 192.168.5.10.62767: UDP, length 51
19:08:55.307024 IP 192.168.5.10.65409 > 8.8.8.8.53: UDP, length 37
19:08:55.372098 IP 8.8.8.8.53 > 192.168.5.10.65409: UDP, length 53
19:08:55.384138 IP 192.168.5.10.55704 > 8.8.8.8.53: UDP, length 33
19:08:55.384634 IP 8.8.8.8.53 > 192.168.5.10.55704: UDP, length 49
19:08:55.990430 IP 192.168.5.10.54949 > 8.8.8.8.53: UDP, length 33
19:08:56.083758 IP 192.168.5.10.57260 > 8.8.8.8.53: UDP, length 31
19:08:56.195274 IP 8.8.8.8.53 > 192.168.5.10.54949: UDP, length 70
19:08:56.198738 IP 192.168.5.10.61806 > 8.8.8.8.53: UDP, length 35
19:08:56.198900 IP 8.8.8.8.53 > 192.168.5.10.57260: UDP, length 47
19:08:56.199170 IP 8.8.8.8.53 > 192.168.5.10.61806: UDP, length 51
19:08:58.306585 IP 192.168.5.10.62114 > 8.8.8.8.53: UDP, length 39
19:08:58.431830 IP 8.8.8.8.53 > 192.168.5.10.62114: UDP, length 55
19:08:58.435488 IP 192.168.5.10.65170 > 8.8.8.8.53: UDP, length 39


Nothing seems to have changed for me.
Thanks

Again, seeing all of the rules and NAT rules as well as your DNS Resolver settings would really help. I just fired up a Windows machine and everything is redirecting perfectly here.

ok

DNS resolver:


General setup:

Let me know if you need more information
Thanks again.

Turn off the last rule under LAN…looks to be a duplicate. The only other thing I would try as a test is to turn on the DNS forwarder under the DNS resolver.

If this fails, restart the DNS resolver as it may be confused when you didn’t have any DNS servers under general setup.

I use forwarding under the DNS resolver myself…

@jeff3820 I tried it too. Same result.

I’d like at least to set up DoT. Any suggestions about it?
Thanks

My suggestion to @msjohn is that you need to plan out your network first, I was in your shoes and found I had to suss out several things simultaneously before any one thing would work.

To me it looks like you are not using VLANs. If you buy a switch, it will really make your life easier further down the line.

If you manage to get your current set up to work, I will guarantee it will be hell to set up AirVPN. For sure if you stick with your setting of ALL on your Network Interfaces and Outgoing Network Interfaces, when you set up your VPN you will be using your Cloudflare DNS so your IP address will be leaked. However, I believe AirVPN will fail by design if you don’t use their DNS servers, which is what you want.

My basic logic is anything going out via my ISP is insecure and anything via AirVPN is secure with respect to connecting back to my real IP address.

For DoT, go to the DNS Resolver, use the check boxes and turn on forwarding and SSL/TLS right below forwarding. Make sure the DNS IP addresses under General Setup support DoT. I use Cloudflare and all works fine.

If you exclusively use Cloudflare, you can check for proper operation by browsing to https://cloudflare-dns.com/help/. You can also check by using packet capture, looking at ports 53|853 (that is 53 pipe 853). Start a capture session and make sure everything goes out port 853.

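The two capture checks in this thread (port 53 to see whether client queries are being redirected to the firewall, and 53|853 to see whether the resolver is forwarding over TLS) can be read off the same text dump. As an added example for this thread, not code from the original posts or from pfSense, the following POSIX shell script parses capture lines in the text form pfSense’s Diagnostics > Packet Capture prints at its default detail level (the same tcpdump format as the paste above) and counts queries by where they went. The firewall LAN address 192.168.5.1, the WAN address 203.0.113.7 and the sample lines are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not pfSense code): summarise a DNS packet capture pasted in the
# text form pfSense Diagnostics > Packet Capture (tcpdump) prints, to see whether
# port-53 queries reach the firewall or leak straight to an outside resolver, and
# whether anything goes out on 853 (DNS over TLS).
# Assumption (hypothetical, change to match your network):
#   FW_LAN  the firewall's LAN address that a DNS redirect rule should catch
FW_LAN="${FW_LAN:-192.168.5.1}"

# classify_dns: read capture lines on stdin, print "category count" lines, sorted.
#   redirected  plain DNS query (port 53) addressed to the firewall itself
#   leak        plain DNS query to any other address (it bypassed the resolver)
#   dot         connection to port 853, i.e. DNS over TLS to an upstream
# Only IPv4 "IP a.b.c.d.port > e.f.g.h.port:" lines are parsed. Replies (source
# port 53/853) have an ephemeral destination port and are therefore not counted.
classify_dns() {
  awk -v fw="$FW_LAN" '
    $2 == "IP" && $4 == ">" {
      dst = $5
      sub(/:$/, "", dst)                     # strip the trailing colon
      n = split(dst, d, ".")                 # a.b.c.d.port -> 5 fields
      if (n != 5) next
      dport = d[5]
      dip = d[1] "." d[2] "." d[3] "." d[4]
      if (dport == "53") {
        if (dip == fw) c["redirected"]++
        else           c["leak"]++
      } else if (dport == "853") {
        c["dot"]++
      }
    }
    END { for (k in c) print k, c[k] }
  ' | sort
}

# leak_count: number of plain-DNS queries that bypassed the firewall (0 if none)
leak_count() {
  classify_dns | awk '$1 == "leak" { n = $2 } END { print n + 0 }'
}

# Constructed sample (not a real capture): one query that leaks to 8.8.8.8 like
# the lines in the thread, one caught by the redirect, and one DoT connection
# from the firewall's (hypothetical) WAN address 203.0.113.7 to 1.1.1.1:853.
SAMPLE='19:08:52.023260 IP 192.168.5.10.55233 > 8.8.8.8.53: UDP, length 51
19:08:52.023681 IP 8.8.8.8.53 > 192.168.5.10.55233: UDP, length 115
19:09:01.000100 IP 192.168.5.10.50001 > 192.168.5.1.53: UDP, length 40
19:09:01.000400 IP 192.168.5.1.53 > 192.168.5.10.50001: UDP, length 88
19:09:02.000100 IP 203.0.113.7.44123 > 1.1.1.1.853: Flags [S], seq 100, win 65535, length 0
19:09:02.000300 IP 1.1.1.1.853 > 203.0.113.7.44123: Flags [S.], seq 200, ack 101, win 65535, length 0'

printf '%s\n' "$SAMPLE" | classify_dns
# With a real capture saved from the GUI:  classify_dns < capture.txt
```

On a LAN where the redirect rule works, every client query shows up as "redirected" and "leak" never appears; with DoT forwarding enabled, the only traffic from the firewall's WAN address is the "dot" category. Any "leak" line means a client is still talking to an outside resolver on port 53, which is exactly what the capture in the thread shows.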

@jeff3820. Ok, I’ll give it a go.
By the way, how can I make sure that OpenVPN clients use it too?
Thanks

In OpenVPN, I just force all traffic through the VPN.

Through the “redirect-gateway def1” option in the client’s configuration file?
That’s it?

Thanks

I’m not sure about your configuration… is this an OpenVPN server or client?

Client, but there is also a redirect gateway option in the pfSense OpenVPN wizard, which should get the same job done.
Thanks

I don’t use the client at all. I have a server setup. My preference is I’d rather remotely log into my home network when traveling as I’ve got things real secure here. Works well

I don’t think I have understood.
You don’t use the OpenVPN client on, say, your notebook when you want to log into your home network while travelling?

I do use the client on phone and laptop. I use the server on pfSense. I do not use a 3rd party VPN company. When remote, I route everything back to my OpenVPN server running on pfSense and access the internet as if I was at home. I route all traffic so DNS is secured as if it was at home.

Ah ok. I do the same. I thought you were talking about something different.
Thanks

And then you have Firefox browser with its own DoH and it bypasses your DNS by using HTTPS to cloudflare (or other DoH DNS) via HTTPS.

Any of you blocking that?

Lol I’m trying to wrap my head around all these options to determine the optimal solution.
As I understand it, pfSense can set the DNS used regardless of what DNS a client uses; that’s helpful at home and in enterprises. When using DoH, that DNS request is encrypted; when combined with DNSSEC, the returned resolution is legitimate. So that sounds good to me: I have both privacy and security.
Right now it’s not clear to me what advantage I get with DoT and DNSSEC, is it marginal or the same but different.

If I’m correct about the above, then if I connect to the free wifi in the pub, they can still control which DNS I will use regardless of DoH or DoT on the client. In this scenario the only secure way I know is to connect to a VPN via an IP address and let the VPN do DNS resolution.

Hence, on your own network it (DoT or DoH) is probably ok; when away, the only solution is a VPN. If I have to stay quarantined any longer I’ll crack it!