Pfsense....use DNS Resolver and Forwarder at the same time?


Fingers

Regular Contributor
I am currently using two different VPN connections and am using DNS Resolver with pfBlockerNG. The VPNs are located in different countries (UK & USA) and I need to configure separate DNS servers that reside in the corresponding countries.
Is it possible to use DNS Resolver for my UK VPN (and other clearnet traffic), and use Forwarder solely for my USA VPN?
I understand I need a separate port forward linking port 53 in Forwarder, but I'm struggling with the correct rules to apply.

I should also mention that both VPNs and clearnet are running on separate VLANs.

Any pointers would be greatly appreciated.
 

On the DNS Resolver screen, I do not check the box to use DNS Forwarder. I set up my system so that all DNS queries use the VPN tunnels. This works with pfBlockerNG:

[screenshot: upload_2018-8-26_15-36-8.png]

When performing a DNS leak test, it reports the Public IP address of each VPN tunnel. It would be nice if it only reported the server IP of the tunnel I am connected to! I read this post recently and it may be a fix for my situation. Skip to the last two posts in the thread. Something to look into once I finish my current project.

I have some links that may be of help to you.

This resource may be applicable for your use case as it involves DNS routing over VLANs. His use case for DNS over the different VLANs is very interesting. Great resource.

This resource shows how I have DNS Resolver (Unbound) set-up. Specifics are in the DNS Leak Prevention: Method 2 section.

Hopefully, these links will be of help.
 
Thanks once again Xentrk.
I have tried it like your set up and it does work, but I have issues with a few streaming providers that block as soon as a DNS from another country is detected.

I have tried to replicate what's in the nguvu link but without success. He does indeed have a finely tweaked machine.

I will start grinding the strong coffee beans and re read it all :confused:
 
Are you sure it is due to DNS leaking from another country? I know several streaming services block known VPN providers, and only a few are able to get around the issue. This is why I like my current provider and wrote about my experience here.

I have been able to perform out of country streaming, both with and without DNS leaking. However, I realize every region and network is different.

Does either ipleak.com or ipleak.net at least report the IP addresses of each VPN interface? I don't have any DNS servers listed on the System->General Setup page in the DNS section nor do I use DNS Forwarder.

Here is the official pfSense documentation site for DNS:
https://www.netgate.com/docs/pfsense/dns/index.html

I use a combination of pfBlockerNG and Firewall Alias rules to create my IPv4 or Domain Name lists. The routing rules are in the Firewall->LAN page.
 
I'm using a residential VPN, so I know it can't be IP related. My UK stuff is pretty easy going and doesn't really matter, but I have to be careful with the US-based stuff. As a result I am exclusively using US DNS servers as a quick fix until I can get it set up properly. I will point DNS to both my VPNs and disable it in 'General settings' as you have and see if it still works.

I believe it's to do with the way some providers use the CDN: checking your IP, then matching it to the closest DNS to where it thinks you're located. I think Akamai do this, among others.
 
I tried it and the US providers wouldn't stream. The problem I have is the UK VPN is known as a server address, so it is blocked straight away.
 
I have been doing some development on an Asus router using 5 OpenVPN clients with both Accept DNS Configuration = Exclusive and Strict recently. Strict causes a DNS leak to a DNS server I specified in the USA using the "dhcp-option DNS 1.1.1." command in the Custom Config section (this can also be done on pfSense to override the DNS pushed by the provider). I can still watch major streaming services in the USA and UK that block known VPN providers using my private or dedicated VPN IP addresses. I have had no issues with the streaming services even though the DNS is located in another country.

On the pfSense appliance, ipleak.net reports the IP addresses of my three VPN tunnels. Two of the three DNS servers ipleak.net reports are one private VPN server IP address and a shared VPN server IP address located in the USA. The other DNS server is my dedicated VPN server IP address in UK. That is why I think you have another issue. If it was DNS issue, then I would be getting blocked as well.

But one of my DNS servers is also a known shared VPN server and I am not getting blocked! I use two services in the US and one service in the UK that block known VPN providers. So that is why I do not think it is a DNS issue. I use the Firewall->Rules->LAN page to see the stats on the packets that are traversing the interfaces I assigned traffic to for my streaming services. Helps to confirm that the traffic is going where I told it to!

I don't want to sound like a commercial, but my provider has a seven-day free trial period and has good support. If you want to try them, the only thing I ask is that you please use the link in my blog post https://x3mtek.com/why-i-use-torguard-as-my-vpn-provider/ so you can also use the discount code. The discount code applies to renewals too. Anyway, read the blog post for the details. If it does not work in the seven-day period, you can cancel and get your money back.

I plan to do some blog posts on the DNS topic and selective routing with pfSense after I finish my current project. Please keep me posted on your progress and consider creating a thread on the pfSense forum in the OpenVPN section or a search as I don't see too many pfSense users on this forum site. But there are several of us around.
 
Dear Xentrk,
I was perhaps overcomplicating my thinking, which was sending me in circles. I have reached a solution to my problem; I have run numerous DNS checks on the VLANs and it appears to be working fine.

In Resolver I specified just my main VPN for DNS to LAN and two of my VLANs

[screenshot: screenshot-192.168.1.1-2018.08.28-19-36-10.png]


In Forwarder I selected the USA traffic VLAN, using port 5353

[screenshot: screenshot-192.168.1.1-2018.08.28-19-36-44.png]



I set up a port forward 5353 --> 53

[screenshot: screenshot-192.168.1.1-2018.08.28-19-37-19.png]


Also a rule in the VLAN

[screenshot: screenshot-192.168.1.1-2018.08.28-19-39-09.png]



The USA VLAN now uses whatever DNS I enter in the general settings tab, so I can either do a DNS benchmark and find the fastest DNS or use the VPN.

I'm sure this is a ham-fisted way of achieving the goal, but this does seem to work great. Everything on the USA VLAN now uses USA DNS, and my main VLAN/VPN and clearnet traffic can use VPN or ISP DNS.
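The Resolver/Forwarder split described in the post above, written out as the pieces pfSense generates under the hood: the Unbound and dnsmasq listen-interface lists, the pf redirect that turns a client's port-53 query on the USA VLAN into a query to dnsmasq on 5353, and the pass rule for that VLAN. This is an added example, not the poster's own configuration or screenshots; the interface names (em0, em0.10, em0.20, em0.30) and 192.168.x.0/24 addressing are assumptions. It also goes one step beyond the post: with catch_all=True the redirect captures every port-53 query leaving the USA VLAN, so a client with a hard-coded resolver such as 8.8.8.8 is still answered by the USA forwarder instead of leaking around it.

```python
"""
Split DNS per VLAN on a pfSense box, modelled as pf / Unbound / dnsmasq pieces.

Assumed (hypothetical) topology, not taken from the thread:
  LAN      em0     192.168.1.1/24   -> Unbound (DNS Resolver) on 53
  VLAN10   em0.10  192.168.10.1/24  -> Unbound (UK VPN)
  VLAN20   em0.20  192.168.20.1/24  -> Unbound (clearnet)
  VLAN30   em0.30  192.168.30.1/24  -> dnsmasq (DNS Forwarder) on 5353,
                                       reached by redirecting port 53
"""
import ipaddress
from dataclasses import dataclass

RESOLVER_PORT = 53     # Unbound, the pfSense DNS Resolver
FORWARDER_PORT = 5353  # dnsmasq, the pfSense DNS Forwarder, moved off port 53


@dataclass(frozen=True)
class Segment:
    name: str
    iface: str
    gw: str          # firewall address on this segment
    net: str         # segment prefix
    forwarder: bool  # True: this VLAN is served by dnsmasq, not Unbound


# Constructed sample topology (see module docstring).
SEGMENTS = [
    Segment("LAN", "em0", "192.168.1.1", "192.168.1.0/24", False),
    Segment("VLAN10_UK", "em0.10", "192.168.10.1", "192.168.10.0/24", False),
    Segment("VLAN20_CLEAR", "em0.20", "192.168.20.1", "192.168.20.0/24", False),
    Segment("VLAN30_USA", "em0.30", "192.168.30.1", "192.168.30.0/24", True),
]


def unbound_interfaces(segments):
    """Addresses to tick under DNS Resolver -> Network Interfaces."""
    return [s.gw for s in segments if not s.forwarder]


def dnsmasq_interfaces(segments):
    """Addresses to tick under DNS Forwarder -> Interfaces (listening on 5353)."""
    return [s.gw for s in segments if s.forwarder]


def pf_rules(segments, catch_all=True):
    """pf equivalent of the NAT port forward plus the VLAN firewall rule.

    catch_all=True redirects every port-53 query leaving a forwarder VLAN,
    so a client with a hard-coded external resolver still lands on dnsmasq.
    catch_all=False redirects only queries aimed at the firewall itself,
    which is what a plain 53 -> 5353 port forward on the VLAN address does.
    """
    rules = []
    for s in segments:
        if not s.forwarder:
            continue
        dst = "any" if catch_all else s.gw
        rules.append(
            f"rdr on {s.iface} proto {{ tcp udp }} from {s.net} to {dst} "
            f"port {RESOLVER_PORT} -> {s.gw} port {FORWARDER_PORT}"
        )
        rules.append(
            f"pass in quick on {s.iface} proto {{ tcp udp }} from {s.net} "
            f"to {s.gw} port {FORWARDER_PORT}"
        )
    return rules


def dns_path(segments, src_ip, dst_ip, dst_port=53, catch_all=True):
    """Which daemon answers a client's query once rdr and filter rules apply.

    Returns "unbound", "dnsmasq", "none" (sent to the firewall on a port nothing
    listens on) or "leak" (query leaves untouched towards an external resolver).
    """
    src = ipaddress.ip_address(src_ip)
    seg = next((s for s in segments if src in ipaddress.ip_network(s.net)), None)
    if seg is None:
        raise ValueError(f"{src_ip} is not on a known segment")
    to_firewall = dst_ip == seg.gw
    if seg.forwarder:
        if dst_port == RESOLVER_PORT and (catch_all or to_firewall):
            return "dnsmasq"  # rdr rewrote :53 to the VLAN address on :5353
        if dst_port == FORWARDER_PORT and to_firewall:
            return "dnsmasq"  # client talked to 5353 directly
    elif to_firewall and dst_port == RESOLVER_PORT:
        return "unbound"
    return "none" if to_firewall else "leak"


if __name__ == "__main__":
    for rule in pf_rules(SEGMENTS):
        print(rule)
    print(dns_path(SEGMENTS, "192.168.30.50", "192.168.30.1"))
    print(dns_path(SEGMENTS, "192.168.30.50", "8.8.8.8", catch_all=False))
```

The useful check is the catch_all=False case: with only the plain port forward, a USA-VLAN host that points itself at 8.8.8.8 bypasses the forwarder entirely, which is exactly the kind of out-of-country DNS the streaming services in this thread are suspected of noticing.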
 
Good news! I think your approach is fine. Thanks for posting your solution.
 