DNS Default Domain

mloiterman · Jan 9, 2018, 11:29 PM

I have an OpenVPN setup with the DNS Default Domain option checked. I push my local default domain along with my pfSense IP adresss as the local DNS server to clients connecting via openvpn.

I’m running the DNS resolver and pfblockerng and with one exception everything works correctly.

Yesterday, the iOS openvpn client was updated from 1.2.4 to 1.2.5 and since that time I cannot resolve hostnames without manually adding my domain name.

For example I can resolve and ping “host.localdomain.net”, but I can’t ping just “host”.

In looking through the logs on my iPhone I can see:

2018-01-09 17:24:12 NIP: adding search domain localdomain.net
2018-01-09 17:24:12 NIP: adding DNS 192.168.1.1

I can ping the dns server and pfblockerng is correctly blocking. I can also connect with my IPSEC connection and it will resolve just the host name just fine.

This worked fine until yesterday.

Any ideas why I cannot revolve with just the host name any more?

steini · Jan 10, 2018, 8:43 PM

Same problem here. Stopped working yesterday on iOS. Fine in Arch

johnpoz · Jan 10, 2018, 9:47 PM

What does this have to do with pfsense?

Your IOS client updated, and now its not sending your search domain? Get with openvpn on their client you show that your phone got the search domain setting, etc..

What client are you using exactly on your phone that you believe it should use the search domain in the first place?

mloiterman · Jan 11, 2018, 2:40 AM

What does this have to do with pfsense?

Perhaps nothing now that someone else confirmed the same issue. But that wasn't the case when I posted. Also, maybe there is something that can be done on pfSense side to address the issue…?

The clients in question are Prompt 2 and Screens. Previously both clients could connect to machines with just the hostname. Now they both require the FQDN. I'm sure others are impacted too.

johnpoz · Jan 11, 2018, 9:09 AM

There is nothing to be done on pfsense if a fully query is not sent.. A fqdn has to be sent to dns if it is to resolve it.

As you can see in your logs the search domain was sent.. working with the windows client, etc.

steini · Jan 11, 2018, 10:37 AM

I confirmed since I updated the iOS client and pfsense on the same day and did not know on which side the change was made.

johnpoz · Jan 11, 2018, 4:32 PM

it not working just forces you to break a bad habit ;)

Its a bad habit to try and resolve host name and hope your search suffix gets you the answer your looking ;)

When trying to resolve something you should always use a fully qualified name.. But from windows client..

You can see it set via ipconfig, see my local.lan is setup for the connection specific dns suffix on my vpn interface when I connect to openvpn.


Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . : local.lan
   Description . . . . . . . . . . . : TAP-Windows Adapter V9
   Physical Address. . . . . . . . . : 00-FF-1F-37-23-EC
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.0.8.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Thursday, January 11, 2018 9:53:58 AM
   Lease Expires . . . . . . . . . . : Friday, January 11, 2019 9:53:58 AM
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . : 10.0.8.254
   DNS Servers . . . . . . . . . . . : 192.168.9.253
   NetBIOS over Tcpip. . . . . . . . : Enabled

Now if your OS or application or tool adheres to that would be up to the OS, tool or application.. Simple check would be a sniff do you see it add the suffix? If not then its on the client side where the issue is..

steini · Feb 1, 2018, 8:09 AM

Well this was fixed in the latest OpenVPN connect client on iOS (1.2.7) so we can start our bad habits again