pfSense / PIA - how to specify DNS Servers

Hi, I watched the awesome video on setting up pfSense and PIA with a killswitch and have it up and running. However, in addition, I would like to set specific DNS servers to use depending on whether the host is going through the regular WAN interface or the PIA interface.

I tried setting up additional DNS servers under System/General Setup and mapped the Google servers 8.8.8.8 and 8.8.4.4 to the WAN gateway and the PIA servers 209.222.18.222 and 209.222.18.218 to the PIA gateway, but when I run a DNS leak test from a host that is going through the VPN (as confirmed by the green "Protected by PIA" notification when I go to the PIA site), I am seeing the Google DNS servers come up. I also tried checking "Disable DNS Forwarder", but that didn't fix it. Any ideas on how I can fix this? Basically, I would like the setup to be:

WAN use 8.8.8.8 and 8.8.4.4
PIA use 209.222.18.222 and 209.222.18.218

Thank you!

Hammer


I don't know if this helps, but I set the option in the DHCP server when splitting between VLANs before. It might be worth trying to set the DNS server you want when the devices get a DHCP lease from you.


Thank you! I was hoping not to have to specify this at the host level since new machines can be added to the network. I've set up an alias that has all the machines that go through the VPN. Do you know if there's a way to specify DNS servers for an alias?

I agree with @Kalifornia909 that creating 2 DHCP groups or separate networks with specified DNS servers is the cleanest way to do it.
As an alternative, you could set some NAT port forwarding that redirects traffic to the desired server. The only problem with this is that you can only specify a single server. AFAIK, round robin of multiple servers (i.e. 8.8.8.8 and 8.8.4.4) isn't possible.
I have a rule (possibly inspired by @LTS_Tom) that takes all traffic to dst port 53 and redirects it to the router's 127.0.0.1 port 53. Replace the 127.0.0.1 with your PIA DNS server and narrow down your source IPs to the alias that you created.

Thank you... I think creating two networks is way beyond my capabilities! :)

Hi, still trying to see if I can get this to work without 2 DHCP groups or networks…

What I find is that even though I am specifying the DNS servers to use by gateway, I see that those servers are not being used. I have 8.8.8.8 for the WAN gateway and 209.222.18.222 for the PIA gateway. However, when I check on a host that is going through the PIA gateway, I see that my ISP's DNS server is being used. So it seems my DNS server entries on the System/General Setup page are not being used. Does anyone know why that would be the case? Thank you!

Check to make sure that your clients don’t have any DNS entries hard-coded on the client computers.

Also, when you mention "DNS server to use by gateway", do you mean the settings on System -> General Setup in the pfSense web interface? Or under Services -> DHCP Server -> LAN? It's the settings under DHCP Server that will actually propagate to the clients.

Thank you... I don't have entries hard-coded on the clients. And "DNS server to use by gateway" is under System/General Setup. If the settings here are not used, what are they for?

Under Services -> DHCP Server -> LAN, I have left the DNS Servers blank because there is a note which says “Leave blank to use the system default DNS servers: this interface’s IP if DNS Forwarder or Resolver is enabled, otherwise the servers configured on the System / General Setup page.”

This is why I am puzzled that this is not working...

The DNS server traffic and assigning DNS servers don't work the way you think they do. All of that assignment that you do under System -> General Setup is just for the benefit of the pfSense box itself. It then gets passed to the DHCP server, which sends the server address to the clients. But it's not smart enough to make the connection about certain clients getting certain DNS servers.

The more I think about this, the more I question why you’re trying to do this.
Are you worried about your ISP profiling your DNS queries and traffic?
If so, you have a couple of alternative, easier solutions:

  1. Run the internal unbound DNS server and use DNS over TLS to query google, cloudflare, or one of many public TLS-capable DNS servers.
  2. Run ALL of your DNS traffic through PIA. DNS isn’t particularly heavy-weight traffic and your VPN connection should be able to handle it all.

Thank you for all your help. My original setup used the PIA DNS servers for all traffic, but then I found that some things like Netflix did not work with that configuration. That's why I wanted "regular" DNS servers like 8.8.8.8 for non-VPN traffic. Since I think what you describe as option 2 is what I initially tried, can you teach me how I can accomplish option 1? Thank you.

I think this is a full list, but you may need to tinker a bit.

  1. Add TLS-capable DNS servers to System -> General Setup (I know that Google 8.8.8.8 and Cloudflare 1.1.1.1 are) if they're not there already.
  2. On the pfSense interface, go to: Services -> DNS Resolver.
  3. Make sure that the DNS Resolver is enabled (I think you mentioned disabling it).
  4. Scroll down to “DNS Query Forwarding”. Make sure that “Enable Forwarding Mode” and “Use SSL/TLS for outgoing DNS Queries to Forwarding Servers” are both checked.
  5. Click "Save", and possibly restart the resolver if prompted to do so (I can't remember if this is necessary).
  6. Run a packet capture and verify that your outbound DNS packets from the pfsense box to the external server are TCP port 853 and NOT UDP port 53.
  7. You may need to restart your client computers to refresh the DHCP records and get the updated local DNS (which should be your pfsense server).

Also, take a look at Tom’s video on this (though he made the video before DNS-over-TLS was finalized in the latest GUI). He provides great background and shows the testing as well. https://www.youtube.com/watch?v=7niY890CEUM
Here’s the DNS-SEC testing link that Tom suggested. https://dnssec.vs.uni-due.de/

Good luck.

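Step 6 in the list above asks for a packet capture showing that the resolver's outbound traffic is TCP port 853 and not UDP port 53. The shell script below is an added example, not code from the thread or from pfSense: it runs that check over constructed tcpdump-style lines (203.0.113.10 is an assumed WAN address, and the captures are made up) so it can be tried offline, and the same functions can be pointed at a real capture saved from Diagnostics -> Packet Capture or from `tcpdump -ni <wan-interface> port 53 or port 853` on the pfSense shell.

```shell
#!/bin/sh
# Added example: verify from a WAN-side capture that unbound is forwarding over
# DNS-over-TLS (TCP 853) and that no plaintext DNS (port 53) leaves the WAN.
# Both captures below are CONSTRUCTED samples in "tcpdump -n" line format;
# 203.0.113.10 is an assumed pfSense WAN address, not a real one.

GOOD_CAPTURE='12:00:01.000001 IP 203.0.113.10.41234 > 8.8.8.8.853: Flags [S], seq 1, win 65535, length 0
12:00:01.000105 IP 203.0.113.10.41234 > 8.8.8.8.853: Flags [P.], seq 1:200, ack 1, win 1026, length 199
12:00:02.000001 IP 203.0.113.10.41235 > 1.1.1.1.853: Flags [P.], seq 1:150, ack 1, win 1026, length 149'

# Same idea, but forwarding mode was left in plain UDP: queries go out on port 53.
LEAKY_CAPTURE='12:00:01.000001 IP 203.0.113.10.41234 > 8.8.8.8.853: Flags [P.], seq 1:200, ack 1, win 1026, length 199
12:00:03.000002 IP 203.0.113.10.60001 > 8.8.8.8.53: 4321+ A? example.com. (29)
12:00:03.000002 IP 203.0.113.10.60002 > 8.8.4.4.53: 4322+ AAAA? example.com. (29)'

# count_dst_port CAPTURE PORT
# Prints the number of packets in CAPTURE whose destination port is PORT.
# The regex anchors on tcpdump's "src.port > dst.port:" layout, so 853 is never
# mistaken for 53 (the dotted quad before the port must be exactly four octets).
count_dst_port() {
  printf '%s\n' "$1" \
    | grep -c -E '^[^ ]+ IP ([0-9]+\.){4}[0-9]+ > ([0-9]+\.){4}'"$2"': ' || true
}

# dot_check CAPTURE
# Succeeds (exit 0) only when the capture shows at least one TCP 853 packet and
# zero port-53 packets; fails otherwise, which is the "DNS is leaking" signal.
dot_check() {
  plain_count=$(count_dst_port "$1" 53)
  tls_count=$(count_dst_port "$1" 853)
  echo "port 53 packets: $plain_count, port 853 packets: $tls_count"
  [ "$plain_count" -eq 0 ] && [ "$tls_count" -gt 0 ]
}

# Usage on the constructed samples; a real capture file is passed as $(cat file).
dot_check "$GOOD_CAPTURE"  && echo "OK: forwarding is DNS-over-TLS only"
dot_check "$LEAKY_CAPTURE" || echo "LEAK: plaintext DNS left the WAN interface"
```

A capture taken on the LAN interface would still show clients talking to the pfSense address on port 53; that is expected, since the resolver listens there in plaintext and only its upstream forwarding is encrypted. The check is therefore meaningful only on the WAN (or PIA) interface capture.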

That worked perfectly... Thank you!


I also put in a rule to force DNS over the VPN; if the VPN goes down, DNS does not work because I have a deny rule on the WAN.