DNS settings of pfSense firewall

A VPN provider told me to change the DNS via
Services → DHCP Server
Then changing DNS Server 1 & 2

But I already have DNS under the:
System → General Settings tab

Do these extra DHCP Server DNS settings from the VPN even matter?


They matter, but to an extent that varies with your intentions for the VPN, where your DNS requests are being “leaked” to, and your requirements for internal resolution.

But let’s just clarify a few things:

  • If you’re running either the DNS Resolver or Forwarder on pfSense the DHCP Server will by default provide the local firewall interface address as the only DNS server to all DHCP clients.
    • DNS Resolver (unbound) will (in default resolver mode) attempt to resolve names on its own by making use of root and authoritative DNS servers in the wild. In this mode the DNS servers under System → General are ignored.
    • DNS Forwarder (bind) will however make use of the servers under System → General.
  • Both DNS Servers will also, if configured, resolve local DHCP hosts and of course any hosts and domain overrides you might require locally.
    • Specifying alternate DNS servers (by means of DHCP) will bypass your local DNS Server, and any local configuration you might have applied.

There are myriad ways to design around this, again depending on your intentions:

  • DHCP options can be Server, Range or Host specific - meaning you could apply different conditions to specific hosts.
  • DNS Resolver can also be run in Forwarding mode, which then will use those System → General → DNS Servers.
  • @LTS_Tom has got some videos on forcing all DNS requests traversing the firewall to a specified server.

Oh, and don’t mention DoH! :rofl:

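As an added example that is not part of the original thread: the "force all DNS traversing the firewall to a specified server" approach mentioned in the reply above, written out as the underlying pf rules rather than as GUI clicks. The interface name em1, the LAN subnet 192.168.1.0/24 and the firewall LAN address 192.168.1.1 are assumptions chosen for illustration.

```pf
# Assumed names for illustration only: em1 is the LAN interface,
# 192.168.1.1 the firewall's LAN address, 192.168.1.0/24 the LAN subnet.
lan_if  = "em1"
lan_net = "192.168.1.0/24"
lan_ip  = "192.168.1.1"

# Redirect any DNS query a LAN host sends to some *other* resolver back to
# the local Resolver/Forwarder, so a host with a hard-coded DNS server (or a
# VPN client app that rewrote its resolv.conf) still goes through pfSense.
rdr pass on $lan_if inet proto { tcp, udp } from $lan_net to ! $lan_ip port 53 -> $lan_ip port 53

# Belt and braces: drop any port 53 traffic that somehow escapes the redirect,
# and drop DNS over TLS (port 853), which a port 53 redirect cannot catch.
block return quick on $lan_if inet proto { tcp, udp } from $lan_net to ! $lan_ip port 53
block return quick on $lan_if inet proto tcp from $lan_net to any port 853
```

In pfSense itself you would not hand-edit the ruleset (it is regenerated from the GUI configuration); the equivalent is a NAT port forward on LAN for port 53 with the destination set to "invert match" on the LAN address, redirecting to the LAN address. With this in place the DHCP Server's DNS 1 & 2 fields stop mattering for clients, because every query ends up at the firewall anyway; what then decides where queries leave is the Resolver mode and the servers under System → General. DNS over HTTPS is the gap: it rides on port 443 and cannot be told apart by port, so this ruleset does nothing about it.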

If the OpenVPN is NOT set to “Pull DNS” / “Add Server Provided DNS” under Tunnel settings, does it even consult those DHCP DNS settings?

IMO, if you're paying for a VPN, then you should probably use their DNS servers. You're paying for anonymity and supposedly no logs, so why wouldn't you use their DNS servers as well instead of free public ones? That way you don't have any DNS leaks. It just directs back to the same IDs as the VPN.

Gotcha okay that makes sense.
The issue is that I'm switching between different VPNs, and having to change the interface, OpenVPN, and then the DHCP DNS settings makes it extremely burdensome to do 5-6 times a day.

More than likely you can use the same DNS configs on alternate VPN connections; it might be a good idea to try it out, and if it works just leave them the same when switching.

From a privacy perspective you're putting faith in either VPN company from a no-logging view, so it could be easier to choose one set of DNS configs for both.

I would just use one set of VPN DNS servers (The one you trust the most (chuckle)), or you can add all the VPN DNS servers, as backup, if you really wanted to and just leave them. I wouldn’t switch back and forth for VPN DNS servers.

You can set up different VPN profiles to different IP addresses, or on the same computer just turn them on/off from the GUI dashboard. Have all the different VPN profiles set up in the GUI, turning the one you want to use on/off. Make sure you refresh the pfSense dashboard and double check to make sure the CORRECT VPN IP is active. If you don't double check you could be on your native IP and not even realize it, thinking you're going through your VPN.

https://ipchicken.com/ and What's My IP Address? | Online Privacy and Security Tool are the two I use to confirm which VPN and which IP address is active.

The correct way to turn the different VPNs on and off is by having each one as a separate interface? Because it won't let me disable an OpenVPN while its interface is also on.

Someone mentioned a gateway group method to do this, but I’m confused

Why not roll your own VPN server on, say, Linode or Digital Ocean, using OpenVPN?

Wouldn’t I be the only person using this then? It’s not very anonymous

Not sure what you are trying to accomplish. Are the users you talk about inside or outside users wanting access to your network? Point to point or remote access?

A single user inside a pfSense firewall, wants to toggle between multiple VPNs with different DNS settings, for the purpose of being anonymous.

Try TOR. If you are connecting from a static location you will not be anonymous no matter what. The best you can do is use a VPN and TOR. Stop, think it through.

I’m running everything through a VPN at AES-256-GCM/SHA512. I have an Intel QAT card. I just run WAN and LAN interfaces. I’m not running separate OpenVPN interfaces, so I don’t have that problem of disabling them. I’m able to switch OpenVPN profiles by just turning them on/off in the GUI. I think I have 56 different VPN profiles set up. You are able to switch your exit IP at will, within a minute, at the router level, from the GUI, by pressing the start/stop button. You can set up multiple computers, through their IPs, to connect to different VPN servers so each computer can have an exit IP from a different country from the same VPN.

I like AirVPN.org. I’m not sure if they have changed but they used to allow you to send in cash to pay for their VPN. It was paid to the VPN ID. So, it was the most untraceable. Just the postmark on the envelope. Most VPN’s have done away with cash and gift card purchases and just gone to cryptocurrencies.

So, toggling between different VPNs set up at the pfSense router level is easy. Different DNS settings is going to be hard because pfSense was not set up that way unless you change them each time.

For what you're trying to do, you might need to use the different VPN applications on your computer instead of at the router level to switch back and forth between VPNs with DNS settings without manual inputs. Then you are using the VPN's app on your computer instead of just an OpenVPN setting at the router level, but it will allow you to use that particular VPN with their DNS settings. If you're trying to stay anonymous, then installing additional applications on your computer would seem to break that protocol.

If the govt. wants to find you they will be able to. You are not anonymous on the internet. Every device has a MAC address that can be traced. It’s just how much work it takes to find you. At some point you had to pay to gain access to the internet (the crypto used, the gift card, or the cash used) and that can be correlated and used to find you. Someone will know what IPs you visited. You leave a trail. The US govt runs a data storage center in Utah so they can capture all communications and can go back in time and trace them back if need be. 60 Minutes did a story on it when it was being built.

TOR is not as secure as it used to be. Governments have figured out, and set up entry/exit TOR nodes so it’s plausible to trace you now.

The best you can do is encrypt your transmissions, to provide privacy, not necessarily security.

Nothing is perfectly safe. If you are looking for something perfectly safe, I recommend going back to Ben Franklin’s opsec, which advised that a secret is safe among three, if two of them are dead. And I believe Ben was averse to using the Internet. :wink:


Hey man I appreciate your thoughts on the DNS settings and such. But is there a way to do this through Gateway Groups?

Sorry, I don’t use that. Might want to post on the Netgate forums?
