PFSense Multi-WAN DNS

I’m trying to set up the PFSense DNS Resolver to use VPN gateways only (no WAN), with the ability to fail over to other gateways in the same gateway group in case of outage of 1 VPN. No matter what I’ve tried, I’m still seeing DNS Lookup getting responses from my DNS servers that are set to Gateway=none or WAN, but “No response” from any DNS Server that is tied to one of the VPN gateways. These VPN gateways are up & working for non-DNS traffic.

Is the expected behavior for DNS Lookup to see a response from each DNS server if properly configured? Ideas on why only the gateway=WAN/none would be responding?

I used these instructions for defining 1 unique DNS per WAN:

Here are some other things I tried:

  • Update DNS Resolver to bind to “All” for incoming & outgoing interfaces
  • Add static routes to each DNS server, in addition to setting gateway for each DNS server
  • Set PFSense default gateway to gateway group containing all VPN gateways
  • Set PFSense default gateway to gateway group to single VPN

Your link is to a page outlining how to add a 2nd WAN presumably if you have a second line.

Can’t see how that helps as your VPN will go out your WAN. Or do you have a 2nd WAN and you want your VPN traffic to exit from there ? Not super clear on what you are trying to do.

Sorry, I may be using the wrong terminology. By ‘multi-WAN’, I’m referring to having multiple gateways:

  1. WAN_DHCP - ISP connection
  2. MAIN_VPN - primary vpn (I’d like to route all traffic, including dns, through this gateway)
  3. BACKUP_VPN - secondary vpn to only use if primary is down or has high latency

It was my understanding that vpn interfaces are still considered ‘WAN interfaces’, so I was looking at the multi-WAN documentation since it seems like all of the same rules apply whether you have 2 ISPs, or just 1 ISP and multiple VPN interfaces.

I created a gateway group so that the backup vpn could be the failover gateway, and that works fine with normal traffic. The one area I’m having issues is getting the same thing to work for DNS.

My DNS Resolver has forwarding mode enabled, so that it uses the DNS servers configured under System > General Setup (here - pfsense Firewall Setup and Features in Depth Version 2.4 - YouTube). I configured a unique DNS server per gateway so that the DNS Resolver should be able to reach a DNS server regardless of which gateway is being used for outbound requests. However, I’m never able to get a response for any DNS server that has a VPN gateway configured (using Diagnostics > DNS Lookup). I only get responses for DNS servers with WAN_DHCP or none selected as the gateway.

Based on below post, it looks like DNS Resolver will always use the default gateway?

…So I tried updating the default gateway to my VPN gateway, but still see the same behavior.

Ok I think I follow what you are doing.

I have a gateway group for my VPN traffic; however, it’s on a VLAN. I’m also using the resolver for DNS.

In my set-up under the Resolver, I’ve selected my vpn vlans under Network Interfaces and the VPN WANs under Outgoing Network Interfaces.

But I have “DNS Query Forwarding” unchecked, this ensures I don’t have a DNS leak.

Perhaps if you check with a single VPN gateway if you have DNS leaks, it sounds to me like you should with your setup.

Thanks, I’ll try unchecking “DNS Query Forwarding” to see if things work better.

But I’m not sure I follow your statement: this ensures I don’t have a DNS leak

Shouldn’t it be possible to have forwarding enabled & still not have a DNS leak? My goal was to have all forwarded DNS queries go out the VPN gateway, in which case there should be no leak. Since I’m pointing to Cloudflare DNS servers, that also should allow me to enable DNSSEC & DNS over TLS. Those things, combined with the assumption that Cloudflare would be faster than querying DNS root servers (the default if “DNS Query Forwarding” is unchecked), is why I was trying to use DNS query forwarding.
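As an added example (not configuration from anyone in this thread), the following unbound fragment, of the kind that goes into the pfSense DNS Resolver “Custom options” box, implements the setup described in the post above: every forwarded query goes to Cloudflare over DNS over TLS, and unbound’s outgoing queries are pinned to the VPN tunnel address so a query cannot leave through the ISP gateway. The tunnel address 10.8.0.2 and the CA bundle path are assumptions; substitute your own values.

```conf
# Added example: pfSense DNS Resolver "Custom options" (unbound syntax).
# Assumed values, not from the thread: the VPN tunnel address is 10.8.0.2
# and the CA bundle lives at /etc/ssl/cert.pem.
server:
    # Source every upstream query from the VPN tunnel address only, so a
    # forwarded query is routed through the tunnel and never via WAN_DHCP.
    # Add a second outgoing-interface line for a backup tunnel; unbound
    # spreads queries over all listed addresses.
    outgoing-interface: 10.8.0.2
    # Verify the upstream's TLS certificate against this bundle (required
    # for DNS over TLS to actually authenticate the server).
    tls-cert-bundle: "/etc/ssl/cert.pem"

# Forward everything (the "." zone) to Cloudflare over DNS over TLS on port
# 853; the "#cloudflare-dns.com" suffix is the name checked in the certificate,
# so a spoofed resolver answering on 1.1.1.1 is rejected.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
```

Two things to check after applying this: a DNS Lookup against the forwarder should now succeed only while the tunnel is up (if the tunnel drops, queries fail instead of falling back to the ISP, which is the fail-closed behaviour you want for leak prevention), and DNSSEC validation is still controlled by the resolver’s own DNSSEC setting rather than by this fragment. The pfSense GUI exposes the same outgoing-interface and TLS settings through its own options; the raw fragment is shown so the effect of each setting is explicit.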

I’m using AirVPN; once I connect to their servers I use their DNS server, and when I do a DNS check I see my VPN IP address.

I can see what you are trying to do; however, I’m uncertain how this can be accomplished to direct the DNS traffic down the VPN tunnel from Cloudflare. I’m sure that will cause a DNS leak, but I could be wrong.

Oh, I think I see what you mean now. What I described probably would be considered a DNS leak since the requests are being “leaked” to Cloudflare (even though Cloudflare could only see the VPN ip address).

Since you said you have “DNS Query Forwarding” unchecked, I thought that would cause your DNS Resolver to send all requests to root DNS servers, not AirVPN DNS servers. AKA “Option 1” from this post:

Some things are a bit grey for me, but when I connect to AirVPN it’s via an IP address, then a tunnel is created, I do believe all my traffic is routed through that tunnel. My leaktests come back OK.

What I couldn’t work out when I first configured pfSense was how to use DNS Resolver with both my ISP and VPN traffic. I ended up using DNS Forwarder for ISP and DNS Resolver for VPN.

Got it, thanks for the feedback!

My ultimate goal would be to have the DNS Resolver be used for all requests & route everything through VPN, whether or not the client is using the VPN. Will update if I make any progress on that.