OpenVPN works but no local DNS

johnpoz

yeah that is where you set the acls on who can query unbound.

john_galt

@johnpoz

Isn't it set by that entry?

The client is 10.0.8.2 and that is in the ACL.

Doug

johnpoz

yeah that should allow it yes.. So you just created it, or that was there already? Do you have automatic set? Not sure if when you have automatic if it reads what you set?

I have always turned off automatic and done my own acls..

I looked closer and sure looks like your getting answers in your packet capture..

Oh your dns on your client is just pointing to loopback??

That kind of broken... should be pointing to pfsense lan IP for dns would be how I would set it up..

john_galt

@johnpoz

No I didn't just create it. It's been there probably since I setup OpenVPN.

I haven't disabled auto-added list.

From that packet capture I thought so as well but I still can't get host resolution. Why I'm at a loss.

Doug

johnpoz

your client is asking itself for dns... So how would that get sent down the tunnel to unbound on pfsense?

john_galt

@johnpoz

I thought so as well John. I had that set to my pfSense IP before a recent pfBlockerNG devel release.
BBcan177 did some "tinkering". I will ping him on this.

Doug

john_galt

@johnpoz

I can now get local DNS over OpenVPN but I don't know why. I would like to if anyone can explain.

In Services > DNS Resolver > General Settings I changed the Network Interfaces from "All" to selecting all the interfaces and saving.

I've spent a lot of time trying to figure this out and really would like to understand why one setting
doesn't work but the other does when essentially they are both the same?

Thanks,

Doug

// Edit//

Here's the forum thread that gave me this fix.

johnpoz

So your clients are using doing ssl/tls queries? over a VPN? WTF???

john_galt

@johnpoz

I’m not even sure how to answer that John. I’ll let it go as it seems to have struck a nerve.

Thanks for your help.

KOM

@john_galt said in OpenVPN works but no local DNS:

I've spent a lot of time trying to figure this out and really would like to understand why one setting
doesn't work but the other does when essentially they are both the same?

That looks like some sort of glitch to me. There may not be any sense to be made about it other than 'bug'.

johnpoz

@john_galt

Dude why would you do dns over tls over your own vpn? Complete nonsense and extra overhead

Did you fix your client from pointing to loop back? Dude I use this every day there is no “bug”

john_galt

@KOM

KOM,

Someone in the old forum article I referenced mentioned something about committing a fix but that was years ago.

Like I tried to explain I know enough about networking to get myself into trouble. But I'm willing to learn.

Thank you for your assistance.

Doug

john_galt

@johnpoz

John,

My name is Doug. It's in my messages. I give you the respect of using your name.

I did fix the loopback.

I really don't understand why you are taking this request for help and my stated lack of
knowledge so personally. I have no idea that I'm doing DNS over TLS over my own VPN.
All I wanted to do was VPN into my home network from my work location and be able
to access assets by name.

If you wish to help I will listen and respect you for it. If you wish to berate then please
don't help.

Doug

KOM

Check your DHCP server to see what it's pushing to clients for DNS.

john_galt

@KOM

KOM,

I will check when I get back to work Monday morning.

It's working now though since I made that change. I don't know why
and that bothers me. I will continue my research.

Thank you for your help.

johnpoz

If you do not understand what dns over tls is then why would you set it??

Fixing your issue does not come from just randomly clicking shit..

Come back when you have your client actually pointing to the IP for dns that is your pfsense box on your vpn connection which was pointed out to you back in the beginning of this thread.

Do a simple query from your client using your fav dns tool, nslookup, dig, host, etc..

Does it respond - yes or no?

You show an answer in your packet capture to your query to 53 - what was that query, what was the answer... download that packet capture in wireshark.

It's working now though since I made that change

You changed from ALL to manually selecting "all" that is not a fix that is not even different.. So how would that "fix" anything..

john_galt

@johnpoz

John I setup pfsense to use Quad9 DNS over TLS earlier this year. I can't find the URL for the instructions I used but will keep looking. In those instructions I was instructed to enable that feature.

I will come back when I can check over the VPN connection Monday.

In my initial request for help I posted a screen grab of the packet capture which you said showed the query being answered. I did that query using nslookup and explicitly setting the server to my pfsense IPv4 address. I did not get a name back using this method.

I will get wireshark and get that data but can't until Monday.

Thank you for your help.

Doug

Gertjan

Hi,

This is your tunnel :

so make the DNS 10.0.8.1 - change this :

also, check this :

This options seems very important to me. Read the comments.

IMHO these extra options are not needed :

john_galt

@Gertjan
@johnpoz
@KOM

I've made changes that you've pointed out that I should make which have yielded some success.
I have two client VPN profiles on the same client computer. One profile gives me local DNS queries and the other profile doesn't. I'm going to spend some time now reading up on what I'm doing rather
than, as @johnpoz put it "randomly clicking shit". Which was in fact what I was doing.

I have one question now though. If I make changes to the OpenVPN server and or on the OpenVPN Client Export page does that require exporting a new client config or are those changes pushed to the client on next connect?

I greatly appreciate your help and patience with me on this problem.

Doug

johnpoz

depends on what changes you made..

Here I am at work now... And using unbound on pfsense for my dns... So I can resolve stuff on my home network

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . : local.lan
   Description . . . . . . . . . . . : TAP-Windows Adapter V9
   Physical Address. . . . . . . . . : 00-FF-1F-37-23-EC
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.0.8.100(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Tuesday, May 14, 2019 10:01:25 AM
   Lease Expires . . . . . . . . . . : Wednesday, May 13, 2020 10:01:25 AM
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . : 10.0.8.254
   DNS Servers . . . . . . . . . . . : 192.168.9.253
                                       192.168.9.253
   NetBIOS over Tcpip. . . . . . . . : Enabled

You can see my vpn interface told to use pfsense lan IP for dns

If I ask for say a box on my local network..

C:\Windows\System32>nslookup nas.local.lan
Server:  sg4860.local.lan
Address:  192.168.9.253

Name:    nas.local.lan
Address:  192.168.9.10