OpenVPN works but no local DNS

john_galt · May 11, 2019, 12:35 PM

John I setup pfsense to use Quad9 DNS over TLS earlier this year. I can't find the URL for the instructions I used but will keep looking. In those instructions I was instructed to enable that feature.

I will come back when I can check over the VPN connection Monday.

In my initial request for help I posted a screen grab of the packet capture which you said showed the query being answered. I did that query using nslookup and explicitly setting the server to my pfsense IPv4 address. I did not get a name back using this method.

I will get wireshark and get that data but can't until Monday.

Thank you for your help.

Doug

Gertjan · May 11, 2019, 1:16 PM

Hi,

This is your tunnel :

so make the DNS 10.0.8.1 - change this :

also, check this :

This options seems very important to me. Read the comments.

IMHO these extra options are not needed :

john_galt · May 14, 2019, 3:41 PM

@Gertjan
@johnpoz
@KOM

I've made changes that you've pointed out that I should make which have yielded some success.
I have two client VPN profiles on the same client computer. One profile gives me local DNS queries and the other profile doesn't. I'm going to spend some time now reading up on what I'm doing rather
than, as @johnpoz put it "randomly clicking shit". Which was in fact what I was doing.

I have one question now though. If I make changes to the OpenVPN server and or on the OpenVPN Client Export page does that require exporting a new client config or are those changes pushed to the client on next connect?

I greatly appreciate your help and patience with me on this problem.

Doug

johnpoz · May 14, 2019, 4:28 PM

depends on what changes you made..

Here I am at work now... And using unbound on pfsense for my dns... So I can resolve stuff on my home network

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . : local.lan
   Description . . . . . . . . . . . : TAP-Windows Adapter V9
   Physical Address. . . . . . . . . : 00-FF-1F-37-23-EC
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.0.8.100(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Tuesday, May 14, 2019 10:01:25 AM
   Lease Expires . . . . . . . . . . : Wednesday, May 13, 2020 10:01:25 AM
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . : 10.0.8.254
   DNS Servers . . . . . . . . . . . : 192.168.9.253
                                       192.168.9.253
   NetBIOS over Tcpip. . . . . . . . : Enabled

You can see my vpn interface told to use pfsense lan IP for dns

If I ask for say a box on my local network..

C:\Windows\System32>nslookup nas.local.lan
Server:  sg4860.local.lan
Address:  192.168.9.253

Name:    nas.local.lan
Address:  192.168.9.10

x2rl · May 24, 2020, 10:14 PM

I know its an old post but Im having the very same problem. When openvpn is on my phone it does not use the dns ive set on pfsense. Also just plan ignores pfblocker-dev

Mr. Waste · Jun 1, 2020, 5:03 PM

@x3rl
Ipv4 Tunnel Network is set as: 10.0.1.0/24
Dns Server 1 is set as: 10.0.0.1

Change the dns server to 10.0.1.1

I am doing more complex vpns. Having 2 vpns together to get the most out of the filtering.
Home Pfsense (Connecting) to Cloud Remote Pfsense (Actual VPN) to DNS Server VPN (Actual VPN through the Cloud VPN)
Home = Cloud = DNS

Hope this helps.

x2rl · Jun 1, 2020, 5:03 PM

@Mr-Waste did not work pal pfbocker was not working when setting that dns

Mr. Waste · Jun 3, 2020, 8:21 PM

This post is deleted!

Mr. Waste · Jun 3, 2020, 8:25 PM

@x3rl

Go to Firewall/pfBlockerNG/IP
IP Interface/Rules Configuration:

Inbound Firewall Rules:
Wan

Outbound Firewall Rules:
Lan
OpenVpn Server interface

Make sure you have that interface highlighted. This might be the problem.
Make sure you have the dns resolver on as well. Local DNS Resolver to up stream DNS Server/ like cloud flare or google.

Make sure everything else are all GREEN/ ON or it will not work. - (Resolver)
pfb_dnsbl is down something isn't right. Like with the first picture. - (The interfaces)

Mr. Waste

x2rl · Jun 4, 2020, 2:58 PM

My dns is set to 127.0.0.1 I have all the rules and everything is active.

Gertjan · Jun 5, 2020, 6:29 AM

Side note :
@Mr-Waste :

x2rl · Jun 5, 2020, 8:24 AM

@Gertjan pfsense does the resloving.

Jochim · Jun 7, 2020, 2:08 AM

@x3rl
Try resetting everything to the way it was in your screenshot, then change the option "DNS Default Domain" to just "localdomain". Next add the tunnel network (10.0.1.0/24 in your case) to the DNS Resolver access list by going to Services > DNS Resolver > Access Lists and adding a new entry for the tunnel network.

Hopefully that solves the issue.

Jochim

x2rl · Jun 11, 2020, 9:25 AM

@Jochim nope still does not use piholes adblocker via pfsense DNS.

renegade · Jun 14, 2020, 10:01 PM

Same here.
It seems the set DNS Server is only used for the set domain name.
In my case it‘s home and everything ending with .home is resolved and available in my OpenVPN Split Tunnel. But other name resolution seems to happen with any other DNS Server (unknown).

soutruth · Nov 1, 2021, 7:32 AM

Had same issue. Unticked: "Provide a DNS server list to clients. Addresses may be IPv4 or IPv6."

Fixed :)

Byter · Sep 2, 2021, 12:11 AM

@john_galt

@john_galt said in OpenVPN works but no local DNS:

@johnpoz

I can now get local DNS over OpenVPN but I don't know why. I would like to if anyone can explain.

In Services > DNS Resolver > General Settings I changed the Network Interfaces from "All" to selecting all the interfaces and saving.

I've spent a lot of time trying to figure this out and really would like to understand why one setting
doesn't work but the other does when essentially they are both the same?

Thanks,

Doug

// Edit//

Here's the forum thread that gave me this fix.

Actually I had an issue using another router behind a PFsense, with full functionalities. I just wanted to have a separeted network without using VLAN and I wanted to preserve the reserved IP addresses, long sotry... Anyway, I couldn't figure out why on earth I can't get the clients behind the second router to properly resolve DNS. I used the same trick as you selecting every interface by hand rather than using the "ALL" option. IT SOLVED finally my issue. I definitely think there is a glitch somewhere.

nonyhaha · Nov 1, 2021, 7:32 AM

@soutruth how on earth did that go ok for you? What dns is your client using then?

Other than that, I am having the same issue and am trying to solve it.
the problem for me is that I am not even trying to user pfblockerng, only use the local acl to access local assets.

Allistah · Dec 4, 2021, 5:28 PM

@john_galt

I made an account here just to say that this resolved my issue as well. I am running pfSense 2.5.2-RELEASE (amd64) and I could connect to VPN without any trouble but any local DNS wouldn't work to the site I was connected to. Once I removed the DNS Resolver from "All" to manually choosing all of the IPv4 interfaces on the "Network Interfaces" and "Outgoing Network Interfaces" within the DNS Resolver, it just started to work as I would expect.

Maybe there is a bug or something there.

Thanks for listening - hope this can help improve pfSense!

Schuby · Dec 6, 2021, 7:41 PM

@john_galt This also worked for me. Very strange.