Netgate Discussion Forum

    DNS Resolver fails when IPsec VPN is connected

    DHCP and DNS
    • zMaliz

      Hi
      I have DNS Resolver installed and running.
      The dashboard shows my DNS server as 127.0.0.1

      DNS Resolver is configured for All internal and external interfaces.
      As far as I can tell DNS resolves correctly until my IPsec VPN connects.

      The VPN is connecting me to the office, which seems to work well. I have rules allowing several devices to route from the LAN to the office, but all other devices are blocked from the VPN.

      On the IPsec rules I have allowed access to specific devices and all others are blocked.

      Once the VPN connects, DNS fails to resolve.
      Can anyone suggest what to check and how to resolve this?

      Thanks

      • Derelict (LAYER 8, Netgate)

        What are your IPsec traffic selectors (phase 2 networks)?

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • zMaliz

          Thanks for the reply. I'm not sure what you need.

          Phase 2 is configured as:

          Tunnel IPv4
          LAN Subnet
          NAT/BINAT none

          Network 192.168.9.0/24
          Protocol ESP
          AES 256bits SHA1

          Is that what is needed?
          Thanks

          • Derelict (LAYER 8, Netgate)

            Yeah. That shouldn't impact DNS resolver at all.


            • zMaliz

              Any idea why this doesn't work?
              I can get logs tomorrow if that helps.

              Thanks

              • Derelict (LAYER 8, Netgate)

                What logs?

                Do basic DNS troubleshooting and see where the failure is.

                dig/drill are your friends there.


                • zMaliz
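Derelict's "basic DNS troubleshooting" advice, written out as a script. This is an added example, not code from the thread or from Netgate: it assumes dig is on the PATH (it ships with pfSense), that the local resolver is 127.0.0.1 as on the poster's dashboard, and it uses bbc.co.uk and 8.8.8.8 only because the thread does. The sockstat step is FreeBSD/pfSense-specific and is skipped where the command is absent.

```shell
#!/bin/sh
# Added example (not from the thread): run the basic DNS checks with dig and
# classify each result so the failing hop is obvious: local Unbound on
# 127.0.0.1 versus the direct path to an upstream resolver over the WAN.
# Usage: sh dns-triage.sh --run [name] [upstream]   (defaults: bbc.co.uk, 8.8.8.8)

# classify_dig: read dig output on stdin and print one token:
#   timeout | servfail | refused | nxdomain | ok:<answer count> | unknown
classify_dig() {
    out=$(cat)
    case "$out" in
        *"connection timed out"*) echo timeout ;;
        *"status: SERVFAIL"*)     echo servfail ;;
        *"status: REFUSED"*)      echo refused ;;
        *"status: NXDOMAIN"*)     echo nxdomain ;;
        *"status: NOERROR"*)
            # pull the count out of the "flags: ... ANSWER: 4, ..." line
            n=$(printf '%s\n' "$out" | sed -n 's/.*ANSWER: \([0-9][0-9]*\),.*/\1/p')
            echo "ok:${n:-0}" ;;
        *)                        echo unknown ;;
    esac
}

# diagnose LOCAL UPSTREAM: combine the two classifications into a verdict.
# Output is "<code> <explanation>"; the first word is the machine-readable code.
diagnose() {
    case "$1/$2" in
        ok:*/*)        echo "fine the local resolver answers; look at client DNS settings and firewall rules instead" ;;
        timeout/ok:*)  echo "resolver-down nothing answers on 127.0.0.1 while the upstream does: check that unbound is running and which interfaces it is bound to" ;;
        servfail/ok:*) echo "no-recursion unbound answers but cannot reach authoritative servers: check its outgoing interface and the firewall's routes" ;;
        timeout/*|servfail/*)
                       echo "no-path neither the local resolver nor the upstream answers: check WAN connectivity and whether the VPN changed the routing" ;;
        *)             echo "unclear local=$1 upstream=$2: read the raw dig output" ;;
    esac
}

# query SERVER NAME: ask one server with a short timeout so a dead resolver fails fast.
query() {
    dig +time=2 +tries=1 @"$1" "$2" A 2>&1 | classify_dig
}

run_checks() {
    name=${1:-bbc.co.uk}     # the name used in the thread
    upstream=${2:-8.8.8.8}   # a resolver reached directly over the WAN, as in the thread
    # On pfSense (FreeBSD) sockstat shows what is bound to port 53; skipped elsewhere.
    if command -v sockstat >/dev/null 2>&1; then
        echo "== listeners on port 53"; sockstat -l -p 53
    fi
    l=$(query 127.0.0.1 "$name")
    u=$(query "$upstream" "$name")
    echo "local 127.0.0.1 -> $l"
    echo "upstream $upstream -> $u"
    diagnose "$l" "$u"
}

# Only perform live queries when asked to, so the functions can also be sourced.
case "${1:-}" in --run) run_checks "$2" "$3" ;; esac
```

Run it from an SSH session on the firewall, the way the poster did the manual tests. A "resolver-down" verdict means the thing to inspect is which addresses Unbound is listening on (the Network Interfaces setting the original poster later changed); a result that flips from timeout to ok:4 between runs with no configuration change, as happened in the thread, points at something changing underneath the resolver (Derelict's guess was routing) rather than at the queries themselves.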

                  For a test I've disabled the IPsec VPN and restarted DNS Resolver.

                  I still don't get any resolution using the server address as 127.0.0.1
                  All testing is done via SSH direct on the pfSense server.

                  dig bbc.co.uk
                  ; <<>> DiG 9.11.1-P1 <<>> bbc.co.uk
                  ;; global options: +cmd
                  ;; connection timed out; no servers could be reached

                  drill bbc.co.uk
                  Error: error sending query: Could not send or receive, because of network error

                  nslookup

                  server 8.8.8.8
                  Default server: 8.8.8.8
                  Address: 8.8.8.8#53

                  bbc.co.uk
                  Server:        8.8.8.8
                  Address:        8.8.8.8#53

                  Non-authoritative answer:
                  Name:  bbc.co.uk
                  Address: 151.101.128.81
                  Name:  bbc.co.uk
                  Address: 151.101.192.81
                  Name:  bbc.co.uk
                  Address: 151.101.0.81
                  Name:  bbc.co.uk
                  Address: 151.101.64.81
                  Name:  bbc.co.uk
                  Address: 2a04:4e42:200::81
                  Name:  bbc.co.uk
                  Address: 2a04:4e42::81
                  Name:  bbc.co.uk
                  Address: 2a04:4e42:400::81
                  Name:  bbc.co.uk
                  Address: 2a04:4e42:600::81

                  server 127.0.0.1
                  Default server: 127.0.0.1
                  Address: 127.0.0.1#53
                  bbc.co.uk
                  ;; connection timed out; no servers could be reached

                  After a couple of minutes DNS resolves and NOTHING has been changed.

                  dig bbc.co.uk

                  ; <<>> DiG 9.11.1-P1 <<>> bbc.co.uk
                  ;; global options: +cmd
                  ;; Got answer:
                  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30606
                  ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 1

                  ;; OPT PSEUDOSECTION:
                  ; EDNS: version: 0, flags:; udp: 4096
                  ;; QUESTION SECTION:
                  ;bbc.co.uk.                    IN      A

                  ;; ANSWER SECTION:
                  bbc.co.uk.              47      IN      A      151.101.64.81
                  bbc.co.uk.              47      IN      A      151.101.128.81
                  bbc.co.uk.              47      IN      A      151.101.0.81
                  bbc.co.uk.              47      IN      A      151.101.192.81

                  ;; AUTHORITY SECTION:
                  bbc.co.uk.              19      IN      NS      ns3.bbc.co.uk.
                  bbc.co.uk.              19      IN      NS      ns4.bbc.co.uk.
                  bbc.co.uk.              19      IN      NS      ns3.bbc.net.uk.
                  bbc.co.uk.              19      IN      NS      ns4.bbc.net.uk.

                  ;; Query time: 0 msec
                  ;; SERVER: 127.0.0.1#53(127.0.0.1)
                  ;; WHEN: Tue Jan 02 22:42:52 GMT 2018
                  ;; MSG SIZE  rcvd: 182

                  drill bbc.co.uk

                  ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 64161
                  ;; flags: qr rd ra ; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 0
                  ;; QUESTION SECTION:
                  ;; bbc.co.uk.  IN      A

                  ;; ANSWER SECTION:
                  bbc.co.uk.      40      IN      A      151.101.64.81
                  bbc.co.uk.      40      IN      A      151.101.128.81
                  bbc.co.uk.      40      IN      A      151.101.0.81
                  bbc.co.uk.      40      IN      A      151.101.192.81

                  ;; AUTHORITY SECTION:
                  bbc.co.uk.      12      IN      NS      ns3.bbc.co.uk.
                  bbc.co.uk.      12      IN      NS      ns4.bbc.co.uk.
                  bbc.co.uk.      12      IN      NS      ns3.bbc.net.uk.
                  bbc.co.uk.      12      IN      NS      ns4.bbc.net.uk.

                  ;; ADDITIONAL SECTION:

                  ;; Query time: 0 msec
                  ;; SERVER: 127.0.0.1
                  ;; WHEN: Tue Jan  2 22:42:59 2018
                  ;; MSG SIZE  rcvd: 171

                  nslookup

                  server 127.0.0.1
                  Default server: 127.0.0.1
                  Address: 127.0.0.1#53
                  bbc.co.uk
                  Server:        127.0.0.1
                  Address:        127.0.0.1#53

                  Non-authoritative answer:
                  Name:  bbc.co.uk
                  Address: 151.101.64.81
                  Name:  bbc.co.uk
                  Address: 151.101.128.81
                  Name:  bbc.co.uk
                  Address: 151.101.0.81
                  Name:  bbc.co.uk
                  Address: 151.101.192.81
                  Name:  bbc.co.uk
                  Address: 2a04:4e42:600::81
                  Name:  bbc.co.uk
                  Address: 2a04:4e42::81
                  Name:  bbc.co.uk
                  Address: 2a04:4e42:200::81
                  Name:  bbc.co.uk
                  Address: 2a04:4e42:400::81

                  Can you advise how I look into this further to see why it stopped and then started resolving DNS?

                  Thanks

                  • Derelict (LAYER 8, Netgate)

                    No idea. Something in your routing changing, perhaps. What are the WAN settings? Any Multi-WAN? What are your DNS Resolver settings?


                    • zMaliz

                      I made a slight change to the DNS Resolver configuration last night.

                      I changed Network Interfaces & Outgoing Network Interfaces from ALL and selected the specific interfaces needed.
                      I also disabled the DHCP Registration & Static DHCP options.

                      Since then it's been resolving fine. I'll keep monitoring, but so far so good.

                      Thanks

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.