DNS names not resolving when connected via VPN

JLundberg · Jul 2, 2020, 1:26 AM

I'm setting this up on my companies network. Its replacing a SonicWall firewall. The network currently is running an older Windows 2003 domain and DNS server (oh yes I know. I'm working on the 2016 replacement as I finely got our finance software working on it but that's a later date. What a pain. Ok so I was able to get the netgate installed and have OpenVPN working I found that my local DNS names are not being resolved when connected via VPN. Local computers still work but not over VPN. I can type in the local address and get to it but I can't start several programs because the servers can't be located. I tried several things I found using DNS resolver but I must not be doing it correctly.

Any help would be appreciated.

Gertjan · Jul 2, 2020, 8:06 AM

Hi,

When you connect to the VPN server, did your device (PC) receive a DNS IP ?
Use

ipconfig  /all

You should also us "nslookup".

On your VPN server firewall tab, what are the fire wall rules ?
=> Can UDP/TCP traffic enter ?

Is the pfSense Resolver set up to listen on this interface ?
This setting :

handles this question just fine.

Resolver settings : you're not using CL settings ?
These :

Also : does the pfSense Resolver actually contain the local host names ?
Execute

cat /etc/hosts

to find out.

When all this works as aspected, then - and only then - throw in the " Windows 2003 domain and DNS server" part.
If this "Windows 2003 domain and DNS server" is also running DHCP ( and pfSense doesn't) then it's normal the Resolver isn't aware of the local host names . The DNS IP given to the OpenVPN clients should be the IP of your "Windows 2003 domain and DNS server" - and this "Windows 2003 domain and DNS server" should be set up to accept connecting coming from the OpenVPN network (which is not the case - I guess, by default)

This is just a small list of the things to be tested.
Many other possibilities exists, but you did not give any details - so impossible to detail more (there is just to much)

JeGr · Jul 2, 2020, 3:08 PM

@JLundberg said in DNS names not resolving when connected via VPN:

Ok so I was able to get the netgate installed and have OpenVPN working I found that my local DNS names are not being resolved when connected via VPN.

What DNS Server did you configure in your OVPN server settings? Which one is handed out to the client? Also do you have the Flush DNS option set in your server configuration? For Win10 clients the option to block outside DNS is also extremely useful to stop clients making DNS calls to their local home routers but instead use the DNS server you push via OVPN

JLundberg · Jul 2, 2020, 2:24 PM

Thank's everyone for the input. I will review what I have set and get back to you. I currently have it removed and back at the house so I'm limited as to what I can do. Our office is closing this Friday for an extended weekend. I plan on being there first thing setting this back up. No holiday for me but at least I can bring down the network as needed.

I hope some of you will be browsing this page and able to lend a hand if needed. I'm in Louisiana and will probably be there around 8:00am US Central Time.

I know this is all volunteer and any help is appreciated. I have learned so much already.

Take care everyone. I will get the information soon.

JLundberg · Jul 2, 2020, 3:08 PM

@JeGr
Im my OVPN Client Setting I set DNS Server 1 on my ODNS Server 208.67.222.222 Is this incorrect? When the netgate is NOT installed and I do a nslookup I get 1.1.1.1 for my Default Server. I'll have to check to see if I have Flush DNS set.

I only have three remote Windows 10 computers that connect to the network. Currently, we are using SonicWall that is EOL and starting to have issues. I wanted to set up a new firewall before a total death happens. We use the Dell SonicWall Global VPN Client currently.

Gertjan · Jul 2, 2020, 3:15 PM

@JLundberg said in DNS names not resolving when connected via VPN:

.... I set DNS Server 208.67.222.222 ....... I get 1.1.1.1 for my Default Server.

All those DNS servers don't know nothing about your local network devices.

JLundberg · Jul 2, 2020, 3:27 PM

@Gertjan
Some of the questions I have to wait until I get the netgate connected back up.

Under the firewall rules I have the protocol set to TCP. Should I use UDP/TCP for all my NAT Settings?
Yes the Network Interfaces is set to All
I'm not using CL Settings
for the local host names:

It may be as @Gertjan pointed out. I don't have my local DNS set in the OVPN settings. I will try setting that tomorrow morning and see what I get. Also I'll be better set to get more info when it's connected to the network.

I'll look up more info on getting my settings set correctly in the OVPN DNS section.

JLundberg · Jul 2, 2020, 3:52 PM

When making a change to the OVPN Advanced Client Settings by changing the DNS settings and I correct in assuming that I will need to recreate the user certificates for our users?

JeGr · Jul 3, 2020, 9:17 AM

@JLundberg said in DNS names not resolving when connected via VPN:

Under the firewall rules I have the protocol set to TCP. Should I use UDP/TCP for all my NAT Settings?

TCP set for what? You didn't show us the ruleset :)

@JLundberg said in DNS names not resolving when connected via VPN:

It may be as @Gertjan pointed out. I don't have my local DNS set in the OVPN settings. I will try setting that tomorrow morning and see what I get. Also I'll be better set to get more info when it's connected to the network.

If you use any public DNS as your DNS setting in OVPN server settings you won't get any answers for internal IPs or internally used domains. Obviously ;)
So if you want them it depends: do you use pfSense for your internal DNS or do normal clients get DHCP/DNS via your Windows DC? If you want your OVPN clients to get the same, you have to hand them your pfSense or Windows DC/DNS IP as their DNS server, otherwise no one knows about your internal domains and can't resolve it :)

\jens