Resolve hosts from second pfSense box?



  • Hey guys,

    I've trouble getting the following up and running.

    Situation:
    I've two pfSense boxes connected with site-to-site OpenVPN.
    Site A serving DHCP 10.0.0.0/24 to clients
    Site B serving DHCP 10.3.0.0/24 to clients

    Both pfSense boxes using the same internal domain.

    Clients can connect to each other using IPs, so VPN is fine.
    Clients can resolve hostnames of hosts in their site.

    Problem:
    Client in site A cannot resolve hostname of client in site B and vice versa.

    I'm using DNS Forwarder on both boxes. Access List is set to allow with IP from other site.

    Not sure how to forward DNS requests from one site to the other before asking public DNS?
    Maybe someone can help me here.

    Thanks
    regards


  • LAYER 8 Global Moderator

    They are using the same domain... As in AD, or just some domain name you came up with for pfSense?



  • Just a domain name for pfSense. All clients are Linux.


  • LAYER 8 Global Moderator

    I would say you have a couple of options then

    use different domains

    siteA.tld
    siteB.tld

    And domain overrides, or

    siteA.domain.tld
    siteB.domain.tld

    and domain overrides

    Your clients could then use search suffixes to query the different domains if looking for a hostname.

    Or if you really want to use the same domain name then you're going to need to use an authoritative dns where you can do zone transfers so that siteA ns for domain.tld is SOA and the other site has a secondary that has all the same records via zone transfer.

    Or you just use ns in 1 location and have both sites use that ns.



  • @johnpoz:

    I would say you have a couple of options then

    use different domains

    siteA.tld
    siteB.tld

    And domain overrides, or

    siteA.domain.tld
    siteB.domain.tld

    and domain overrides

    Your clients could then use search suffixes to query the different domains if looking for a hostname.

    Or if you really want to use the same domain name then you're going to need to use an authoritative dns where you can do zone transfers so that siteA ns for domain.tld is SOA and the other site has a secondary that has all the same records via zone transfer.

    Or you just use ns in 1 location and have both sites use that ns.

    OK, I've changed the sites' domains to

    siteA.domain.tld
    siteB.domain.tld

    On pfSense on siteA a domain override for siteB.domain.tld is added.
    The clients' resolv.conf looks like this:

    domain siteA.domain.tld
    nameserver 10.0.0.1

    ping hostname.siteB.domain.tld -> unknown host.

    As far as I understand, the pfSense box on siteA should forward this request to siteB because of the domain override?


  • LAYER 8 Global Moderator

    And what interfaces do you have on your resolver? You have to make sure that it can use an interface to get there. And you also need to make sure that the other unbound server ACL allows that remote IP, etc.



  • @johnpoz:

    And what interfaces do you have on your resolver? You have to make sure that it can use an interface to get there. And you also need to make sure that the other unbound server ACL allows that remote IP, etc.

    On both sites network and outgoing are set to ALL... also the ACLs are set to allow the network range of the other pfSense box.
    To get it right, in this scenario only one DNS server on siteA is enough? So a client from siteA will contact a client from siteB, the request is sent to pfSense siteA, and because of the domain override the siteA box forwards DNS to the siteB box (where the forwarder ACL is in place)?


  • LAYER 8 Global Moderator

    "So client from siteA will contact client from siteB and request is sent to pfsense SiteA"

    No, a client in site A would ask the resolver running in siteA: hey, you know the address for host.siteB.domain.tld? He would not have this address, so he would need to resolve it. So he would either ask roots for the authoritative ns for siteb.domain.tld, or if there is an override for what NS to talk to he would go ask that ns: hey, what is the IP of host.siteb.domain.tld?

    So your domain override in A needs to point to the IP address of pfSense B where the resolver is running. He needs to know how to get there, from the pfSense itself. And then your ACL on pfSense B would need to allow the IP that site A pfSense would be doing the query from. This IP should be the IP pfSense has from the tunnel network you're using. The ACL on your pfSense B does not need to include the siteA network unless you wanted clients to be able to directly query. But he would need to allow the IP that pfSense would be talking to site B from.
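    The two pfSense settings described above (a domain override on A, an access list on B) are ultimately just Unbound directives. The following is an added illustration, not configuration from the thread or from pfSense's own generated files (pfSense writes these into its own unbound.conf layout, which differs from this hand-written form). Assumed addresses: site A LAN 10.0.0.0/24, site B LAN 10.3.0.0/24, OpenVPN tunnel network 10.8.0.0/24 with pfSense A at 10.8.0.1 and pfSense B at 10.8.0.2; the hostnames and record data are made up.

```conf
# ---- pfSense A: resolver for sitea.domain.tld (assumed values) ----
server:
    # "Network Interfaces: All": listen on the LAN and on the tunnel interface
    interface: 0.0.0.0
    # Unbound refuses any source not listed here. A query forwarded by
    # pfSense B arrives from its tunnel IP 10.8.0.2, not from 10.3.0.0/24.
    access-control: 127.0.0.0/8 allow
    access-control: 10.0.0.0/24 allow
    access-control: 10.8.0.2/32 allow
    # This site's own hosts are served from local data
    local-zone: "sitea.domain.tld." transparent
    local-data: "host1.sitea.domain.tld. IN A 10.0.0.10"
    # Needed only if DNSSEC validation is enabled: the private zone on the
    # other side is unsigned and would otherwise fail validation
    domain-insecure: "siteb.domain.tld."

# Domain override: names under siteb.domain.tld are asked of pfSense B.
# The query leaves A from 10.8.0.1 because 10.8.0.2 is reached via the tunnel.
forward-zone:
    name: "siteb.domain.tld."
    forward-addr: 10.8.0.2

# ---- pfSense B: resolver for siteb.domain.tld (assumed values) ----
server:
    interface: 0.0.0.0
    access-control: 127.0.0.0/8 allow
    access-control: 10.3.0.0/24 allow
    # pfSense A forwards from its tunnel IP 10.8.0.1. Allowing only
    # 10.0.0.0/24 here leaves that source refused, which the client
    # sees as "unknown host".
    access-control: 10.8.0.1/32 allow
    local-zone: "siteb.domain.tld." transparent
    local-data: "host2.siteb.domain.tld. IN A 10.3.0.20"
    domain-insecure: "sitea.domain.tld."

forward-zone:
    name: "sitea.domain.tld."
    forward-addr: 10.8.0.1
```

    To confirm which source address the forwarder actually uses, run a lookup for a siteB name from a site A client while watching the DNS traffic on pfSense B's tunnel interface; the source of the forwarded query is the address the access list must contain.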



  • @johnpoz:

    "So client from siteA will contact client from siteB and request is sent to pfsense SiteA"

    No, a client in site A would ask the resolver running in siteA: hey, you know the address for host.siteB.domain.tld? He would not have this address, so he would need to resolve it. So he would either ask roots for the authoritative ns for siteb.domain.tld, or if there is an override for what NS to talk to he would go ask that ns: hey, what is the IP of host.siteb.domain.tld?

    So your domain override in A needs to point to the IP address of pfSense B where the resolver is running. He needs to know how to get there, from the pfSense itself. And then your ACL on pfSense B would need to allow the IP that site A pfSense would be doing the query from. This IP should be the IP pfSense has from the tunnel network you're using. The ACL on your pfSense B does not need to include the siteA network unless you wanted clients to be able to directly query. But he would need to allow the IP that pfSense would be talking to site B from.

    Awesome... the IP from the site-to-site VPN tunnel was the hint. I always entered the other site's subnet instead of the VPN network IP in the ACLs. Also had to add the domains to the search list.

    Thanks johnpoz!!!


  • LAYER 8 Global Moderator

    Yeah, if you add the other domain to the search list then a client could just look for host. It would auto add sitea.domain.tld and siteb.domain.tld; when it asks for sitea.domain.tld it would get back NX, sorry no host here by that name, then when it asks for hostb.siteb.domain.tld he would say oh, I don't have anyone here by that name, but let me go ask this guy: hey guy, you have a host.siteb.domain.tld?
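    The client side of that search-suffix walk, as an added example that is not from the thread (addresses assumed, as above). One caveat worth knowing: in glibc's resolv.conf the `domain` and `search` keywords are mutually exclusive and the last one wins, so the `domain siteA.domain.tld` line posted earlier must be replaced by a single `search` line rather than kept alongside it.

```conf
# /etc/resolv.conf on a client in site A (added example, assumed values)
# One "search" line only; its first entry also serves as the local domain.
search sitea.domain.tld siteb.domain.tld
nameserver 10.0.0.1

# With the default "options ndots:1", a bare name such as "host" (zero dots)
# is tried with the search suffixes in order before being sent as typed:
#   host.sitea.domain.tld -> NXDOMAIN from 10.0.0.1's own local data
#   host.siteb.domain.tld -> forwarded by 10.0.0.1 to pfSense B (domain override)
# A fully qualified name ending in "." skips the search list entirely.
```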

