Netgate Discussion Forum

    DNS Forwarding over VPN

    DHCP and DNS
      brianmills

      Hi, I've been using pfSense for a couple of months now, and it has been nothing but fantastic. So thanks to all involved.

      I'm mainly using it as a gateway on small networks to provide VPN access, as well as DNS/DHCP and as a Certificate manager too.

      However I'm starting to create it as a VPN client on a network, where I want a remote domain accessible to the local users.
      I have OpenVPN setup (routing mode) to the remote site, and I can ping servers in the IP range on that network.
      So now I've added a domain override in the DNS Forwarder to that remote network (as I have for the local domain too).
      So pfSense forwards
      domain.local > local IP of dns server
      domain.remote > remote IP of DNS server on remote network

      The first one works well.
      The second one gets no response.
      An nslookup on the client PC gives "DNS request timed out", i.e.:

      nslookup host.domain.remote
      Server:  pfsense.domain.local
      Address:  10.20.1.7

      DNS request timed out.
          timeout was 2 seconds.
      DNS request timed out.
          timeout was 2 seconds.
      *** Request to pfsense.poli.local timed-out

      Can anyone suggest what could be wrong? or how to debug it?
      Ping on the pfSense box itself works to the remote network, but not on the DNS names. (Like this)

      /root(7): nslookup dc1.domain.remote
      Server:        127.0.0.1
      Address:        127.0.0.1#53

      ** server can't find dc1.domain.remote: NXDOMAIN

        wallabybob

        Does your pfSense box have a route to your remote DNS server? Does the remote DNS server have a route back to your pfSense box?

          brianmills

          Which address would the remote DNS server need a route back to?

          I can successfully ping from clientA (on domain.local) to ServerB (on domain.remote) through pfsense, over the vpn and back.
          So the server does have a route back to 10.20.1.0/24 network.

          Would it be the VPN ip range?

            phil.davis

            By default, the DNS request will be sent with source IP = the IP of your OpenVPN site-to-site link. The remote DNS server would need to know how to route back to that. It can be a nuisance to get all the routes in your internal network to/from the various OpenVPN link subnets known correctly everywhere.
            To fix it: in domain overrides, enter Source IP = n.n.n.n where n.n.n.n is your pfSense LAN IP address.
            Then the requests will come from the LAN IP address, which everything already knows how to route back to.
            PS: It would be handy to be able to use a preconfigured alias in this field - then I could select "LAN address" and it would automatically update itself whenever the LAN address is changed. At the moment, there is data duplication, and if I change the LAN address, I have to also find duplicate places like this and change them also to match.

            As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
            If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

              wallabybob

              @brianmills:

              Which address would the remote DNS server need a route back to.

              The IP address of the system originating the DNS request. Since you are using the DNS forwarder, normally the IP address of the pfSense OpenVPN interface.

              @brianmills:

              I can successfully ping from clientA (on domain.local) to ServerB (on domain.remote) through pfsense, over the vpn and back.
              So the server does have a route back to 10.20.1.0/24 network.

              Is the server here the "remote DNS server"?

              It is a necessary condition there be a path and suitable routes for two systems to communicate. It is not a sufficient condition in that an intervening firewall might block particular traffic (for example, allow http but block ftp), the server application might block/ignore requests from particular IP addresses etc. Is the "remote DNS server" configured to accept DNS requests? Packet capture can be a useful tool to verify specific traffic gets to a particular host and that host generates an appropriate response.

                brianmills

                I think it's a routing issue. My routes seem to not be in place as I expect (even though pinging from client A to the remote server works).

                The DNS server is remote.

                If I was to enter Source IP = n.n.n.n in DNS forwarder, where do I enter that? into the advanced options?

                  phil.davis

                  Put your pfSense LAN IP in the Source IP field of the Edit Domain Override screen - see screenshot example.
                  (The screenshot is from a 2.1 system - I hope the field exists on 2.0.n!)

                  [Screenshot: EditDomainOverride.png]


                    jimp (Rebel Alliance Developer, Netgate)

                    The source address field was added on 2.1, but you can get the same effect using advanced options and removing the current domain override. Make sure to remove the current domain override, so the advanced option one will take effect.

                    server=/domain.com/x.x.x.x@y.y.y.y

                    domain.com is the domain to override, x.x.x.x is the DNS SERVER IP, and y.y.y.y is your LOCAL source IP.

                    Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                    Need help fast? Netgate Global Support!

                    Do not Chat/PM for help!

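Added example (not posted by anyone in this thread): a small model of the reply-routing problem phil.davis describes, plus a builder for the dnsmasq `server=/domain/server@source` line jimp gives. The remote server's routing table, the tunnel address 10.0.8.1 and the remote DNS address 192.168.50.10 are constructed assumptions; only the 10.20.1.0/24 LAN and the 10.20.1.7 pfSense address come from the thread.

```python
"""Why a domain override over OpenVPN can time out, and the dnsmasq fix.

Constructed scenario: the remote DNS server has a route back to the pfSense
LAN (10.20.1.0/24) but none for the OpenVPN tunnel subnet. A query sourced
from the tunnel address therefore gets its reply routed out the default
gateway and never comes back over the VPN.
"""
import ipaddress

LAN_NET = ipaddress.ip_network("10.20.1.0/24")
LAN_IP = ipaddress.ip_address("10.20.1.7")          # pfSense LAN address (from the thread)
TUNNEL_IP = ipaddress.ip_address("10.0.8.1")        # assumed OpenVPN link address
REMOTE_DNS = ipaddress.ip_address("192.168.50.10")  # assumed remote DNS server

# Assumed routing table of the remote DNS server: (destination, next hop).
# Note there is no entry for the tunnel subnet 10.0.8.0/24.
REMOTE_ROUTES = [
    (ipaddress.ip_network("192.168.50.0/24"), "direct"),
    (LAN_NET, "vpn-gateway"),
    (ipaddress.ip_network("0.0.0.0/0"), "internet-gateway"),
]


def next_hop(routes, dst):
    """Longest-prefix match over the route list, as a host's kernel would do."""
    best = None
    for net, hop in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def reply_reaches_pfsense(source_ip):
    """True if the remote server's reply to a query from source_ip returns via the VPN."""
    return next_hop(REMOTE_ROUTES, source_ip) == "vpn-gateway"


def domain_override_line(domain, server_ip, source_ip=None):
    """Build the dnsmasq override line: server=/domain/server[@source]."""
    line = f"server=/{domain}/{server_ip}"
    if source_ip is not None:
        line += f"@{source_ip}"
    return line


if __name__ == "__main__":
    for src in (TUNNEL_IP, LAN_IP):
        print(f"query from {src}: reply via {next_hop(REMOTE_ROUTES, src)}")
    print(domain_override_line("domain.remote", REMOTE_DNS, LAN_IP))
```

Running it shows the tunnel-sourced query's reply leaving via the internet gateway (the timeout in the first post) while the LAN-sourced one returns over the VPN, which is what the `@10.20.1.7` suffix achieves.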
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.