Jump to content
Not connected, Your IP: 18.188.132.71
farquaad

AirDNS default DNS for Gen2?

Recommended Posts

Hi all,

 

Now that I have my VPN connection running 'tls-crypt, tls1.2' on my pfSense, I am faced with a new problem that I am hoping someone has a solution to.

 

 

At the time, all I needed was 10.4.0.1 as my DNS Server and I'd be set. I was also able to ping 10.4.0.1.

 

Currently, I have a connection 10.7.114.4 so as 10.4.0.1 seems to be unavailable, I point to 10.7.114.1. The problem is that it's no longer a /24 but a /16 so each time the VPN connection is reset, I have to add a new entry in my 'DNS Resolver' or I am without DNS.

 

What am I missing? Is there a document somewhere on how to properly use a Gen2 server?

 

 

10.4.0.1 unreachable

$ dig @10.4.0.1 google.com

; <<>> DiG 9.10.6 <<>> @10.4.0.1 google.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
 

 

The entries I keep adding to the DNS Resolver

forward-addr: 10.7.102.1
forward-addr: 10.7.114.1
 

 

Thanks for your help.

 

Share this post


Link to post

Hello!

 

Accepting the DNS push is probably the best option. DNS server address is always the same address of the VPN default gateway for security reasons.

 

Anyway, 10.4.0.1 remains reachable for DNS queries and backward compatibility (but not for ping). The fact that you can't query it is unexpected, can you tell us the server(s) name(s) you experience this problem on?

 

Kind regards

Share this post


Link to post

Hi,

 

Thanks for helping. Currently, I'm connected to 'Alphirk'. I am able to query 10.7.114.1 but not 10.4.0.1 but that could simply be one of my firewall rules.

 

My bigest concern is getting DNS push to work. I have looked all over the net and I see tons of example on how to configure the server but what parameter does the client need to have for me to get the DNS? I am using pfSense and have the following extra parameters. What am I missing or should not have?

 

resolv-retry infinite;
persist-key;
persist-tun;
auth-nocache;
route-delay 5;
explicit-exit-notify 5;
push-peer-info;
setenv UV_IPV6 yes;
remote-cert-tls server;
mlock;
keepalive 5 30;
 

Thanks for your help.

Share this post


Link to post

Hi,

my english is not good but i have the same problem with my pfSense firewall, so now its not possible to make a dns lookup because 10.4.0.1 timed out at dns request.

i was using the howto on this site für secure pfSense step by step, and the last days there was no update to firewall or other changes, i also tried other airvpn servers but all the same.

thx!

Share this post


Link to post

Same here

 

I found if you are yousing

 

Don't pull routes = [✔] (CHECKED)

 

therès no way

Share this post


Link to post

My friends, I use pfsense as well and I can do dns lookups with 10.4.0.1.

 

 

nslookup www.google.com 10.4.0.1
Server:  UnKnown
Address:  10.4.0.1

Non-authoritative answer:
Name:    www.google.com
Addresses:  2607:f8b0:4000:812::2004
          216.58.194.36
 

Share this post


Link to post

My friends, I use pfsense as well and I can do dns lookups with 10.4.0.1.

 

Hi,

 

I don't think any of us are saying it doesn't work, we're just saying we can't get it to work. Would you care to share your setup so that we may all get it to work?

 

Thanks!

Share this post


Link to post

Same here

 

I found if you are yousing

 

Don't pull routes = [✔] (CHECKED)

 

therès no way

 

Hi,

I tried this. I enabled pulling routes (no check) and removed my forward-addr entries in  the DNS Resolver but after doing so, I have no DNS whatsoever.

 

Were you able to get it working with "pull routes". It does seem like the way to go if I understand the Staff's comment.

