(SOLVED) Remote DNS not working over IPSec



  • I have an IPSec tunnel between two offices:

    Office A:
    domain: a.mydomain.com
    LAN:    10.0.0.1/16
    
    Office B:
    domain: b.mydomain.com
    LAN:    10.1.0.1/16
    

    The machines in LAN A can ping and access the machines in LAN B and vice versa by using IP address.

    In office A in DNS Resolver Domain Overrides I have:

    Domain:                   b.mydomain.com
    Lookup Server IP Address: 10.1.0.1
    

    In office B in DNS Resolver Domain Overrides I have:

    Domain:                   a.mydomain.com
    Lookup Server IP Address: 10.0.0.1
    

    The problem: The pfSense DNS server that is remote to the client does not work at all. A machine in LAN A cannot resolve anything in LAN B and vice versa.

    From a machine in LAN A I can ping the DNS server in LAN B (10.1.0.1) and I can even telnet on port 53. But I cannot use it to resolve anything.
    For example: (The following is executed from a machine in LAN A)

    dig +short pfsense.b.mydomain.com @10.0.0.1 # this fails indicating that the Domain Overrides in the DNS Resolver does not work
    
    dig +short pfsense.b.mydomain.com @10.1.0.1 # this fails indicating that the remote DNS cannot resolve anything
    

    Trying to resolve internet domains using the remote DNS fails as well. The following is executed from a machine in LAN A:

    $ dig +short netgate.com @10.0.0.1 # <- this is LAN A pfSense
    208.123.73.73
    $ dig +short netgate.com @10.1.0.1 # <- this is LAN B pfSense over the IPSec tunnel
    $
    

    Any ideas?



  • Problem solved.

    1. LAN A subnet must be added to DNS Resolver ACL on pfSense B and LAN B must be added to DNS Resolver ACL on pfSense A
      Services -> DNS Resolver -> Access Lists -> + Add
      The "Action" should be "Allow"

    2. The DNS Resolver "Outgoing Network Interfaces" on both pfSense firewalls must be set to "LAN" and "Localhost"
      https://forum.netgate.com/topic/103395/dns-server-domain-override-over-ipsec-vpn-not-working
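
    An added example, not from the thread or from pfSense/Unbound itself: a small Python model of step 1. It assumes pfSense writes each DNS Resolver Access List entry as an Unbound `access-control:` line and that Unbound applies the most specific matching netblock, refusing any client whose address is not listed; the netblocks and client addresses are constructed to match the LAN A / LAN B layout above.

    ```python
    """Model how Unbound (pfSense's DNS Resolver) decides whether to answer a client.

    Added example, not from the forum thread. Assumes pfSense renders each
    DNS Resolver Access List entry as an Unbound 'access-control:' line and that
    Unbound uses the most specific matching netblock, refusing unlisted clients.
    """
    import ipaddress

    # Constructed access-control lines as pfSense B might emit them BEFORE the fix:
    # only localhost and its own LAN (10.1.0.0/16) are allowed.
    BEFORE_FIX = """
    access-control: 127.0.0.0/8 allow
    access-control: 10.1.0.0/16 allow
    """

    # AFTER step 1 of the solution: LAN A (10.0.0.0/16) added as an "Allow" ACL on pfSense B.
    AFTER_FIX = BEFORE_FIX + "access-control: 10.0.0.0/16 allow\n"


    def parse_access_control(conf):
        """Return [(network, action), ...] parsed from 'access-control:' lines."""
        rules = []
        for line in conf.splitlines():
            line = line.split("#", 1)[0].strip()  # drop comments and blanks
            if not line.startswith("access-control:"):
                continue
            _, netblock, action = line.split()
            rules.append((ipaddress.ip_network(netblock, strict=False), action))
        return rules


    def decide(conf, client_ip):
        """Longest-prefix match wins; a client matching no rule is refused."""
        addr = ipaddress.ip_address(client_ip)
        best = None
        for net, action in parse_access_control(conf):
            if addr.version == net.version and addr in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, action)
        return best[1] if best else "refuse"


    if __name__ == "__main__":
        # A LAN A host (10.0.0.50) querying pfSense B over the tunnel:
        # refused before the ACL is added (dig +short prints nothing), allowed after.
        for label, conf in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
            print(f"{label}: LAN A client -> {decide(conf, '10.0.0.50')}, "
                  f"LAN B client -> {decide(conf, '10.1.0.20')}")
    ```

    The same model applies in the other direction: pfSense A refuses 10.1.0.0/16 clients until LAN B is added to its own Access List.
    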

