Selective DNS on pfSense with VPN & pfBlocker

Does anyone know how to do selective DNS on pfSense (2.4.4)?

My problem:
I want the VLAN that has mobile devices to use the ExpressVPN DNS automatically, but my other VLANs (like my PC) to continue using Cloudflare, which is not on the VPN.
So I only want the devices on the VPN to use the VPN’s DNS and every other device to use Cloudflare.

I just switched from PIA to ExpressVPN:
- I set up OpenVPN
- I’m routing traffic

But I’m still connected to Cloudflare’s DNS and want to use ExpressVPN’s DNS to have 0 leaks (I know Cloudflare has no logs either).

To change this I went to Services / DNS resolver / General settings
- I set the Outgoing Network Interfaces to the ExpressVPN interfaces
- I registered DHCP leases in the DNS Resolver
- I disabled forwarding mode

This makes ALL traffic use the VPN’s DNS. How can I do this based on VLAN/network?

I am also running pfBlocker if that means anything.

The way I approached the same situation was the following; you might want to adopt it:

  • DNS Resolver used by VLANs whose traffic goes out via the VPN, using AirVPN DNS
  • DNS Forwarder used for VLANs going out via the ISP, with Quad9 DNS
  • Allow the guest VLAN to override the DNS rules and use its own DNS

Did you set a custom option command under DNS resolver to do this?

Had a quick look, I’ve got the entry below

server:include: /var/unbound/pfb_dnsbl.*conf

However, I think this relates to pfBlocker, though I will admit I set this up 18 months ago and am not sure if I had an entry when I configured pfSense; I suspect not.

I have that setup also for pfBlocker, but I’m still confused how you managed to set up all VPN traffic to use the VPN’s DNS and other traffic to use another DNS (like Cloudflare, Quad9, etc.).

I just don’t want any “leaks” with the traffic on the VPN.

I think it might depend on your VPN provider actually. I use AirVPN; with them you have to enter the IP address of the server for the OpenVPN connection, hence no DNS resolution is required as such. Once the OpenVPN tunnel is up, all traffic is resolved by AirVPN’s DNS (whatever that might be); if the tunnel goes down, no traffic can be resolved on my VLANs using AirVPN.

I do recall it took me ages to get it working, but I kept no notes as I had to keep hacking away until I got it working.

I mean I got it to pull from the VPN’s DNS server automatically when I disabled forwarding mode in the resolver. My problem at that point was that ALL traffic was using the VPN’s DNS. I didn’t want the traffic not on the VPN to use the VPN’s DNS.

(I only set the interface that the VPN was on as the outgoing interface.)

Hmmm … in Resolver under “Network Interfaces” I’ve only selected my vlans which use the VPN. Under “Outgoing Network Interfaces” I’ve only selected my AirVPN WAN interfaces. Try that.

This is configured through the DHCP server. For each network (“vlan”), you can have the DHCP server suggest different DNS servers.

That’s a DNS leak I believe; I don’t think you want to do that for paid VPN connections.

If I set the DNS server to 1.1.1.1 in the DHCP for my LAN, it will bypass my pfBlocker. That will theoretically work for the problem, but it just creates another.

And if I point the DNS to my pfSense host IP (192.168.100.1), it will just set the DNS back to the VPN’s DNS.

I need it to route through the router’s DNS so that it picks up the pfBlocker rules, but also go to Cloudflare instead of all the traffic using the VPN’s DNS.

Let me try selecting multiple interfaces in the resolver other than the VLAN interface and see what happens.

Well, selecting the VPN and LAN outgoing interfaces in the resolver just leaks my real IP along with the VPN’s DNS.

Here is an upload of my DNS resolver for reference.

I have it set to forwarding mode currently to just use Cloudflare’s DNS.
But when I turn it off, it sets all traffic (even the traffic not on the VPN) to the VPN’s DNS.

I need to keep pfBlocker working, but allow the LAN interfaces to be directed to Cloudflare’s DNS.

On my setup I did the following:

  • Instead of All, select your VPN VLAN only under Network Interfaces
  • Uncheck DNS Query Forwarding
  • Uncheck OpenVPN Clients

My other VLANs then use the DNS Forwarder.

My VPN doesn’t have any leaks when I run a test.
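For reference, here is what the split described in this reply looks like as raw Unbound (DNS Resolver) and dnsmasq (DNS Forwarder) configuration. This is an added illustration, not configuration from pfSense or from anyone in the thread; the VLAN addresses and the OpenVPN client address are constructed placeholders, and on pfSense these files are written by the GUI, so the settings are normally made on the Resolver and Forwarder pages rather than by hand.

```conf
# --- DNS Resolver (Unbound): serves only the VPN VLAN, resolves only via the tunnel ---
server:
    # Listen on the VPN VLAN gateway address and localhost only (GUI: Network Interfaces).
    # Localhost is required because pfSense itself uses the Resolver.
    interface: 192.168.20.1        # constructed: VPN VLAN interface address
    interface: 127.0.0.1
    port: 53
    # Send every query out through the VPN tunnel (GUI: Outgoing Network Interfaces).
    outgoing-interface: 10.8.0.2   # constructed: address of the OpenVPN client interface
    # Only the VPN VLAN and the firewall itself may query this instance.
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.20.0/24 allow
    access-control: 0.0.0.0/0 refuse
    # Forwarding mode is off: Unbound recurses from the roots through the tunnel
    # instead of handing queries to a third-party resolver.
    # pfBlockerNG DNSBL hooks into this instance (the include seen earlier in the thread).
    include: /var/unbound/pfb_dnsbl.*conf

# --- DNS Forwarder (dnsmasq): serves the other VLANs, forwards to Cloudflare over the ISP link ---
# Bind only to the non-VPN VLAN addresses so the two daemons do not both claim port 53.
bind-interfaces
listen-address=192.168.10.1        # constructed: LAN/PC VLAN interface address
listen-address=192.168.30.1        # constructed: guest VLAN interface address
# Ignore /etc/resolv.conf and use only the upstreams listed here.
no-resolv
server=1.1.1.1
server=1.0.0.1
```

Because pfBlockerNG's DNSBL is an Unbound feature, clients served by the Forwarder get plain Cloudflare answers without DNSBL filtering, which is the same trade-off the OP ran into when pointing DHCP at 1.1.1.1 directly.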

When I select the ExpressVPNATL interface for the Network Interface, it shows this error and doesn’t let me save the configuration.

"The following input errors were detected:

This system is configured to use the DNS Resolver as its DNS server, so Localhost or All must be selected in Network Interfaces."

I appreciate your help with this by the way.

Ah, you’re right, select Localhost too; mine is selected, I didn’t scroll all the way to the bottom.

Hmm, when I try that nothing works…

Are your outgoing network interfaces just the ones for your VPN?

Could you post a screenshot of your resolver please?

With ExpressVPN, how do you establish a connection with their servers: is it via a hostname or an IP address?

Hostname. Just a basic OpenVPN connection.