Unfortunately, this is a bit of a multi-disciplinary question that has to be prefaced with some background.


I've got my connection to AirVPN set up on my pfSense box and am using the Resolver there in the default, non-forwarding mode. That means for DNS lookups, pfSense (through Resolver) is supposed to directly query the top-level DNS servers for name resolution without using any specified, lower-level DNS servers. In one sense, it seems to be working in that none of the leak-testing sites (like ipleak.net) show any DNS servers other than AirVPN's. On the other hand, I don't understand how those sites even see those AirVPN DNS servers at all since pfSense isn't set up to use them. Worse, I recently found out that DNS queries through Resolver in the default, non-forwarding mode do NOT get routed through the NAT/Firewall rules: they're sent out the default gateway (my WAN, not my VPN tunnel). So, theoretically, my DNS lookups are in the open instead of through AirVPN.


If that's true, why do places like ipleak.net not show a DNS leak?  How do they determine what DNS server I'm using?  Does it just ask my server what DNS is associated with it?  Or, does it look for the DNS requests coming from my system?  But, if Resolver is sending its own DNS requests over the WAN, then would places like ipleak.net even see them?
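As an added illustration (not part of the original post, and not ipleak.net's own code), here is a toy model in Python of how a DNS leak test decides what "your DNS server" is. It assumes the test site controls a domain (the made-up dnsleak.example) and runs the authoritative nameserver for it; the IP addresses in it are constructed. The mechanism it models is the standard one: the page asks the browser to resolve hostnames built from fresh random tokens, nothing can answer those from cache, so some recursive resolver must contact the site's nameserver, and the nameserver records the source address of that query. The site never sees your DNS packets on the wire; it only sees which resolver egress address finally reached it.

```python
"""
Toy model of a DNS leak test (constructed example, not ipleak.net's code).

The test site controls a domain (here the made-up dnsleak.example) and runs
its authoritative nameserver. The browser is told to fetch a few hostnames
made of random tokens under that domain. Because the tokens are unique, no
cache has them, so some recursive resolver has to contact the authoritative
server, which records the source IP of that query. The test then reports
those IPs: that is "the DNS server you are using" from the site's point of view.
"""
import secrets
from dataclasses import dataclass, field
from typing import Optional

TEST_DOMAIN = "dnsleak.example"   # assumed: the leak-test site's own domain


@dataclass
class AuthoritativeServer:
    """The leak-test site's nameserver for TEST_DOMAIN."""
    # token -> list of resolver source IPs that asked about it
    seen: dict = field(default_factory=dict)

    def query(self, qname: str, source_ip: str) -> str:
        token = qname.split(".")[0]
        self.seen.setdefault(token, []).append(source_ip)
        return "203.0.113.10"   # constructed answer; the value does not matter


@dataclass
class RecursiveResolver:
    """A resolver the client (or another resolver) sends queries to."""
    name: str
    egress_ip: str                                   # address the authoritative server sees
    upstream: Optional["RecursiveResolver"] = None   # set when forwarding
    cache: dict = field(default_factory=dict)

    def resolve(self, qname: str, auth: AuthoritativeServer) -> str:
        if qname in self.cache:
            return self.cache[qname]
        if self.upstream is not None:
            # forwarding mode: hand the query to the upstream resolver, so its
            # egress IP, not ours, is what the authoritative server records
            answer = self.upstream.resolve(qname, auth)
        else:
            # resolver (recursive) mode: we contact the authoritative server
            # ourselves, from our own egress address
            answer = auth.query(qname, self.egress_ip)
        self.cache[qname] = answer
        return answer


def new_test_hostname() -> str:
    # unique per probe, so no cache anywhere can answer it
    return f"{secrets.token_hex(8)}.{TEST_DOMAIN}"


def run_leak_test(client_resolver: RecursiveResolver,
                  auth: AuthoritativeServer, probes: int = 3) -> list:
    """Return the resolver IPs the test site observed for this client."""
    tokens = []
    for _ in range(probes):
        host = new_test_hostname()
        client_resolver.resolve(host, auth)
        tokens.append(host.split(".")[0])
    observed = set()
    for t in tokens:
        observed.update(auth.seen.get(t, []))
    return sorted(observed)


# Constructed addresses for the two setups being compared.
WAN_IP = "198.51.100.7"          # the firewall's WAN address (made up)
VPN_RESOLVER_IP = "192.0.2.53"   # egress address of a VPN provider's resolver (made up)


def scenario_resolver_mode() -> list:
    """Resolver recursing on its own, with its queries leaving via the WAN address."""
    auth = AuthoritativeServer()
    unbound = RecursiveResolver("firewall resolver", egress_ip=WAN_IP)
    return run_leak_test(unbound, auth)


def scenario_forwarding_mode() -> list:
    """Resolver forwarding everything to a resolver reached through the VPN tunnel."""
    auth = AuthoritativeServer()
    vpn_dns = RecursiveResolver("VPN provider resolver", egress_ip=VPN_RESOLVER_IP)
    unbound = RecursiveResolver("firewall resolver", egress_ip=WAN_IP, upstream=vpn_dns)
    return run_leak_test(unbound, auth)


if __name__ == "__main__":
    print("resolver mode, WAN egress :", scenario_resolver_mode())
    print("forwarding through VPN    :", scenario_forwarding_mode())
```

The consequence of the model is that the address a leak test reports is the egress address of whichever resolver performed the final lookup, so it is evidence of the path those particular queries took, not of what the resolver is configured to do. A test page therefore cannot show addresses it never receives a query from; if you want to know which interface your resolver's outbound queries actually use, a packet capture on the WAN and tunnel interfaces while the test page loads answers that directly.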

