Netgate Discussion Forum
    DNS Server Domain Override Over IPSec VPN not working

    DHCP and DNS
      2fast4u2

      Hi,
      We have a pfSense v2.3.1 device in our office.
      In DNS Resolver, under 'Domain Overrides' we have 2 entries:

      1. Our local on-site domain controller: domain.local  192.168.1.2
      2. A domain controller that belongs to one of our sister companies, connected via IPSec VPN: domain.lan 192.168.5.2

      The remote DNS works if I use command "nslookup pc.domain.lan 192.168.5.2", but does not work via pfSense DNS Resolver.
      DNS #1 works in pfSense DNS Resolver.
      I've tried deleting #1 to see if #2 will work, no luck.
      Restarting the DNS Resolver Service didn't help either.
      Not seeing anything under firewall logs.

      Any ideas?

        luckman212

        On the DNS Resolver page, set "Outgoing Network Interfaces" to LAN and localhost

        Save and try again.  Should work.  This is a known quirk of DNS over IPSEC tunnels.

          asiTechsupport

          @luckman212:

          On the DNS Resolver page, set "Outgoing Network Interfaces" to LAN and localhost

          Save and try again.  Should work.  This is a known quirk of DNS over IPSEC tunnels.

          Okay, I just ran into this on 2.3.2…

          While I realize this is a "quirk", can someone please explain the reason for this a little bit? Does this apply to other scenarios?

            jimp (Rebel Alliance Developer, Netgate)

            It's fully explained here: https://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN

              rogerpre

              Thanks for posting this solution!

              It took me a few hours of searching and fiddling around to find this.  It seems like a pretty reasonable scenario to want to resolve domain addresses over VPN to a central server.  In searching about, I found several people with the exact same problem.  Some were very recent.  This is the only solution that worked.

              There's no indication anywhere that using domain overrides in this way won't work in pfsense.  It would be helpful if there was some way to tip off the user about the problem.  If the kludge that causes this has been around for 13+ years, I don't think anyone's too interested in resolving it, so a note in the interface would save some people a lot of frustration.

                piersdd

                +1 on that sentiment.

                It is absolutely reasonable for a more legible explanation of this to show up in the documentation, NOT just in the forums. I too blew several hours on this.

                :(

                @rogerpre:

                Thanks for posting this solution!

                It took me a few hours of searching and fiddling around to find this.  It seems like a pretty reasonable scenario to want to resolve domain addresses over VPN to a central server.  In searching about, I found several people with the exact same problem.  Some were very recent.  This is the only solution that worked.

                There's no indication anywhere that using domain overrides in this way won't work in pfsense.  It would be helpful if there was some way to tip off the user about the problem.  If the kludge that causes this has been around for 13+ years, I don't think anyone's too interested in resolving it, so a note in the interface would save some people a lot of frustration.

                  albanc

                  It took me some time to figure this out: DNS override will only work if you specify a trailing dot on the domain name you expect to override. It is not explained in the contextual help of the field:

                  Domain           Lookup server IP address
                  mydomain.com.    10.10.10.1

                    wonko80
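                  The advice from luckman212 and the page jimp links come down to a source-address rule: traffic the firewall itself originates toward a host behind an IPsec tunnel is only carried by the tunnel when its source address lies inside a Phase 2 local network, and Unbound takes its source from whatever is listed as an outgoing interface. The script below is an added example written for this thread; it is not pfSense code and not something any poster supplied. It parses an unbound.conf-style fragment (constructed here to mirror the two overrides in the first post, with 203.0.113.5 standing in for the WAN address and 192.168.1.1 for the LAN address), checks each override target against assumed Phase 2 selectors for 192.168.1.0/24 and 192.168.5.0/24, and reports whether the resolver would source the query from inside the tunnel. Override names are compared with any trailing dot stripped, so an entry written either way, as in albanc's post, is matched. IPv4 only.

```python
"""Check DNS Resolver (Unbound) domain overrides against IPsec Phase 2 selectors."""
import ipaddress

# Constructed sample in Unbound's own syntax. It stands in for the unbound.conf
# pfSense generates and is NOT copied from a real box: 203.0.113.5 plays the
# WAN address, 192.168.1.1 the LAN address, matching the first post's overrides.
BEFORE_CONF = """\
server:
    interface: 127.0.0.1
    interface: 192.168.1.1
    outgoing-interface: 203.0.113.5
    outgoing-interface: 127.0.0.1
forward-zone:
    name: "domain.local."
    forward-addr: 192.168.1.2
forward-zone:
    name: "domain.lan."
    forward-addr: 192.168.5.2
"""

# The same resolver after "Outgoing Network Interfaces" is set to LAN and localhost.
AFTER_CONF = BEFORE_CONF.replace("outgoing-interface: 203.0.113.5",
                                 "outgoing-interface: 192.168.1.1")

# Assumed IPsec Phase 2 selectors as (local network, remote network):
# our LAN on this side, the sister company's LAN on the far side.
PHASE2 = [("192.168.1.0/24", "192.168.5.0/24")]


def parse_unbound(text):
    """Return (outgoing_addrs, forward_zones) from an unbound.conf fragment.

    forward_zones is a list of {"name": ..., "addrs": [...]}; names are lower-cased
    with any trailing dot stripped, so "x.lan" and "x.lan." compare equal.
    """
    outgoing, zones, zone = [], [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if line.endswith(":") and " " not in line:  # clause header: server:, forward-zone:
            zone = {"name": None, "addrs": []} if line == "forward-zone:" else None
            if zone is not None:
                zones.append(zone)
            continue
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip().strip('"')
        if key == "outgoing-interface":
            outgoing.append(val)
        elif zone is not None and key == "name":
            zone["name"] = val.rstrip(".").lower()
        elif zone is not None and key == "forward-addr":
            zone["addrs"].append(val.split("@", 1)[0])  # drop an optional @port suffix
    return outgoing, zones


def check_override(forward_addr, outgoing, phase2):
    """Classify one override target as "ok", "flaky" or "broken" with a reason.

    A query the firewall sends to a host behind the tunnel is only matched by the
    IPsec policy when its source is inside the Phase 2 local network, so every
    non-loopback outgoing-interface Unbound may choose must be inside that network.
    """
    target = ipaddress.ip_address(forward_addr)
    for local_net, remote_net in phase2:
        if target not in ipaddress.ip_network(remote_net):
            continue
        local = ipaddress.ip_network(local_net)
        candidates = [a for a in outgoing if not ipaddress.ip_address(a).is_loopback]
        if not candidates:
            return "broken", (f"no outgoing-interface pinned; the kernel sources the query "
                              f"from the default-route interface, outside {local_net}")
        inside = [a for a in candidates if ipaddress.ip_address(a) in local]
        outside = [a for a in candidates if ipaddress.ip_address(a) not in local]
        if not inside:
            return "broken", (f"no outgoing-interface inside {local_net}; queries to "
                              f"{forward_addr} leave with a source the tunnel does not carry")
        if outside:
            return "flaky", (f"{', '.join(outside)} outside {local_net}; queries Unbound "
                             f"happens to source from there bypass the tunnel")
        return "ok", f"sourced from {', '.join(inside)} inside {local_net}"
    return "ok", "target is not behind an IPsec Phase 2; normal routing applies"


def audit(conf_text, phase2=PHASE2):
    """Map every forward-zone name to its (status, detail)."""
    outgoing, zones = parse_unbound(conf_text)
    return {z["name"]: check_override(a, outgoing, phase2)
            for z in zones for a in z["addrs"]}


if __name__ == "__main__":
    for label, conf in (("before", BEFORE_CONF), ("after", AFTER_CONF)):
        for name, (status, detail) in audit(conf).items():
            print(f"{label:6} {name:13} {status:6} {detail}")
```

                  Feed it the generated unbound.conf from the box and the local/remote networks of your Phase 2 entries; the "flaky" verdict is the case to watch for, since Unbound spreads queries across all listed outgoing interfaces and a mixed WAN-plus-LAN list fails only some of the time.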

                    I am so glad I finally found this thread. I was using pfBlockerNG before, but just for country blocking. I decided to start using DNSBL, but that required my remote sites to switch from DNS Forwarder to DNS resolver, but when I did that the internal DNS broke. I had searched with the wrong keywords I guess before, but this one was a lifesaver! Thanks for these suggestions that fixed my DNS problems!

© 2021 Rubicon Communications, LLC