Netgate Discussion Forum
    DNS Server Domain Override Over IPSec VPN not working

    DHCP and DNS
    2fast4u2

      Hi,
      We have a pfSense v2.3.1 device in our office.
      In DNS Resolver, under 'Domain Overrides' we have 2 entries:

      1. Our local on-site domain controller: domain.local  192.168.1.2
      2. A domain controller that belongs to one of our sister companies, connected via IPSec VPN: domain.lan 192.168.5.2

      The remote DNS works if I use command "nslookup pc.domain.lan 192.168.5.2", but does not work via pfSense DNS Resolver.
      DNS #1 works in pfSense DNS Resolver.
      I've tried deleting #1 to see if #2 will work, no luck.
      Restarting the DNS Resolver Service didn't help either.
      Not seeing anything under firewall logs.

      Any ideas?

      luckman212

        On the DNS Resolver page, set "Outgoing Network Interfaces" to LAN and localhost

        Save and try again.  Should work.  This is a known quirk of DNS over IPSEC tunnels.

        asiTechsupport

          @luckman212:

          On the DNS Resolver page, set "Outgoing Network Interfaces" to LAN and localhost

          Save and try again.  Should work.  This is a known quirk of DNS over IPSEC tunnels.

          Okay, I just ran into this on 2.3.2…

          While I realize this is a "quirk", can someone please explain the reason for this a little bit? Does this apply to other scenarios?

          jimp (Rebel Alliance Developer, Netgate)

            It's fully explained here: https://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN

            rogerpre

              Thanks for posting this solution!

              It took me a few hours of searching and fiddling around to find this.  It seems like a pretty reasonable scenario to want to resolve domain addresses over VPN to a central server.  In searching about, I found several people with the exact same problem.  Some were very recent.  This is the only solution that worked.

              There's no indication anywhere that using domain overrides in this way won't work in pfsense.  It would be helpful if there was some way to tip off the user about the problem.  If the kludge that causes this has been around for 13+ years, I don't think anyone's too interested in resolving it, so a note in the interface would save some people a lot of frustration.

              piersdd

                +1 on that sentiment.

                It is absolutely reasonable for a more legible explanation of this to show up in the documentation, NOT just in the forums. I too blew several hours on this.

                :(

                @rogerpre:

                Thanks for posting this solution!

                It took me a few hours of searching and fiddling around to find this.  It seems like a pretty reasonable scenario to want to resolve domain addresses over VPN to a central server.  In searching about, I found several people with the exact same problem.  Some were very recent.  This is the only solution that worked.

                There's no indication anywhere that using domain overrides in this way won't work in pfsense.  It would be helpful if there was some way to tip off the user about the problem.  If the kludge that causes this has been around for 13+ years, I don't think anyone's too interested in resolving it, so a note in the interface would save some people a lot of frustration.

                albanc

                  It took me some time to figure this out: DNS override will only work if you specify a trailing dot on the domain name you expect to override. It is not explained in the contextual help of the field:

                  Domain            Lookup server IP address
                  mydomain.com.     10.10.10.1

                    wonko80
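The fix luckman212 gives and the trailing-dot entry albanc describes, written out as a constructed unbound.conf fragment (an added example, not code from the thread or the configuration pfSense generates); it assumes the firewall's LAN address is 192.168.1.1 and uses a documentation placeholder for the WAN address.

```conf
# Constructed unbound.conf fragment (added example, not the thread's or pfSense's
# generated config). Addresses come from the original post plus an assumed LAN
# address of 192.168.1.1 and a placeholder WAN address of 203.0.113.10.
server:
    # Weak setting: with "Outgoing Network Interfaces" left at "all", the source
    # address is chosen by routing. For 192.168.5.2 that is the WAN address, which
    # lies outside the IPsec phase 2 local network, so the forwarded query never
    # enters the tunnel and the override silently times out (no firewall log entry).
    # outgoing-interface: 203.0.113.10

    # Corrected setting (luckman212's fix): source queries from the LAN address,
    # which is inside the phase 2 local network, plus localhost.
    outgoing-interface: 192.168.1.1
    outgoing-interface: 127.0.0.1

# Domain override 1: on-site domain controller
forward-zone:
    name: "domain.local."
    forward-addr: 192.168.1.2

# Domain override 2: sister company's domain controller reached across the IPsec VPN.
# The zone name is written fully qualified (trailing dot), as in albanc's post.
forward-zone:
    name: "domain.lan."
    forward-addr: 192.168.5.2
```

To confirm the source-address cause before changing anything, run a query to 192.168.5.2 from the firewall shell with the source bound to the LAN address (for example `dig @192.168.5.2 pc.domain.lan -b 192.168.1.1` where dig is installed) and compare it with the same query bound to the WAN address; only the LAN-sourced one should answer.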

                    I am so glad I finally found this thread. I was using pfBlockerNG before, but just for country blocking. I decided to start using DNSBL, but that required my remote sites to switch from DNS Forwarder to DNS resolver, but when I did that the internal DNS broke. I had searched with the wrong keywords I guess before, but this one was a lifesaver! Thanks for these suggestions that fixed my DNS problems!

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.