DNS Resolver: Domain Override with OpenVPN

AaronTS

1. I don't know what it means to "check the states"
2. Yes, pfsense at HOME is the default gateway for the Windows Server 2012 DNS server.

johnpoz

your not doing query to your home dns, your doing a query to unbound are you not?  And it does a query to your home dns server.  That is what a domain override is..

So yeah unbound has acl..

If your doing a query directly to your 2012 server, that would be an issue with your 2012 server not pfsense if its not answering.

Vs coming home and domain overrides.. Lets just be clear.. Where is your client doing a query to what IP?  What is this IP.. If its not doing a query to unbound on pfsense, what does domain overrides have to do with anything?

Soyokaze

@AaronTS:

1. I don't know what it means to "check the states"
2. Yes, pfsense at HOME is the default gateway for the Windows Server 2012 DNS server.

Diagnostics -> States
This will show all 'live' traffic (not explicitly blocked or dropped)

AaronTS

@johnpoz:

your not doing query to your home dns, your doing a query to unbound are you not?  And it does a query to your home dns server.  That is what a domain override is..

So yeah unbound has acl..

If your doing a query directly to your 2012 server, that would be an issue with your 2012 server not pfsense if its not answering.

Vs coming home and domain overrides.. Lets just be clear.. Where is your client doing a query to what IP?  What is this IP.. If its not doing a query to unbound on pfsense, what does domain overrides have to do with anything?

Remote client 10.1.1.51 queries pfSense DNS Resolver at 10.1.1.1. This works for non-local domain names. Domain override points back to the HOME DNS at 192.168.9.3 (Windows Server 2012 DNS). When client 10.1.1.51 queries 10.1.1.1 for a host in the local domain, resolution fails.  10.1.1.51 can resolve local hostnames if it uses 192.168.9.3 as it's DNS server, but not if it uses 10.1.1.1.

The ACL is blank in the DNS Resolver at 10.1.1.1. Is it necessary for me to populate that list in order for the domain override to 192.168.9.3 to work correctly?

AaronTS

I have tried adding the networks to the unbound ACL but this has no effect. I'm still banging my head against the wall as the why the Unbound domain override works locally but not at the remote sites.

AaronTS

I installed Wireshark on the HOME DNS controller.

On the HOME LAN:
DNS query for a host in the domain override: a DNS query/response shows in wireshark

On the REMOTE LAN:
DNS query for a host in the domain override: nothing is displayed in wireshark

It appears that the DNS requests from Unbound on REMOTE LAN (for Domain Override hosts) are not making it back to the DNS server on HOME LAN. But why? No firewall rules in place to block it, everything in place to allow it. ??

MaxZZZ

Services / DNS Resolver / General Settings
Outgoing Network Interfaces
All - does not work
Select Localhost, WAN, LAN, OPT (OpenVPN)

logo78

Hi,
i have similar issues which hostname resolutions from the remote network.
@Aaron, any further progresses?

johnpoz

"It appears that the DNS requests from Unbound on REMOTE LAN (for Domain Override hosts) are not making it back to the DNS server on HOME LAN. But why? No firewall rules in place to block it, everything in place to allow it. ?"

That that server is working and he allows.. Did the traffic actually get there?  Sniff on the server to see if you see the query, etc.

darnoldvcs

I had this issue as well with DNS Domain Overrides to MS DNS over OpenVPN.

To fix I had to:

• Disable DNSSEC
• Select outbound Interfaces as ALL.

I originally had Outbound Interfaces it as WAN. It appears that OpenVPN interfaces are implicitly included under all. They cannot be explicitly selected.