DNS Forwarding+upstream Proxy

Hello,

I run Ipfire in recursor mode for DNS.

The affected machine goes through the Squid proxy to the Internet. Squid is configured with an upstream proxy.
I use the firewall rule from the docs (Redirecting Services) to redirect all DNS queries to IPFire.

First I observed a DNS leak in recursor mode (but even when using a DNS server) plus the DNS server of the upstream proxy, but the second one is not that serious. This is without DNS forwarding activated.

Is it possible to use the DNS forward option with an upstream proxy for internet domains without DNS leaks?
The docs say it can also be used for geo-unblocking services, but this would not work if a DNS leak appears.

Second, I tried to resolve certain domains via 1.1.1.1 in the DNS forwarding settings, but received the following error message from unbound:

error: SERVFAIL : all the configured stub or forward servers failed, at zone “internet domain” from 1.1.1.1 got SERVFAIL

This circumstance, that unbound outputs an error, simultaneously prevents the DNS leak of the IPFire, and via the DNS server of the upstream proxy the page loads normally.
This is a working solution in my case, but it is not the desired result of DNS forwarding.

Why do I get this error from unbound?

Btw, I use the Firefox browser with the IPFire Squid proxy configured and the option "Proxy DNS when using SOCKS v5" activated.

DNS forward and Squid upstream proxy are two distinct processes.
DNS does the resolution of URLs/FQDNs to IP addresses. Forwarding just defines some additional servers for distinct local devices.
Squid proxies the web access (HTTP/HTTPS), a part of the data traffic. Usually the destination has already been resolved to an IP. The upstream proxy just adds another proxy instance in the access path to a web server.

Could you elaborate on your settings, please?

As I understand the instructions for DNS forwarding, you can use a separate DNS server for certain target addresses (FQDN) than the one distributed via the DHCP.

This is going to get wild, but without knowing the context, the error cannot be narrowed down to that extent.

Let's leave the upstream proxy out of the equation for now, but you can use it to prove that the routing is basically working.

Ipfire runs in forward block mode. Whitelist

DNS:
The IPFire with unbound runs in recursor mode and is the DNS server for all clients; all requests on port 53 are redirected to the IPFire using a firewall rule.
DNS requests from IPFire use TLS mode and strict QNAME.
However, the problem also occurs when I select a DNS server, e.g. 5.9.164.112 (Digitalcourage).

DNS Forwarding:
I use "ipleak.net" and "browserleaks.com" as the destination address (FQDN) and "1.1.1.1" as the DNS server.

Client 1 is restricted with the Windows Firewall, which only allows two connections to the outside, a VPN exit whose port in the IPfire is only released to certain fixed IP addresses and access to the IPfire itself.
In multi-tab mode, the Firefox browser of client 1 has the option of specifying a separate proxy server for each group. Group 1 uses the Squid proxy of the Ipfire.
The DNS via Socks5 option in the proxy settings must be activated. I will also explain why.

Let’s assume I deactivate the DNS forwarding option and call the domain ipleak.net.
This provides me with my IP and the same IP as DNS because Ipfire itself is the DNS server.

If I now activate DNS Forwarding, I expect that my IP is still displayed, but the DNS server is 1.1.1.1 or one of cloudflare’s DNS servers.
Instead, Firefox can’t find the address and I get the error message in the unbound log mentioned in the initial post.
Under connections I also see Ipfire trying to connect on port 53 with 1.1.1.1.
I do not get an entry in the log that this call is blocked.

So where is the error?

How do I use this error and what does the upstream proxy enable?

If I now put an upstream proxy in front of the Squid, deactivate DNS forwarding and call ipleak.net again, the so-called DNS leak occurs.
I am shown the IP of the upstream proxy and the corresponding DNS server plus the IP of the IPFire. That's not what I wanted.

If I now activate DNS forwarding, unbound generates the same error message again BUT the page can be accessed and the IP of the IPFire has disappeared.
It only recognizes the IP of the upstream proxy and its DNS server.

Actually it would have been enough for me that the IP of the Ipfire disappears as DNS and 1.1.1.1 is displayed.
Due to the errors in unbound I played around a bit and got the same result even without recursor mode.

Why does the DNS over SOCKS proxy option have to be activated for this? The Firefox API unfortunately has the strange habit of sending a DNS query to everything and everyone else, which then ensures that all DNS servers used are displayed, including those of the VPN connection from Windows or those of the other SOCKS proxy connections that are defined in multi-tab mode.

So why do I get these unbound errors with DNS forwarding?

P.S. Same results with browserleaks.com, but dnsleaktest.com or dnstools.check do not show the DNS leaks, so they are not recommended for these tests.

Here are a few more results from the console of the Ipfire, which show that DNS forward should work in principle, but it just doesn’t work as described.
With DNS forwarding activated, I cannot access the address with the default DNS, but there is no automatic redirection either.
However, if I use the entered address manually, I get a response even with DNSSEC support.

cat /etc/resolv.conf
search localdomain
nameserver 127.0.0.1
options edns0 trust-ad

host google.com
google.com has address 216.58.206.78
google.com has IPv6 address 2a00:1450:4001:81d::200e
google.com mail is handled by 10 smtp.google.com

With DNS forwarding activated

host ipleak.net
Host ipleak.net not found: 2(SERVFAIL)

With DNS forwarding disabled

host ipleak.net
ipleak.net has address 95.85.16.212
ipleak.net has IPv6 address 2a03:b0c0:0:1010::509:d001
ipleak.net mail is handled by 10 mx.airvpn.org.

With DNS forwarding activated

host ipleak.net 1.1.1.1
Using domain server:
Name: 1.1.1.1
Address: 1.1.1.1#53
Aliases:
ipleak.net has address 95.85.16.212
ipleak.net has IPv6 address 2a03:b0c0:0:1010::509:d001
ipleak.net mail is handled by 10 mx.airvpn.org.

dig google.com +dnssec +short @192.168.1.1
216.58.206.78
dig google.com +dnssec +short @1.1.1.1
;; communications error to 1.1.1.1#53: timed out
216.58.212.142

With DNS forwarding disabled

dig google.com +dnssec +short @1.1.1.1
216.58.206.46

dig ipleak.net +dnssec +short @1.1.1.1
95.85.16.212

With DNS forwarding activated

dig ipleak.net +dnssec @1.1.1.1
; <<>> DiG 9.20.1 <<>> ipleak.net +dnssec @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63674
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;ipleak.net. IN A

;; ANSWER SECTION:
ipleak.net. 86400 IN A 95.85.16.212

;; Query time: 48 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Fri Nov 01 15:14:34 CET 2024
;; MSG SIZE rcvd: 55

dig ipleak.net +dnssec

; <<>> DiG 9.20.1 <<>> ipleak.net +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 11845
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;ipleak.net. IN A

;; Query time: 113 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Fri Nov 01 15:18:12 CET 2024
;; MSG SIZE rcvd: 39
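As an added example (not from this thread, and not IPFire's own tooling), a small Python script that parses dig output like the runs above and classifies the result: a direct query to the forwarder succeeding while the local unbound returns SERVFAIL points at the forward path or DNSSEC validation inside unbound, not at the forwarder. The embedded samples are trimmed copies of the two dig runs in this post; the classification rules are my own assumption.

```python
import re

# Constructed samples, trimmed from the two dig runs in the post (DNS forwarding active):
# the direct query to 1.1.1.1 answers, the query via unbound on 127.0.0.1 returns SERVFAIL.
DIG_DIRECT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63674
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
ipleak.net. 86400 IN A 95.85.16.212
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
"""
DIG_LOCAL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 11845
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
"""


def parse_dig(text):
    """Extract status, header flags, answering server and A/AAAA records from dig output."""
    status = re.search(r"status: (\w+)", text)
    flags = re.search(r";; flags: ([a-z ]+);", text)
    server = re.search(r";; SERVER: ([^#\s]+)#", text)
    answers = re.findall(r"^\S+\s+\d+\s+IN\s+(?:A|AAAA)\s+(\S+)", text, re.M)
    flagset = set(flags.group(1).split()) if flags else set()
    return {
        "status": status.group(1) if status else None,
        "flags": flagset,
        "validated": "ad" in flagset,  # 'ad' = answer marked DNSSEC-authenticated by the server
        "server": server.group(1) if server else None,
        "answers": answers,
    }


def diagnose(local, direct, forwarder):
    """Compare the local resolver's result with a direct query to the configured forwarder."""
    if direct["status"] != "NOERROR":
        return "forwarder %s fails on its own; the forward target is the problem" % forwarder
    if local["status"] == "SERVFAIL":
        return ("forwarder answers directly but the local resolver returns SERVFAIL: "
                "check the forward-zone and DNSSEC validation in unbound")
    if local["server"] != "127.0.0.1":
        return "the query did not go through the local resolver at all"
    if set(local["answers"]) == set(direct["answers"]):
        return "forwarding consistent with " + forwarder
    return "local resolver answers, but not with the data from " + forwarder


if __name__ == "__main__":
    print(diagnose(parse_dig(DIG_LOCAL), parse_dig(DIG_DIRECT), "1.1.1.1"))
```

On a live box, feed the script the output of `dig <name> +dnssec` and `dig <name> +dnssec @<forwarder>` instead of the embedded samples.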

The solution I have found so far protects me from an unnecessary DNS leak from my ISP. I have changed two things: I have moved away from recursor mode and use a different DNS server; the Quad9 servers are now entered in IPFire.
Funnily enough, this is practically also a system-wide DNS forward, except that no errors are shown in the log. I suspect the first DNS server generates errors during DNSSEC verification.
But why a fallback, and thus a DNS leak, occurs in the interaction of recursor mode and DNS forwarding I unfortunately cannot answer, and I would call it a bug, since geo-localization would not work with this behavior.

@bbitsch

Leaving aside the topic described above for the moment.
These are my settings for unbound and the upstream proxy.

The DNS of the upstream proxy has the same IP as the proxy.
The validation errors in the log only appear when the upstream proxy is running; otherwise, only the block message appears.

My browser is forced to use the IPFire proxy, so I get no block messages for it.
The address 127.0.0.1 is shown under connections, but nothing is blocked here.