DNS not resolved via VPN when forced, in case of more than one policy per device
After a lot of unexplained issues with remote geo-restricted connections, I discovered that forcing DNS through the VPN does not work in policy routing. Either there is something really wrong with my box, or people may be missing this, because the correct IP address appears; but with geo restrictions there must not be any leaks, and that is a different story.
So, unless I route all traffic to the Internet from a given device/group/network to a single VPN client connection in a route, I can forget about forcing resolution of DNS traffic through the specific VPN tunnel for the location. It will be resolved locally, or leak locally: to either the VPN that is defined as carrying all Internet traffic from the device, or alternatively DoH or Unbound if those are configured; if not, it will follow the local lab DNS, and if none are set up, then the actual ISP WAN will get exposed.
For example, route 1: traffic from the iPhone group to the Internet through VPNlocal; traffic to the US (either as a category or specific domains) going through VPNUS; traffic to the UK going through VPNUK.
If I run leaktest.com, which is part of the VPNUS category (part of the list), I will see my US address correctly, but the leak test will expose my local VPN provider's server in my own country as the one that all the rest of the Internet traffic is supposed to go to.
Alternatively, in a scenario where the default route to the Internet is not the VPN interfaces, and assuming that Unbound and DoH are switched off, that the LAN of the iPhone group does not have a DNS other than its gateway configured, and that I even turn off Turbo DNS (which makes no difference, but just to show that I have switched off everything else):
Still, in this case, if I go to dnsleaktest.com, the IP that I see is correct for my VPN US route, and there is no reason to look any further.
However, when things like HBO Max stop working, I run the leak test and see my own ISP as the DNS provider. I am attaching some screenshots to illustrate.
PS: the screenshots are not great, but they show three scenarios: 1. only routing all traffic to the Internet through the correct US VPN tunnel does not leak; 2. now the US VPN tunnel/rule is secondary to a default "all the rest of the Internet" rule, which creates a DNS leak; 3. only one VPN routing rule to the US, but it is enough that DNS traffic that is only supposed to be resolved from VPN US leaks my WAN ISP DNS. https://drive.google.com/file/d/18J2Un3ESQVQW19__93AN9ikvospvZsoU/view?usp=drivesdk
To summarize: whether something has gone completely wacko with my Firewalla box or it is a major bug, I really could use some help, in any way I can get it. Thanks in advance.
-
Thanks for the feedback.
The problem here is that the DNS queries do not honor the country-based route rule. It is still a TODO item on our side. For a specific domain, it's hard to tell if it definitely belongs to a specific country. The same domain may have different servers around the world, so it may be ambiguous to tell if a domain is in a country.
Currently, the country-based rules are purely based on IP, so the DNS queries before the actual IP traffic cannot be forwarded to different upstream DNS servers based on the country due to the ambiguity of a domain's country.
-
Thank you for the swift response. However, the problem is not that Firewalla does not categorize the website dnsleaktest.com as being US or not. Instead, the problem is that it does not force the DNS queries for VPN tunnels set in routes to the DNS of that particular VPN tunnel. On the surface you don't see it, because you get the correct IP, but the DNS used, or the DNS exposed, is the one that is configured for all Internet traffic and not the one for the specific route being applied to the specific traffic, in this case to dnsleaktest the site, or US the country, as in the attached video. Example: I configured a policy route that specifically sends all the traffic for dnsleaktest.com and the US in general through the US VPN tunnel. All other traffic goes according to the WAN DNS configuration, as both DoH and Unbound are off, and there is no DNS setting for the subnet (i.e. DNS is the gateway). I see the correct US VPN IP when browsing dnsleaktest, but running the test exposes my WAN ISP DNS. I realize this was happening before, because I use VPN policy routing for bypassing geo restrictions and ran into being blocked by sites that were positively getting the right IP. The problem is that DNS traffic is not forced through the VPN, except when the policy is all Internet traffic. I provided more detail in a ticket about this, but it hasn't been addressed. Watch the video to see how it happens, and thanks again. https://drive.google.com/file/d/1017PUp8Zk6JOd2qZi3tqYpbnzDFKe72O/view?usp=drivesdk
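The two replies above describe the same ordering problem from different angles: a DNS query is sent before the answer IP exists, so a rule keyed on the destination's country cannot be applied to the query, while a rule keyed on the domain name could be, by suffix-matching the query name. The following model, written for this thread as an added example and not Firewalla's code or a description of its internals, reproduces the three screenshot scenarios from the original post. The egress names, exit addresses, resolver addresses, the GeoIP table and the hostname video.example.com are all constructed assumptions; the only claim it makes is that a leak is visible exactly when the resolver that asked on the client's behalf sits behind a different egress than the flow that follows the lookup.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed lab topology (an assumption for this example, not taken from the thread):
# each egress has its own exit address and a resolver reachable only inside it.
EGRESS = {
    "WAN":      {"exit_ip": "203.0.113.10", "resolver": "203.0.113.53"},   # ISP
    "VPNlocal": {"exit_ip": "198.51.100.7", "resolver": "198.51.100.53"},  # home-country VPN
    "VPNUS":    {"exit_ip": "192.0.2.40",   "resolver": "192.0.2.53"},
    "VPNUK":    {"exit_ip": "192.0.2.200",  "resolver": "192.0.2.253"},
}

# Constructed GeoIP table (assumption; a real product consults a full GeoIP database).
GEO = {
    "192.0.2.0/25":    "US",
    "192.0.2.128/25":  "UK",
    "198.51.100.0/24": "HOME",
}


@dataclass
class Rule:
    tunnel: str
    domains: tuple = ()            # domain rule: decidable from the query name, before resolution
    country: Optional[str] = None  # country rule: decidable only from the answer IP, after resolution
    default: bool = False          # the "all the rest of the Internet" rule


def country_of(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    for prefix, cc in GEO.items():
        if addr in ipaddress.ip_network(prefix):
            return cc
    return None


def domain_matches(qname: str, pattern: str) -> bool:
    """Suffix match: 'dnsleaktest.com' matches itself and any subdomain."""
    qname = qname.rstrip(".").lower()
    pattern = pattern.lstrip("*.").lower()
    return qname == pattern or qname.endswith("." + pattern)


def dns_egress(rules, qname: str) -> str:
    """Where the DNS query itself is sent. Only a domain rule can be evaluated
    here: the answer IP, and therefore its country, is not known yet."""
    for r in rules:
        if any(domain_matches(qname, d) for d in r.domains):
            return r.tunnel
    for r in rules:
        if r.default:
            return r.tunnel
    return "WAN"


def flow_egress(rules, qname: str, dst_ip: str) -> str:
    """Where the connection that follows the lookup is sent: domain rule first,
    then the country rule on the resolved IP, then the default rule, else WAN."""
    for r in rules:
        if any(domain_matches(qname, d) for d in r.domains):
            return r.tunnel
    cc = country_of(dst_ip)
    for r in rules:
        if r.country is not None and r.country == cc:
            return r.tunnel
    for r in rules:
        if r.default:
            return r.tunnel
    return "WAN"


def leak_report(rules, qname: str, dst_ip: str) -> dict:
    """What a site like dnsleaktest.com observes: the exit IP of the flow and the
    resolver that queried on the client's behalf. It is a leak when they differ."""
    via_dns = dns_egress(rules, qname)
    via_flow = flow_egress(rules, qname, dst_ip)
    return {
        "dns_via": via_dns,
        "traffic_via": via_flow,
        "visible_ip": EGRESS[via_flow]["exit_ip"],
        "resolver_seen": EGRESS[via_dns]["resolver"],
        "leak": via_dns != via_flow,
    }


if __name__ == "__main__":
    # Scenario 2 from the post: a default VPNlocal rule plus a US country rule
    # and a domain rule, both pointing at VPNUS.
    rules = [
        Rule("VPNUS", domains=("dnsleaktest.com",)),
        Rule("VPNUS", country="US"),
        Rule("VPNlocal", default=True),
    ]
    # 192.0.2.100 is a constructed "US" address for a host only the country rule covers.
    for name in ("dnsleaktest.com", "video.example.com"):
        print(name, leak_report(rules, name, "192.0.2.100"))
```

The check a practitioner wants is the last field: compare the resolver address the leak test reports against the resolver of the tunnel you expect the traffic to use, not just the visible exit IP. In the model, a host covered only by the country rule always leaks to whatever handles the default (VPNlocal in scenario 2, the ISP resolver in scenario 3, where there is no default rule), because the query has to go somewhere before the answer IP can be classified; a host covered by a domain rule can only be kept inside the tunnel if the forwarder steers the query by name before resolution.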