Share this post


Link to post

under the openvpn here is my configuration to the latest TLS servers

 

Type-of-Service
Set the TOS IP header value of tunnel packets to match the encapsulated packet value.
Don't pull routes= unchecked
Bars the server from adding routes to the client's routing table This option still allows the server to set the TCP/IP properties of the client's TUN/TAP interface.
Don't add/remove routes= unchecked
Don't add or remove routes automatically Do not execute operating system commands to install routes. Instead, pass routes to --route-up script using environmental variables.=unchecked

 

system > general =  only ip address I have is 10.4.0.1  and it works perfectly with NO leaks

 

 

for the resolver setup i followed this = https://airvpn.org/topic/17444-how-to-set-up-pfsense-23-for-airvpn/?do=findComment&comment=40144

Share this post


Link to post

Hi Air4141841,

 

Thanks for the feedback. If I set the DNS in System > General, I'm basically bypassing the VPN pushing the proper DNS. I got this working a while back but I am trying to have the DNS info pulled from the servers so I never have to worry again about DNS settings our legacy parameters being removed and leaving me in a bind (no pun intended).

 

I am still looking for a document that might help me understand how to set up my client properly. Anyone?

Share this post


Link to post

I am with you as well. I’ve followed several other write up for setting up a pfsense box. Each has their own little small differences

Share this post


Link to post

maybe you dont understand what i mean, i had a working setup without any changes for the last one and a half year and now its not working any more for dns resolving 10.4.0.1 - so i think tehrer must be anything on airvpn side which has been changed in approx. last 72 hours.

 

regards

Share this post


Link to post

under the openvpn here is my configuration to the latest TLS servers

 

Type-of-Service

Set the TOS IP header value of tunnel packets to match the encapsulated packet value.

 

Don't pull routes= uncheckedBars the server from adding routes to the client's routing table This option still allows the server to set the TCP/IP properties of the client's TUN/TAP interface.

 

Don't add/remove routes= unchecked Don't add or remove routes automatically Do not execute operating system commands to install routes. Instead, pass routes to --route-up script using environmental variables.=unchecked

 

 

system > general =  only ip address I have is 10.4.0.1  and it works perfectly with NO leaks

 

 

for the resolver setup i followed this = https://airvpn.org/topic/17444-how-to-set-up-pfsense-23-for-airvpn/?do=findComment&comment=40144

 

This works

Share this post


Link to post

 

My friends, I use pfsense as well and I can do dns lookups with 10.4.0.1.

 

Hi,

 

I don't think any of us are saying it doesn't work, we're just saying we can't get it to work. Would you care to share your setup so that we may all get it to work?

 

Thanks!

 

 

I don't use resolver or forwarder in pfsense.  I assign DNS to clients via DHCP (can be 10.4.0.1 or 1.1.1.1 or whatever) and enforce via port forwarding rules and firewall rules.

Share this post


Link to post

i used to disable the resolver and forwarder and setup static DNS servers under services >  DHCP server > servers.

 

but i could never get it to pass a dnssec resolver test so i turned it back on and set it up the way i posted

Share this post


Link to post

Well, well, it seems I'm not alone in having difficulties. We all have solutions, but none of them seem to take advantage of the DNS settings that are pushed to the client from the VPN Server.

 

Does AirVPN have a document that could help us or a friendly staff that could help us? I expect it's been thoroughly tested before being implemented so the knowledge is there...

 

Thank you all for trying to help by the way, I appreciate. I hope we can find the solution that will help us all have a getter config!

Share this post


Link to post

if you open command prompt from within pfsense.  and run IFCONFIG

 then execute.      under your interface ip/ interface.  it should list a DNS server for the server you are connected too ?

 

i found found the address and added it.  went to nslook up and it IS using the new address listed along with 10.4.0.1

Share this post


Link to post

The rule is that the default gateway is also the DNS and the DG is always X.X.X.1 so each time I get an IP in a new range, I just add it to the list in DNS Resolver but there has to be a better way. Our friendly staff above seems to think so.

 

Right now I have 10.7.110.X so I just add the DNS 10.7.110.1... There has to be a better way.

