Netgate Discussion Forum
    Upgrade to 2.3.2 breaks OpenVPN DNS resolution for private networks

    Problems Installing or Upgrading pfSense Software
    4 Posts 3 Posters 1.2k Views

    rhaskins

      We recently upgraded from 2.3 to 2.3.2 and found that after the upgrade, our OpenVPN connections could not resolve DNS for local private hosts. Everything else worked just fine. What we found was a single uncommented line in the /usr/local/etc/dnsmasq.conf file (keyword "local-service") and commenting that line out and restarting fixed the issue.

      Did I do something wrong, or is this a bug?

      Thanks!

    NOYB

        Actually I think the way it was before was broken and what you are seeing as it being broken is actually fixage.  Utilizing the local DNS can be a security hole to VPN clients.  Local DNS may not be trustworthy and if compromised could direct even VPN clients to malicious sites.

    rhaskins

          I looked at the release notes for 2.3.1 and 2.3.2 and I didn't see anything about any dnsmasq config changes. I would expect a change like this to be documented in the release notes, but perhaps I missed it.

          In our setup, we are pointing our VPN clients at the DNS server on the pfSense firewall. So it is hard for me to understand how this could possibly be a security hole. If people point their VPN clients at insecure DNS servers, then they deserve the result.

          How would you suggest doing internal name resolution for private IP space, if not by utilizing the DNS forwarding functionality of pfSense?

    johnpoz (LAYER 8 Global Moderator)

            local-service

            What does that have to do with resolving local hosts?  That has to do with if dnsmasq will answer you at all..

            local-service
            Accept DNS queries only from hosts whose address is on a local subnet, ie a subnet for which an interface exists on the server. This option only has effect if there are no --interface, --except-interface, --listen-address or --auth-server options.

            That did not change from 2.3 to 2.3.2; why would they have changed that??  It has always been that way..

            Did you maybe change your interfaces from all to specific ones, or enable strict binding?  What IP do you hand out to your vpn users to use?

            I use the resolver, which has an ACL that you have to add your VPN tunnel networks to..  But when I get to work later I will switch over to the DNS forwarder and test.. leaving that config item in there, etc.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 25.07 | Lab VMs 2.8, 25.07

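To make the man page rule johnpoz quotes concrete, here is a small model of the `local-service` decision. It is an added example, not dnsmasq's or pfSense's code and not a diagnosis of rhaskins' setup; the `DnsmasqConfig` class, the `would_answer` and `triage` helpers, and every subnet and address in it are constructed for illustration. It models only the source-address rule and the four options that make it inert (whether dnsmasq listens on a given interface at all is a separate binding question), and it shows why the option exists as a safe default: a forwarder that only serves addresses on its own subnets cannot be used by arbitrary Internet hosts as a DNS amplification reflector.

```python
"""Model of dnsmasq's `local-service` rule as described in the man page
excerpt quoted in this thread. Added example: not dnsmasq's or pfSense's
code; all subnets and addresses below are constructed sample data."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class DnsmasqConfig:
    # Subnets for which an interface exists on the server (e.g. LAN, OpenVPN tun).
    interface_subnets: List[str]
    # True when `local-service` is present (uncommented) in dnsmasq.conf.
    local_service: bool = False
    # Per the man page, any of these four options makes local-service a no-op.
    interface: List[str] = field(default_factory=list)
    except_interface: List[str] = field(default_factory=list)
    listen_address: List[str] = field(default_factory=list)
    auth_server: Optional[str] = None


def local_service_active(cfg: DnsmasqConfig) -> bool:
    """local-service only has effect when none of the binding options are set."""
    overridden = bool(cfg.interface or cfg.except_interface
                      or cfg.listen_address or cfg.auth_server)
    return cfg.local_service and not overridden


def would_answer(cfg: DnsmasqConfig, src_ip: str) -> bool:
    """True if the local-service rule lets dnsmasq accept a query from src_ip.

    With local-service active, only sources on a subnet that exists on one of
    the server's interfaces are served; any other source is silently ignored.
    Interface binding itself (which interfaces receive packets) is out of scope.
    """
    if not local_service_active(cfg):
        return True
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(net, strict=False)
               for net in cfg.interface_subnets)


def triage(cfg: DnsmasqConfig, src_ips: List[str]) -> dict:
    """Map each source address to 'served' or 'ignored' for a quick diagnosis."""
    return {ip: ("served" if would_answer(cfg, ip) else "ignored")
            for ip in src_ips}


if __name__ == "__main__":
    # Constructed sample: a LAN subnet and an OpenVPN tunnel network, both of
    # which exist as interfaces on the firewall, with local-service enabled.
    cfg = DnsmasqConfig(interface_subnets=["192.168.1.0/24", "10.8.0.0/24"],
                        local_service=True)
    clients = [
        "192.168.1.20",  # LAN host
        "10.8.0.6",      # road-warrior client querying from its tunnel address
        "172.16.5.9",    # host on a remote LAN reached over the VPN: not a local subnet
        "203.0.113.7",   # arbitrary Internet source (documentation range): ignored
    ]
    for ip, verdict in triage(cfg, clients).items():
        print(f"{ip:>14}  {verdict}")

    # Any --interface option makes local-service inert, so the rule no longer
    # decides; only the listening configuration does.
    bound = DnsmasqConfig(interface_subnets=cfg.interface_subnets,
                          local_service=True, interface=["igb1"])
    print("local-service active with --interface igb1:", local_service_active(bound))
```

Running it shows that a remote-site host whose query arrives from an address outside every interface subnet is ignored while LAN and tunnel-address clients are served, which is the kind of table worth building from your real subnets and client addresses before commenting the line out.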
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.