Netgate Discussion Forum
    DNS resolve for internal hosts in HA and peer-to-peer OpenVPN

    HA/CARP/VIPs
    • iorx

      Hi!

      I'm going to try to explain this.
      The question is how to get internal resolving when the HA has failed over to the backup.

      Config:

      • pfSense, 2.4.4-RELEASE (amd64) built on Thu Sep 20 09:03:12 EDT 2018
      • HA
      • Two physical machines running Windows 2016 Hyper-V, with pfSense as a guest VM on each machine.
        • Machine #1: pfSense #1 master, Windows AD #1
        • Machine #2: pfSense #2 backup, Windows AD #2

      Main Office:

      • Windows AD controllers with DNS, domain is host.sub.domain.tld
      • HA pfSense, working great. Fail-over works as intended, client doesn't notice anything when Machine #1 and/or pfSense #1 goes down.
        • pfSense DNS servers are set to external DNSs (1.1.1.1 ...)
        • OpenVPN server peer-to-peer.
        • DHCP is handled by the domain controllers. DNS given out is pointing to the AD-DNS #1 and #2.
      • Domain override of the internal DNS for sub.domain.tld with destination #1 of the AD-DNS (it's here I would like to be able to provide an option to make it go for AD-DNS #2 if #1 not available)

      Name resolving here is not a problem for the client as they got the AD-DNS #1 and #2. The problem is pfsense own resolving of internal address when AD-DNS #1 is not answering.

      Branch Office:

      • Single pfSense
        • OpenVPN client peer-to-peer (which reconnect beautifully after a short timeout when HA master goes down)
        • DHCP gives out DNS pointing to this pfSense
        • pfSense DNS servers are set to external DNSs
        • Domain override of the internal DNS for sub.domain.tld with destination #1 of the AD-DNS (it's here I would like to be able to provide an option to make it go for AD-DNS #2 if #1 not available)

      If AD #1 is not available at the same time as the HA is on the backup (the scenario when Machine #1 is down), I get no name resolving, as I've found no way to make the Branch Office pfSense ask AD-DNS #2 in an override.

      Phew, that's a lot of explaining in an effort to make this understandable.

      I need some guidance and/or suggestions on how to make this work, if possible. Maybe I'm looking at this the wrong way?

      Brgs,

      • JeGr LAYER 8 Moderator

        Hi,

        What about setting the Branch Office pfSense's DNS to the LAN VIP of the Main Office site? That way you always ask the current "master" and therefore should get an answer from a working DNS; as the main office pfSense boxes have both DNSes configured, it should get an answer from AD-DNS #2.

        Edit: almost forgot! You can add another overwrite for the exact same domain/host and add another IP; that way the DNS forwarder on the branch office will ask both of them. So you should definitely get an answer from one of them.

        Greets

        Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

        If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

        • iorx

          Hi and thanks for answering.

          I do hope that I understand what to say here.

          And setting the branch office pfSense DNS to point to a DNS on the other side of the VPN is problematic if the main office is offline; then they get no working DNS at all.
          It is a solution to get name resolution working, either giving out the AD DNSs to the clients at the branch office or setting the DNS in the branch office pfSense to the AD DNSs. But then they need that peer-to-peer connection to always be connected.

          pfSense domain override can only point to one IP as I understand it. Host overrides, though, can be multiples, but then you get some round-robin behavior, so you end up not knowing which IP is returned.

          The goal here is to make pfSense ask more than one DNS for a domain override as I see it.

          Maybe, an idea right now (not tested): something using an HA NAT rule that doesn't sync, unique for each pfSense, that redirects incoming traffic for DNS to themselves or to a specific AD DNS.

          • JeGr LAYER 8 Moderator

            @iorx said in DNS resolve for internal hosts in HA and peer-to-peer OpenVPN:

            pfSense domain override can only point to one IP as I understand it. Host overrides, though, can be multiples, but then you get some round-robin behavior, so you end up not knowing which IP is returned.

            [screenshot: DNS Resolver domain overrides with two entries for the same domain]

            As you see in the screenshot (even if it's from the DNS resolver), you can add two entries for domain overrides without problems. I tested it and if e.g. 252 is down, 251 will supply the address and vice versa.

            So just add both AD-DNS servers to your local DNS domain overrides and you should be good. :)

              • iorx

              Hi

              I thought I had read up thoroughly on the subject, and somewhere I must have picked up the wrongful info that domain overrides couldn't be done like that. That one stuck, so I didn't even try it; such a brain-fart 😃.

              Now I have successfully created a double domain override as you showed, but I have to wait until tonight to test it, as the customer's systems are active for the moment. I'm going to bring machine #1 down and check the functionality from the branch office.

              I'll report back my findings and if it works as intended.

              Thanks a lot for being the crutch on this matter.

              Edit:
              Also created double reverse lookup entries in domain overrides; works like a charm: 25.168.192.in-addr.arpa pointing at the AD-DNSs.
              I will test these too in an HA fail test.

              Brgs,

                • JeGr LAYER 8 Moderator @iorx
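Added example, not from this thread or from pfSense itself: a small Python check over Unbound forward-zone stanzas in the shape pfSense writes for Resolver domain overrides, with constructed "before" (single override, AD-DNS #1 only) and "after" (JeGr's double override plus the reverse-zone override iorx added) fragments. The addresses are constructed placeholders, and the assumption that each override becomes one forward-addr line under the zone is mine.

```python
"""Flag Unbound forward-zones that depend on a single forwarder.

A domain override with one forward-addr stops resolving the moment that
server is down; two entries give Unbound a second upstream to fail over to.
"""
import re

# Constructed fragments (assumption: pfSense emits one forward-zone per
# overridden domain with one forward-addr per override entry).
BEFORE = """
forward-zone:
    name: "sub.domain.tld"
    forward-addr: 192.168.25.251
"""

AFTER = """
forward-zone:
    name: "sub.domain.tld"
    forward-addr: 192.168.25.251
    forward-addr: 192.168.25.252
forward-zone:
    name: "25.168.192.in-addr.arpa"
    forward-addr: 192.168.25.251
    forward-addr: 192.168.25.252
"""


def parse_forward_zones(text):
    """Return {zone name: [forward-addr, ...]} from an Unbound config text."""
    zones = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("forward-zone:"):
            current = None  # new stanza; name: line follows
        elif m := re.match(r'name:\s*"?([^"\s]+)"?', line):
            current = m.group(1).rstrip(".").lower()
            zones.setdefault(current, [])
        elif m := re.match(r"forward-addr:\s*(\S+)", line):
            if current is not None:
                zones[current].append(m.group(1))
    return zones


def single_forwarder_zones(text):
    """Zones with fewer than two forwarders: a single point of failure."""
    return sorted(z for z, addrs in parse_forward_zones(text).items()
                  if len(addrs) < 2)
```

Run it against the Resolver's generated domain override file to list every override that still points at only one AD DNS server.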

                @iorx said in DNS resolve for internal hosts in HA and peer-to-peer OpenVPN:

                Thanks a lot for being the crutch on this matter.

                Glad to be of service 😄

                  • Derelict LAYER 8 Netgate

                  Hello -

                  I will add that I would not run Resolver on the firewall at all in that case. I would:

                  • Set OpenVPN to give the clients the AD addresses for DNS
                  • Set both pfSense cluster nodes to use the AD addresses for DNS (System > General)
                  • Check the Disable DNS Forwarder box in System > General so the firewall does not try to use itself to resolve names.
                  • Disable DNS Resolver on the cluster nodes.

                  While that solution looks good, there is no pressing requirement for a DNS cache to be running on the firewall cluster at all.

                  This way everyone is always getting the answers AD thinks it should be getting for everything.

                  Chattanooga, Tennessee, USA
                  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                  Do Not Chat For Help! NO_WAN_EGRESS(TM)

                    • iorx

                    Hi!

                    Thanks for contributing. There are no road warriors (connecting users) involved here, only peer-to-peer site connections.
                    But you're right, giving road warriors the AD-DNSs is a good working solution.

                    The DNS on pfSense is needed in my case. A couple of guest networks (VLANs) use that exclusively; they don't and won't use the AD-DNSs 😃

                    Brgs,

                      • Derelict LAYER 8 Netgate

                      They are still getting forwarded to AD for the AD domain unless you have done custom ACLs.

                        • iorx

                        Yes, you're right, it's a bit of security by obscurity in that case. Users on guest LANs need to know which suffix to probe in that case, host.sub.domain.tld.
                        I'll see if I can find a clever way to prevent that. I'm planning to implement some kind of filtering also, but I haven't got around to checking how stable pfBlocker is in an HA environment yet.

                          • iorx

                          Success!

                          Tried it out live now.
                          Shut down machine #1. The Branch Office lost its connection to the Main Office for about 10 seconds. This is OpenVPN reconnecting.

                          After OpenVPN peer-to-peer reconnected, resolving from AD DNS works! TIL: so, multiple domain overrides are the way to go for internal name resolution in this scenario with AD DNSs.

                          Goal achieved with HA, AD DNS and OpenVPN peer-to-peer.

                          • Branch Office is not a sitting duck when Main Office is not available. Normal DNS function maintained.
                          • Branch Office AD DNS reachability is kept when HA is failed over.

                          Kudos to all!

                          Brgs,
