FingerlessGlov3s / OPNsensePIAWireguard

This script automates setting up WireGuard on OPNsense to connect to PIA's NextGen WireGuard servers. It creates a WireGuard Instance (Local) and Peer (Endpoint) on your OPNsense setup.
BSD 3-Clause "New" or "Revised" License

Feature request -- local dns option. #57

Closed dicepvp closed 5 months ago

dicepvp commented 7 months ago

The ability to have the instance IP forward to Unbound as a DNS server, or forward it to another local DNS using Unbound. The current issue is the WG instance IP will change from time to time, meaning that you have to go and change all the configs regarding the DNS constantly.

dicepvp commented 7 months ago

It's also possible in the PIA client. I wonder if it would be possible to kind of reverse engineer that, if it works by sending a request to the PIA server.

FingerlessGlov3s commented 7 months ago

Can you please explain in more detail what you want or are currently doing? I'm not 100% sure I understand what you're trying to achieve.

dicepvp commented 7 months ago

Of course. I have a local DNS so I can block specific domains like ads, Microsoft updates, trackers, malware, porn etc. As far as I'm aware the DNS must be the same as the WG instance tunnel address, otherwise it won't pass traffic correctly. The issue is that from time to time the WG tunnel address changes, which then breaks the config. In order for this to function currently I have AdGuard Home listening on the WireGuard tunnel address; I have created a port forward for the DNS/tunnel address using port 53; I then use DHCPv4 to forward the DNS/tunnel address on LAN for all of my devices. My idea would be a way to update DHCPv4, the firewall port forward and Unbound/AdGuard Home with the new tunnel address each time it changes, or even better a way to specify a DNS for PIA to use. "I'm fine with using either AdGuard Home or Unbound as they both can do what I want/need."

FingerlessGlov3s commented 7 months ago

I think what you're trying to say is you want to use PIA for outbound DNS lookups while maintaining the DNS blocklists?

Are you using AdGuard Home in forwarding mode or recursive mode? I'm not 100% familiar with AdGuard Home but very familiar with how DNS works.

I think we can simplify the setup here, if you're trying to do what I think you're trying to do 🤔

dicepvp commented 7 months ago

How would I tell the difference between the two? Never mind, it's recursive.

FingerlessGlov3s commented 7 months ago

Does it need to be recursive, or would using PIA or another DNS provider be OK? It would really simplify the configuration to make this work without any intervention 😊

dicepvp commented 7 months ago

I believe it does need to be recursive for AdGuard Home to fully function, sadly.

FingerlessGlov3s commented 7 months ago

Looks like you can set upstream DNS servers. What we could do is use Quad9 or someone else, then use static routes on OPNsense to ensure all traffic going to the Quad9 IPs uses the PIA tunnel. Then the issue you have would disappear 😊. Can just leave it listening on the LAN interface.

[screenshot omitted]

dicepvp commented 7 months ago

Thanks, I will give it a try. What about if I need to use a specific upstream?

FingerlessGlov3s commented 7 months ago

Since you already have the PIA gateway configured, you can go straight into System: Routes: Configuration and create a route for each upstream DNS provider's IPs.

[example screenshot omitted]

dicepvp commented 7 months ago

Alright, thanks for your help.

FingerlessGlov3s commented 7 months ago

No problem, let me know how it goes 😊.

If you use Quad9 you can use https://on.quad9.net/ to test if it's using Quad9, then you can use the firewall logs to see if the traffic to Quad9 left the right interface 😊

bedub1 commented 7 months ago

You need to be really careful about this.

If you reboot your firewall, your VPN tunnel will be down. If you have your routes configured to send all DNS traffic over the VPN, then when the system tries to connect the VPN it'll send a DNS query for the PIA endpoint... over a tunnel that doesn't exist. You'll never be able to resolve the PIA DNS entry, thus never connect the VPN tunnel.
You'll end up in a circular dependency situation.

FingerlessGlov3s commented 7 months ago

I would set OPNsense itself to use the local DNS server as the first DNS server on the list and then set a different DNS service like 1.1.1.1 as the secondary, to remove that problem.
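The two checks this thread ends on (that every upstream resolver IP has a static route out of the PIA tunnel, and that the firewall keeps at least one resolver that does not depend on the tunnel so the PIA endpoint can be resolved at boot) can be scripted against the routing table instead of eyeballed in the GUI. The following is an added example, not part of this issue or of the OPNsensePIAWireguard script. It parses `netstat -rn -f inet` output and `/etc/resolv.conf` as found on OPNsense (FreeBSD); the interface names `wg1`, `em0`, `em1`, the tunnel gateway `10.8.0.1`, the LAN resolver address `192.168.1.1` and the sample routing table itself are constructed assumptions, while Quad9 (`9.9.9.9`, `149.112.112.112`) and `1.1.1.1` are the resolvers named above.

```python
"""Check PIA-tunnel DNS routing on OPNsense for leaks and boot-time deadlock.

Example code written for this thread; it is not part of OPNsensePIAWireguard.
IPv4 only, which matches `netstat -rn -f inet`.
"""
from __future__ import annotations

import ipaddress
import sys
from typing import NamedTuple, Optional

# Assumed names (not from the thread): PIA WireGuard interface wg1 with
# gateway 10.8.0.1, WAN em0, LAN em1, and AdGuard Home / Unbound listening on
# the LAN address 192.168.1.1. Loopback resolvers are detected automatically.
TUNNEL_IF = "wg1"
UPSTREAM_DNS = ["9.9.9.9", "149.112.112.112"]  # Quad9, as suggested above
LOCAL_RESOLVERS = {"192.168.1.1"}

# Constructed sample of `netstat -rn -f inet` output from an OPNsense box
# after adding one host route per Quad9 address via the PIA gateway.
SAMPLE_ROUTES = """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
9.9.9.9            10.8.0.1           UGHS        wg1
10.8.0.0/24        link#5             U           wg1
127.0.0.1          link#2             UH          lo0
149.112.112.112    10.8.0.1           UGHS        wg1
192.168.1.0/24     link#1             U           em1
203.0.113.0/24     link#1             U           em0
"""

# Constructed /etc/resolv.conf contents for the two setups discussed: only
# resolvers that depend on the tunnel (circular at boot) versus the local
# resolver first and 1.1.1.1 as a tunnel-independent fallback.
BAD_RESOLV_CONF = "nameserver 127.0.0.1\nnameserver 9.9.9.9\n"
GOOD_RESOLV_CONF = "nameserver 127.0.0.1\nnameserver 1.1.1.1\n"


class Route(NamedTuple):
    dest: ipaddress.IPv4Network
    gateway: str
    flags: str
    netif: str


def parse_netstat(text: str) -> list[Route]:
    """Parse the Destination/Gateway/Flags/Netif columns of `netstat -rn -f inet`."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] == "Destination":
            continue  # banner lines, blank lines and the column header
        dest, gateway, flags, netif = parts[:4]
        net = ipaddress.IPv4Network("0.0.0.0/0" if dest == "default" else dest, strict=False)
        routes.append(Route(net, gateway, flags, netif))
    return routes


def lookup(routes: list[Route], ip: str) -> Optional[Route]:
    """Longest-prefix match, i.e. the route the kernel would pick for ip."""
    try:
        addr = ipaddress.IPv4Address(ip)
    except ipaddress.AddressValueError:
        return None  # IPv6 or junk: no IPv4 route applies
    matches = [r for r in routes if addr in r.dest]
    return max(matches, key=lambda r: r.dest.prefixlen, default=None)


def upstreams_via_tunnel(routes: list[Route], upstreams: list[str], tunnel_if: str) -> dict[str, bool]:
    """True per upstream resolver if its best route leaves via the tunnel;
    False means AdGuard Home / Unbound queries to it would leak out the WAN."""
    return {ip: (r := lookup(routes, ip)) is not None and r.netif == tunnel_if for ip in upstreams}


def parse_resolv_conf(text: str) -> list[str]:
    return [line.split()[1] for line in text.splitlines() if line.startswith("nameserver")]


def bootstrap_resolver_ok(routes: list[Route], nameservers: list[str],
                          local_resolvers: set[str], tunnel_if: str) -> bool:
    """The firewall must resolve the PIA endpoint hostname before the tunnel
    exists. A resolver only helps if it is neither the local recursive
    resolver (whose upstreams are routed via the tunnel) nor itself reached
    through the tunnel; otherwise the dependency is circular."""
    for ns in nameservers:
        if ns in local_resolvers or ipaddress.ip_address(ns).is_loopback:
            continue
        r = lookup(routes, ns)
        if r is not None and r.netif != tunnel_if:
            return True
    return False


def report(netstat_text: str, resolv_text: str) -> list[str]:
    routes = parse_netstat(netstat_text)
    lines = []
    for ip, ok in upstreams_via_tunnel(routes, UPSTREAM_DNS, TUNNEL_IF).items():
        lines.append(f"upstream {ip}: " + (f"via {TUNNEL_IF}" if ok else "LEAKS outside the tunnel"))
    ok = bootstrap_resolver_ok(routes, parse_resolv_conf(resolv_text), LOCAL_RESOLVERS, TUNNEL_IF)
    lines.append("boot-time resolution of PIA endpoint: " + ("OK" if ok else "CIRCULAR, all resolvers need the tunnel"))
    return lines


if __name__ == "__main__":
    # On the firewall: netstat -rn -f inet | python3 check_dns_routes.py /etc/resolv.conf
    if len(sys.argv) > 1:
        netstat_text, resolv_text = sys.stdin.read(), open(sys.argv[1]).read()
    else:
        netstat_text, resolv_text = SAMPLE_ROUTES, BAD_RESOLV_CONF
    print("\n".join(report(netstat_text, resolv_text)))
```

Run without arguments it evaluates the constructed sample and flags the circular case; piped the real `netstat -rn -f inet` output with the path to `/etc/resolv.conf` it reports on the live box. Note that `127.0.0.1` and the LAN address are deliberately treated as tunnel-dependent because, in the setup described above, the local resolver forwards to upstreams that are themselves routed through the PIA tunnel; only a secondary such as `1.1.1.1` with no static route via the tunnel breaks the loop.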