Site to Site OPENVPN DNS



  • Hello

    I currently have 3 sites. What is the proper configuration for the DNS Resolver so that I can resolve hosts from, let's say, Site A when the host is on Site B? I am able to resolve them by adding the hosts to DNS Resolver -> Host Overrides, but I have lots of clients, and I would have to add or remove them manually every time I get or remove a host. I am sure there is some more practical configuration for that. I've been looking on the Netgate forum but I can't find a solution.

    Thank you


  • LAYER 8 Global Moderator

    Sorry, but I'm not understanding your issue/concern...

    So you have a site-to-site VPN set up between multiple locations... Where do the sites point for DNS? Where are the sites actually located? And I assume you want them to resolve to some RFC 1918 address?

    So clients in site A point where for DNS, the pfSense at site A? And you want it to resolve, say, www.domain.tld that is at 192.168.10.100 in site B?

    If site B is going to be where all the sites are, then set up domain overrides at your other locations to point to the DNS in site B, with a domain override for domain.tld.

    If you have sites hosted all over the locations, then unbound (the resolver) is probably not the best solution, since it's not even meant to be an authoritative NS. If you need full DNS you probably want to look at the bind package, which you can set up with zone transfers between the different NSes so that each location can have a full copy of the zones from the other locations, etc.
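To illustrate the first option above (all hosts at site B, the other sites just forward that domain to site B), here is what the pfSense DNS Resolver domain override produces underneath, written out as raw unbound.conf fragments. This is an added example, not configuration from the thread; the domain name domain.tld comes from the post, while the subnets (192.168.1.0/24 at site A, 192.168.10.0/24 at site B) and the resolver addresses (192.168.1.1 and 192.168.10.1) are assumed.

```conf
# --- Site A pfSense (unbound) ---------------------------------------------
# Equivalent of DNS Resolver -> Domain Overrides: "domain.tld" -> 192.168.10.1.
# Queries for anything under domain.tld are forwarded across the site-to-site
# VPN to the resolver at site B instead of being resolved from the root.
forward-zone:
    name: "domain.tld"
    forward-addr: 192.168.10.1

# Reverse lookups for site B's subnet need their own override, otherwise
# PTR queries for 192.168.10.x still go nowhere.
forward-zone:
    name: "10.168.192.in-addr.arpa"
    forward-addr: 192.168.10.1

# --- Site B pfSense (unbound) ---------------------------------------------
# The resolver at site B must accept queries arriving from site A's subnet
# over the VPN; by default unbound only answers its own local networks
# (pfSense: DNS Resolver -> Access Lists). Without this, site A gets
# REFUSED and the override appears "not to work".
access-control: 192.168.10.0/24 allow
access-control: 192.168.1.0/24 allow

# Host records at site B (what Host Overrides generates), assumed entries:
local-data: "www.domain.tld. IN A 192.168.10.100"
local-data-ptr: "192.168.10.100 www.domain.tld"
```

The check to run after applying this is a query from a site A client such as `drill www.domain.tld @192.168.1.1`; a REFUSED status points at the access-control list at site B, a SERVFAIL usually means the VPN route or firewall rule for UDP/TCP 53 between the two LANs is missing. Note that this only scales to one "central" site: each remote site needs one override per domain and per reverse zone that lives at site B.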



  • Each site points to the pfSense at its site for DNS.
    Sites are in different locations. Site B is the routing point, which means that in order to go from Site A to Site C you have to go through Site B, and from Site C to Site A you likewise have to go through Site B.

    Do you know if there is any documentation on the bind package for pfSense,
    some basic configurations?

    Thank you


  • LAYER 8 Global Moderator

    Bind is really the internet standard when it comes to DNS, to be honest ;) There is tons and tons of documentation, multiple books. I highly recommend DNS and BIND: http://shop.oreilly.com/product/9780596100575.do

    Anyone wanting to run authoritative name servers should really read such a book. I have an older edition lying around here somewhere ;) 2nd edition or so, mid 90's I believe...

    I take it you're not an MS shop then; if so, all your clients should be using your AD for DNS and not pointing at pfSense at all.

    All the bind package is is a GUI to the configuration... You still have to understand what a zone is, what zone transfers are, what a slave NS is and a master. If you're all just 1 zone, i.e. say domain.tld, then your site B for example would be your master and your other sites could all be slaves. They would have copies of everything you put into your zone via your SOA NS.

    This is really not related to OpenVPN at all, to be honest, and just basic DNS questions.



  • Hello

    I tried about 2 years ago to configure BIND with no luck; I hope this time I will make it work.
    I know, this book looks promising. And NO, I don't like MS.

    I've seen configurations of bind where people use VIPs for DNS. Is that a good configuration?

    Thank you


  • LAYER 8 Global Moderator

    Why would you need a VIP? I guess they might run a VIP if they don't want to conflict with unbound or something else listening on the same port.

    In your sort of setup I see no reason why you would want/need to use a VIP. This is really a very basic setup: you have a master with multiple slaves for your other locations. It only gets complicated if you're going to want, say, site A to be SOA for domain.tld and site B to be SOA for other.tld, etc.

    If you just use 1 site as the master for all your domains and reverse zones, and your remote sites as just slaves off the master, it's very easy to set up and then there is only 1 location to manage.

    Are you wanting devices to self-register themselves in DNS?
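The master-with-slaves layout described above, as an added example in raw BIND named.conf syntax (the pfSense bind package writes the same directives from its GUI fields). This is not configuration from the thread or from the package: the zone name domain.tld is from the post, while the resolver addresses (site B master 192.168.10.1, slaves 192.168.1.1 at site A and 192.168.3.1 at site C), the file paths, the key name and the placeholder TSIG secret are all assumed. The security-relevant part is that zone transfers are restricted to the slaves and signed with a TSIG key rather than left open to anyone who can reach port 53.

```conf
# ===================== Site B (master for domain.tld) =====================
# Shared secret for TSIG-signed transfers. Generate a real one with
# `tsig-keygen xfer-key`; the value below is a placeholder, not a real key.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "dGhpcyBpcyBhIHBsYWNlaG9sZGVyIGtleQ==";
};

# Addresses of the slave resolvers at the remote sites (assumed).
acl "slaves" { 192.168.1.1; 192.168.3.1; };

zone "domain.tld" {
    type master;
    file "/etc/namedb/master/domain.tld.db";
    # Only the slaves, and only with the key, may pull the zone (AXFR/IXFR).
    allow-transfer { key "xfer-key"; };
    # Push NOTIFY to the slaves on every serial bump so they refresh at once.
    notify yes;
    also-notify { 192.168.1.1; 192.168.3.1; };
};

# Reverse zone for site B's subnet, same rules. Add one per site subnet.
zone "10.168.192.in-addr.arpa" {
    type master;
    file "/etc/namedb/master/10.168.192.in-addr.arpa.db";
    allow-transfer { key "xfer-key"; };
    notify yes;
    also-notify { 192.168.1.1; 192.168.3.1; };
};

# ===================== Site A / Site C (slaves) ===========================
# Same key block as on the master, then tell named to sign every packet
# it sends to the master with it.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "dGhpcyBpcyBhIHBsYWNlaG9sZGVyIGtleQ==";
};

server 192.168.10.1 {
    keys { "xfer-key"; };
};

zone "domain.tld" {
    type slave;
    masters { 192.168.10.1; };
    file "/etc/namedb/slave/domain.tld.db";
    # A slave should not hand the zone out again to anyone.
    allow-transfer { none; };
};

zone "10.168.192.in-addr.arpa" {
    type slave;
    masters { 192.168.10.1; };
    file "/etc/namedb/slave/10.168.192.in-addr.arpa.db";
    allow-transfer { none; };
};

# ===================== /etc/namedb/master/domain.tld.db (site B) ==========
# Minimal zone file, assumed contents. The serial must increase on every
# edit or the slaves will never pick up the change.
$TTL 3600
@       IN  SOA ns1.domain.tld. hostmaster.domain.tld. (
                2024010101 ; serial (YYYYMMDDnn)
                3600       ; refresh
                900        ; retry
                1209600    ; expire
                300 )      ; negative caching TTL
@       IN  NS  ns1.domain.tld.
@       IN  NS  ns2.domain.tld.
@       IN  NS  ns3.domain.tld.
ns1     IN  A   192.168.10.1
ns2     IN  A   192.168.1.1
ns3     IN  A   192.168.3.1
www     IN  A   192.168.10.100
```

Two checks worth doing once it is in place: `named-checkconf` and `named-checkzone domain.tld /etc/namedb/master/domain.tld.db` on the master before reloading, and then `dig @192.168.1.1 domain.tld SOA` from site A to confirm the slave's serial matches the master's. A transfer that works from the slave's address but also from an arbitrary LAN host (`dig @192.168.10.1 domain.tld AXFR`) means the allow-transfer line is missing or too broad; with the key form above that query should be refused. Because site A and site C both reach site B over the VPN, the transfer traffic and the NOTIFYs only need TCP/UDP 53 allowed between the resolver addresses across that tunnel.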



  • Yes, I do want them to register with the DNS automatically, but from what I know it is a security risk.


  • LAYER 8 Global Moderator

    Security risk? From devices on your secure network?



  • @johnpoz Are you sure it is secure? :) You mean register from DHCP? Yes, I do.