Share this post


Link to post

With a bit of a delay but the following is the answer I got from the AirVPN staff. I have not managed to get it working with pfSense but if/when I do, I will let you know.

 

The accessible DNS servers on every and each subnet have the following addresses:

- the VPN gateway address
- 10.4.0.1 unconditionally (reachable, but not ping-able, from every and each subnet)

To extract the first DNS server address you can either read the DNS push or the VPN default gateway.

An idea for something vaguely related (the user was looking for some ping-able address inside the VPN, but in that way you catch even the DNS address):
airvpn.org/topic/28793-monitor-ip/#entry75755

Otherwise, for more ideas on how to handle the DNS push, also have a look at this:
airvpn.org/topic/9608-how-to-accept-dns-push-on-linux-systems-with-resolvconf/

Share this post


Link to post

I huffed and I puffed but I never got it to work with 10.4.0.1.

 

I realise this might be a pfSense specific question but the results are odd and seem to show that there is a difference between 10.4.0.1 and the DNS found on each specific subnet.

 

In the pfSense DNS Resolver, under "Custom Options", I add the following line:

forward-addr: 10.4.0.1

I am unable to resolve any domain with that setting, but if I add the DNS of the VPN subnet I'm using, it works!

forward-addr: 10.7.126.1

 

Strangely, if I open up the firewall and query 10.4.0.1 directly (not through pfSense DNS Resolver), it responds as expected.

 

Am I missing the obvious? I am confused!

Share this post


Link to post

mine has worked with 10.4.0.1 since day one  it must be how your pfsense is setup differently some how.

  whos directions do you follow to setup your router?

 

i have started adding the gateway as well since i read this thread.  and under dnslookup.   both addresses are used and it resolves out.

 

 

its gotta be your setup some how

Share this post


Link to post

Over time I've done quite a few changes from the original guide I followed. Which guide did you use?

 

Currently, I have it set up the following way:

 

No DNS entry under System > General Setup > DNS Server settings

 

Under Services > DNS Resolver

 

Network Interfaces:

   LAN, WIFI, localhost

Outgoing Network Interface:

   VPN interfaces

Custom options:

   forward-addr: 10.4.0.1
   forward-addr: 10.7.126.1

 

Hi Air4141814

 

I also have firewall rules that allow all traffic to the firewall and Denies any other DNS traffic

   LAN net -> This firewall 53/UDP ACCEPT

   LAN net -> !This firewall 53/UDP DENY

 

If I only have 10.4.0.1 referenced in the DNS Resolver, it fails. If I add the DNS of the subnet, it works.

 

It's also worth noting I use multple VPN connections as a Gateway Group.

 

Any indication on how you got it setup would be nice. Thanks!

Share this post


Link to post

i have found when i have no DNS entry's under general > DNS my box fails to resolve fairly soon if not immediately

 

i have also followed the DNS to TLS post made by pfsense https://www.netgate.com/blog/dns-over-tls-with-pfsense.html

 

im happy to post screen shots but it will take some time

 

a minimum i have 10.4.0.1 and 9.9.9.9 set to NOTHING.  not wan OR my airvpn interface.  

Share this post


Link to post

Hi,

Don't worry about the screen shots, it would be way to time consuming. I'll give it a go and let you know. Thanks for your help!

Share this post


Link to post

I have started suffering from this as well the past 3 days, it has been working for years, since pfsense 2.1, and nothing has changed my end for months.

My setup replicates the guide in 
https://nguvu.org/pfsense/pfsense-baseline-setup/

 

To try and resolve this I have even upgraded to pfsense to 2.4.4, but the only thing which seems to work is to set the DNS server of the gateway I am on, on all clients.   Setting it in pfsense as the DNS forwarders does not seem to by pushed to the clients.?

 

I have not tried the DNS over TLS guide yet, as I really dont want to use DNS servers external to AIRVPN to avoid leaks.

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...