Comment on DNS kicking my ass (Technitium and opnsense)
stratself@lemdro.id 3 weeks ago
Have you solved your problem? It seems like there are some issues with your setup:
> TDNS is set to “allow recursion only for private networks”. This means that if something external tried to resolve using my TDNS they’ll be refused, correct?

Correct. It only accepts recursive queries from private networks and can make outbound requests to the internet as normal.
> 10.2.0.1 turned out to be my vpn’s dns server

On the computer, you’re also using your VPN’s DNS service, accessible within the VPN tunnel (hence the weird IP address). If you want to use Technitium, you should disable that service.
> I set NAT rules to force TDNS port 53 routing. TDNS is set to forward to quad9 and cloud flare externally. DNS blocking lists are set in TDNS.
> Unable to reach external net when NAT rules active.
If you’re forcing every device to talk to TDNS, then your TDNS server is also talking to itself and cannot make queries to Cloudflare/Quad9 on port 53. You can either:
- Create an exception rule to allow your TDNS address to talk to Cloudflare/Quad9
- Use DNS-over-HTTPS/DNS-over-TLS as your TDNS forwarder protocols as they aren’t affected by rules on port 53 (recommended)
> It seems the DHCP is handing out the firewall’s IP for DNS server, 100.100.100.1. Is that the expected behavior, since DNSmasq should be forwarding to TDNS 100.100.100.333?

Yes, it’s expected if you’re telling your clients to forward their queries to dnsmasq and then letting dnsmasq forward those queries to Technitium. If you want clients to talk directly to TDNS instead, set the DHCP option to advertise its address and don’t use your firewall’s address as a forwarder. I prefer the second option as it’ll give you correct client IPs in query logs and save some round trips.
> I don’t really know what I’m doing with zones but I have a primary zone set with example.com. I set some static hosts records in this zone and enabled reverse lookup, expecting servicehost.example.com

If you can query the zone and its reverse PTR record in Technitium’s DNS client, then you’ve set it up properly. Remember you’ll have to tick the PTR option when setting up said record. You can also open an issue on Technitium’s GitHub or their subreddit for assistance.
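The port-53 redirect loop described in this reply, modelled as an added example (it is not code from the thread, from Technitium or from OPNsense); the addresses, the rule model and the forwarder table are constructed assumptions:

```python
from dataclasses import dataclass

# Constructed addresses for the scenario in the reply (assumptions, not real hosts).
CLIENT = "100.100.100.50"   # a LAN client
TDNS = "100.100.100.3"      # assumed Technitium address on the LAN
QUAD9 = "9.9.9.9"           # upstream forwarder


@dataclass(frozen=True)
class RedirectRule:
    """NAT rule: traffic to `dport` is redirected to `target` unless the source is exempt."""
    dport: int
    target: str
    exempt_sources: frozenset = frozenset()

    def applies(self, src: str, dport: int) -> bool:
        return dport == self.dport and src not in self.exempt_sources


def apply_nat(src: str, dst: str, dport: int, rules) -> str:
    """Destination after the first matching redirect rule (unchanged if none matches)."""
    for rule in rules:
        if rule.applies(src, dport):
            return rule.target
    return dst


def trace_query(src, dst, dport, rules, forwarders, max_hops=8):
    """Follow one DNS query through NAT and each resolver's forwarder.
    `forwarders` maps a local resolver to (upstream_addr, upstream_port).
    Returns (path, status) with status "ok", "loop" or "too-many-hops"."""
    path = [src]
    for _ in range(max_hops):
        dst = apply_nat(src, dst, dport, rules)
        if dst in path:                 # query came back to a hop it already visited
            return path + [dst], "loop"
        path.append(dst)
        if dst not in forwarders:       # reached a resolver that answers itself (Quad9)
            return path, "ok"
        src, (dst, dport) = dst, forwarders[dst]
    return path, "too-many-hops"


def scenarios():
    """The three situations from the reply: plain redirect, exception rule, DoT forwarder."""
    redirect_all = [RedirectRule(53, TDNS)]
    with_exception = [RedirectRule(53, TDNS, frozenset({TDNS}))]
    return {
        "redirect only": trace_query(CLIENT, QUAD9, 53, redirect_all, {TDNS: (QUAD9, 53)}),
        "exception rule": trace_query(CLIENT, QUAD9, 53, with_exception, {TDNS: (QUAD9, 53)}),
        "DoT forwarder": trace_query(CLIENT, QUAD9, 53, redirect_all, {TDNS: (QUAD9, 853)}),
    }
```

Running `scenarios()` shows the first case bouncing TDNS's own upstream query back to TDNS (status "loop"), while the exemption and the port-853 forwarder both reach Quad9.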
roundup5381@sh.itjust.works 2 weeks ago
Thanks for taking the time to comment here, I think I’ve gotten it mostly straightened out now!
One last thing I’m curious about: I’d like to continue using a VPN for privacy concerns. Would directing all my traffic through a VPN be the only way to benefit from the VPN service while also benefiting from DoT and DNS self-hosting?
stratself@lemdro.id 2 weeks ago
Glad to know you got it working.
When you use a VPN as a matter of privacy, I believe you should use their DNS service too, to blend in with the crowd. Because of DNS leaks, websites would likely know which DNS server you’re querying from, so using a self-hosted one instead of the VPN’s can be a major uniqueness vector. On the contrary, however, I’ve seen many do exactly that, so I guess it’s not as big of an issue. So it’s your choice ultimately.
Now, if you opt for a commercial VPN’s DNS servers, be aware that they don’t usually block any ads (if they do, it’s likely a paid option), and you’d want to configure your own local zones too. To intercept DNS queries and forward only the approved ones to the VPN, I think you have 2 options:
roundup5381@sh.itjust.works 2 weeks ago
Great answer, thanks for sharing the knowledge and taking the time to comment.