  1. #1
    Untangler
    Join Date
    Sep 2019
    Location
    Canada
    Posts
    39

    Question Internal Caching (non forwarding) DNS Server + Untangle Tunnel = blocked

    I set up my own bind9 / DNS server that is on my LAN. My setup is as follows:

    • I am using Untangle as a DHCP and DNS forwarder for internal clients.
    • Untangle WAN interface points to my internal DNS server (10.0.0.2)
    • My untangle device ip is 10.0.0.1
    • I set up an ExpressVPN tunnel.
    • I tried setting forwarding on any interface and also wan interface in the tunnel setup in untangle
    • When my expressvpn tunnel is off, everything works perfectly as per above. All internal clients query my untangle box for DNS which in turn the untangle box queries my internal bind9 DNS server. Works perfectly.
    • When the expressvpn tunnel is on, my DNS server can't seem to resolve anything.
    • If I change the Untangle DNS forwarding address from my internal server to a public DNS server such as OpenDNS and the tunnel is active, everything works perfectly. However, I don't want to use a third-party DNS server.
    • I want my internal DNS to traverse my tunnel without leaking
    • My firewall rules are empty


    Any help on this would be greatly appreciated. I have been racking my brain for 2 days on this now. I have tried to search in the forums and read the wiki but not having much luck on this.

  2. #2
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    9,015

    Default

    Probably the internal DNS server is not going through the tunnel since the DNS rule is redirecting all to the internal server.

    I would use tcpdump to see where your internal DNS server requests are going.
    Last edited by jcoffin; 09-30-2019 at 06:56 AM.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com
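    One way to act on the tcpdump suggestion above is to capture DNS traffic on every interface of the box and sort outbound queries by the interface they left on. The script below is an added example, not code from the thread or from Untangle: it parses a few constructed lines in the style of `tcpdump -n -l -i any port 53` output (the format of tcpdump 4.99+ on Linux, which prints the interface name and In/Out direction; that format is an assumption here), treats 10.0.0.0/8 and the other RFC 1918 ranges as "internal", and reports any query to a non-internal resolver that did not leave on the tunnel interface. The interface names (eth0 = WAN, eth1 = LAN, tun0 = tunnel) and all addresses are constructed.

```python
import ipaddress
import re
from typing import Dict, List

# Networks treated as "internal" (assumption): 10.0.0.0/8 covers the 10.0.0.x
# addresses from the thread; the other two are the remaining RFC 1918 ranges.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample capture in the style of `tcpdump -n -l -i any port 53`
# on a Linux host whose tcpdump prints interface name and direction.
# eth0 = WAN, eth1 = LAN, tun0 = VPN tunnel (all assumed names).
SAMPLE_CAPTURE = """\
10:01:02.100000 eth1  Out IP 10.0.0.1.40001 > 10.0.0.2.53: 12345+ A? example.com. (29)
10:01:02.101000 tun0  Out IP 10.8.0.5.50001 > 203.0.113.53.53: 5001 [1au] A? example.com. (40)
10:01:02.150000 eth0  Out IP 198.51.100.10.50002 > 192.0.2.53.53: 5002 [1au] NS? com. (32)
10:01:02.200000 tun0  In  IP 203.0.113.53.53 > 10.8.0.5.50001: 5001 1/0/0 A 93.184.216.34 (45)
10:01:02.300000 eth1  In  IP 10.0.0.2.53 > 10.0.0.1.40001: 12345 1/0/0 A 93.184.216.34 (45)
"""

# timestamp, interface, direction, "IP", src.port > dst.port:
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<iface>\S+)\s+(?P<dir>In|Out)\s+IP\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>[^\s:]+):"
)


def split_addr_port(token: str):
    """tcpdump appends the port as a final dotted component: 10.0.0.1.40001."""
    host, port = token.rsplit(".", 1)
    return host, int(port)


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETWORKS)


def parse_capture(text: str) -> List[Dict]:
    """Turn capture lines into records; lines that do not match (IPv6, noise)
    are skipped rather than guessed at."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, sport = split_addr_port(m["src"])
        dst, dport = split_addr_port(m["dst"])
        records.append({
            "ts": m["ts"], "iface": m["iface"], "dir": m["dir"],
            "src": src, "sport": sport, "dst": dst, "dport": dport,
        })
    return records


def find_dns_leaks(text: str, tunnel_iface: str = "tun0") -> List[Dict]:
    """Outbound DNS queries to a non-internal resolver that left on any
    interface other than the tunnel. Queries to internal destinations
    (Untangle -> bind9 on the LAN) are expected and not reported."""
    leaks = []
    for r in parse_capture(text):
        if r["dir"] != "Out" or r["dport"] != 53:
            continue
        if is_internal(r["dst"]):
            continue
        if r["iface"] != tunnel_iface:
            leaks.append(r)
    return leaks


def count_outbound_by_interface(text: str) -> Dict[str, int]:
    """How many outbound DNS queries left on each interface: a quick sanity
    view before looking at individual leaks."""
    counts: Dict[str, int] = {}
    for r in parse_capture(text):
        if r["dir"] == "Out" and r["dport"] == 53:
            counts[r["iface"]] = counts.get(r["iface"], 0) + 1
    return counts


if __name__ == "__main__":
    print("outbound DNS by interface:", count_outbound_by_interface(SAMPLE_CAPTURE))
    for leak in find_dns_leaks(SAMPLE_CAPTURE):
        print(f"LEAK {leak['ts']} {leak['iface']} {leak['src']} -> {leak['dst']}")
```

    Run on a live box by piping the capture in (`tcpdump -n -l -i any port 53 | python3 dnsleak.py` after replacing `SAMPLE_CAPTURE` with `sys.stdin.read()`); a query that leaves on the WAN interface toward a public address, like the third sample line, is exactly the case the thread is trying to rule out.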

  3. #3
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,959

    Default

    If that forward is grabbing traffic from everything, and not exempting that server... no DNS should work ever...

    Screen grab that forward, because I think there's some destination specific logic that's making the difference.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  4. #4
    Untangler
    Join Date
    Sep 2019
    Location
    Canada
    Posts
    39

    Default

    Quote Originally Posted by sky-knight
    If that forward is grabbing traffic from everything, and not exempting that server... no DNS should work ever...

    Screen grab that forward, because I think there's some destination specific logic that's making the difference.
    Sky-knight, I don't want to exempt my DNS server from my VPN. I want everything in the tunnel. DNS queries outside the tunnel expose all the metadata, and I don't want my ISP looking at it or transparently altering DNS traffic. I built a DNS resolver that does the iterative queries directly without forwarding to another DNS service. I am hosting two internal subnets that both point to the Untangle firewall for DNS. The Untangle firewall then points to my internal DNS server. This saves me from creating a firewall rule to pass DNS traffic through my internal network, and I run a single DNS server.

    I did a bit of a workaround and don't know why this works, but I built a Pi-hole server. So when my tunnel is up on Untangle, all my internal clients use Untangle for DNS (this is also handy for internal name resolution). The Untangle box then points to my Pi-hole server. Lastly, my Pi-hole forwards requests to my internal bind9 server for outside resolution. For some reason now all traffic is going through the tunnel and I am passing all my leak tests. There is something happening when Untangle queries my bind9 server directly with the active tunnel, and it's likely some stupid mistake I made somewhere. But in the end the Pi-hole approach is working right now, so I am sticking with it. Thanks for responding, guys.
