Netgate Discussion Forum

    (SOLVED) Remote DNS not working over IPSec

    Category: DHCP and DNS
    2 Posts, 1 Poster, 4.9k Views
    pvn (last edited by pvn)

      I have an IPSec tunnel between two offices:

      Office A:
      domain: a.mydomain.com
      LAN:    10.0.0.1/16
      
      Office B:
      domain: b.mydomain.com
      LAN:    10.1.0.1/16
      

      The machines in LAN A can ping and access the machines in LAN B and vice-versa by using IP address.

      In office A in DNS Resolver Domain Overrides I have:

      Domain:                   b.mydomain.com
      Lookup Server IP Address: 10.1.0.1
      

      In office B in DNS Resolver Domain Overrides I have:

      Domain:                   a.mydomain.com
      Lookup Server IP Address: 10.0.0.1
      

      The problem: the pfSense DNS server that is remote to the client does not work at all. A machine in LAN A cannot resolve anything in LAN B and vice-versa.

      From a machine in LAN A I can ping the DNS server in LAN B (10.1.0.1) and I can even telnet on port 53. But I cannot use it to resolve anything.
      For example: (The following is executed from a machine in LAN A)

      dig +short pfsense.b.mydomain.com @10.0.0.1 # this fails, indicating that the Domain Overrides in the DNS Resolver do not work

      dig +short pfsense.b.mydomain.com @10.1.0.1 # this fails, indicating that the remote DNS cannot resolve anything

      Trying to resolve internet domains using the remote DNS fails as well. The following is executed from a machine in LAN A:

      $ dig +short netgate.com @10.0.0.1 # <- this is LAN A pfsense
      208.123.73.73
      $ dig +short netgate.com @10.1.0.1 # <- this is LAN B pfsense over the IPSec tunnel
      $
      

      Any ideas?

      pvn (last edited by pvn)

        Problem solved.

        1. The LAN A subnet must be added to the DNS Resolver ACL on pfSense B, and the LAN B subnet must be added to the DNS Resolver ACL on pfSense A
          Services -> DNS Resolver -> Access Lists -> + Add
          The "Action" should be "Allow"

        2. The DNS Resolver "Outgoing Network Interfaces" on both pfSense firewalls must be set to "LAN" and "Localhost"
          https://forum.netgate.com/topic/103395/dns-server-domain-override-over-ipsec-vpn-not-working

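Step 1 of the fix is an access-list problem: the DNS Resolver (unbound) only answers sources that match an allow entry, so a query arriving over the tunnel from the other office's subnet is refused, and `dig +short` prints nothing for a REFUSED reply. The following is an added example, not code from the post or from pfSense; it models unbound's most-specific-match access-control check over constructed `access-control:` lines (the form pfSense renders its Access Lists into, assumed here) to show why the cross-site lookups fail before the ACL entries exist and succeed after.

```python
import ipaddress

# Constructed unbound-style access-control fragments for each site. These are
# made up for the example; pfSense renders its Access Lists into lines of this
# shape, but these are not copied from a real unbound.conf.
ACL_A_BEFORE = """\
access-control: 127.0.0.0/8 allow
access-control: ::1/128 allow
access-control: 10.0.0.0/16 allow
"""
ACL_B_BEFORE = """\
access-control: 127.0.0.0/8 allow
access-control: ::1/128 allow
access-control: 10.1.0.0/16 allow
"""
# After step 1 of the fix: each site allows the other site's LAN subnet.
ACL_A_AFTER = ACL_A_BEFORE + "access-control: 10.1.0.0/16 allow\n"
ACL_B_AFTER = ACL_B_BEFORE + "access-control: 10.0.0.0/16 allow\n"


def parse_access_control(text):
    """Return (network, action) pairs from 'access-control:' lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0] != "access-control:":
            continue
        entries.append((ipaddress.ip_network(parts[1], strict=False), parts[2]))
    return entries


def acl_action(entries, client_ip):
    """Most-specific matching entry wins. Unmatched sources are refused,
    which is unbound's default and appears as an empty 'dig +short' reply."""
    ip = ipaddress.ip_address(client_ip)
    best = None
    for net, action in entries:
        if net.version == ip.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, action)
    return best[1] if best else "refuse"


def cross_site_check(acl_a, acl_b, client_a="10.0.0.50", client_b="10.1.0.50"):
    """Would a LAN A host be answered by pfSense B, and a LAN B host by pfSense A?"""
    return {
        "A->B": acl_action(parse_access_control(acl_b), client_a),
        "B->A": acl_action(parse_access_control(acl_a), client_b),
    }


if __name__ == "__main__":
    print("before:", cross_site_check(ACL_A_BEFORE, ACL_B_BEFORE))
    print("after: ", cross_site_check(ACL_A_AFTER, ACL_B_AFTER))
```

Running `dig` without `+short` against the remote resolver shows the `status: REFUSED` header directly, which distinguishes an ACL rejection from a tunnel or routing problem.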
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.