Page 1 of 4, results 1 to 10 of 31
    #1 Master Untangler (joined Jun 2015, 163 posts)

    How to force all DNS lookups thru Tunnel VPN?

    When my clients behind Untangle NGFW 14 are accessing the internet, I would like ALL DNS requests to be routed thru my Tunnel VPN, thus eliminating any DNS leaking.

    Is there a guide in this forum on how to do this? I've tried blocking traffic to destination port 53 UDP completely in my Firewall app. Then tried to make a rule in Tunnel VPN app so that any traffic to destination port 53 UDP goes to any available tunnel. Doesn't seem to work.

    Thanks.

    #2 Master Untangler (joined Jun 2015, 163 posts)

    Currently I've set up my first firewall rule in the Firewall app list to be:

    Destination Interface is Any Wan
    Destination Port is 53
    Protocol is UDP
    Destination Address is: ISP DNS1, ISP DNS2
    Action Type Block

    Then in Tunnel VPN I've set first rule as:
    Source Interface is Any
    Destination port is 53
    Protocol is UDP
    Destination tunnel is My Tunnel

    I've confirmed my VPN provider has DNS.

    Despite these rules, my DNS traffic is not exiting via Tunnel VPN app.

    #3 sky-knight, Untangle Ninja (joined Apr 2008, Phoenix, AZ, 23,441 posts)

    Two problems. First, this configuration lacks TCP. DNS operates on UDP AND TCP on port 53. While most resolution will be done via UDP, TCP is still valid and possible.

    Then there's the default DHCP configuration of Untangle, which pushes the clients to use Untangle as their DNS server. Untangle will have DNS that works via your ISP, or the tunnel cannot be connected to start with. And Untangle will use whatever DNS it has to resolve client queries.

    So, if you want your clients to not "leak" you need to override your DHCP service to hand out the DNS IP of your VPN provider. Then you can use a simple firewall rule to block anything destined to port 53 and destined to your ISP WAN. This rule will not impact Untangle, and will prevent clients from resolving directly.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

    #4 Master Untangler (joined Jun 2015, 163 posts)

    Quote Originally Posted by sky-knight:
    Two problems. First, this configuration lacks TCP. DNS operates on UDP AND TCP on port 53. While most resolution will be done via UDP, TCP is still valid and possible.

    Then there's the default DHCP configuration of Untangle, which pushes the clients to use Untangle as their DNS server. Untangle will have DNS that works via your ISP, or the tunnel cannot be connected to start with. And Untangle will use whatever DNS it has to resolve client queries.

    So, if you want your clients to not "leak" you need to override your DHCP service to hand out the DNS IP of your VPN provider. Then you can use a simple firewall rule to block anything destined to port 53 and destined to your ISP WAN. This rule will not impact Untangle, and will prevent clients from resolving directly.
    Thank you, Sky. Per your guidance, I've updated both rules to include both the UDP AND TCP protocols. Updated rules are now as follows.

    Destination Interface is External (my single WAN connection)
    Destination Port is 53
    Protocol is UDP, TCP
    Action Type Block

    Then in Tunnel VPN I've set first rule as:
    Destination port is 53
    Protocol is UDP, TCP
    Destination tunnel is My Tunnel

    Lastly, I've entered my VPN provider's DNS servers into my Config > Network > Interfaces > under the Primary and Secondary servers.

    Please let me know if I've overlooked anything. And, more importantly, thank you for always being one of the most responsive users in these forums AND happy holidays to you and your family.

    #5 sky-knight, Untangle Ninja (joined Apr 2008, Phoenix, AZ, 23,441 posts)

    Quote Originally Posted by miles267:
    Thank you, Sky. Per your guidance, I've updated both rules to include both the UDP AND TCP protocols. Updated rules are now as follows.

    Destination Interface is External (my single WAN connection)
    Destination Port is 53
    Protocol is UDP, TCP
    Action Type Block

    Then in Tunnel VPN I've set first rule as:
    Destination port is 53
    Protocol is UDP, TCP
    Destination tunnel is My Tunnel

    Lastly, I've entered my VPN provider's DNS servers into my Config > Network > Interfaces > under the Primary and Secondary servers.

    Please let me know if I've overlooked anything. And, more importantly, thank you for always being one of the most responsive users in these forums AND happy holidays to you and your family.
    If you edited your external interface to include the DNS of your VPN provider, you misunderstood me; that's a great way to not have any Internet connectivity at all. Which means you might just have problems seeing this post. External needs to have your ISP DNS; it must always work with or without any other dependencies or Untangle will have issues.

    What you edit is the DNS override field, of the DHCP configuration tab, on your LAN interface. But beware, this means all DHCP clients will need the tunnel or they won't work.

    You have to pick a path... and there's nothing to stop a client from manually using Untangle for DNS and also bypassing the tunnel. That's what access rules are for, but seriously be careful because all of this is a great way to lock yourself out of everything.
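As an added illustration (not Untangle code and not from any poster in this thread), a small Python model of the rule interplay sky-knight describes in #3 and #5: it enumerates which client DNS flows still leave via the ISP under the UDP-only rules from #2 versus the corrected setup (both protocols blocked toward ISP DNS, DHCP override to the VPN resolver, and an access rule stopping clients from using Untangle itself as resolver). The resolver addresses, the gateway LAN IP and the access-rule flag are constructed assumptions.

```python
from dataclasses import dataclass

ISP_DNS = {"203.0.113.53", "203.0.113.54"}  # constructed ISP resolvers (TEST-NET)
VPN_DNS = {"198.51.100.53"}                 # constructed VPN-provider resolver
GATEWAY = "192.168.1.1"                     # assumed Untangle LAN address

@dataclass(frozen=True)
class Config:
    block_protos: frozenset    # protocols the Firewall rule blocks toward ISP DNS on the WAN
    tunnel_protos: frozenset   # protocols the Tunnel VPN rule sends down the tunnel
    dhcp_dns: str              # resolver the LAN DHCP scope hands to clients
    block_gateway_dns: bool = False  # assumed access rule: clients may not query Untangle itself

def route(dst: str, proto: str, cfg: Config) -> str:
    """Where a LAN client's port-53 flow to dst ends up under cfg."""
    if dst == GATEWAY:
        # Untangle answers from its own resolver, which must stay on the ISP
        # (External) DNS or the tunnel itself cannot come up (post #5).
        return "blocked" if cfg.block_gateway_dns else "gateway-via-isp"
    if dst in ISP_DNS:
        return "blocked" if proto in cfg.block_protos else "isp"
    if dst in VPN_DNS:
        return "tunnel" if proto in cfg.tunnel_protos else "isp"
    return "isp"  # any other resolver goes straight out the WAN

LEAKS = {"isp", "gateway-via-isp"}

def leaks(cfg: Config) -> set:
    """(dst, proto) pairs a client could use that still resolve outside the tunnel.
    Clients are modelled both honouring DHCP and manually picking another resolver."""
    candidates = {cfg.dhcp_dns, GATEWAY, *ISP_DNS, *VPN_DNS}
    return {(d, p) for d in candidates for p in ("udp", "tcp") if route(d, p, cfg) in LEAKS}

# Post #2: UDP-only rules, DHCP still points clients at Untangle.
ORIGINAL = Config(frozenset({"udp"}), frozenset({"udp"}), GATEWAY)
# Posts #3 and #5: both protocols, DHCP override to the VPN resolver, plus an access rule.
FIXED = Config(frozenset({"udp", "tcp"}), frozenset({"udp", "tcp"}), "198.51.100.53", True)

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, sorted(leaks(cfg)))
```

Dropping the access rule from FIXED leaves exactly the gateway-as-resolver leak sky-knight warns about in #5, which is the case the model reports as "gateway-via-isp".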

    #6 Master Untangler (joined Jun 2015, 163 posts)

    I actually did edit my external interface with my VPN provider's DNS servers. It seems they're unavailable unless requested by a registered user. Now all DNS requests from my WAN use their DNS, which seems to be working.

    No matter what I tried, I couldn't get my WAN to use OpenDNS servers in the external interface, for example, except for when a VPN tunnel was established between Untangle and the VPN provider. Not sure where I was going wrong.

    #7 Untanglit (joined Dec 2018, 22 posts)

    I too am having trouble with this. My VPN provider requires that you're logged in in order to use their DNS. On pfSense, I've connected using the OpenVPN client and this works fine, but it doesn't seem to work when using Tunnel VPN on Untangle. When I change my DHCP Configuration to hand out my VPN's DNS server, I simply can't reach any sites, so it seems Tunnel VPN does not allow for this quite yet.

    #8 Master Untangler (joined Jun 2015, 163 posts)

    Quote Originally Posted by rnatalli:
    I too am having trouble with this. My VPN provider requires that you're logged in in order to use their DNS. On pfSense, I've connected using the OpenVPN client and this works fine, but it doesn't seem to work when using Tunnel VPN on Untangle. When I change my DHCP Configuration to hand out my VPN's DNS server, I simply can't reach any sites, so it seems Tunnel VPN does not allow for this quite yet.
    My VPN provider requires you to register your IP before you can use their DNS servers. However, I've found that even then their DNS servers are simply a bit too slow. The latency is quite noticeable even when web browsing. As a result, I've reverted to public DNS for the time being.


    #9 Untanglit (joined Dec 2018, 22 posts)

    Does Untangle support DNS over TLS? If so, using a public server would be fine.


    #10 jcoffin, Untangler (joined Aug 2008, Sunnyvale, CA, 7,932 posts)

    Quote Originally Posted by rnatalli:
    Does Untangle support DNS over TLS? If so, using a public server would be fine.
    Not at this time.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com
