Netgate Discussion Forum
Problem with DNS resolution

    sasa1
    last edited by Mar 28, 2019, 5:34 PM

    Hi,
    I have a problem with a host-to-site; the VPN is working properly, but the remote client cannot make a DNS resolution.
    After the remote client (Windows 10) is connected to the VPN, if I try to access a website from a web browser, this fails.
    If I use the IP address (and not the domain name), it works.
    In the configuration, in "Advanced Client Settings", in DNS Domain I indicated 8.8.8.8
    Do I need to configure any other parameters?
    Thanks.

      KOM
      last edited by Mar 28, 2019, 5:46 PM

      Did you check the DNS Server enable checkbox?

        sasa1
        last edited by Mar 28, 2019, 5:57 PM

        yes

          KOM
          last edited by Mar 28, 2019, 6:00 PM

          I had to ask. You didn't explicitly say, and I never assume the obvious. I have a similar config and it works for me. If the client runs:

          ipconfig /all
          

          what is showing for DNS servers?

            sasa1
            last edited by Mar 29, 2019, 1:34 PM

            Hi,
            the dns shown is:
            8.8.8.8
            I attach picture.
            Thanks.
            ipconfig.JPG

              KOM
              last edited by Mar 29, 2019, 1:39 PM

              OK, so it seems to be aware of DNS available to it. Can you ping 8.8.8.8? What happens when you run this on the client:

              nslookup www.microsoft.com
              
                sasa1
                last edited by Mar 29, 2019, 1:47 PM

                The ping is OK; the result of the DNS resolution is attached.
                Thanks.
                nslookup1.PNG

                  KOM
                  last edited by Mar 29, 2019, 1:47 PM

                  Well, there is your problem. Can you ping 8.8.8.8?

                    sasa1
                    last edited by Mar 29, 2019, 1:49 PM

                    yes, ping to 8.8.8.8 is OK.
                    Thanks.

                      KOM
                      last edited by Mar 29, 2019, 1:55 PM

                      OK, so what happens when you run:

                      nslookup
                      server 8.8.8.8
                      www.microsoft.com
                      

                      As I recall, on the OpenVPN page there were some mitigation options for Windows 10 clients. Have you tried checking Force DNS cache update under Advanced Client Settings?

                        sasa1
                        last edited by Mar 29, 2019, 2:07 PM

                        The result is attached.
                        Yes, Force DNS cache update is already selected.
                        Thanks.
                        nslookup2.PNG

                          KOM
                          last edited by Mar 29, 2019, 2:08 PM

                          Show me a screenshot of your firewall rules for the OpenVPN interface. I suspect you're not allowing UDP traffic or something like that.

                            sasa1
                            last edited by Mar 29, 2019, 2:11 PM

                            Hi,
                            The requested rules are attached.
                            Thanks.
                            rules openvpn.JPG

                              KOM
                              last edited by Mar 29, 2019, 2:15 PM

                              Set the protocol to Any and try again.

                                sasa1
                                last edited by sasa1 Mar 29, 2019, 2:31 PM Mar 29, 2019, 2:31 PM

                                Hi,
                                unfortunately, even with Any, DNS resolution fails.
                                Thanks.
                                rules2.JPG

                                  KOM
                                  last edited by Mar 29, 2019, 2:40 PM

                                  Very strange. Does your firewall log show any relevant blocks while you're testing?

                                    sasa1
                                    last edited by Mar 29, 2019, 5:31 PM

                                    Hi,
                                    no, I don't see deny in the logs.
                                    Thanks.

                                      KOM
                                      last edited by Mar 29, 2019, 5:32 PM

                                      Yo @johnpoz Johnny joe ray bob, any thoughts?

                                        marvosa
                                        last edited by marvosa Mar 30, 2019, 5:19 AM Mar 30, 2019, 5:18 AM

                                        We need more details on the setup. For clarity, is "host-to-site" referring to a remote access, road warrior setup? If so, post the server1.conf (/var/etc/openvpn).

                                        We'll know more once we see the config, but is all traffic forced thru the tunnel?

                                          sasa1
                                          last edited by Mar 30, 2019, 10:46 AM

                                          Hi, attached server1.conf.
                                          The address:
                                          192.168.1.1
                                          is the address of the router / dns referenced by the remote client that connects to my openvpn server.
                                          The pfSense version is 2.3.2, do I need to update it?
                                          Thanks.
                                          server1.txt
