Upgrade to 2.3.2 breaks OpenVPN DNS resolution for private networks
-
We recently upgraded from 2.3 to 2.3.2 and found that after the upgrade, our OpenVPN connections could not resolve DNS for local private hosts. Everything else worked just fine. What we found was a single uncommented line in the /usr/local/etc/dnsmasq.conf file (keyword "local-service") and commenting that line out and restarting fixed the issue.
Did I do something wrong, or is this a bug?
Thanks!
-
Actually I think the way it was before was broken and what you are seeing as it being broken is actually fixage. Utilizing the local DNS can be a security hole to VPN clients. Local DNS may not be trustworthy and if compromised could direct even VPN clients to malicious sites.
-
I looked at the release notes for 2.3.1 and 2.3.2 and I didn't see anything about any dnsmasq config changes. I would expect a change like this to be documented in the release notes, but perhaps I missed it.
In our setup, we are pointing our VPN clients at the DNS server on the pfsense firewall. So it is hard for me to understand how this could possibly be a security hole. If people point their VPN clients at insecure DNS servers, then they deserve the result.
How would you suggest doing internal name resolution for private IP space, if not by utilizing the DNS forwarding functionality of pfsense?
-
local-service
What does that have to do with resolving local hosts? That has to do with if dnsmasq will answer you at all..
Accept DNS queries only from hosts whose address is on a local
subnet, ie a subnet for which an interface exists on the server.
This option only has effect if there are no --interface,
--except-interface, --listen-address or --auth-server options.
local-service
That did not change from 2.3 to 2.3.2, why would they have changed that?? It has always been that way..
Did you maybe change your interfaces from all to specific ones, or enable strict binding? What IP do you hand out to your vpn users to use?
I use the resolver, which has an acl that you have to add your vpn tunnel networks to.. But when I get to work later I will switch over to the dnsforwarder and test.. leaving that config item in there, etc.
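To make the quoted local-service rule concrete, here is an added example (not code from this thread and not dnsmasq's own implementation) that models the decision in Python: a query is answered only when the client's source address is on a subnet for which the server has an interface, and the option is ignored when any of the binding options from the man page is set. The interface names and addresses are constructed sample values.

```python
import ipaddress
from typing import Dict, Iterable, List

# Simplified model of dnsmasq's "local-service" rule as quoted from the man
# page. Example code, not dnsmasq's implementation. Interface names and
# addresses below are constructed samples: a LAN on 192.168.1.1/24 and an
# OpenVPN tun interface on 10.8.0.1/24.
INTERFACES: Dict[str, str] = {
    "em1": "192.168.1.1/24",
    "ovpns1": "10.8.0.1/24",
}

# Options that, per the man page, make local-service have no effect.
DISABLING_OPTIONS = {
    "--interface", "--except-interface", "--listen-address", "--auth-server",
}


def local_subnets(interfaces: Dict[str, str]) -> List[ipaddress.IPv4Network]:
    """Return the subnet that each configured interface address lies on."""
    return [ipaddress.ip_interface(a).network for a in interfaces.values()]


def answers_query(client_ip: str, interfaces: Dict[str, str],
                  local_service: bool = True,
                  binding_options: Iterable[str] = ()) -> bool:
    """Decide whether the modelled server answers a query from client_ip.

    local_service=False corresponds to commenting the line out, as the
    original poster did. binding_options lists any dnsmasq options in use
    that disable local-service (see DISABLING_OPTIONS).
    """
    if not local_service or DISABLING_OPTIONS.intersection(binding_options):
        # local-service is absent or ineffective: no source-subnet filter.
        return True
    client = ipaddress.ip_address(client_ip)
    # Effective local-service: answer only from a subnet an interface is on.
    return any(client in net for net in local_subnets(interfaces))
```

A VPN client on the tunnel subnet is "local" only while an interface for that subnet exists; without it, or if the tunnel network is not one dnsmasq has an interface on, the query is refused rather than failing to resolve.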