Netgate Discussion Forum

DNS Resolver: OpenVPN client can't query the DNS Resolver

2.2 Snapshot Feedback and Problems - RETIRED
    bschapendonk
    last edited by Dec 11, 2014, 9:27 AM

    Yesterday I upgraded from 2.1.5 to 2.2 RC, everything works (Good job people).

    But today I discovered that OpenVPN clients can't query the DNS resolver.
    Disclaimer: I was already using Unbound as my DNS Resolver in 2.1.5 (I had configured access lists to allow my OpenVPN clients query access to the resolver).

    I can access the management interface just fine by IP from an OpenVPN client.

    What am I missing?

      jimp Rebel Alliance Developer Netgate
      last edited by Dec 11, 2014, 1:03 PM

      Add an entry for their subnet(s) under the Access Lists tab and set them to Allow.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

        bschapendonk
        last edited by Dec 11, 2014, 2:05 PM

        These are my current settings

          phil.davis
          last edited by Dec 11, 2014, 5:28 PM

          I have tried this this evening, connecting in on OpenVPN "Road Warrior" to the office that I upgraded today. I set up the same domain overrides for Unbound as were in dnsmasq and switched over to DNS Resolver (Unbound). Interface selections are both set to "All".
          I added Allow ACLs to cover the OpenVPN tunnel subnets.
          Turned the logging level to 2.
          From home I try to ping names in the internal office network; the names do not resolve. But in the Resolver log on pfSense I see entries showing it is looking up the name I just asked for, like:

          Dec 11 23:01:52 	unbound: [85549:1] info: query response was ANSWER
          Dec 11 23:01:52 	unbound: [85549:1] info: reply from <aaa.bbb.ccc.org.> 10.49.80.2#53
          Dec 11 23:01:52 	unbound: [85549:1] info: response for rt-01.aaa.bbb.ccc.org. A IN
          Dec 11 23:01:52 	unbound: [85549:1] info: use stub aaa.bbb.ccc.org. NS IN
          Dec 11 23:01:52 	unbound: [85549:1] info: resolving rt-01.aaa.bbb.ccc.org. A IN

          10.49.80.2 is the real internal DNS server that is specified in the Domain Override for aaa.bbb.ccc.org.
          So Unbound is getting the request from me, the Road Warrior user, and looking it up. But somehow I never get the answer back to my laptop across the OpenVPN link.
          If I switch back to DNS Forwarder then it works.

          Time for sleep now - maybe someone will have an idea about what to specify next.

          As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
          If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

            bschapendonk
            last edited by Dec 12, 2014, 12:29 PM

            Changing Network Interfaces = ALL to LAN + localhost solved my issue.

            Before (Network Interfaces = All):

            # Interface IP(s) to bind to
            interface: 0.0.0.0
            interface: ::0

            After (Network Interfaces = LAN + localhost):

            # Interface IP(s) to bind to
            interface: 10.8.1.1
            interface: 127.0.0.1
            interface: ::1

            Now VPN clients can use 10.8.1.1 as their DNS resolver.

              cmb
              last edited by Dec 13, 2014, 7:00 PM

              @bschapendonk:

              Changing Network Interfaces = ALL to LAN + localhost solved my issue.

              Now vpn clients can use 10.8.1.1 as their dns resolver

              Is 10.8.1.1 your LAN IP? Looks like it, but just confirming.

                cmb
                last edited by Dec 13, 2014, 7:27 PM

                The issue here is in how Unbound replies to requests in that circumstance. When you bind it to the LAN IP, or a specific list of IPs that doesn't include the OpenVPN tun interface IP, it replies back via the correct source. When you bind to everything, it replies back using the source IP closest to the destination in question, in the OpenVPN case, its tun IP. So you end up with something like this from dig:

                ;; reply from unexpected source: <tun ip>#53, expected <lan ip>#53

                I just committed a fix for the circumstance where you're binding all interfaces. More info here:
                https://redmine.pfsense.org/issues/4111

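The reply-source behaviour cmb describes above, modelled as an added example (this is not code from the thread, from pfSense or from Unbound): it reads the `interface:` lines of the two unbound.conf fragments posted earlier and reports what a dig-style client on the OpenVPN tunnel sees when it queries the LAN address 10.8.1.1. The tunnel network 10.8.0.0/24, the server-side tun address 10.8.0.1 and the client address 10.8.0.6 are assumptions; only the LAN address 10.8.1.1 comes from the thread.

```python
import ipaddress
import re

# Constructed topology modelled on the thread: the pfSense LAN address is
# 10.8.1.1 (confirmed in the thread); the OpenVPN tunnel network 10.8.0.0/24
# with server-side tun address 10.8.0.1 is an assumption for this example.
INTERFACES = {
    "lan": ipaddress.ip_interface("10.8.1.1/24"),
    "ovpns1": ipaddress.ip_interface("10.8.0.1/24"),
}
WILDCARDS = {"0.0.0.0", "::0", "::"}


def bound_addresses(unbound_conf):
    """Collect the 'interface:' directives from an unbound.conf fragment."""
    return set(re.findall(r"^\s*interface:\s*(\S+)", unbound_conf, re.M))


def reply_source(bound, client_ip, queried_ip):
    """Model the source address of Unbound's UDP reply (None = no listener).

    Specific bind: the reply leaves from the socket's own address, i.e. the
    address the query was sent to. Wildcard bind: the kernel picks the address
    of the interface that routes to the client, which for an OpenVPN client
    is the tun address rather than the LAN address that was queried.
    """
    if not (bound & WILDCARDS):
        return queried_ip if queried_ip in bound else None
    client = ipaddress.ip_address(client_ip)
    candidates = [i for i in INTERFACES.values() if client in i.network]
    if not candidates:
        return None
    # Longest-prefix match, as the routing table would do.
    return str(max(candidates, key=lambda i: i.network.prefixlen).ip)


def check_resolver(unbound_conf, client_ip, queried_ip):
    """What a dig-style client sees: 'ok', 'unexpected source <ip>' (reply
    source differs from the queried address, so the answer is discarded) or
    'no listener'."""
    src = reply_source(bound_addresses(unbound_conf), client_ip, queried_ip)
    if src is None:
        return "no listener"
    return "ok" if src == queried_ip else f"unexpected source {src}"


# The two unbound.conf fragments from the thread: Network Interfaces = All,
# then LAN + localhost.
CONF_ALL = "interface: 0.0.0.0\ninterface: ::0\n"
CONF_LAN = "interface: 10.8.1.1\ninterface: 127.0.0.1\ninterface: ::1\n"
```

`check_resolver(CONF_ALL, "10.8.0.6", "10.8.1.1")` reproduces the "reply from unexpected source" case, while the same query against `CONF_LAN` returns "ok", matching the thread's fix; a LAN client gets "ok" under either configuration, which is why the problem only showed up over OpenVPN.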
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.