dns resolver does not resolve in my clients
-
Hi, I need help.
I have a server with pfSense (LAN and WAN) with OpenVPN (the network used by pfSense is 10.25.0.0/20). Everything connects and resolves DNS fine, and I can ping between clients and servers (according to my configuration in the firewall) correctly. Clients and servers have static IP addresses within the pfSense network, so I don't use DHCP.
The problem comes when a domain "domain.private.com" (IP 25.x.x.x) hosted on a server points to an address of another VPN outside of this one (that is, private). On a client/server this could be solved just by modifying the "hosts" file and pointing the domain to the new pfSense internal LAN IP where the "domain.private.com" client is configured.
But I've been reading about this, and I could modify where a domain points to with pfSense's "DNS Resolver" in the "Host Overrides" section. However, once I configure everything, both clients and servers still use their own DNS and therefore resolve the domain naturally to "domain.private.com" (IP 25.x.x.x) ... I'll show you a few slides of my setup.
System> General Settings> (dns settings)
CONFIGURATION OF THE "DNS RESOLVER"
You can see that the intention is that the domain "domain.private.com" points to an IP "10.25.x.x", and that would already work for me. I have tried two NAT rules (just in case) to force DNS traffic.
Once the two previous NAT rules are added, two rules are added in the firewall like the following one in openvpn and LAN:
In VPN> OPENVPN> SERVERS> EDIT SERVER> (DNS part configuration):
In VPN> OPENVPN> Client Specific Overrides> (Client Static IP Configuration example):
Once the configuration is finished, I test from Diagnostics > DNS Search whether it resolves correctly .. And yes! It resolves the domain I want perfectly!
The error comes now .. On a client (they all have static IPs), I try to resolve the same domain and they resolve it with their own DNS .. I cannot access the domain because it keeps resolving to 25.x.x.x instead of 10.25.x.x, which is where I want it to resolve ..
Here I show the client, which cannot resolve it .. The tun0 network interface is working correctly with the OpenVPN configured in pfSense, but without resolving that domain.
Any idea what I'm not doing right? Another alternative?
I hope that some hero can help me, since I have been reading documentation and testing configurations for several days and I can not find the trick ...
Thanks in advance, greetings community. -
The last image, the test on an ubuntu device, says :
So, there is a 'DNS' service on that Ubuntu. It is listening on 127.0.0.53:53. Is this a forwarder to pfSense? Somewhere else?
Normally, you wouldn't assign static IPs to local LAN devices.
When using DHCP, the local router/DHCP server, pfSense, collects device info, like the relation between host names and IPs on the LAN.
If all local LAN devices are static, pfSense knows nothing. Exception: the ones listed in unbound's "Host Overrides" list. Put your nslookup in debug mode. You would see who answers what.
-
@gertjan The ubuntu client has DNS by default, and has the openvpn client started on that server. The DNS resolver is located as shown in the images on the pfsense server itself (it is another server).
I need all clients to have static IPs to be able to control them with very strict firewall rules, and so that they always have the same IP. I can solve all this by editing the /etc/hosts file, but could there be any other alternative? Am I doing something wrong? Or is it only feasible to fix it with DHCP mode?
Thanks for answering -
@mduque said in dns resolver does not resolve in my clients:
The ubuntu client has DNS by default,
It has a DNS, right. But what is 'default'?
If you set up a static IP for that Ubuntu, what has been set as the gateway? (probably pfSense) And what did you set as the DNS?
Example: if you used 8.8.4.4 as the DNS, then 8.8.4.4 answers .... and 8.8.4.4 doesn't know anything about your local network and local IPs.
@mduque said in dns resolver does not resolve in my clients:
and has the openvpn client started on that server
And the Ubuntu (server) uses this VPN connection also for its DNS purposes?
So pfSense will never see any DNS requests from the Ubuntu device. These will go over the tunnel to 'another DNS server', somewhere on the Internet. -
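The check Gertjan describes above (find out who actually answers the client's DNS queries) as an added example; this script is not from the thread and is not pfSense's or OpenVPN's own code. It assumes that pfSense's unbound listens on 10.25.0.1, that the tunnel interface is tun0, and that the override in Host Overrides maps domain.private.com to 10.25.0.50; all three are placeholders for this example. It parses `resolvectl status` to see which servers systemd-resolved (the stub on 127.0.0.53) uses for the tunnel link, compares the answer the stub gives with the answer pfSense gives when queried directly, and classifies the result. The sample `resolvectl status` text is constructed so the parsing runs offline; the live check needs `dig` and a running tunnel.

```shell
#!/usr/bin/env bash
# Added example: does an Ubuntu OpenVPN client's DNS actually reach pfSense?
# Assumed values (not stated on the page): pfSense resolver 10.25.0.1,
# tunnel interface tun0, test name domain.private.com -> override 10.25.0.50.
PFSENSE_DNS="${PFSENSE_DNS:-10.25.0.1}"
VPN_IF="${VPN_IF:-tun0}"
NAME="${NAME:-domain.private.com}"

# Constructed sample of `resolvectl status` on Ubuntu 20.04 (systemd 245):
# eth0 points at a public resolver, tun0 at pfSense with a routing domain.
SAMPLE_STATUS='Global
       LLMNR setting: no

Link 2 (eth0)
      Current Scopes: DNS
  Current DNS Server: 8.8.4.4
         DNS Servers: 8.8.4.4

Link 3 (tun0)
      Current Scopes: DNS
  Current DNS Server: 10.25.0.1
         DNS Servers: 10.25.0.1
          DNS Domain: ~private.com'

# Print the "DNS Servers:" value of one link ($1) from resolvectl status on
# stdin. systemd-resolved only sends a name to a link's servers when the
# link also has a matching DNS Domain, so check that line too.
link_dns_servers() {
    awk -v link="$1" '
        /^Link [0-9]+ \(/ { inlink = (index($0, "(" link ")") > 0) }
        inlink && /DNS Servers:/ { sub(/.*DNS Servers:[ \t]*/, ""); print }
    '
}

# Classify the two answers: $1 = answer via the stub resolver (what the
# client really uses), $2 = answer from pfSense queried directly.
classify() {
    if [ -z "$2" ]; then
        echo "pfsense-unreachable"   # unbound did not answer: ACL/firewall
    elif [ "$1" = "$2" ]; then
        echo "ok"                    # stub forwards to pfSense, override seen
    else
        echo "bypassed"              # stub asks some other upstream
    fi
}

# Live check on a real client: needs dig (dnsutils) and an up tunnel.
live_check() {
    printf '%s servers: %s\n' "$VPN_IF" \
        "$(resolvectl status | link_dns_servers "$VPN_IF")"
    stub=$(dig +short "$NAME" A | head -n1)
    direct=$(dig +short "@$PFSENSE_DNS" "$NAME" A | head -n1)
    printf 'stub=%s pfsense=%s -> %s\n' "$stub" "$direct" \
        "$(classify "$stub" "$direct")"
}

# Repair without /etc/hosts: send private.com lookups over the tunnel to
# pfSense. The "~" prefix makes it a routing domain only (other names keep
# using the LAN resolver). Run as root after the tunnel is up.
point_tunnel_at_pfsense() {
    resolvectl dns "$VPN_IF" "$PFSENSE_DNS"
    resolvectl domain "$VPN_IF" "~private.com"
}

# Stand-alone demo on the constructed sample (no network needed).
printf 'tun0 servers in sample: %s\n' \
    "$(printf '%s\n' "$SAMPLE_STATUS" | link_dns_servers tun0)"
printf 'sample classification: %s\n' "$(classify 25.1.2.3 10.25.0.50)"
```

Source the file and run `live_check` on the client: "bypassed" means the stub resolver is handing the name to another upstream (the 25.x.x.x answer the original poster sees), and the tunnel link has no DNS server or no routing domain in `resolvectl status`. `point_tunnel_at_pfsense` applies the same two settings that an OpenVPN `dhcp-option DNS` / `dhcp-option DOMAIN` push would, but on Ubuntu those pushed options only take effect if the client config runs an up script that feeds them to systemd-resolved; that is an assumption about the reader's setup, not something the thread shows.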
Why have you got 127.0.0.1 as one of the dns entries in general? I think that could be your problem. Remove that and test it?
-
@jagradang That is not the problem. It is one of the tests that I have done, because in the pfsense server itself it resolves the dns of the domain to the IP I want to point to.
@Gertjan By "default DNS" I mean the one found by default on Ubuntu 20.04 servers. On the pfSense server itself, it does correctly resolve the domain A record to the IP I assigned (not the default IP).
I try to explain my problem again .. I have a pfSense server that acts as a VPN with OpenVPN. I add servers and clients with a static IP so that I can add firewall rules to my liking. Everything connects well and they see each other through the protocols that I want (ssh, https, etc). The problem is when I want a client to access a specific domain that I have (domain1.site.com): the client needs to change the "hosts" file to be able to route it correctly to the internal IP that I have forced in pfSense.
Is there a way in the .ovpn file? Or some other way of forcing the client to access that domain through a forced IP, instead of the one the domain points to?
The operation is typical of the "hosts" file and it would solve all the problems, but I don't want my clients to have to go through this. Any ideas?
I'm sorry if I don't express myself well .. Greetings to all