DNS Resolver fails when IPsec VPN is connected
-
Hi
I have DNS Resolver installed and running.
The dashboard shows my DNS server as 127.0.0.1. DNS Resolver is configured for all internal and external interfaces.
As far as I can tell DNS resolves correctly until my IPsec VPN connects. The VPN is connecting me to the office, which seems to work well. I have rules allowing several devices to route from the LAN to the office, but all other devices are blocked from the VPN.
On the IPsec rules I have allowed access to specific devices and all others are blocked.
Once the VPN connects then DNS fails to resolve.
Can anyone suggest what to check and how to resolve this?
Thanks
-
What are your IPsec traffic selectors (phase 2 networks)?
-
Thanks for the reply. I'm not sure what you need.
Phase 2 is configured as:
Tunnel IPv4
LAN Subnet
NAT/BINAT: none
Network: 192.168.9.0/24
Protocol: ESP
AES 256 bits, SHA1
Is that what is needed?
Thanks
-
Yeah. That shouldn't impact DNS resolver at all.
-
Any idea why this doesn't work?
I can get logs tomorrow if that helps.
Thanks
-
What logs?
Do basic DNS troubleshooting and see where the failure is.
dig/drill are your friends there.
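Added example, not code from anyone in this thread: a small parser for dig's text output plus a classifier for the two checks the reply above recommends (query the local resolver at 127.0.0.1, then query an upstream server), mapping the outcome to the pfSense area worth inspecting. The first and third sample outputs are copied or abridged from dig runs posted later in this thread; the 8.8.8.8 sample is constructed in dig format (the thread used nslookup for that step). The advice strings are troubleshooting pointers, not a guaranteed diagnosis.

```python
# Added example (not from the thread): classify "dig @127.0.0.1" vs "dig @upstream".
import re
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class DigResult:
    status: str                      # NOERROR, NXDOMAIN, SERVFAIL, TIMEOUT, UNKNOWN
    server: Optional[str] = None     # responding server, without the "#53(...)" suffix
    answers: List[str] = field(default_factory=list)   # A/AAAA rdata, in order
    query_ms: Optional[int] = None


def parse_dig(text: str) -> DigResult:
    """Parse the text output of `dig NAME [@server]` into a DigResult."""
    if "no servers could be reached" in text:
        return DigResult("TIMEOUT")
    m = re.search(r"status:\s*(\w+)", text)
    status = m.group(1) if m else "UNKNOWN"
    m = re.search(r";; SERVER:\s*(\S+)", text)
    server = m.group(1).split("#")[0] if m else None
    m = re.search(r";; Query time:\s*(\d+)", text)
    query_ms = int(m.group(1)) if m else None
    answers: List[str] = []
    in_answer = False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
            continue
        if not line.strip() or line.startswith(";"):
            in_answer = False          # blank line or next ";;" header ends the section
            continue
        parts = line.split()           # owner ttl class type rdata
        if in_answer and len(parts) >= 5 and parts[3] in ("A", "AAAA"):
            answers.append(parts[4])
    return DigResult(status, server, answers, query_ms)


# Outcome -> where to look on pfSense (settings named in the thread; pointers only).
ADVICE = {
    "ok": "Local resolver answers; nothing to fix at this layer.",
    "local-resolver": ("127.0.0.1 times out but upstream answers: unbound is not listening "
                       "or not reachable. Check DNS Resolver > Network Interfaces, its "
                       "Access Lists, and `sockstat -4l | grep :53`."),
    "resolver-recursion": ("unbound answers but returns SERVFAIL: it cannot reach "
                           "authoritative/forwarder servers. Check Outgoing Network "
                           "Interfaces and whether that path is caught by an IPsec phase 2 "
                           "selector or an outbound rule."),
    "upstream-path": ("Neither local nor upstream answers: look at WAN, default route and "
                      "outbound firewall rules rather than at unbound."),
    "unknown": "Inconclusive; compare both outputs by hand.",
}


def diagnose(local: DigResult, upstream: DigResult) -> str:
    """Map the pair (query @127.0.0.1, query @upstream) to an ADVICE key."""
    if local.status == "NOERROR" and local.answers:
        return "ok"
    if local.status == "TIMEOUT" and upstream.status == "NOERROR":
        return "local-resolver"
    if local.status == "SERVFAIL":
        return "resolver-recursion"
    if local.status == "TIMEOUT" and upstream.status == "TIMEOUT":
        return "upstream-path"
    return "unknown"


def live_check(name: str = "bbc.co.uk", upstream: str = "8.8.8.8") -> str:
    """Run both queries on the box itself (needs dig in PATH; not exercised offline)."""
    def run(server: str) -> DigResult:
        out = subprocess.run(["dig", "+time=3", "+tries=1", name, "@" + server],
                             capture_output=True, text=True).stdout
        return parse_dig(out)
    key = diagnose(run("127.0.0.1"), run(upstream))
    return f"{key}: {ADVICE[key]}"


# Sample 1: copied from the thread's failing run against 127.0.0.1.
LOCAL_TIMEOUT = """\
; <<>> DiG 9.11.1-P1 <<>> bbc.co.uk
;; global options: +cmd
;; connection timed out; no servers could be reached
"""

# Sample 2: constructed in dig format from the thread's working nslookup via 8.8.8.8.
UPSTREAM_OK = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; QUESTION SECTION:
;bbc.co.uk. IN A

;; ANSWER SECTION:
bbc.co.uk. 300 IN A 151.101.128.81
bbc.co.uk. 300 IN A 151.101.192.81

;; Query time: 20 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
"""

# Sample 3: abridged from the thread's later, working run against 127.0.0.1.
LOCAL_OK = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30606
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;bbc.co.uk. IN A

;; ANSWER SECTION:
bbc.co.uk. 47 IN A 151.101.64.81
bbc.co.uk. 47 IN A 151.101.128.81
bbc.co.uk. 47 IN A 151.101.0.81
bbc.co.uk. 47 IN A 151.101.192.81

;; AUTHORITY SECTION:
bbc.co.uk. 19 IN NS ns3.bbc.co.uk.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
"""

if __name__ == "__main__":
    key = diagnose(parse_dig(LOCAL_TIMEOUT), parse_dig(UPSTREAM_OK))
    print(key, "->", ADVICE[key])
```

Run as a script it classifies the thread's original symptom (local timeout, upstream fine) as a local resolver problem; `live_check()` does the same against the running box. The point of keeping the parser separate from `diagnose()` is that you can paste outputs captured at the moment of failure, which matters here because the thread's resolver recovered on its own after a couple of minutes.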
-
For a test I've disabled the IPSec VPN and restarted DNS Resolver.
I still don't get any resolution using the server address as 127.0.0.1
All testing is done via SSH directly on the pfSense server.

dig bbc.co.uk

; <<>> DiG 9.11.1-P1 <<>> bbc.co.uk
;; global options: +cmd
;; connection timed out; no servers could be reached

drill bbc.co.uk

Error: error sending query: Could not send or receive, because of network error

nslookup
server 8.8.8.8
Default server: 8.8.8.8
Address: 8.8.8.8#53
bbc.co.uk
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
Name: bbc.co.uk
Address: 151.101.128.81
Name: bbc.co.uk
Address: 151.101.192.81
Name: bbc.co.uk
Address: 151.101.0.81
Name: bbc.co.uk
Address: 151.101.64.81
Name: bbc.co.uk
Address: 2a04:4e42:200::81
Name: bbc.co.uk
Address: 2a04:4e42::81
Name: bbc.co.uk
Address: 2a04:4e42:400::81
Name: bbc.co.uk
Address: 2a04:4e42:600::81
server 127.0.0.1
Default server: 127.0.0.1
Address: 127.0.0.1#53
bbc.co.uk
;; connection timed out; no servers could be reached

After a couple of minutes DNS resolves and NOTHING has been changed.
dig bbc.co.uk

; <<>> DiG 9.11.1-P1 <<>> bbc.co.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30606
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;bbc.co.uk. IN A

;; ANSWER SECTION:
bbc.co.uk. 47 IN A 151.101.64.81
bbc.co.uk. 47 IN A 151.101.128.81
bbc.co.uk. 47 IN A 151.101.0.81
bbc.co.uk. 47 IN A 151.101.192.81

;; AUTHORITY SECTION:
bbc.co.uk. 19 IN NS ns3.bbc.co.uk.
bbc.co.uk. 19 IN NS ns4.bbc.co.uk.
bbc.co.uk. 19 IN NS ns3.bbc.net.uk.
bbc.co.uk. 19 IN NS ns4.bbc.net.uk.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jan 02 22:42:52 GMT 2018
;; MSG SIZE rcvd: 182

drill bbc.co.uk

;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 64161
;; flags: qr rd ra ; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 0
;; QUESTION SECTION:
;; bbc.co.uk. IN A

;; ANSWER SECTION:
bbc.co.uk. 40 IN A 151.101.64.81
bbc.co.uk. 40 IN A 151.101.128.81
bbc.co.uk. 40 IN A 151.101.0.81
bbc.co.uk. 40 IN A 151.101.192.81

;; AUTHORITY SECTION:
bbc.co.uk. 12 IN NS ns3.bbc.co.uk.
bbc.co.uk. 12 IN NS ns4.bbc.co.uk.
bbc.co.uk. 12 IN NS ns3.bbc.net.uk.
bbc.co.uk. 12 IN NS ns4.bbc.net.uk.

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; SERVER: 127.0.0.1
;; WHEN: Tue Jan 2 22:42:59 2018
;; MSG SIZE rcvd: 171

nslookup
server 127.0.0.1
Default server: 127.0.0.1
Address: 127.0.0.1#53
bbc.co.uk
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
Name: bbc.co.uk
Address: 151.101.64.81
Name: bbc.co.uk
Address: 151.101.128.81
Name: bbc.co.uk
Address: 151.101.0.81
Name: bbc.co.uk
Address: 151.101.192.81
Name: bbc.co.uk
Address: 2a04:4e42:600::81
Name: bbc.co.uk
Address: 2a04:4e42::81
Name: bbc.co.uk
Address: 2a04:4e42:200::81
Name: bbc.co.uk
Address: 2a04:4e42:400::81

Can you advise how I look into this further to see why it stopped and then started resolving DNS?
Thanks
-
No idea. Something in your routing changing, perhaps. What are the WAN settings? Any Multi-WAN? What are your DNS Resolver settings?
-
I made a slight change to the DNS Resolver configuration last night.
I changed Network Interfaces and Outgoing Network Interfaces from All and selected only the specific interfaces needed.
I also disabled the DHCP Registration and Static DHCP options.
Since then it's been resolving fine. I'll keep monitoring, but so far so good.
Thanks