DNS Default Domain



  • I have an OpenVPN setup with the DNS Default Domain option checked.  I push my local default domain along with my pfSense IP address as the local DNS server to clients connecting via openvpn.

    I’m running the DNS resolver and pfblockerng and with one exception everything works correctly.

    Yesterday, the iOS openvpn client was updated from 1.2.4 to 1.2.5 and since that time I cannot resolve hostnames without manually adding my domain name.

    For example I can resolve and ping “host.localdomain.net”, but I can’t ping just “host”.

    In looking through the logs on my iPhone I can see:

    2018-01-09 17:24:12 NIP: adding search domain localdomain.net
    2018-01-09 17:24:12 NIP: adding DNS 192.168.1.1

    I can ping the dns server and pfblockerng is correctly blocking.  I can also connect with my IPSEC connection and it will resolve just the host name just fine.

    This worked fine until yesterday.

    Any ideas why I cannot resolve with just the host name any more?



  • Same problem here. Stopped working yesterday on iOS. Fine in Arch


  • Rebel Alliance Global Moderator

    What does this have to do with pfsense?

    Your iOS client updated, and now it's not sending your search domain?  Get with openvpn on their client; you show that your phone got the search domain setting, etc.

    What client are you using exactly on your phone that you believe it should use the search domain in the first place?



  • What does this have to do with pfsense?

    Perhaps nothing now that someone else confirmed the same issue.  But that wasn't the case when I posted.  Also, maybe there is something that can be done on pfSense side to address the issue…?

    The clients in question are Prompt 2 and Screens.  Previously both clients could connect to machines with just the hostname.  Now they both require the FQDN.  I'm sure others are impacted too.


  • Rebel Alliance Global Moderator

    There is nothing to be done on pfSense if a fully qualified query is not sent. An FQDN has to be sent to DNS if it is to resolve it.

    As you can see in your logs the search domain was sent, and it is working with the Windows client, etc.



  • I confirmed since I updated the iOS client and pfsense on the same day and did not know on which side the change was made.


  • Rebel Alliance Global Moderator

    It not working just forces you to break a bad habit ;)

    It's a bad habit to try and resolve a host name and hope your search suffix gets you the answer you're looking for ;)

    When trying to resolve something you should always use a fully qualified name. But from the Windows client...

    You can see it set via ipconfig; see my local.lan is set up as the connection-specific DNS suffix on my VPN interface when I connect to openvpn.

    
    Ethernet adapter Local Area Connection 2:
    
       Connection-specific DNS Suffix  . : local.lan
       Description . . . . . . . . . . . : TAP-Windows Adapter V9
       Physical Address. . . . . . . . . : 00-FF-1F-37-23-EC
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 10.0.8.2(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Thursday, January 11, 2018 9:53:58 AM
       Lease Expires . . . . . . . . . . : Friday, January 11, 2019 9:53:58 AM
       Default Gateway . . . . . . . . . :
       DHCP Server . . . . . . . . . . . : 10.0.8.254
       DNS Servers . . . . . . . . . . . : 192.168.9.253
       NetBIOS over Tcpip. . . . . . . . : Enabled
    
    

    Now whether your OS or application or tool adheres to that would be up to the OS, tool or application. A simple check would be a sniff: do you see it add the suffix? If not, then it's on the client side where the issue is.
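Added example, not code from the thread or from pfSense/OpenVPN: it parses the NIP log lines quoted above for the pushed search domain and DNS server, then lists the queries a stub resolver honouring that search list should send for a short name, so a packet capture taken during the sniff can be compared against it. The ndots ordering is the classic glibc/BIND resolver rule, assumed here for illustration rather than documented iOS behaviour.

```python
import re

# Constructed sample of the iOS OpenVPN client log lines quoted in the thread.
CLIENT_LOG = """\
2018-01-09 17:24:12 NIP: adding search domain localdomain.net
2018-01-09 17:24:12 NIP: adding DNS 192.168.1.1
"""

LOG_RE = re.compile(r"NIP: adding (search domain|DNS) (\S+)")


def parse_pushed_dns(log_text):
    """Return (search_domains, dns_servers) the client reports having applied."""
    search, servers = [], []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        if m.group(1) == "search domain":
            search.append(m.group(2).rstrip(".").lower())
        else:
            servers.append(m.group(2))
    return search, servers


def query_candidates(name, search_domains, ndots=1):
    """Names a resolver honouring the search list should try, in order.

    Classic ndots rule (assumed): a name with fewer than `ndots` dots is tried
    with each search suffix first and as-is last; a name with at least `ndots`
    dots is tried as-is first, then with the suffixes. A trailing dot makes the
    name absolute and disables searching entirely.
    """
    if name.endswith("."):
        return [name]
    suffixed = [f"{name}.{d}." for d in search_domains]
    as_is = [f"{name}."]
    if name.count(".") < ndots:
        return suffixed + as_is
    return as_is + suffixed


def expected_queries(name, log_text):
    """Queries a capture should show for `name`, given what the client logged.

    For the thread's symptom, a capture that shows only 'host.' (never
    'host.localdomain.net.') means the client is not applying the suffix.
    """
    search, servers = parse_pushed_dns(log_text)
    return {"dns_servers": servers, "queries": query_candidates(name, search)}
```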



  • Well this was fixed in the latest OpenVPN Connect client on iOS (1.2.7) so we can start our bad habits again 🍻