Netgate Discussion Forum

    DNS Resolver for internal domains non-responsive over IPSec tunnel

    Category: DHCP and DNS

    darrenavid (original post):

      Hi all-

      I recently migrated my site-to-site tunnel from OpenVPN to IPsec (the OpenVPN tunnel was shutting down intermittently, but that's an issue for another day). The issue is that DNS Resolver is now failing to forward/resolve the local domains configured in domain overrides, which was working with OpenVPN.

      I've got two pfSense boxes at .cozyhome and .cozynet:

      • pfsense.cozyhome (10.0.2.1)
      • pfsense.cozynet (10.0.1.1)

      I have DNS Resolver configured on both machines. The issue is with DNS queries for the domain .cozynet that initiate from *.cozyhome.

      My config is as follows:

      • On my pfsense.cozyhome machine, DNS Resolver has a domain override to look up .cozynet hostnames at 10.0.1.1 (FWIW, DNS lookups initiated from within the .cozynet network for .cozynet hostnames resolve fine, so I can confirm this is at least configured correctly).


      • On pfsense.cozynet the DNS Resolver has the 10.0.2.0/24 network configured in its access list (to allow queries from the .cozyhome network).


      • IPsec firewall rules on pfsense.cozynet are set to allow Any from 10.0.2.0/24, and all other traffic is otherwise working fine.


      • Additionally, pfsense.cozyhome has 10.0.1.1 in the DNS servers list in General Setup, to try that for queries.


      When I do a DNS lookup from pfsense.cozyhome for a .cozynet hostname, the forwarding to 10.0.1.1 reports "No Response":


      I'm not seeing anything in the firewall logs that would indicate that these requests are being blocked.

      As I mentioned previously, this exact same configuration was working perfectly when I had my site-to-site tunnel configured with OpenVPN; it stopped working when I switched to IPsec.

      Is there something unique/different about IPsec that needs additional configuration to allow DNS Resolver to forward requests over the tunnel?


      darrenavid (reply):

        Is there a way to keep the forum from scaling images up to full width?


        darrenavid (reply):

          Got a little more info on this: I set the local DNS Resolver logging to show queries, and when I query the cozynet domain from cozyhome I see:

          Feb 6 06:18:44	unbound	57298:1	debug: return error response SERVFAIL
          Feb 6 06:18:44	unbound	57298:1	debug: configured stub or forward servers failed -- returning SERVFAIL
          

          This is only happening for lookups for the cozynet domain; everything else is resolving properly.

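The two Unbound log lines above ("configured stub or forward servers failed -- returning SERVFAIL") say only that the forward to 10.0.1.1 got no reply; they do not say why. One distinction worth checking on the cozyhome box is whether the query reaches the remote resolver when it is sourced from the cozyhome LAN address (10.0.2.1) versus when the OS picks the source address itself: a policy-based IPsec tunnel only carries packets whose source and destination match its Phase 2 selectors, whereas the routed OpenVPN tunnel the poster used before did not care about the source address. The script below is an added diagnostic written for this thread, not something the poster or Netgate supplied. It assumes `dig` is installed on the pfSense shell (the `-b` source-address option is standard dig), it uses the two LAN addresses given in the post, and the hostname `host.cozynet` is a made-up test name; the sample dig output in the test is likewise constructed.

```shell
#!/bin/sh
# Added diagnostic for "DNS Resolver domain override over IPsec" (not from the thread).
# Assumptions: dig is installed; 10.0.1.1 / 10.0.2.1 are the LAN addresses from the post;
# host.cozynet is an assumed test name that must exist on the remote resolver.
set -eu

REMOTE_DNS=10.0.1.1        # pfsense.cozynet, the domain-override target
LOCAL_LAN_IP=10.0.2.1      # pfsense.cozyhome LAN address, inside the IPsec Phase 2 local network
TEST_NAME=host.cozynet     # assumed hostname to look up

# Reduce a dig transcript to one of: answered, servfail, timeout, unknown.
classify_dig() {
    out="$1"
    if printf '%s' "$out" | grep -q 'no servers could be reached'; then
        echo timeout
    elif printf '%s' "$out" | grep -q 'status: SERVFAIL'; then
        echo servfail
    elif printf '%s' "$out" | grep -q 'status: NOERROR'; then
        echo answered
    else
        echo unknown
    fi
}

# Build the dig command for one probe. An empty source means "let the OS choose",
# which is what Unbound does unless its outgoing interface is pinned.
dig_cmd() {
    src="$1"
    if [ -n "$src" ]; then
        echo "dig @$REMOTE_DNS -b $src $TEST_NAME A +time=2 +tries=1"
    else
        echo "dig @$REMOTE_DNS $TEST_NAME A +time=2 +tries=1"
    fi
}

# Run one probe and classify it. dig exits non-zero on timeout, so keep its output either way.
probe() {
    src="$1"
    out=$(eval "$(dig_cmd "$src")" 2>&1 || true)
    classify_dig "$out"
}

main() {
    default=$(probe "")
    lan=$(probe "$LOCAL_LAN_IP")
    echo "default source address : $default"
    echo "source $LOCAL_LAN_IP    : $lan"
    if [ "$default" = timeout ] && [ "$lan" = answered ]; then
        echo "Only queries sourced from $LOCAL_LAN_IP reach $REMOTE_DNS:"
        echo "the default source address falls outside the IPsec Phase 2 selector,"
        echo "so Unbound's forwards never enter the tunnel."
    elif [ "$default" = timeout ] && [ "$lan" = timeout ]; then
        echo "Neither source address gets a reply: check the Phase 2 entries and the"
        echo "IPsec-interface rules on $REMOTE_DNS before looking at Unbound."
    fi
}

# Only run the network probes when invoked with an argument, e.g.:  sh dns_over_ipsec.sh run
if [ "$#" -gt 0 ]; then main "$@"; fi
```

If the first probe times out and the second is answered, the relevant pfSense setting is Services > DNS Resolver > Outgoing Network Interfaces on pfsense.cozyhome: restrict it to LAN so Unbound sends its forwards from 10.0.2.1 rather than from whatever interface the routing table picks. If both probes time out, the query is not crossing the tunnel at all regardless of source address, which points at the Phase 2 definitions or the IPsec-tab firewall rules on the cozynet side rather than at the resolver configuration.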
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.