pfSense / PIA - how to specify DNS Servers

Hi, I watched the awesome video on setting up pfSense and PIA with a Killswitch and have it up and running. However, in addition, I would like to set specific DNS servers to use depending if the host is going through the regular WAN interface or the PIA interface.

I tried setting up additional DNS Servers under System/General Setup and mapped the google servers 8.8.8.8 and 8.8.4.4.to the WAN Gateway and the PIA Servers 209.222.18.222 and 209.222.18.218 to the PIA Gateway, but when I run DNS lead test from a host that is going through VPN (as confirmed by the green Protected by PIA notification when I go to the PIA site), I am seeing the google DNS Servers come up. I also tried checking “Disable DNS Forwarder”, but that didn’t fix it. Any ideas on how I can fix this? Basically, I would like the setup to be:

WAN use 8.8.8.8 and 8.8.4.4
PIA use 209.222.18.222 and 209.222.18.218

Thank you!

Hammer

1 Like

I dont know if this helps, but i set the option in the DHCP server when splitting between VLANs before. It might be worth trying to set the DNS server you want when the devices get a DHCP lease from you.

1 Like

Thank you! I was hoping to not have to specify this at the host level since new machines can be added to the network. I’ve setup an alias that has all the machines that go through VPN. Do you know if there’s a way to specify DNS servers for an alias?

I agree with @Kalifornia909 that creating 2 DHCP groups or separate networks with specified DNS servers is be the cleanest way to do it.
As an alternative, you could set some NAT port forwarding that redirects traffic to the desired server. The only problem with this is that you can only specify a single server. AFAIK, round robin of multiple servers (ie 8.8.8.8 and 8.8.4.4) isn’t possible.
I have a rule (possibly inspired by @LTS_Tom) that take all traffic to dst port 53 and redirects it to router’s 127.0.0.1 port 53. Replace the 127.0.0.1 with your PIA DNS server and narrow down your source ip’s to the alias that you created.

Thank you…I think creating two networks is way beyond my capabilities! :slight_smile:

Hi, still trying to see if I can get this to work without 2 DHCP groups or networks…

What I find is that even though I am specifying the DNS servers to use by gateway, I see that those servers are not being used. I have 8.8.8.8 for the WAN gateway and 209.222.18.222 for the PIA gateway. However, when I check on a host that is going through the PIA gateway, I see that my ISP’s DNS server is being used. So it seems my DNS server entries on the System/General Setup page are not being used. Does anyone know why that would be the case? Thank you!

Check to make sure that your clients don’t have any DNS entries hard-coded on the client computers.

Also, when you mention ‘DNS server to use by gateway’ - do you mean the settings on System-> General Setup in pfsense web interface? Or under Services -> DHCP Server -> LAN ? It’s the settings under DHCP server that will actually propagate to the clients.

Thank you…I don’t have entries hard-coded on the clients. And ‘DNS server to use by gateway’ is under System/General Setup. If the setting here are not used, what are they for?

Under Services -> DHCP Server -> LAN, I have left the DNS Servers blank because there is a note which says “Leave blank to use the system default DNS servers: this interface’s IP if DNS Forwarder or Resolver is enabled, otherwise the servers configured on the System / General Setup page.”

This is why I am puzzled why this is not working…

The DNS server traffic and assigning DNS servers don’t work the way you think it does. All of that assignment that you do under system->general setup is just for the benefit of the pfsense box itself. It then gets passed to the DHCP server which sends the server address to the clients. But it’s not smart enough to make the connection about certain clients getting certain DNS servers.

The more I think about this, the more I question why you’re trying to do this.
Are you worried about your ISP profiling your DNS queries and traffic?
If so, you have a couple alternative easier solutions:

  1. Run the internal unbound DNS server and use DNS over TLS to query google, cloudflare, or one of many public TLS-capable DNS servers.
  2. Run ALL of your DNS traffic through PIA. DNS isn’t particularly heavy-weight traffic and your VPN connection should be able to handle it all.

Thank you for all your help. My original setup used the PIA DNS servers for all traffic, but then I found that some things like Netflix did not work with that configuration. That’s why I wanted “regular” DNS servers like 8.8.8.8 for non-VPN traffic. Since I think what you describe as option 2 is what I initially tried, can you teach me how I can accomplish option 1? Thank you.

I think this is a full list, but you may need to tinker a bit.

  1. Add TLS-capable DNS servers to system->General Setup (I know that google 8.8.8.8 and cloudflare 1.1.1.1 are) if they’re no there already.
  2. On pfsense interface, go to: Services->DNS resolver
  3. Make sure that the DNS resolver is enabled (I think you mentioned disabling it).
  4. Scroll down to “DNS Query Forwarding”. Make sure that “Enable Forwarding Mode” and “Use SSL/TLS for outgoing DNS Queries to Forwarding Servers” are both checked.
  5. Click ‘Save’, and possibly restart the resolver if prompted to do so (I can’t remember if this is necessary).
  6. Run a packet capture and verify that your outbound DNS packets from the pfsense box to the external server are TCP port 853 and NOT UDP port 53.
  7. You may need to restart your client computers to refresh the DHCP records and get the updated local DNS (which should be your pfsense server).

Also, take a look at Tom’s video on this (though he made the video before DNS-over-TLS was finalized in the latest GUI). He provides great background and shows the testing as well. https://www.youtube.com/watch?v=7niY890CEUM
Here’s the DNS-SEC testing link that Tom suggested. https://dnssec.vs.uni-due.de/

Good luck.

1 Like

That worked perfectly…Thank you!

1 Like

I also put a rule to force DNS over VPN, if VPN goes down DNS does not work because I have a deny on the WAN.