DNS Resolver not working as expected

abockhold · Nov 6, 2017, 3:20 PM

Hello,

I've got two branch offices A and B (both on 2.3.3-RELEASE-p1) connected via OpenVPN to a central VPN concentrator (2.4.1-RELEASE). Routing and firewalling is ok, ping works from both offices to each other and to the concentrator. On both sides I have set up the DNS resolver with domain overrides to forward queries for the other office to its respective DNS server. Both offices show on the dashboard 127.0.0.1, 192.168.104.254 (office A) and 127.0.0.1, 192.168.105.254 (office B) respectively as DNS servers (in this order). 192.168.104.0/24 and 192.168.105.0/24 are the networks on the WAN (!) side.

Trying to resolve a local and a remote name from office A works. But from office B the resolving of a remote name fails.

I tried it on the console of pfSense with option 8 (Shell) and I get a correct answer on office A

nslookup
> dc01.officeb.lan
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   dc01.officeb.lan
Address: 192.168.5.1
>

On office B I get an error

nslookup
> dc01.officea.lan
Server:         192.168.105.254
Address:        192.168.105.254#53

** server can't find dc01.officea.lan: NXDOMAIN

Why does office B ask the upstream DNS and not the resolver on localhost? I think I should have configured both machines identitcal…

Thanks in advance!

johnpoz · Nov 6, 2017, 3:31 PM

those are both of pfsense boxes?

abockhold · Nov 6, 2017, 4:22 PM

All three are pfSense boxes - both branch offices and hub-and-spoke point.

johnpoz · Nov 6, 2017, 4:37 PM

well the 1 pfsense box that is not pointing to loopback 127.0.0.1 is not out of the box setup… Out of the box pfsense would run the resolver and point to itself (127.0.0.1)..

abockhold · Nov 6, 2017, 6:38 PM

Exactly! But unfortunately I have not knowingly configured "something strange". So the question is: how do I get this pfSense back to behave like out of the box? Thanks!

johnpoz · Nov 7, 2017, 9:14 AM

Do you have let dhcp dns overrride set?

abockhold · Nov 8, 2017, 6:23 AM

Which option do you mean exactly? I've had a look in the "DHCP Server" and "DNS Resolver" areas and I am not really sure? Thanks!

What I noticed now: after it first went ok on side office A it now stopped working and shows the same result as in office B. Unfortunately I did not change any settings in the meantime?!

Derelict · Nov 8, 2017, 7:40 AM

You have to set the source interface in the resolver to be something that is interesting to the other side (is an OpenVPN remote network there) so replies come back properly.

If it is a point-to-point OpenVPN you can probably assign an interface to the side receiving the query and make sure the traffic doesn't match the rules on the OpenVPN tab and use the benefit of reply-to to get the same result.

This is the one place where dnsmasq (DNS Forwarder) shines over unbound (DNS Resolver). You can set a source address of the DNS query on a per-domain-override basis.

abockhold · Nov 9, 2017, 6:44 PM

Thanks for your answer. Unfortunately I have to ask again as I'm too new to this stuff. I don't really understand what you are explaining to me.

As far as I understand you I have to correct the configuration of the DNS forwarder at office A and office B (the configuration on the VPN concentrator "hub" can be unchanged). Currently both "Network Interfaces" and "Outgoing Network Interfaces" are set to "All" at both offices.

The OpenVPN connection is indeed peer-to-peer between office A and the hub and office B and the hub each.

My problem seems to be that e.g. office B (LAN 192.168.5.0/24 with WAN address 192.168.105.1) does not direct it's DNS query into the tunnel but directly to it's uplink DNS server (which is 192.168.105.254).

Should I update pfSense (from 2.3.3-RELEASE-p1 to 2.4.1-RELEASE)? Might that help?

Thanks for your patience!