DNS Domain override not working between 2 pfSense boxes
-
I have 2 networks, each managed by a pfSense box.
The boxes are connected with a WireGuard tunnel. All fine. I added Domain Overrides on each box to forward DNS queries for the respective domain.
sitea.site
pf - 10.0.0.1
siteb.site
pf - 10.10.0.1
Domain override on site A for domain "siteb.site" should be forwarded to 10.10.0.1 and vice versa.
The issue is that it doesn't work. Doing a DNS query using "dig" takes about 5s but doesn't return an IP. Querying the correct pf box directly works fine.
I have added 10.0.0.0/8 to the access list on both sides. Any ideas?
-
@soupdiver I assume this is caused by the same problem as when attempting it using IPsec. Local pfSense services cannot by default query pfSense services on the remote box because, when sending packets in that direction, it uses a wrong source address.
With IPsec this is resolved by creating a GATEWAY under SYSTEM -> ROUTING that is the Local LAN/Inside interface address on which the local DNS is running.
After that you create a static route with the remote LAN network (where the remote DNS listens) using the new gateway.
-
After that you create a static route with the remote LAN network (Where the remote DNS listens) using the new gateway.
But I already have a route for that network, pointing to my WireGuard gateway.
-
@soupdiver said in DNS Domain override not working between 2 pfSense boxes:
I have added 10.0.0.0/8 to the access list on both sides.
But what do you have set for the interface for outbound in unbound? Is it set to all?
If football wasn't starting like now - I would setup wireguard connection between say my VM pfsense and my real pfsense and test this. Maybe halftime or before the night game..
-
@johnpoz said in DNS Domain override not working between 2 pfSense boxes:
But what do you have set for the interface for outbound in unbound? Is it set to all?
Yes on both ends
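For orientation, the two settings being asked about above map onto these directives in the unbound.conf that pfSense generates. This is an added illustration for the thread, not configuration either participant posted; the zone name and addresses are the thread's, and the exact lines pfSense writes for the "Outgoing Network Interfaces" choice are an assumption based on Unbound's own directive names.

```conf
# Domain Override "siteb.site" -> 10.10.0.1 on the site A box
forward-zone:
    name: "siteb.site"
    forward-addr: 10.10.0.1

# Access list entry added on both sides
access-control: 10.0.0.0/8 allow

# Outgoing Network Interfaces = All: no outgoing-interface lines, so the
# source address of the forwarded query is whatever the kernel's route to
# 10.10.0.1 (here the WireGuard route) selects.

# Outgoing Network Interfaces = LAN only would pin it instead (assumed output):
# outgoing-interface: 10.0.0.1
```

The practical consequence is that with "All" selected, the access list on site B has to cover whichever address the site A kernel picks for the tunnel route, which is exactly the question raised next in the thread.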
-
@soupdiver how exactly are these connected - with those 2 different networks - do you have a transit setup with routes?
Why would you not just use the transit network's IPs?
edit: ah they are connected via wireguard, so that is the transit..
So when you set up the access list, what does the query look like it's coming from - is it NATed to the WireGuard IP?
-
ah they are connected via wireguard, so that is the transit..
yup
So when you set up the access list, what does the query look like it's coming from - is it NATed to the WireGuard IP?
You mean on the wire or in theory?
I haven't checked with WireGuard yet what exactly is being sent on the interfaces...
Network A is 10.0.0.0/16
Network B is 10.10.0.0/16
WireGuard network is 10.251.0.0/16
I can access 10.10.0.1 from 10.0.0.1 directly without problems, no NAT happening there I think.
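A small diagnostic for johnpoz's question above (which source address the forwarded query leaves with, and whether site B's access list covers it), using the addresses posted in this reply. This is an added example for the thread, not code from either participant or from pfSense. `host.siteb.site` is an assumed name inside the overridden zone, `REMOTE_ACL` is the 10.0.0.0/8 entry mentioned earlier, and the two dig outputs embedded at the bottom are constructed to match the symptom described (SERVFAIL after roughly 5 s via site A, an immediate answer direct from site B). `probe_source_address` reflects Unbound's choice only when Outgoing Network Interfaces is set to All, because then Unbound leaves source selection to the kernel's route, so run it on the site A box itself (pfSense ships python3; `dig` is assumed to be available or the script can be pointed at a LAN host's dig output).

```python
"""Diagnose a pfSense/Unbound Domain Override across a WireGuard tunnel.
Added example for this thread, not code from it; addresses are the thread's
and are assumptions elsewhere. Run on the site A box or a LAN host behind it."""
import ipaddress
import re
import socket
import subprocess

LOCAL_RESOLVER = "10.0.0.1"     # site A pfSense LAN address (the forwarder)
REMOTE_RESOLVER = "10.10.0.1"   # site B pfSense LAN address (serves siteb.site)
REMOTE_ACL = ["10.0.0.0/8"]     # Unbound access list configured on site B
TEST_NAME = "host.siteb.site"   # assumed hostname inside the overridden zone


def probe_source_address(dst, port=53):
    """Ask the kernel which local address it would use toward dst.
    connect() on a UDP socket sends nothing but fixes the route; getsockname()
    then shows the source Unbound also gets when outgoing interfaces = All.
    Returns None when there is no route (for example when run off-box)."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.connect((dst, port))
            return s.getsockname()[0]
    except OSError:
        return None


def acl_allows(acl_cidrs, src_ip):
    """True if src_ip is covered by any network in the remote access list."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in acl_cidrs)


def parse_dig(output):
    """Pull status, query time in ms and A records out of dig's text output."""
    result = {"status": None, "query_ms": None, "answers": []}
    if "no servers could be reached" in output:
        result["status"] = "TIMEOUT"
    m = re.search(r"status: (\w+)", output)
    if m:
        result["status"] = m.group(1)
    m = re.search(r"Query time: (\d+) msec", output)
    if m:
        result["query_ms"] = int(m.group(1))
    in_answer = False
    for line in output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer:
            if not line.strip() or line.startswith(";;"):
                in_answer = False
                continue
            fields = line.split()
            if len(fields) >= 5 and fields[3] == "A":
                result["answers"].append(fields[4])
    return result


def explain(src_ip, acl_cidrs, via_forwarder, direct):
    """Turn the two dig results plus the probed source address into a verdict."""
    if direct["status"] != "NOERROR":
        return "remote-resolver-fails"       # site B itself is not answering
    if via_forwarder["status"] == "NOERROR":
        return "forwarding-ok"
    if src_ip is None:
        return "source-unknown"              # capture on the wg interface instead
    if not acl_allows(acl_cidrs, src_ip):
        return "acl-blocks-source"           # widen the access list on site B
    return "source-allowed-check-path"       # NAT or firewall rules on the tunnel


def run_dig(name, server):
    """Query name against server, one attempt, 5 s timeout (needs network)."""
    cmd = ["dig", "@" + server, name, "+tries=1", "+time=5"]
    return subprocess.run(cmd, capture_output=True, text=True).stdout


# Constructed dig output shaped like the thread's symptom: the forwarded query
# returns SERVFAIL after about 5 s, the direct query answers immediately.
SAMPLE_VIA_A = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4711

;; Query time: 5003 msec
;; SERVER: 10.0.0.1#53(10.0.0.1) (UDP)
"""
SAMPLE_DIRECT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712

;; ANSWER SECTION:
host.siteb.site.\t300\tIN\tA\t10.10.0.50

;; Query time: 12 msec
;; SERVER: 10.10.0.1#53(10.10.0.1) (UDP)
"""

if __name__ == "__main__":
    src = probe_source_address(REMOTE_RESOLVER)
    via = parse_dig(run_dig(TEST_NAME, LOCAL_RESOLVER))
    direct = parse_dig(run_dig(TEST_NAME, REMOTE_RESOLVER))
    print(f"source toward {REMOTE_RESOLVER}: {src}")
    print(f"via {LOCAL_RESOLVER}: {via}")
    print(f"direct {REMOTE_RESOLVER}: {direct}")
    print(explain(src, REMOTE_ACL, via, direct))
```

The verdict strings are deliberately coarse: `acl-blocks-source` means the kernel picked an address outside 10.0.0.0/8 (a WAN address, for instance), while `source-allowed-check-path` means the access list is not the problem and the next step is a packet capture on the WireGuard interface at both ends to see whether the forwarded query arrives at all and with what source address.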