    DNS Resolver: Domain Override with OpenVPN

    DHCP and DNS
• AaronTS:

I have DNS Resolver set up at REMOTE site which connects back to HOME site via OpenVPN. At REMOTE site there is a Domain Override in place for DNS Resolver which points to a DNS server on the REMOTE LAN. We are removing this old DNS server on the REMOTE LAN, so I need to change the IP for the Domain Override to an IP on the HOME LAN (on the other side of the VPN).

When I make this change to point the Domain Override to the DNS server on the HOME LAN, all hostname resolution for the Override Domain completely stops working. DNS Resolver is still working OK because all other domain names still resolve OK. I checked the firewall log and nothing is blocking port 53. In firewall rules, any/any traffic is permitted over the VPN to any/any. What could be the cause of this broken Domain Override?

When I change the Domain Override at REMOTE site back to the old DNS server on the REMOTE LAN, everything works fine. It only breaks for the domain when the Domain Override points to an IP which is on the HOME LAN. What is blocking this?
• johnpoz (LAYER 8 Global Moderator):

Can you query this DNS directly, and does it work?

My guess would be your resolver is not using your interface to be able to query this server..

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 23.01 | Lab VMs CE 2.6, 2.7
• AaronTS:

Yes, I can query the DNS on HOME LAN directly and it works. It is manually entered into several machines. That is why I was confused; I don't know why DNS Resolver won't work with it.

I tried several options for Outgoing Network Interfaces (All, LAN, local VLAN, WAN, etc.) but that does not have an effect. External domain resolution is working OK, but anything from the Domain Override field will not resolve.
• AaronTS:

The setting that I am most unsure about is the "System Domain Local Zone Type". The default is Transparent.

The DNS server on the HOME LAN is Windows Server 2012. Do I have to use a specific "System Domain Local Zone Type" for it to work with my DNS server?
• johnpoz (LAYER 8 Global Moderator):

Did you set your ACL?? You're coming from another network; you're going to have to edit the ACL to allow them to query it.

You can change it from transparent; not a fan of that default mode either. Mine is set to static.. Transparent will try and resolve, so for example if I try and resolve something.local.lan that does not exist, I don't want it trying to resolve that. Since I know for sure there is no .lan TLD, there is no reason to even send that query. This also stops any bad suffix search like something.local.lan.local.lan from going out.

I would assume you have to edit your ACL for your other network and then you can query.
• AaronTS:

As far as I can tell, Windows Server 2012 DNS server does not have ACLs for who can make a query. Also, we already have another site where all clients query this remote DNS server directly and we did not set up any ACLs for these remote clients. Yes, some of them are domain members, but many of them are not, for example printers and iPhones that are successfully making DNS queries from this remote network. This is why I don't understand what is stopping DNS Resolver. If other devices can use the remote DNS server, why can't DNS Resolver make queries?
• Soyokaze:

1. Check the states at REMOTE pfSense; at least you will know on which interface your DNS Resolver sends packets for HOME DNS.
2. Is pfSense at HOME the default gateway for the DNS server?

Need full pfSense in a cloud? PM for details!
• AaronTS:

1. I don't know what it means to "check the states".
2. Yes, pfSense at HOME is the default gateway for the Windows Server 2012 DNS server.
• johnpoz (LAYER 8 Global Moderator):

You're not doing a query to your home DNS, you're doing a query to unbound, are you not? And it does a query to your home DNS server. That is what a domain override is..

So yeah, unbound has an ACL..

If you're doing a query directly to your 2012 server, that would be an issue with your 2012 server, not pfSense, if it's not answering.

Vs coming home and domain overrides.. Let's just be clear.. Where is your client doing a query, to what IP? What is this IP.. If it's not doing a query to unbound on pfSense, what do domain overrides have to do with anything?
• Soyokaze:

@AaronTS:

> 1. I don't know what it means to "check the states".
> 2. Yes, pfSense at HOME is the default gateway for the Windows Server 2012 DNS server.

Diagnostics -> States
This will show all 'live' traffic (not explicitly blocked or dropped).
• AaronTS:

@johnpoz:

> You're not doing a query to your home DNS, you're doing a query to unbound, are you not? And it does a query to your home DNS server. That is what a domain override is..
>
> So yeah, unbound has an ACL..
>
> If you're doing a query directly to your 2012 server, that would be an issue with your 2012 server, not pfSense, if it's not answering.
>
> Vs coming home and domain overrides.. Let's just be clear.. Where is your client doing a query, to what IP? What is this IP.. If it's not doing a query to unbound on pfSense, what do domain overrides have to do with anything?

Remote client 10.1.1.51 queries pfSense DNS Resolver at 10.1.1.1. This works for non-local domain names. Domain override points back to the HOME DNS at 192.168.9.3 (Windows Server 2012 DNS). When client 10.1.1.51 queries 10.1.1.1 for a host in the local domain, resolution fails. 10.1.1.51 can resolve local hostnames if it uses 192.168.9.3 as its DNS server, but not if it uses 10.1.1.1.

The ACL is blank in the DNS Resolver at 10.1.1.1. Is it necessary for me to populate that list in order for the domain override to 192.168.9.3 to work correctly?
• AaronTS:

I have tried adding the networks to the unbound ACL but this has no effect. I'm still banging my head against the wall as to why the Unbound domain override works locally but not at the remote sites.
• AaronTS:

I installed Wireshark on the HOME DNS controller.

On the HOME LAN:
DNS query for a host in the domain override: a DNS query/response shows in Wireshark.

On the REMOTE LAN:
DNS query for a host in the domain override: nothing is displayed in Wireshark.

It appears that the DNS requests from Unbound on REMOTE LAN (for Domain Override hosts) are not making it back to the DNS server on HOME LAN. But why? No firewall rules in place to block it, everything in place to allow it. ??
• MaxZZZ:

Services / DNS Resolver / General Settings
Outgoing Network Interfaces
All - does not work
Select Localhost, WAN, LAN, OPT (OpenVPN)
• logo78:

Hi,
I have similar issues with hostname resolution from the remote network.
@Aaron, any further progress?
• johnpoz (LAYER 8 Global Moderator):

"It appears that the DNS requests from Unbound on REMOTE LAN (for Domain Override hosts) are not making it back to the DNS server on HOME LAN. But why? No firewall rules in place to block it, everything in place to allow it. ?"

That the server is working and he allows.. Did the traffic actually get there? Sniff on the server to see if you see the query, etc.
• darnoldvcs (replying to johnpoz):

I had this issue as well with DNS Domain Overrides to MS DNS over OpenVPN.

To fix it I had to:

• Disable DNSSEC
• Select Outbound Interfaces as ALL.

I originally had Outbound Interfaces set to WAN. It appears that OpenVPN interfaces are implicitly included under All. They cannot be explicitly selected.
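The triage the thread does by hand (query unbound, query the HOME server directly, sniff on the server, then toggle DNSSEC and Outgoing Network Interfaces) can be scripted from a client on the remote LAN. The following is an added example, not code from the thread, pfSense or unbound; it assumes `dig` is installed where it runs, uses the 10.1.1.1 (unbound) and 192.168.9.3 (Windows DNS) addresses quoted in the thread, and a placeholder hostname inside the override domain. The `+cd` probe is the step that separates darnoldvcs's DNSSEC finding from a forwarding-path problem: unbound answers a query carrying the CD bit without validating it, so SERVFAIL on the normal query and an answer on the `+cd` query means the upstream is reachable and only validation of the unsigned internal zone fails. The "mark just that zone insecure" alternative in the output refers to unbound's per-zone `domain-insecure` option, which the thread itself does not mention.

```python
"""Triage a pfSense (unbound) Domain Override that fails only for the
overridden zone: three dig probes, then a decision tree over the results
that names the setting to look at. Added example, not thread/pfSense code."""
import re
import subprocess

# Addresses quoted in the thread; the query name is a constructed placeholder.
RESOLVER = "10.1.1.1"          # remote-site pfSense running unbound
UPSTREAM = "192.168.9.3"       # HOME LAN Windows Server 2012 DNS
QNAME = "host1.corp.example"   # placeholder host inside the override domain

STATUS_RE = re.compile(r"status: ([A-Z]+)")
ANSWER_RE = re.compile(r"ANSWER: (\d+)")


def parse_dig(output):
    """Reduce dig's text output to (rcode, answer_count).
    Empty output (dig missing, timeout, no ->>HEADER<<- line) -> NORESPONSE."""
    m = STATUS_RE.search(output)
    if m is None:
        return ("NORESPONSE", 0)
    a = ANSWER_RE.search(output)
    return (m.group(1), int(a.group(1)) if a else 0)


def dig(server, qname, *flags, timeout=3):
    """Run one dig A query and return its raw output ('' on failure).
    Only called from run_triage(), never at import time."""
    cmd = ["dig", "+time=%d" % timeout, "+tries=1", *flags,
           "@" + server, qname, "A"]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True,
                              timeout=timeout + 2)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return ""
    return proc.stdout


def diagnose(via_resolver, via_resolver_cd, direct):
    """Map three (rcode, answer_count) probe results to the causes the
    thread discusses.
      via_resolver    : dig @RESOLVER qname      (normal, validating)
      via_resolver_cd : dig +cd @RESOLVER qname  (CD bit: unbound skips validation)
      direct          : dig @UPSTREAM qname      (bypasses unbound entirely)"""
    r_code, r_ans = via_resolver
    c_code, c_ans = via_resolver_cd
    d_code, d_ans = direct

    if d_code != "NOERROR" or d_ans == 0:
        return ("upstream: the HOME DNS server does not answer this name "
                "itself; fix that before looking at unbound")
    if r_code == "NOERROR" and r_ans > 0:
        return "ok: the Domain Override is forwarding and answering"
    if r_code == "REFUSED":
        return ("acl: unbound refused the client; add its network to the "
                "Resolver access list")
    if r_code == "SERVFAIL" and c_code == "NOERROR" and c_ans > 0:
        return ("dnssec: the forward path works but validation of the "
                "unsigned internal zone fails; disable DNSSEC in the "
                "Resolver (or mark just that zone insecure)")
    if r_code in ("NXDOMAIN", "NOERROR"):
        return ("local-zone: unbound answered from its own local zone instead "
                "of forwarding; check the System Domain Local Zone Type "
                "(static vs transparent) for this domain")
    return ("path: unbound never gets an answer from the upstream; check "
            "Outgoing Network Interfaces (All includes the OpenVPN interface) "
            "and look for a state to %s:53 in Diagnostics > States" % UPSTREAM)


def run_triage(resolver=RESOLVER, upstream=UPSTREAM, qname=QNAME):
    """Live run: issue the three probes and return the diagnosis string."""
    return diagnose(parse_dig(dig(resolver, qname)),
                    parse_dig(dig(resolver, qname, "+cd")),
                    parse_dig(dig(upstream, qname)))


if __name__ == "__main__":
    print(run_triage())
```

Run it from a client such as 10.1.1.51 that normally uses 10.1.1.1. The direct probe is checked first because, as johnpoz points out, an upstream that does not answer is a Windows DNS problem rather than a pfSense one; only once that passes do the resolver results say anything about unbound's ACL, local zone type, DNSSEC or outgoing interface.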