DNS Resolver fails when IPsec VPN is connected



  • Hi
    I have DNS Resolver installed and running.
    The dashboard shows my DNS server as 127.0.0.1

    DNS Resolver is configured for All internal and external interfaces.
    As far as I can tell DNS resolves correctly until my IPsec VPN connects.

    The VPN is connecting me to the office which seems to work well. I have rules allowing several devices to route from the LAN to the office but all other devices are blocked from the VPN.

    On the IPsec rules I have allowed access to specific devices and all others are blocked.

    Once the VPN connects then DNS fails to resolve.
    Can anyone suggest what to check and how to resolve this?

    Thanks


  • LAYER 8 Netgate

    What are your IPsec traffic selectors (phase 2 networks) ??



  • Thanks for the reply. I'm not sure what you need.

    Phase2 is configured as

    Tunnel IPv4
    LAN Subnet
    NAT/BINAT none

    Network 192.168.9.0/24
    Protocol ESP
    AES 256bits SHA1

    Is that what is needed ?
    Thanks


  • LAYER 8 Netgate

    Yeah. That shouldn't impact DNS resolver at all.



    Any idea why this doesn't work ?
    I can get logs tomorrow if that helps.

    Thanks


  • LAYER 8 Netgate

    What logs?

    Do basic DNS troubleshooting and see where the failure is.

    dig/drill are your friends there.
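    The "basic DNS troubleshooting" step above amounts to asking the local resolver (127.0.0.1) and an upstream server the same question and seeing which one answers. The script below is an added example, not something posted in this thread or shipped with pfSense: it builds a raw DNS A query, sends it over UDP with a short timeout, parses the reply (including compressed names), and classifies the failure as "local resolver", "upstream", or "both". It assumes 127.0.0.1 as the resolver address and 8.8.8.8 as the upstream, the two servers used later in the thread; the `localize_failure` wording is this example's own.

```python
import random
import socket
import struct

# Name used as the test query in the thread (constructed default, any name works).
DEFAULT_NAME = "bbc.co.uk"


def build_query(name, qtype=1, txid=None):
    """Build a minimal DNS query (RD set, no EDNS). Returns (txid, packet bytes)."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = RD
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split(".")) + b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, 1)  # class IN


def _read_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    for _ in range(128):  # bound the walk so a pointer loop cannot spin forever
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    else:
        raise ValueError("name too long or pointer loop")
    return ".".join(labels), (end if jumped else offset)


def parse_response(msg, expected_txid):
    """Return rcode and the A/AAAA addresses in the answer section."""
    if len(msg) < 12:
        raise ValueError("truncated header")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")  # reject stray/spoofed replies
    if not flags & 0x8000:
        raise ValueError("not a response")
    offset = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, offset = _read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        _, offset = _read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntop(socket.AF_INET, rdata))
        elif rtype == 28 and rdlen == 16:
            answers.append(socket.inet_ntop(socket.AF_INET6, rdata))
    return {"rcode": flags & 0x000F, "answers": answers}


def query(server, name=DEFAULT_NAME, timeout=2.0):
    """Send one UDP query to server:53; return parsed result or {"error": ...}."""
    txid, packet = build_query(name)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(packet, (server, 53))
        data, _ = sock.recvfrom(4096)
        return parse_response(data, txid)
    except socket.timeout:
        return {"error": "timeout"}  # same symptom as "no servers could be reached"
    except OSError as exc:
        return {"error": str(exc)}
    finally:
        sock.close()


def localize_failure(local_result, upstream_result):
    """Say which hop is failing, given results for 127.0.0.1 and an upstream."""
    def ok(r):
        return "error" not in r and r.get("rcode") == 0 and r.get("answers")
    if ok(local_result):
        return "local resolver answering"
    if ok(upstream_result):
        return ("local resolver (127.0.0.1) failing, upstream reachable: "
                "check resolver service, interface binding or outgoing interface")
    return "both failing: check WAN routing / outbound firewall"


if __name__ == "__main__":
    local = query("127.0.0.1")   # DNS Resolver (unbound) on the firewall
    upstream = query("8.8.8.8")  # upstream used in the thread's nslookup test
    print("local:", local)
    print("upstream:", upstream)
    print(localize_failure(local, upstream))
```

Run it on the firewall both before and after the IPsec tunnel comes up; a result that flips from "local resolver answering" to "local resolver failing, upstream reachable" points at the resolver's interface or outgoing-interface selection rather than at WAN connectivity.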



  • For a test I've disabled the IPSec VPN and restarted DNS Resolver.

    I still don't get any resolution using the server address as 127.0.0.1
    All testing is done via SSH direct on the pfSense server.

    dig bbc.co.uk
    ; <<>> DiG 9.11.1-P1 <<>> bbc.co.uk
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached

    drill bbc.co.uk
    Error: error sending query: Could not send or receive, because of network error

    nslookup

    server 8.8.8.8
    Default server: 8.8.8.8
    Address: 8.8.8.8#53

    bbc.co.uk
    Server:        8.8.8.8
    Address:        8.8.8.8#53

    Non-authoritative answer:
    Name:  bbc.co.uk
    Address: 151.101.128.81
    Name:  bbc.co.uk
    Address: 151.101.192.81
    Name:  bbc.co.uk
    Address: 151.101.0.81
    Name:  bbc.co.uk
    Address: 151.101.64.81
    Name:  bbc.co.uk
    Address: 2a04:4e42:200::81
    Name:  bbc.co.uk
    Address: 2a04:4e42::81
    Name:  bbc.co.uk
    Address: 2a04:4e42:400::81
    Name:  bbc.co.uk
    Address: 2a04:4e42:600::81

    server 127.0.0.1
    Default server: 127.0.0.1
    Address: 127.0.0.1#53
    bbc.co.uk
    ;; connection timed out; no servers could be reached

    After a couple of minutes DNS resolves and NOTHING has been changed.

    dig bbc.co.uk

    ; <<>> DiG 9.11.1-P1 <<>> bbc.co.uk
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30606
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;bbc.co.uk.                    IN      A

    ;; ANSWER SECTION:
    bbc.co.uk.              47      IN      A      151.101.64.81
    bbc.co.uk.              47      IN      A      151.101.128.81
    bbc.co.uk.              47      IN      A      151.101.0.81
    bbc.co.uk.              47      IN      A      151.101.192.81

    ;; AUTHORITY SECTION:
    bbc.co.uk.              19      IN      NS      ns3.bbc.co.uk.
    bbc.co.uk.              19      IN      NS      ns4.bbc.co.uk.
    bbc.co.uk.              19      IN      NS      ns3.bbc.net.uk.
    bbc.co.uk.              19      IN      NS      ns4.bbc.net.uk.

    ;; Query time: 0 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Tue Jan 02 22:42:52 GMT 2018
    ;; MSG SIZE  rcvd: 182

    drill bbc.co.uk

    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 64161
    ;; flags: qr rd ra ; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;; bbc.co.uk.  IN      A

    ;; ANSWER SECTION:
    bbc.co.uk.      40      IN      A      151.101.64.81
    bbc.co.uk.      40      IN      A      151.101.128.81
    bbc.co.uk.      40      IN      A      151.101.0.81
    bbc.co.uk.      40      IN      A      151.101.192.81

    ;; AUTHORITY SECTION:
    bbc.co.uk.      12      IN      NS      ns3.bbc.co.uk.
    bbc.co.uk.      12      IN      NS      ns4.bbc.co.uk.
    bbc.co.uk.      12      IN      NS      ns3.bbc.net.uk.
    bbc.co.uk.      12      IN      NS      ns4.bbc.net.uk.

    ;; ADDITIONAL SECTION:

    ;; Query time: 0 msec
    ;; SERVER: 127.0.0.1
    ;; WHEN: Tue Jan  2 22:42:59 2018
    ;; MSG SIZE  rcvd: 171

    nslookup

    server 127.0.0.1
    Default server: 127.0.0.1
    Address: 127.0.0.1#53
    bbc.co.uk
    Server:        127.0.0.1
    Address:        127.0.0.1#53

    Non-authoritative answer:
    Name:  bbc.co.uk
    Address: 151.101.64.81
    Name:  bbc.co.uk
    Address: 151.101.128.81
    Name:  bbc.co.uk
    Address: 151.101.0.81
    Name:  bbc.co.uk
    Address: 151.101.192.81
    Name:  bbc.co.uk
    Address: 2a04:4e42:600::81
    Name:  bbc.co.uk
    Address: 2a04:4e42::81
    Name:  bbc.co.uk
    Address: 2a04:4e42:200::81
    Name:  bbc.co.uk
    Address: 2a04:4e42:400::81

    Can you advise how I look into this further to see why it stopped and then started resolving DNS ?

    Thanks


  • LAYER 8 Netgate

    No idea. something in your routing changing, perhaps. What are the WAN settings? Any Multi-WAN? What are your DNS Resolver settings?



  • I made a slight change to the DNS Resolver configuration last night.

    I changed Network Interfaces & Outgoing Network Interfaces from ALL and selected the specific interfaces needed.
    I also disabled the DHCP Registration & Static DHCP options.

    Since then it's been resolving fine. I'll keep monitoring but so far so good..

    Thanks

