Selective DNS on pfSense with VPN & pfBlocker

ByteTheIO · November 23, 2020, 11:46pm

Does anyone know how to do selective DNS on PfSense (2.4.4)?

My problem:
I want the VLAN that has mobile devices to use the ExpressVPN DNS automatically, but my other VLANS (Like my PC) to continue using Cloudflare, which is not on the VPN.
So I only want the devices on the VPN use the VPN’s DNS & every other device use cloudfare.

I just switched from PIA to ExpressVPN:
-I setup OpenVPN
-I’m routing traffic

But I’m still connected to cloudflare’s DNS and want to use ExpressVPN’s DNS to have 0 leaks (I know cloudflare has no logs either)

To change this I went to Services / DNS resolver / General settings
-I set The Outgoing Network Interfaces to the ExpressVPN interfaces
-I registered DHCP leases in the DNS Resolver
-I disabled fowarding mode

This makes ALL traffic use the VPN’s DNS. How can I do this based on VLAN/network?

I am also running pfBlocker if that means anything.

neogrid · November 23, 2020, 7:15pm

The way I approached the same situation was the following you might want to adopt it:

DNS Resolver used by vlans traffic going out via VPN using AirVPN DNS
DNS Forwarder used for vlans going out via ISP with QUAD9 DNS
Allow guest vlan to overwrite DNS rules and use their own DNS

ByteTheIO · November 23, 2020, 7:26pm

Did you set a custom option command under DNS resolver to do this?

neogrid · November 23, 2020, 7:33pm

Had a quick look, I’ve got the entry below

server:include: /var/unbound/pfb_dnsbl.*conf

however I think this relates to pfblocker, though I will admit I set this up 18m ago and am not sure if I had an entry when I configured pfsense, i suspect not.

ByteTheIO · November 23, 2020, 7:35pm

I have that setup also for pfblocker, but I’m still confused how you manage to setup all VPN traffic to use the VPN’s DNS and other traffic to use another DNS (like cloudflare, quad9, etc)

I just don’t want any “leaks” with the traffic on the VPN

neogrid · November 23, 2020, 7:44pm

I think it might depend on your VPN provider actually. I use AirVPN, with them you have to enter the IP address of the server for the OpenVPN connection, hence no DNS resolution is required as such. Once the openVPN tunnel is up all traffic is resolved by AirVPNs DNS (whatever that might be), if the tunnel goes down no traffic can be resolved on the my vlans using AirVPN.

I do recall it took me ages to get it working but I kept no notes as I had to keep hacking away until I got it working.

ByteTheIO · November 23, 2020, 7:47pm

I mean I got it to pull from the VPN’s DNS server automatically when I disabled forwarding mode in the resolver. My problem at that point was ALL traffic was using the VPN’s DNS. I didn’t want the traffic not on the VPN to use the VPN’s DNS.

(I only set the interface that the VPN was on as the outgoing connection)

neogrid · November 23, 2020, 7:52pm

Hmmm … in Resolver under “Network Interfaces” I’ve only selected my vlans which use the VPN. Under “Outgoing Network Interfaces” I’ve only selected my AirVPN WAN interfaces. Try that.

paolo · November 23, 2020, 8:02pm

This is configured through the DHCP server. For each network (“vlan”), you can have the DHCP server suggest different DNS servers.

neogrid · November 23, 2020, 8:09pm

That’s a DNS leak I believe, don’t think you want to do that for paid VPN connections

ByteTheIO · November 23, 2020, 8:10pm

If I set the DNS server for 1.1.1.1 in the DHCP for my LAN it will bypass my pfblocker. But that will theoretically will work for the problem, but it just creates another.

ByteTheIO · November 23, 2020, 8:16pm

And if I point the DNS to my Pfsense host ip (192.168.100.1) it will just set the DNS back to the VPN’s DNS.

I need it to route through the router’s DNS so that it picks up the pfblocker rules, but also go to cloudflare instead of all the traffic using the VPN’s DNS

Let me try selecting multiple interfaces in the resolver other than the VLAN interface and see what happens.

ByteTheIO · November 23, 2020, 8:33pm

Well selecting the VPN and LAN outgoing connections in the resolver just leaks my real ip along with the VPNs dns.

ByteTheIO · November 23, 2020, 8:38pm

Here is an upload of my DNS resolver for reference.

I have it set to forwarding mode currently to just use cloudflare’s DNS
But when I turn it off it sets all traffic (even the traffic not on the VPN) to the VPN’s DNS

I need to keep pfblocker working, but allow the LAN interfaces to be directed to cloudflare’s DNS.

neogrid · November 23, 2020, 9:00pm

On my setup I done the following:

instead of All select your VPN vlan only under Network Intefaces
Uncheck DNS Query Forwarding
Uncheck OpenVPN Clients

My other vlans then use the DNS Forwarder.

My VPN doesn’t have any leaks when I run a test.

ByteTheIO · November 23, 2020, 9:08pm

When I select the ExpressVPNATL interface for the Network Interface it says this error and doesn’t let me save the configuration.

"The following input errors were detected:

This system is configured to use the DNS Resolver as its DNS server, so Localhost or All must be selected in Network Interfaces."

I appreciate your help with this by the way.

neogrid · November 23, 2020, 9:11pm

Ah you’re right select Localhost too, mine is selected I didn’t scroll all the way to the bottom.

ByteTheIO · November 23, 2020, 9:23pm

Hmm, when I try that nothing works…

Are your outgoing network interfaces just the ones for your VPN?

Could you post a screenshot of your resolver please?

neogrid · November 23, 2020, 9:25pm

With ExpressVPN, how do you establish a connection with their servers is it via a hostname or an IP address ?

ByteTheIO · November 23, 2020, 9:26pm

Hostname. Just a basic OpenVPN connection.