OpenVPN works but no local DNS

john_galt

Hi,

I'm running pfSense 2.4.4-RELEASE-p2 with pfBlockerNG-devel 2.2.5_22. I have OpenVPN setup and running and can connect successfully. I can access assets by IPv4 address but can't resolve local host names. I've read countless forum articles and tutorials on OpenVPN, Client, DNS issues but at this point I can't see the trees through the forest. I'm humbly asking for some assistance and or clues as to what I'm missing.

I'm including some screen captures below. (apologies if it's too many)

Doug

OpenVPN Server:

DNS Resolver:

Firewall > Rules > OpenVPN:

Firewall > Rules > WAN:

Firewall > Rules > LAN:

client ipconfig:

client nslookkup:

pfSense packet capture:
on OpenVPN interface, port 53:

johnpoz

Out of the box unbound does auto ACLs to allow the local networks of pfsense to query it... If you want your tunnel networks (ie vpn clients) to be able to query unbound running on pfsense then you need to adjust your unbound acls.

john_galt

Hi John,

Thanks for your quick reply.

Is this what you are talking about?

Doug

johnpoz

yeah that is where you set the acls on who can query unbound.

john_galt

@johnpoz

Isn't it set by that entry?

The client is 10.0.8.2 and that is in the ACL.

Doug

johnpoz

yeah that should allow it yes.. So you just created it, or that was there already? Do you have automatic set? Not sure if when you have automatic if it reads what you set?

I have always turned off automatic and done my own acls..

I looked closer and sure looks like your getting answers in your packet capture..

Oh your dns on your client is just pointing to loopback??

That kind of broken... should be pointing to pfsense lan IP for dns would be how I would set it up..

john_galt

@johnpoz

No I didn't just create it. It's been there probably since I setup OpenVPN.

I haven't disabled auto-added list.

From that packet capture I thought so as well but I still can't get host resolution. Why I'm at a loss.

Doug

johnpoz

your client is asking itself for dns... So how would that get sent down the tunnel to unbound on pfsense?

john_galt

@johnpoz

I thought so as well John. I had that set to my pfSense IP before a recent pfBlockerNG devel release.
BBcan177 did some "tinkering". I will ping him on this.

Doug

john_galt

@johnpoz

I can now get local DNS over OpenVPN but I don't know why. I would like to if anyone can explain.

In Services > DNS Resolver > General Settings I changed the Network Interfaces from "All" to selecting all the interfaces and saving.

I've spent a lot of time trying to figure this out and really would like to understand why one setting
doesn't work but the other does when essentially they are both the same?

Thanks,

Doug

// Edit//

Here's the forum thread that gave me this fix.

johnpoz

So your clients are using doing ssl/tls queries? over a VPN? WTF???

john_galt

@johnpoz

I’m not even sure how to answer that John. I’ll let it go as it seems to have struck a nerve.

Thanks for your help.

KOM

@john_galt said in OpenVPN works but no local DNS:

I've spent a lot of time trying to figure this out and really would like to understand why one setting
doesn't work but the other does when essentially they are both the same?

That looks like some sort of glitch to me. There may not be any sense to be made about it other than 'bug'.

johnpoz

@john_galt

Dude why would you do dns over tls over your own vpn? Complete nonsense and extra overhead

Did you fix your client from pointing to loop back? Dude I use this every day there is no “bug”

john_galt

@KOM

KOM,

Someone in the old forum article I referenced mentioned something about committing a fix but that was years ago.

Like I tried to explain I know enough about networking to get myself into trouble. But I'm willing to learn.

Thank you for your assistance.

Doug

john_galt

@johnpoz

John,

My name is Doug. It's in my messages. I give you the respect of using your name.

I did fix the loopback.

I really don't understand why you are taking this request for help and my stated lack of
knowledge so personally. I have no idea that I'm doing DNS over TLS over my own VPN.
All I wanted to do was VPN into my home network from my work location and be able
to access assets by name.

If you wish to help I will listen and respect you for it. If you wish to berate then please
don't help.

Doug

KOM

Check your DHCP server to see what it's pushing to clients for DNS.

john_galt

@KOM

KOM,

I will check when I get back to work Monday morning.

It's working now though since I made that change. I don't know why
and that bothers me. I will continue my research.

Thank you for your help.

johnpoz

If you do not understand what dns over tls is then why would you set it??

Fixing your issue does not come from just randomly clicking shit..

Come back when you have your client actually pointing to the IP for dns that is your pfsense box on your vpn connection which was pointed out to you back in the beginning of this thread.

Do a simple query from your client using your fav dns tool, nslookup, dig, host, etc..

Does it respond - yes or no?

You show an answer in your packet capture to your query to 53 - what was that query, what was the answer... download that packet capture in wireshark.

It's working now though since I made that change

You changed from ALL to manually selecting "all" that is not a fix that is not even different.. So how would that "fix" anything..

john_galt

@johnpoz

John I setup pfsense to use Quad9 DNS over TLS earlier this year. I can't find the URL for the instructions I used but will keep looking. In those instructions I was instructed to enable that feature.

I will come back when I can check over the VPN connection Monday.

In my initial request for help I posted a screen grab of the packet capture which you said showed the query being answered. I did that query using nslookup and explicitly setting the server to my pfsense IPv4 address. I did not get a name back using this method.

I will get wireshark and get that data but can't until Monday.

Thank you for your help.

Doug