Query BIND DNS over IPsec IKEv2 mobile tunnel

  • Hi everyone,

    I have several pfSense boxes installed at remote sites. I have IPsec IKEv2 mobile VPN tunnels to all sites from my laptop/iPhone etc.
    This is working great. As long as the DNS Resolver is active I can query this DNS server over the VPN tunnel.
    At some sites the DNS Resolver is disabled and I'm using BIND.
    The problem is that I cannot query the BIND DNS server over the VPN tunnel.

    The firewall rule on the IPsec tab is pass any to any. On the IPsec Mobile Clients tab I'm providing the DNS server (DNS Resolver or BIND respectively).

    I want to accomplish that I can query the DNS entries made in the BIND zones over the VPN tunnel.
    Do you have any ideas?


  • Hi,

    @posto587 said in Query BIND DNS over IPsec IKEv2 mobile tunnel:

    Do you have any ideas?

    Without knowing how you set it up? The main idea is pretty close to: finish the setup, you're not done yet.

    Some other ideas:
    "bind" does the same thing as what "unbound" does: listening on all interfaces, port 53 at least. So, my question is: is it also listening on the "VPN interface"? Check also what happens when the VPN restarts; maybe bind needs to be reloaded / restarted also. unbound is handled by pfSense out of the box; bind, as a package, might be handled differently.
    Also: when bind starts before the VPN server, the interface the VPN creates isn't on the "listen" list of interfaces.

  • Thanks for your answer!
    BIND is listening on all interfaces. IPsec is not listed in there, but in unbound IPsec isn't listed either and there it's working.

    I already checked to restart VPN service but that changes nothing. I also think that has something to do with unbound being handled out of the box and BIND as a package is handled differently.

    Just to clarify: I can query all DNS entries made in BIND from all local networks but not from the VPN tunnel / IPsec interface.
    Perhaps an advanced config needs to be made to get BIND to listen on the IPsec interface too. Unfortunately it's not listed in the "listen interfaces" tab...
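Editor's added example (not from either poster, and not the pfSense BIND package's own code): besides the listen interfaces, BIND only answers clients that pass its `allow-query` / `allow-recursion` address-match lists, which is a common reason why LAN clients can query but a mobile IPsec pool cannot. The script below evaluates a BIND address-match list for a given client address the way named does (first matching element wins, a leading `!` rejects, no match means refused) and compares a LAN client with a mobile-client address. The `named.conf` fragment, the LAN networks and the mobile pool `10.10.10.0/24` are constructed sample values, not taken from the thread.

```python
import ipaddress
import re

# Constructed sample "options" block (NOT the poster's config). The
# allow-query list covers the local networks only, so a client from an
# IPsec mobile pool is refused even though listen-on is "any".
SAMPLE_NAMED_CONF = """
options {
    listen-on { any; };
    allow-query { 192.168.1.0/24; 192.168.2.0/24; localhost; };
    allow-recursion { 192.168.1.0/24; };
};
"""

# The same fragment with the (assumed) mobile-client pool added.
FIXED_NAMED_CONF = SAMPLE_NAMED_CONF.replace(
    "allow-query { 192.168.1.0/24;",
    "allow-query { 10.10.10.0/24; 192.168.1.0/24;",
)

LAN_CLIENT = "192.168.1.20"          # assumed LAN host
IPSEC_MOBILE_CLIENT = "10.10.10.5"   # assumed address from the mobile pool


def extract_acl(conf: str, name: str) -> list[str]:
    """Return the elements of an ACL-style option (e.g. allow-query)
    as a list of strings, or [] when the option is absent."""
    m = re.search(rf"\b{name}\s*\{{([^}}]*)\}}\s*;", conf)
    if not m:
        return []
    return [e.strip() for e in m.group(1).split(";") if e.strip()]


def acl_allows(elements: list[str], client: str) -> bool:
    """Evaluate a BIND address-match list for one client address.

    Semantics modelled: the first matching element decides; a leading
    '!' negates (so '!10.0.0.0/8' refuses); 'any' matches everything,
    'none' nothing; 'localhost' is approximated as the loopback range.
    A client that matches no element is refused.
    """
    ip = ipaddress.ip_address(client)
    for elem in elements:
        negate = elem.startswith("!")
        body = elem.lstrip("!").strip()
        if body == "any":
            matched = True
        elif body == "none":
            matched = False
        elif body == "localhost":
            matched = ip.is_loopback
        else:
            # A bare address such as 10.10.10.5 becomes a /32 network.
            matched = ip in ipaddress.ip_network(body, strict=False)
        if matched:
            return not negate
    return False


def query_permitted(conf: str, client: str) -> bool:
    """True when the client passes the options-level allow-query list."""
    return acl_allows(extract_acl(conf, "allow-query"), client)


def recursion_permitted(conf: str, client: str) -> bool:
    """True when the client passes the options-level allow-recursion list."""
    return acl_allows(extract_acl(conf, "allow-recursion"), client)


if __name__ == "__main__":
    for label, conf in (("sample", SAMPLE_NAMED_CONF), ("fixed", FIXED_NAMED_CONF)):
        for client in (LAN_CLIENT, IPSEC_MOBILE_CLIENT):
            print(f"{label:6} {client:14} query={query_permitted(conf, client)} "
                  f"recursion={recursion_permitted(conf, client)}")
```

Run it as-is to see the LAN host accepted and the mobile address refused under the sample block, then accepted once the pool is added to `allow-query`. Note that zone-level `allow-query` statements override the options-level one, and recursion for mobile clients needs the pool in `allow-recursion` as well; the script evaluates only the options-level lists it is given.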
