Netgate Discussion Forum
    DNS Resolver: Domain Override with OpenVPN

    DHCP and DNS
    AaronTS

      1. I don't know what it means to "check the states"
      2. Yes, pfsense at HOME is the default gateway for the Windows Server 2012 DNS server.
        johnpoz (LAYER 8 Global Moderator)

        You're not doing a query to your home DNS, you're doing a query to unbound, are you not?  And it does a query to your home DNS server.  That is what a domain override is..

        So yeah unbound has acl..

        If you're doing a query directly to your 2012 server, that would be an issue with your 2012 server, not pfSense, if it's not answering.

        Vs coming home and domain overrides.. Let's just be clear.. Where is your client doing a query to, what IP?  What is this IP.. If it's not doing a query to unbound on pfSense, what do domain overrides have to do with anything?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          Soyokaze

          @AaronTS:

          1. I don't know what it means to "check the states"
          2. Yes, pfsense at HOME is the default gateway for the Windows Server 2012 DNS server.

          Diagnostics -> States
          This will show all 'live' traffic (not explicitly blocked or dropped)

          Need full pfSense in a cloud? PM for details!

            AaronTS

            @johnpoz:

            You're not doing a query to your home DNS, you're doing a query to unbound, are you not?  And it does a query to your home DNS server.  That is what a domain override is..

            So yeah unbound has acl..

            If you're doing a query directly to your 2012 server, that would be an issue with your 2012 server, not pfSense, if it's not answering.

            Vs coming home and domain overrides.. Let's just be clear.. Where is your client doing a query to, what IP?  What is this IP.. If it's not doing a query to unbound on pfSense, what do domain overrides have to do with anything?

            Remote client 10.1.1.51 queries the pfSense DNS Resolver at 10.1.1.1. This works for non-local domain names. The domain override points back to the HOME DNS at 192.168.9.3 (Windows Server 2012 DNS). When client 10.1.1.51 queries 10.1.1.1 for a host in the local domain, resolution fails.  10.1.1.51 can resolve local hostnames if it uses 192.168.9.3 as its DNS server, but not if it uses 10.1.1.1.

            The ACL is blank in the DNS Resolver at 10.1.1.1. Is it necessary for me to populate that list in order for the domain override to 192.168.9.3 to work correctly?

              AaronTS

              I have tried adding the networks to the unbound ACL but this has no effect. I'm still banging my head against the wall as to why the Unbound domain override works locally but not at the remote sites.

                AaronTS

                I installed Wireshark on the HOME DNS controller.

                On the HOME LAN:
                DNS query for a host in the domain override: a DNS query/response shows in Wireshark.

                On the REMOTE LAN:
                DNS query for a host in the domain override: nothing is displayed in Wireshark.

                It appears that the DNS requests from Unbound on REMOTE LAN (for Domain Override hosts) are not making it back to the DNS server on HOME LAN. But why? No firewall rules in place to block it, everything in place to allow it. ??

                  MaxZZZ

                  Services / DNS Resolver / General Settings
                  Outgoing Network Interfaces
                  All - does not work
                  Select Localhost, WAN, LAN, OPT (OpenVPN)

                    logo78

                    Hi,
                    I have similar issues with hostname resolution from the remote network.
                    @Aaron, any further progress?

                      johnpoz (LAYER 8 Global Moderator)

                      "It appears that the DNS requests from Unbound on REMOTE LAN (for Domain Override hosts) are not making it back to the DNS server on HOME LAN. But why? No firewall rules in place to block it, everything in place to allow it. ?"

                      That that server is working and he allows.. Did the traffic actually get there?  Sniff on the server to see if you see the query, etc.

                        darnoldvcs @johnpoz

                        I had this issue as well with DNS Domain Overrides to MS DNS over OpenVPN.

                        To fix I had to:

                        • Disable DNSSEC
                        • Select outbound Interfaces as ALL.

                        I originally had Outbound Interfaces set as WAN. It appears that OpenVPN interfaces are implicitly included under All. They cannot be explicitly selected.

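An added example (not from the thread and not pfSense's generated file) showing the unbound.conf pieces behind the GUI settings the posts above argue about: the Domain Override forward-zone, the ACL, the Outgoing Network Interfaces choice, and a per-zone DNSSEC exemption instead of switching validation off entirely. The domain name home.example, the tunnel subnet 10.8.0.0/24 and the WAN address 203.0.113.10 are assumptions; the other addresses are the thread's.

```conf
# Added example: resolver on REMOTE pfSense at 10.1.1.1, home AD DNS at 192.168.9.3.
server:
    interface: 10.1.1.1
    interface: 127.0.0.1

    # Who may send queries to this resolver (pfSense "Access Lists").
    # The ACL gates inbound clients only; it has no effect on whether the
    # forwarded query reaches 192.168.9.3, which is why adding networks
    # here did not change anything for the original poster.
    access-control: 127.0.0.0/8 allow
    access-control: 10.1.1.0/24 allow
    access-control: 10.8.0.0/24 allow      # assumed OpenVPN tunnel network

    # Source address of the queries unbound sends out. unbound picks one of
    # the listed addresses at random per query (anti-spoofing), so listing
    # an address that cannot reach 192.168.9.3 over the tunnel breaks the
    # override for some or all lookups.
    # outgoing-interface: 203.0.113.10     # WAN only: the failing case in the thread
    # Leaving outgoing-interface unset is the GUI's "All": the kernel chooses
    # the source per route, so queries to 192.168.9.3 leave via the VPN.

    # Keep validation on for the internet; only the overridden zone is marked
    # insecure, because an internal AD zone is unsigned and would otherwise
    # fail DNSSEC. This narrows the thread's "Disable DNSSEC" fix to one zone.
    auto-trust-anchor-file: "/var/unbound/root.key"
    domain-insecure: "home.example"
    # RFC1918 answers from the home server must not be dropped as rebinding.
    private-domain: "home.example"

# The Domain Override itself: every name under home.example is forwarded to
# the Windows DNS at HOME instead of being resolved recursively.
forward-zone:
    name: "home.example"
    forward-addr: 192.168.9.3
```

To confirm which side is failing, query the override name from a remote client against 10.1.1.1 and capture on 192.168.9.3 at the same time, as AaronTS did; a query that never appears in the capture points at the outgoing-interface or route, one that appears but gets no usable answer points at the server or at DNSSEC.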
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.