  1. #1
    Newbie
    Join Date
    May 2022
    Location
    Dubai
    Posts
    2

    PIA over VPN Tunnel is leaking DNS

    Hello Untanglers,

    I'm new here, recently moved from pfSense.

    EVERYTHING about Untangle for now is far better and easier and I'm very happy.... except the last (VERY important feature for me in my region) - VPN tunnel

    I have tried EVERYTHING from what I have read on this and other forums but I still have DNS leaks when using Untangle.

    Setup:
    3 interfaces (physical)
    WAN
    Local (local IP 10.10.20.0/24)
    VPN (VPN IP 10.10.50.0/24)

    All connections from the VPN interface are routed over the tunnel (confirmed)

    When I set up a VPN tunnel with PIA I get leaks (dnsleaktest)

    What's strange is I have used the SAME PIA config file on a mobile app (OpenVPN) and my Unraid server and there is no leak... meaning it has to be Untangle...

    The DNS server it displays is still from my ISP (I live in a country where I need to bypass this sometimes)

    I have tried overriding the DNS server at the interface level:
    VPN interface > DHCP configuration
    DNS override 209.222.18.218
    No success! Still ISP DNS

    I have followed other posts' suggestions and did a port forward rule - no success...
    Port forward
    Protocol IS TCP AND UDP
    Destination port IS 53
    Source Interface IS "VPN interface"

    I have tried other small workarounds without success and I want to understand the issue before I just start doing random bad practices.

    I can see many others have had the same issue but I don't see a proper fix for this, everything seems to "put a band-aid on the broken leg"

    Guys be gentle on me, I'm by no means a networking guru... advanced home enthusiast at best

    Thanks for the help gents.
    Attached Images

  2. #2
    sky-knight (Untangle Ninja)
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,518


    This always happens, and it happens for a very simple reason... DNS doesn't work the way you think it does! It works exactly as it's configured, and no amount of tunnel tomfoolery is going to change it!

    Your workstations are using a DHCP assignment to get online, correct? This assignment by default makes Untangle the DNS server for them. Untangle is configured to use whatever DNS lands on its External interface for resolution.

    So, you spin up your tunnel, and traffic goes over it. But name resolution is happening in accordance with the above, that is to say dnsmasq on Untangle itself is handling the resolution, and it's doing so via the only mechanism it has... direct.

    If you want a specific client to use a DNS server over the tunnel you have to configure that specific client to USE a DNS server over the tunnel. There are several ways to do this, but all of them result in one problem... no DNS at all when the tunnel is down.

    Now you must have some grasp of all this, or you wouldn't be attempting to create a dedicated network to handle devices that need to behave this way. Which is a great idea, I might add! And you've configured things correctly from what I can see. You're overriding DHCP to hand out a specific DNS server, so the clients can use that!

    You're then backing that up with a port forward rule that enforces DNS resolution to that same address. That's also good.

    The problem? TCP and UDP 52 is indeed DNS, but it's not DoH or DoT. Worse... some things are hard-coded to get home no matter what you do.

    But I'd start with inspecting the IP configuration of a device on that VPN Connections network of yours, and make sure it's actually getting the expected DNS address.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3
    Master Untangler
    Join Date
    Apr 2020
    Location
    United Kingdom
    Posts
    132


    Hi and welcome!

    I had a similar thing a while ago... https://forums.untangle.com/tunnel-v...l-vpn-dns.html

    My issue was that even when I put my VPN's DNS server address on the WAN interface (i.e. what Untangle would use for resolution) I still had a DNS leak. Only when the host had a manually configured DNS did it not leak. My only assumption was that somewhere along the line, if DNS requests went outside the tunnel, even if they pointed to the VPN's servers, maybe they were being rewritten by an ISP etc.

    I haven't got a separate LAN just for VPN clients, I use Untangle to tag devices that need to go over the VPN. I then use this tag as the basis for a port-forward to re-write the DNS request. It's a bit hacky and doesn't solve the issues Rob has pointed out, but it works for me.

    What happens if you put the 209.222.18.218 address into the host's network settings? Does it still leak?

    [Attached image: Screenshot 2022-05-16 at 20.25.27.png]

  4. #4
    Newbie
    Join Date
    May 2022
    Location
    Dubai
    Posts
    2


    Hello guys,

    Thanks both of you for your comments... @sky-knight I see you have been interacting with so many people's posts on this DNS thing and can see so many people have the same or very similar issues... without a... complete solution...

    I tried again for another couple of hours without success but with armshouse's comments I'll dig into it again.... I'm not giving up and have decided to stay with Untangle.

    I'll write back when I get success - if others have comments please keep 'em coming

    P.S. and FYI, I actually have 4 interfaces:
    LAN/LOCAL (all local devices and "friendly" WiFi devices)
    IoT devices (WiFi) - I have this interface so my IoT devices don't connect to the outbound world (only the ports I open): cameras, air purifiers, vacuum... etc.
    VPN - connected to Switzerland - in my house I have min 2 or 4 LAN ports in each room... 1 being local and the other being VPN... this means I never have to manually set up VPN connections... just switch the cable... or in some cases like my NAS server... I use double NICs.

    Thanks again.

  5. #5
    sky-knight (Untangle Ninja)
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,518


    There is a complete solution, but it requires you to control DNS, and that means understanding the various mechanisms involved.

    With Untangle itself it is all but impossible to control which DNS server is being used, so you cannot allow a VPN-bound system to use Untangle for DNS. Untangle must have DNS on each WAN interface, including the tunnel, or it cannot do its job! BUT anything asking Untangle for an answer will get one, from any of the above connections. Which again must be so, or Untangle cannot work. This is however "a leak".

    When you're trying to limit yourself to one virtual WAN, you have no choice but to use the firewall to enforce client use of specific DNS, access rules to prevent improper access to Untangle's DNS service, AND a certain amount of content control to try to get the stuff that's leaking over TLS or HTTPS.

    None of this is easy! And I'm not certain it ever will be. But dedicating an interface to define a special network that will operate by these rules, that also hands out via DHCP the correct DNS server, and then backs that up with a properly formatted port forward rule to try to catch the rest should be sufficient to catch most leaks. Which is exactly what the OP has apparently done given the screenshots. So short of getting onto the network in question, attaching a station to the protected network, and then testing the DNS resolution chain I'm not sure what else to suggest. After all, saying it's leaking isn't good enough, you need to determine WHAT is leaking, and how...
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
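Rob's points in #2 and #5 (resolution goes wherever each client is configured to send it, Untangle's own dnsmasq answers via whatever DNS its WAN got, and a port 53 forward never sees DoT or DoH) can be turned into the concrete check he asks for at the end: determine WHAT is leaking and how. The script below is an added example, not code from this thread, from Untangle or from PIA. It assumes the thread's addressing (clients on 10.10.50.0/24, expected resolver 209.222.18.218 from the DHCP override) plus one assumption the thread does not state, that Untangle's VPN-side interface address is 10.10.50.1. The flow records and the resolv.conf text are constructed samples, with non-expected destinations drawn from RFC 5737 documentation ranges.

```python
"""Audit a VPN-only subnet's DNS path for leaks.

Added example, not code from the thread, from Untangle or from PIA. It
assumes the thread's addressing: clients on 10.10.50.0/24 should resolve
only via 209.222.18.218 (the resolver the OP set in the DHCP override),
and it assumes Untangle's VPN interface address is 10.10.50.1 (not stated
in the thread). All flow records and config text below are constructed.
"""
import ipaddress
from collections import Counter

VPN_SUBNET = ipaddress.ip_network("10.10.50.0/24")
EXPECTED_RESOLVER = ipaddress.ip_address("209.222.18.218")
# Assumed address of Untangle's VPN-side interface (where dnsmasq answers).
UNTANGLE_VPN_IF = ipaddress.ip_address("10.10.50.1")

# Constructed flow records as (src, dst, proto, dport); not real captures.
# Non-expected destinations use RFC 5737 documentation addresses.
SAMPLE_FLOWS = [
    ("10.10.50.23", "209.222.18.218", "udp", 53),  # goes where DHCP told it
    ("10.10.50.23", "10.10.50.1", "udp", 53),      # asks Untangle; answered via WAN DNS
    ("10.10.50.40", "198.51.100.53", "udp", 53),   # client-side hard-coded resolver
    ("10.10.50.40", "198.51.100.53", "tcp", 853),  # DoT: port-53 forward never matches
    ("10.10.50.55", "203.0.113.7", "tcp", 443),    # DoH or plain HTTPS; can't tell here
    ("10.10.20.5", "10.10.20.1", "udp", 53),       # LAN subnet, not in scope
]


def classify_flow(src, dst, proto, dport):
    """Say what a single flow means for the VPN subnet's DNS policy."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip not in VPN_SUBNET:
        return "out_of_scope"
    if dport == 53 and proto in ("udp", "tcp"):
        if dst_ip == EXPECTED_RESOLVER:
            return "ok"
        if dst_ip == UNTANGLE_VPN_IF:
            # dnsmasq on Untangle forwards to whatever DNS its WAN got: a leak
            return "leak_via_untangle_dns"
        # A port forward on dport 53 from the VPN interface can redirect this
        return "leak_plain_dns_redirectable"
    if dport == 853:
        # DNS over TLS is not port 53, so the forward rule cannot catch it
        return "leak_dot"
    if dport == 443:
        # DoH is indistinguishable from ordinary HTTPS at the flow level
        return "possible_doh"
    return "not_dns"


def audit_flows(flows):
    """Count each verdict; anything starting with 'leak' needs attention."""
    return Counter(classify_flow(*f) for f in flows)


# Constructed /etc/resolv.conf of a Linux client on the VPN subnet. This
# client is asking Untangle instead of the expected resolver.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager (constructed sample)
search lan
nameserver 10.10.50.1
"""


def resolvers_from_resolv_conf(text):
    """Return the nameserver addresses listed in a resolv.conf body."""
    found = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            found.append(ipaddress.ip_address(parts[1]))
    return found


def client_dns_matches_policy(text):
    """True only if the client uses exactly the expected resolver."""
    return resolvers_from_resolv_conf(text) == [EXPECTED_RESOLVER]


if __name__ == "__main__":
    for verdict, n in sorted(audit_flows(SAMPLE_FLOWS).items()):
        print(f"{verdict:30s} {n}")
    print("client resolv.conf OK:", client_dns_matches_policy(SAMPLE_RESOLV_CONF))
```

Run on a real capture, the verdicts map onto the controls discussed in the thread: `leak_via_untangle_dns` is the case Rob describes (the client asked Untangle, which answered through its WAN DNS), `leak_plain_dns_redirectable` is what the port 53 forward rule exists for, and `leak_dot` / `possible_doh` are the flows that rule can never see, which is why the client's own resolver configuration (the resolv.conf check) matters more than any rule on the gateway.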
