DNS Resolver not working as expected

  • Hello,

    I've got two branch offices A and B (both on 2.3.3-RELEASE-p1) connected via OpenVPN to a central VPN concentrator (2.4.1-RELEASE). Routing and firewalling is ok, ping works from both offices to each other and to the concentrator. On both sides I have set up the DNS resolver with domain overrides to forward queries for the other office to its respective DNS server. Both offices show on the dashboard, (office A) and, (office B) respectively as DNS servers (in this order). and are the networks on the WAN (!) side.

    Trying to resolve a local and a remote name from office A works. But from office B the resolving of a remote name fails.

    I tried it on the console of pfSense with option 8 (Shell) and I get a correct answer on office A

    > dc01.officeb.lan
    Non-authoritative answer:
    Name:   dc01.officeb.lan

    On office B I get an error

    > dc01.officea.lan
    ** server can't find dc01.officea.lan: NXDOMAIN

    Why does office B ask the upstream DNS and not the resolver on localhost? I think I should have configured both machines identitcal…

    Thanks in advance!

  • LAYER 8 Global Moderator

    those are both of pfsense boxes?

  • All three are pfSense boxes - both branch offices and hub-and-spoke point.

  • LAYER 8 Global Moderator

    well the 1 pfsense box that is not pointing to loopback is not out of the box setup… Out of the box pfsense would run the resolver and point to itself (

  • Exactly! But unfortunately I have not knowingly configured "something strange". So the question is: how do I get this pfSense back to behave like out of the box? Thanks!

  • LAYER 8 Global Moderator

    Do you have let dhcp dns overrride set?

  • Which option do you mean exactly? I've had a look in the "DHCP Server" and "DNS Resolver" areas and I am not really sure? Thanks!

    What I noticed now: after it first went ok on side office A it now stopped working and shows the same result as in office B. Unfortunately I did not change any settings in the meantime?!

  • LAYER 8 Netgate

    You have to set the source interface in the resolver to be something that is interesting to the other side (is an OpenVPN remote network there) so replies come back properly.

    If it is a point-to-point OpenVPN you can probably assign an interface to the side receiving the query and make sure the traffic doesn't match the rules on the OpenVPN tab and use the benefit of reply-to to get the same result.

    This is the one place where dnsmasq (DNS Forwarder) shines over unbound (DNS Resolver). You can set a source address of the DNS query on a per-domain-override basis.

  • Thanks for your answer. Unfortunately I have to ask again as I'm too new to this stuff. I don't really understand what you are explaining to me.

    As far as I understand you I have to correct the configuration of the DNS forwarder at office A and office B (the configuration on the VPN concentrator "hub" can be unchanged). Currently both "Network Interfaces" and "Outgoing Network Interfaces" are set to "All" at both offices.

    The OpenVPN connection is indeed peer-to-peer between office A and the hub and office B and the hub each.

    My problem seems to be that e.g. office B (LAN with WAN address does not direct it's DNS query into the tunnel but directly to it's uplink DNS server (which is

    Should I update pfSense (from 2.3.3-RELEASE-p1 to 2.4.1-RELEASE)? Might that help?

    Thanks for your patience!

Log in to reply