Netgate Discussion Forum
    How to get separate DNS for "OpenVPN subnets" and "ISP subnets"?

    OpenVPN
    9 Posts 3 Posters 1.7k Views
      Ip Man

      In my network I have subnets with direct access to Internet via ISP and also subnets with Internet access via a VPN service provider running OpenVPN. Currently the system has encrypted access to DNS via my VPN service provider and I use their DNS servers. I also have the Unbound DNS resolver running.

      If the VPN service or connection to ISP goes down for some reason then access to Internet is lost on all subnets because the connection to the DNS servers is broken. I have to restart the OpenVPN client to get Internet access again.

      I want this behaviour only for the VPN-subnets and not for the ISP subnets. I don't want the computers with direct ISP connection to be affected if VPN connection is lost. Can I have the DNS resolver working only on the ISP-subnets or do I have to specify DNS servers for each and every subnet? What is the best way to solve this problem?

        TheNarc

        I'm not sure how large of a network you're administering, so this may or may not be an option for you, but I use static mappings in the DHCP server for all clients that I want to exclude from the VPN.  In those same static mappings, you can optionally assign DNS servers that override whatever the system default DNS settings are.  This works for me, although I'm dealing with a small home network and realize this approach wouldn't scale well to a much larger network.

          Ip Man

          @TheNarc:

          I'm not sure how large of a network you're administering, so this may or may not be an option for you, but I use static mappings in the DHCP server for all clients that I want to exclude from the VPN.  In those same static mappings, you can optionally assign DNS servers that override whatever the system default DNS settings are.  This works for me, although I'm dealing with a small home network and realize this approach wouldn't scale well to a much larger network.

          This is just a small home network with two LANs, two WLANs and a DMZ. I am trying your solution and it appears to be working. I'm a bit puzzled about the function of the DNS resolver in my system. I have it enabled by default. Should I turn it off?  Maybe it is possible to use it on just the ISP subnets?

            TheNarc

            There shouldn't be any need to turn off the resolver, but you want to make sure that in its "outgoing network interfaces" area, only your VPN interface(s) is/are selected.  At least, that's how I have it set up.  So the resolver only contacts authoritative root servers via the VPN tunnel, and all clients on your LAN use the resolver (i.e. the pfSense box itself) as their DNS server except for those clients that you have explicitly excluded from the VPN by way of static mappings in the DHCP server, which instead use the DNS server(s) that you have configured for them in those static mappings.

            Two other things to be aware of though:

            1.  When you tell your resolver it must only use your VPN interface(s) for outgoing traffic, you lose the ability to bring up your VPN client connections if you specified host names instead of IPs in their configurations.  This isn't a big deal in my experience, but if you've currently got host names in there you'll need to put in the raw IPs instead.

            2.  When the resolver is configured to use VPN interfaces for outgoing traffic, a race condition occurs on startup.  See this bug:  https://redmine.pfsense.org/issues/6186  What this means in practice (or at least in my experience) is that when your pfSense machine is restarted, the resolver will come up before your VPN clients have connected and will default its outgoing interface settings to "all interfaces".  All you need to do to correct this is go to the resolver's settings page, click on Save, and then Apply Changes.  This may or may not be acceptable to you.  In my case, I almost never need to restart my pfSense box, so it's not a huge deal.  On the other hand, it's a burden to remember that extra step, because otherwise your DNS queries will not be going out exclusively by way of your VPN.

              Ip Man

              @TheNarc:

              There shouldn't be any need to turn off the resolver, but you want to make sure that in its "outgoing network interfaces" area, only your VPN interface(s) is/are selected.  At least, that's how I have it set up.  So the resolver only contacts authoritative root servers via the VPN tunnel, and all clients on your LAN use the resolver (i.e. the pfSense box itself) as their DNS server except for those clients that you have explicitly excluded from the VPN by way of static mappings in the DHCP server, which instead use the DNS server(s) that you have configured for them in those static mappings.

              Two other things to be aware of though:

              1.  When you tell your resolver it must only use your VPN interface(s) for outgoing traffic, you lose the ability to bring up your VPN client connections if you specified host names instead of IPs in their configurations.  This isn't a big deal in my experience, but if you've currently got host names in there you'll need to put in the raw IPs instead.

              2.  When the resolver is configured to use VPN interfaces for outgoing traffic, a race condition occurs on startup.  See this bug:  https://redmine.pfsense.org/issues/6186  What this means in practice (or at least in my experience) is that when your pfSense machine is restarted, the resolver will come up before your VPN clients have connected and will default its outgoing interface settings to "all interfaces".  All you need to do to correct this is go to the resolver's settings page, click on Save, and then Apply Changes.  This may or may not be acceptable to you.  In my case, I almost never need to restart my pfSense box, so it's not a huge deal.  On the other hand, it's a burden to remember that extra step, because otherwise your DNS queries will not be going out exclusively by way of your VPN.

              In my system the resolver doesn't appear to do anything useful. In General Setup I have the two DNS Servers from my VPN service provider and the OpenVPN gateway. For the subnets without VPN I specify another DNS (OpenDNS) in the DHCP server as recommended in the previous post. I would rather use the resolver for the non VPN subnets but I don't know how to accomplish that.

                jahonix

                You have to assign DNS services on their respective config pages to interfaces.

                  Ip Man

                  @jahonix:

                  You have to assign DNS services on their respective config pages to interfaces.

                  By "their" I suppose you are referring to the subnets not using the VPN service. What "config pages" do you mean? The Interface menu? I find nothing related to DNS there.

                    TheNarc

                    I may be wrong about this, but I believe that if you have either the DNS resolver (unbound) or the DNS forwarder (dnsmasq) enabled, then your clients will be handed the IP of your pfSense machine's LAN interface by default to use as a DNS server (e.g. 192.168.1.1).  If the resolver is enabled, then queries will be handled by the pfSense machine contacting authoritative root servers.  If the forwarder is enabled, then queries will be handled via the DNS server(s) you have configured on the "System > General Setup" page.  If neither the resolver nor the forwarder is enabled, then I believe clients will be directly handed the IPs of the DNS server(s) you have configured on the "System > General Setup" page.  But I've never tried that; pfSense may enforce that either the resolver or the forwarder is enabled.  In any case, I believe you can always supersede DNS server assignment on a per-client basis by way of DHCP static mappings.  If you want to use the resolver only for non-VPN traffic, then I believe you would need to enable it and configure the "outgoing interfaces" to be only your WAN interface.  Then, for any clients you want on the VPN, create DHCP static mappings that assign them both the VPN gateway and your VPN's DNS servers.

                      jahonix

                      @Ip:

                      By "their" I suppose you are referring to the subnets …

                      I'm referring to Services > DNS Resolver and Services > DNS Forwarder.
                      You have to pick the interfaces they serve.
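A defender-side check for the two resolver settings this thread turns on: the outgoing interface that TheNarc pins to the VPN (which the startup race in redmine 6186 can silently reset to "all interfaces") and the interfaces the resolver serves that jahonix points to. This is an added example, not code from the thread or from pfSense; it reads both values back with `unbound-control get_option` and fails when the outgoing interface is anything but the tunnel address or the served list contains an address outside the ISP-side set. The tunnel address 10.8.0.2, the served addresses 192.168.1.1 and 192.168.2.1, and the availability of `unbound-control` from the pfSense shell are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or pfSense): confirm Unbound is still
# pinned to the VPN tunnel for outgoing queries after a reboot (the race in
# redmine 6186 resets it to "all interfaces") and only serves the intended
# ISP-side interfaces. The addresses below are placeholders.

# check_outgoing EXPECTED ACTUAL
# 0 when ACTUAL (value of outgoing-interface) is exactly EXPECTED; 1 when it
# is empty (Unbound's "all interfaces") or lists any other address.
check_outgoing() {
    expected=$1
    actual=$2
    [ -n "$actual" ] || return 1
    for addr in $actual; do
        [ "$addr" = "$expected" ] || return 1
    done
    return 0
}

# check_served ALLOWED ACTUAL
# 0 when every address Unbound listens on (ACTUAL) is in ALLOWED, 1 otherwise;
# an address missing from ALLOWED means the resolver also serves a VPN subnet.
check_served() {
    for addr in $2; do
        case " $1 " in
            *" $addr "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

main() {
    tunnel_ip="10.8.0.2"              # placeholder: OpenVPN client tunnel IP
    allowed="192.168.1.1 192.168.2.1" # placeholder: ISP-side LAN addresses
    out=$(unbound-control get_option outgoing-interface 2>/dev/null)
    lst=$(unbound-control get_option interface 2>/dev/null)
    if check_outgoing "$tunnel_ip" "$out" && check_served "$allowed" "$lst"; then
        echo "ok: outgoing via $tunnel_ip; serving: $lst"
    else
        echo "WARNING: outgoing='$out' serving='$lst'; re-save and apply DNS Resolver settings" >&2
        return 1
    fi
}

# Run the live check only where unbound-control exists (e.g. on the pfSense box).
if command -v unbound-control >/dev/null 2>&1; then main; fi
```

If your generated unbound.conf writes listen addresses as ip@port, put that form in the allowed list; a non-zero exit is the cue to re-save and apply the DNS Resolver page as TheNarc describes.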
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.