DNS Resolver: Domain Override with OpenVPN



  • I have DNS Resolver set up at REMOTE site which connects back to HOME site via OpenVPN. At REMOTE site there is a Domain Override in place for DNS Resolver which points to a DNS server on the REMOTE LAN. We are removing this old DNS server on the REMOTE LAN, so I need to change the IP for the Domain Override to an IP on the HOME LAN (on the other side of the VPN).

    When I make this change to point the Domain Override to the DNS server on the HOME LAN, all hostname resolution for the Override Domain completely stops working. DNS Resolver is still working ok because all other domain names still resolve OK. I checked the firewall log and nothing is blocking port 53. In firewall rules, any/any traffic is permitted over the VPN to any/any. What could be the cause of this broken Domain Override?

    When I change the Domain Override at REMOTE site back to the old DNS server on the REMOTE LAN, everything works fine. It only breaks for the domain when the Domain Override points to an IP which is on the HOME LAN. What is blocking this?


  • Rebel Alliance Global Moderator

    Can you query this dns directly and it works?

    My guess would be your resolver is not using your interface to be able to query this server..




  • Yes, I can query the DNS on HOME LAN directly and it works. It is manually entered into several machines. That is why I was confused, I don't know why DNS Resolver won't work with it.

    I tried several options for Outgoing Network Interfaces (All, LAN, local VLAN, WAN, etc) but that does not have an effect. External domain resolution is working ok, but anything from the Domain Override field will not resolve.



  • The setting that I am most unsure about is the "System Domain Local Zone Type". The default is Transparent.

    The DNS server on the HOME LAN is Windows Server 2012. Do I have to use a specific "System Domain Local Zone Type" for it to work with my DNS server?


  • Rebel Alliance Global Moderator

    Did you set your ACL??  You're coming from another network, you're going to have to edit the ACL to allow them to query it.

    You can change it from transparent, not a fan of that default mode either.  Mine is set to static..  Transparent will try and resolve, so for example if I try and resolve something.local.lan that does not exist I don't want it trying to resolve that.  Since I know for sure there is no .lan tld no reason to even send that query.  This also stops any bad suffix search like something.local.lan.local.lan from going out.

    I would assume you have to edit your acl for your other network and then you can query.



  • As far as I can tell, Windows Server 2012 DNS server does not have ACLs for who can make a query. Also, we already have another site where all clients query this remote DNS server directly and we did not set up any ACLs for these remote clients. Yes, some of them are domain members but many of them are not, for example printers and iPhones that are successfully making DNS queries from this remote network. This is why I don't understand what is stopping DNS resolver. If other devices can use the remote DNS server, why can't DNS Resolver make queries?



  • 1. Check the states at REMOTE pfsense, at least you will know on which interface your dns resolver sends packets for HOME DNS.
    2. Is pfsense at HOME the default gateway for the DNS server?


  • 1. I don't know what it means to "check the states"
    2. Yes, pfsense at HOME is the default gateway for the Windows Server 2012 DNS server.

  • Rebel Alliance Global Moderator

    You're not doing a query to your home dns, you're doing a query to unbound, are you not?  And it does a query to your home dns server.  That is what a domain override is..

    So yeah unbound has acl..

    If you're doing a query directly to your 2012 server, that would be an issue with your 2012 server not pfsense if it's not answering.

    Vs coming home and domain overrides.. Let's just be clear.. Where is your client doing a query to what IP?  What is this IP.. If it's not doing a query to unbound on pfsense, what does domain overrides have to do with anything?



  • @AaronTS:

    1. I don't know what it means to "check the states"
    2. Yes, pfsense at HOME is the default gateway for the Windows Server 2012 DNS server.

    Diagnostics -> States
    This will show all 'live' traffic (not explicitly blocked or dropped)

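As an added illustration of the "check the states" advice above (this is not code from any poster in this thread, nor from pfSense): the script below parses the kind of lines `pfctl -ss` prints on the REMOTE pfSense (Diagnostics > Command Prompt, or `pfctl -ss | grep ':53'` over SSH) and, for every UDP/53 state toward the HOME DNS server, reports which interface the query left on, whether pf source-NATed it, and whether anything came back. The sample state table, the interface names em0/em1/ovpnc1 and the 10.8.0.0/24 tunnel addresses are constructed assumptions, not a capture from the poster's firewall.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of `pfctl -ss` output as it might look on the REMOTE pfSense
# (not a real capture; interfaces, ports and the 10.8.0.0/24 tunnel are assumed).
# The em0 line toward 192.168.9.3 is the classic failure: unbound sourced the
# query from its LAN address, it was routed out the WAN and NATed, so it never
# entered the tunnel. The ovpnc1 line is what a healthy override query looks like.
SAMPLE_STATES = """\
em1 udp 10.1.1.1:53 <- 10.1.1.51:53211       MULTIPLE:MULTIPLE
em0 udp 203.0.113.10:41977 (10.1.1.1:41977) -> 9.9.9.9:53       MULTIPLE:MULTIPLE
em0 udp 203.0.113.10:41978 (10.1.1.1:41978) -> 192.168.9.3:53       SINGLE:NO_TRAFFIC
ovpnc1 udp 10.8.0.2:44120 -> 192.168.9.3:53       MULTIPLE:MULTIPLE
em1 tcp 10.1.1.51:50012 -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
"""

# iface proto left [(pre-NAT left)] -> right [(pre-NAT right)] state
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<left>\S+)(?:\s+\((?P<left_orig>[^)]+)\))?\s+"
    r"(?P<arrow><-|->)\s+"
    r"(?P<right>\S+)(?:\s+\((?P<right_orig>[^)]+)\))?\s+"
    r"(?P<state>\S+)$"
)


@dataclass
class State:
    iface: str
    proto: str
    src: str                 # address:port as seen on the wire (post-NAT)
    dst: str
    nat_src: Optional[str]   # pre-NAT source, when pf rewrote it
    state: str

    def replied(self) -> bool:
        # For UDP, pf tracks each side as NO_TRAFFIC / SINGLE / MULTIPLE;
        # NO_TRAFFIC on either side means that side never sent a packet.
        return "NO_TRAFFIC" not in self.state


def parse_states(text: str) -> List[State]:
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue  # anything that is not a state line is skipped
        if m["arrow"] == "->":
            src, dst, nat = m["left"], m["right"], m["left_orig"]
        else:  # "<-": pf prints the initiator on the right
            src, dst, nat = m["right"], m["left"], m["right_orig"]
        states.append(State(m["iface"], m["proto"], src, dst, nat, m["state"]))
    return states


def diagnose(states: List[State], server_ip: str, vpn_iface: str):
    """For every UDP/53 state toward server_ip, list why it could not have worked."""
    report = []
    for s in states:
        if s.proto != "udp" or s.dst != f"{server_ip}:53":
            continue
        problems = []
        if s.iface != vpn_iface:
            problems.append(f"left via {s.iface} instead of {vpn_iface}")
        if s.nat_src:
            problems.append(f"source NATed from {s.nat_src} to {s.src}")
        if not s.replied():
            problems.append("no reply from the server")
        report.append((s.iface, s.src, problems))
    return report


if __name__ == "__main__":
    for iface, src, problems in diagnose(parse_states(SAMPLE_STATES), "192.168.9.3", "ovpnc1"):
        print(f"{iface:8} {src:26} {'OK' if not problems else '; '.join(problems)}")
```

A state on the WAN interface with the LAN address in parentheses and SINGLE:NO_TRAFFIC is the signature of unbound sourcing the override query from an address that is not routed into the tunnel: the query goes out the WAN, gets NATed, and the HOME side never sees it. A state on the OpenVPN interface with MULTIPLE:MULTIPLE means the query entered the tunnel and an answer came back.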


  • @johnpoz:

    You're not doing a query to your home dns, you're doing a query to unbound, are you not?  And it does a query to your home dns server.  That is what a domain override is..

    So yeah unbound has acl..

    If you're doing a query directly to your 2012 server, that would be an issue with your 2012 server not pfsense if it's not answering.

    Vs coming home and domain overrides.. Let's just be clear.. Where is your client doing a query to what IP?  What is this IP.. If it's not doing a query to unbound on pfsense, what does domain overrides have to do with anything?

    Remote client 10.1.1.51 queries pfSense DNS Resolver at 10.1.1.1. This works for non-local domain names. Domain override points back to the HOME DNS at 192.168.9.3 (Windows Server 2012 DNS). When client 10.1.1.51 queries 10.1.1.1 for a host in the local domain, resolution fails.  10.1.1.51 can resolve local hostnames if it uses 192.168.9.3 as its DNS server, but not if it uses 10.1.1.1.

    The ACL is blank in the DNS Resolver at 10.1.1.1. Is it necessary for me to populate that list in order for the domain override to 192.168.9.3 to work correctly?

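An added worked example tying together the two configuration points raised in this thread, the unbound ACL and the Static vs. Transparent choice for the System Domain Local Zone Type; it is not code from any poster or from pfSense. It parses constructed unbound.conf fragments in the shape pfSense generates (a pfSense Domain Override is written as a forward-zone; the exact layout pfSense writes is an assumption) and replays unbound's decision order for a query: access-control is matched against the querying client, longest prefix wins; local-data and the local-zone type of the closest enclosing zone are consulted next; only then does a forward-zone apply. The names example.lan and corp.lan, the host fw.example.lan and the client 10.8.0.5 are made up for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple, Union

# Constructed unbound.conf fragments in the shape pfSense generates for the
# REMOTE resolver (the layout is an assumption; the forward-zone block is what a
# Domain Override becomes). example.lan plays the system domain, corp.lan the
# override domain that lives on the HOME Windows DNS.
UNBOUND_CONF = """
server:
    access-control: 127.0.0.0/8 allow
    access-control: 10.1.1.0/24 allow        # REMOTE LAN clients
    local-zone: "example.lan" static         # System Domain Local Zone Type = Static
    local-data: "fw.example.lan. A 10.1.1.1"
forward-zone:
    name: "corp.lan"                         # Domain Override
    forward-addr: 192.168.9.3                # HOME Windows DNS
"""

Net = Tuple[Union[ipaddress.IPv4Network, ipaddress.IPv6Network], str]


@dataclass
class UnboundConf:
    acl: List[Net] = field(default_factory=list)                  # (network, action)
    local_zones: Dict[str, str] = field(default_factory=dict)     # zone -> type
    local_data: Dict[str, str] = field(default_factory=dict)      # name -> "TYPE value"
    forward_zones: Dict[str, List[str]] = field(default_factory=dict)


def _norm(name: str) -> str:
    return name.strip().strip('"').rstrip(".").lower()


def parse_conf(text: str) -> UnboundConf:
    conf, section, zone = UnboundConf(), None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        if line.endswith(":") and " " not in line:   # "server:" / "forward-zone:"
            section, zone = line[:-1], None
            continue
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip()
        if section == "server" and key == "access-control":
            net, action = val.split()
            conf.acl.append((ipaddress.ip_network(net, strict=False), action))
        elif section == "server" and key == "local-zone":
            name, ztype = val.split()
            conf.local_zones[_norm(name)] = ztype
        elif section == "server" and key == "local-data":
            name, rr = val.strip('"').split(None, 1)
            conf.local_data[_norm(name)] = rr
        elif section == "forward-zone" and key == "name":
            zone = _norm(val)
            conf.forward_zones.setdefault(zone, [])
        elif section == "forward-zone" and key == "forward-addr" and zone:
            conf.forward_zones[zone].append(val)
    return conf


def _longest_suffix(name: str, zones) -> Optional[str]:
    hits = [z for z in zones if name == z or name.endswith("." + z)]
    return max(hits, key=len) if hits else None


def decide(conf: UnboundConf, client_ip: str, qname: str) -> str:
    """What unbound does with a query from client_ip for qname (only the static
    and transparent local-zone types are modelled)."""
    client = ipaddress.ip_address(client_ip)
    # 1. access-control is evaluated against the *client*, longest prefix wins.
    #    unbound's built-in default: 127.0.0.0/8 allowed, everything else refused.
    action, best = ("allow" if client.is_loopback else "refuse"), -1
    for net, act in conf.acl:
        if client.version == net.version and client in net and net.prefixlen > best:
            action, best = act, net.prefixlen
    if action not in ("allow", "allow_snoop", "allow_setrd"):
        return f"{action}:access-control"
    name = _norm(qname)
    # 2. local data, then the type of the closest enclosing local-zone.
    if name in conf.local_data:
        return "local-data:" + conf.local_data[name]
    lz = _longest_suffix(name, conf.local_zones)
    if lz and conf.local_zones[lz] == "static":
        return f"nxdomain:static local-zone {lz}"   # answered locally, never forwarded
    # 3. forward-zone (Domain Override): closest enclosing zone wins.
    fz = _longest_suffix(name, conf.forward_zones)
    if fz:
        return "forward:" + ",".join(conf.forward_zones[fz])
    return "iterate"  # normal recursion from the root


if __name__ == "__main__":
    conf = parse_conf(UNBOUND_CONF)
    for client, q in [("10.1.1.51", "srv1.corp.lan"), ("10.8.0.5", "srv1.corp.lan"),
                      ("10.1.1.51", "fw.example.lan"), ("10.1.1.51", "gone.example.lan"),
                      ("10.1.1.51", "www.example.com")]:
        print(f"{client:10} {q:18} -> {decide(conf, client, q)}")
```

Two things this makes visible. First, the ACL in the resolver on 10.1.1.1 governs who may ask 10.1.1.1; it says nothing about whether 192.168.9.3 will answer the forwarded query, so a blank ACL only matters for clients on networks pfSense does not add for its own interfaces. Second, a static local-zone shadows a forward-zone for the same or an enclosing name: a host that is not in local-data gets NXDOMAIN from unbound itself and the query is never forwarded, so Static is only safe when the override domain is neither the system domain nor a subdomain of it.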


  • I have tried adding the networks to the unbound ACL but this has no effect. I'm still banging my head against the wall as to why the Unbound domain override works locally but not at the remote sites.



  • I installed Wireshark on the HOME DNS controller.

    On the HOME LAN:
    DNS query for a host in the domain override: a DNS query/response shows in wireshark

    On the REMOTE LAN:
    DNS query for a host in the domain override: nothing is displayed in wireshark

    It appears that the DNS requests from Unbound on REMOTE LAN (for Domain Override hosts) are not making it back to the DNS server on HOME LAN. But why? No firewall rules in place to block it, everything in place to allow it. ??



  • Services / DNS Resolver / General Settings
    Outgoing Network Interfaces
    All - does not work
    Select Localhost, WAN, LAN, OPT (OpenVPN)



  • Hi,
    I have similar issues with hostname resolution from the remote network.
    @Aaron, any further progress?


  • Rebel Alliance Global Moderator

    "It appears that the DNS requests from Unbound on REMOTE LAN (for Domain Override hosts) are not making it back to the DNS server on HOME LAN. But why? No firewall rules in place to block it, everything in place to allow it. ?"

    That the server is working and allows it.. Did the traffic actually get there?  Sniff on the server to see if you see the query, etc.