
Author Topic: DNS going thru my cable company after reboot?  (Read 152 times)


Offline V3lcr0

  • Full Member
  • ***
  • Posts: 190
  • Karma: +7/-0
DNS going thru my cable company after reboot?
« on: November 30, 2017, 08:42:29 am »
I am trying to eliminate any DNS queries going thru my WAN for certain VLANs, however after a reboot all queries go out my WAN and thru my cable company and stay that way? I reboot my resolver and all queries then go thru my VPN going forward....no problem (with periodic checks)

My setup is as follows:
* Using PIA
* "Don't pull routes" is checked in my OpenVPN client
* I only have my VPN Interface selected in my "Outgoing Network Interfaces" for Unbound
* "DNS Server Override" and "Disable DNS Forwarder" NOT checked and NO "DNS Servers" assigned in System -> General Settings
* I have attached my rules for the interface (Basic internet alias ports are 80 and 443/RFC1918 alias is 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16)

In effect I am trying to create a "Kill switch" for certain VLANs for everything to go thru VPN....

Thanks in advance,
V
 
(Edit made after posting for clarification)
« Last Edit: December 01, 2017, 07:15:42 am by V3lcr0 »

Offline V3lcr0

Re: DNS going thru my cable company after reboot?
« Reply #1 on: December 01, 2017, 12:59:31 pm »
I continue to dig into this more, sorry to reply to my original post but I didn't want to keep editing my original question.

I found another post with a similar question...a recommendation was to look at this link for a solution:

https://www.infotechwerx.com/blog/Prevent-Any-Traffic-VPN-Hosts-Egressing-WAN

However in the link the rules are "Any/Any" with no reference to whether Unbound was being used and how Unbound was configured.

It had 2 suggested solutions, I think I had implemented the 2nd suggestion and checked "Skip rules when gateway is down" but I am a little fuzzy as to whether this should be checked or not checked?

Again any recommendation on how to create a "Kill switch" would be surely appreciated...thanks in advance.

V

Offline V3lcr0

I realized I never attached my rules on my original post so adding them now.

I tried shutting down my firewall a few times to replicate but I have struggled to replicate this issue in the last few days....

I have decided to test the "policy filtering" in what was detailed in this post below:

https://www.infotechwerx.com/blog/Prevent-Any-Traffic-VPN-Hosts-Egressing-WAN

I added a "mark" of  "NO_WAN_EGRESS"  to my rule #1 and rule #3 and a "Quick" floating rule with my outgoing WAN per the blog....

Beyond the "tin foil hat"/DNS leak/ISP monitoring concern (I admit I am one of those!) this seems like a possible attack path for a malicious actor. Simply attack and restart a vulnerable downstream modem (seems like a lot of them are already vulnerable), briefly shut down the OpenVPN connection and then monitor the ongoing unencrypted traffic after the modem restart that ensues (while the user thinks they are using a VPN)? The only reason I discovered my DNS was going through my cable company was I happened to do a DNS leak test one morning....

I'll surely report back if this solution doesn't work....thank you pfSense you are the rock in my network!

Happy holidays,
V

« Last Edit: December 02, 2017, 10:58:06 am by V3lcr0 »
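As an added example (not part of the thread above, and not the ruleset from the linked blog), here is what the "kill switch" described across these posts looks like written out in raw pf syntax: the VLAN rules are policy-routed to the VPN gateway and carry the NO_WAN_EGRESS tag, and a quick floating rule on WAN drops anything still carrying that tag. pfSense generates equivalent rules from the GUI ("Tag" under the VLAN rule's advanced options, "Tagged" on the floating rule), so this is for reading and for comparing against `pfctl -sr`, not for pasting into a pfSense box. The interface names, the VLAN subnet and the VPN gateway address are assumptions.

```pf
# Added example; interface names, subnet and gateway are assumed values.
wan_if   = "igb0"
vpn_if   = "ovpnc1"            # OpenVPN client interface (PIA)
vlan_if  = "igb1.20"           # VLAN that must only reach the internet via the VPN
vlan_net = "192.168.20.0/24"   # assumed VLAN subnet
vpn_gw   = "10.8.0.1"          # assumed VPN-side gateway handed out by the client
table <rfc1918> { 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 }

# Floating rule, evaluated first because of "quick": traffic that was tagged
# on the way in can never be sent out the WAN, whatever the routing table says.
block out quick on $wan_if tagged NO_WAN_EGRESS

# VLAN rule 1: local traffic (including DNS to the firewall's own VLAN address,
# where Unbound listens) is not tagged and not policy-routed.
pass in quick on $vlan_if from $vlan_net to <rfc1918> keep state

# VLAN rule 2: everything else is pushed to the VPN gateway and tagged.
pass in quick on $vlan_if route-to ($vpn_if $vpn_gw) \
    from $vlan_net to any keep state tag NO_WAN_EGRESS

# Nothing else from this VLAN is allowed.
block in quick on $vlan_if from $vlan_net to any
```

Two things worth checking after loading such a ruleset. First, the floating rule only protects traffic that entered the firewall from the VLAN; Unbound's own outgoing queries originate on the firewall and are untagged, so they are governed by the "Outgoing Network Interfaces" setting in the resolver, not by this rule. Second, the "Skip rules when gateway is down" option matters here: with it unchecked, a rule whose gateway is down is still loaded, just without the route-to, so the traffic keeps its tag and is dropped at the WAN by the floating rule; with it checked, the rule is not loaded at all, and the traffic can match whatever rule follows, untagged.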