DNS Resolver for internal domains non-responsive over IPSec tunnel
I recently migrated my site-to-site tunnel from OpenVPN to IPSec (the OpenVPN tunnel was shutting down intermittently, but that's an issue for another day). The issue is that DNS Resolver is failing to forward/resolve local domains configured in domain overrides now, which was working with OpenVPN.
I've got two pfSense boxes at .cozyhome and .cozynet:
- pfsense.cozyhome (10.0.2.1)
- pfsense.cozynet (10.0.1.1)
I have DNS Resolver configured on both machines. The issue is with DNS queries for the domain .cozynet that initiate from *.cozyhome.
My config is as follows:
- On my pfsense.cozyhome machine, DNS resolver has a domain override to lookup .cozynet hostnames at 10.0.1.1 (FWIW, DNS lookups initiated from within the .cozynet network for .cozynet hostnames resolve fine, so I can confirm this is at least configured correctly).
- On pfsense.cozynet the DNS resolver has the 10.0.2.0/24 network configured in its access list (to allow queries from the .cozyhome network).
- IPSec firewall rules on pfsense.cozynet are set to allow Any from 10.0.2.0/24 and all other traffic is otherwise working fine
- Additionally, pfsense.cozyhome has 10.0.1.1 in the DNS servers in General Setup to try that for queries
When I do a DNS lookup from pfsense.cozyhome for a .cozynet hostname, the forwarding to 10.0.1.1 reports "No Response".
I'm not seeing anything in the firewall logs that would indicate that these requests are being blocked.
As I mentioned previously, this exact same configuration was working perfectly when I had my site-to-site tunnel configured with OpenVPN -- it stopped working when I switched to IPSec.
Is there something unique/different about IPSec that needs additional configuration to allow DNS resolver to forward requests over the tunnel?
@darrenavid Is there a way to keep the forum from scaling images up to full width?
Got a little more info on this - I set the local DNS resolver logging to show queries, and when I query the cozynet domain from cozyhome I see:
Feb 6 06:18:44 unbound 57298:1 debug: return error response SERVFAIL
Feb 6 06:18:44 unbound 57298:1 debug: configured stub or forward servers failed -- returning SERVFAIL
This is only happening for lookups for the cozynet domain; everything else is resolving properly.
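One thing that does differ between OpenVPN and a policy-based IPsec tunnel, and that matches the "No Response" followed by SERVFAIL above, is which source address the firewall's own forwarded queries carry. A policy-based phase 2 only encrypts traffic whose source and destination fall inside its selectors; a query that unbound sends from the firewall itself normally picks the source address of the route to 10.0.1.1, which is the WAN address, so it never matches the tunnel policy and goes out the default route instead. The script below is an added example, not from this thread or from pfSense, and it assumes things the thread does not state: that the phase 2 is 10.0.2.0/24 to 10.0.1.0/24, that it is run from a shell on pfsense.cozyhome, and that `dig` is installed there. It sends the same query twice, once with the default source and once bound to the LAN address 10.0.2.1, and compares the outcome.

```shell
#!/bin/sh
# Added example (not from the thread or from pfSense): check whether a
# DNS forward to the remote site is actually entering the IPsec tunnel.
#
# Assumptions not stated in the thread: phase 2 selector is
# 10.0.2.0/24 <-> 10.0.1.0/24, this runs on pfsense.cozyhome, and `dig`
# is available. A query sourced from the WAN address does not match that
# selector; the same query sourced from the LAN address does.

REMOTE_DNS="10.0.1.1"        # pfsense.cozynet, the domain-override target
LAN_SRC="10.0.2.1"           # pfsense.cozyhome LAN address, inside the P2 selector
TEST_NAME="pfsense.cozynet"  # any name the remote resolver is authoritative for

# classify_dig_output OUTPUT
# Reduce dig's output to one word so the two probes can be compared:
#   answered | servfail | no-response | other
classify_dig_output() {
    case "$1" in
        *"connection timed out"*|*"no servers could be reached"*)
            echo "no-response" ;;
        *"status: SERVFAIL"*)
            echo "servfail" ;;
        *"status: NOERROR"*)
            echo "answered" ;;
        *)
            echo "other" ;;
    esac
}

# probe [SOURCE_ADDR]
# Query REMOTE_DNS once with a short timeout, optionally binding the
# source address with dig -b so the packet matches (or not) the P2 policy.
probe() {
    if [ -n "$1" ]; then
        dig +time=2 +tries=1 -b "$1" @"$REMOTE_DNS" "$TEST_NAME" A 2>&1
    else
        dig +time=2 +tries=1 @"$REMOTE_DNS" "$TEST_NAME" A 2>&1
    fi
}

main() {
    default_result=$(classify_dig_output "$(probe "")")
    lan_result=$(classify_dig_output "$(probe "$LAN_SRC")")
    echo "query from default (WAN) source: $default_result"
    echo "query from LAN source $LAN_SRC:  $lan_result"
    if [ "$default_result" = "no-response" ] && [ "$lan_result" = "answered" ]; then
        echo "Forwarded queries are leaving via the default route, not the tunnel."
        echo "Fix: DNS Resolver > Outgoing Network Interfaces, select LAN only,"
        echo "or add a phase 2 that covers the firewall's own source address."
    fi
}

# Run the probes only where dig exists; the functions can still be sourced
# and reused elsewhere.
if command -v dig >/dev/null 2>&1; then
    main
else
    echo "dig not found on this host; adapt probe() to the resolver tool available."
fi
```

If the first probe times out and the second answers, the forwarder is fine and the problem is purely the source address of the firewall's own queries. Independently of the script, `tcpdump -ni enc0 udp port 53` on either pfSense box shows whether the queries are inside the tunnel at all, and a capture on the WAN interface filtered on `host 10.0.1.1` shows whether they are leaving in the clear toward the default gateway.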