additional DNS-name kills service
-
Hello,
I am running multiple OpenVPN-Servers on my pfSense (2.5.2-RELEASE), which does work flawlessly with a more or less standard configuration.
However, once I try adding an additional DNS name under "DNS Default Domain", the service of that OpenVPN server breaks down and cannot be restarted.
I also tried to push the domains via:
push "dhcp-option DOMAIN example.local"
push "dhcp-option DOMAIN core.windows.net"
with the same result.
Do you know of that issue? Any way to bypass it?
Thanks in advance, hope somebody can help me.
-
Can you clarify?
You entered one "DNS Default Domain", and what did you do to enter more of them?
"DNS Default Domain"
@maxtheitguy said in additional DNS-name kills service:
cannot be restarted.
It tells you why. May we know why?
(the logs!)
edit:
I don't know why hosts should have multiple domain names, but, ok, I tried this:
OpenVPN server restarted just fine.
No errors or alerts. -
First, thank you for helping me out.
I tried to enter it multiple ways:
About the Logs:
I found an entry. Sorry, I was looking in 'System' before, thinking it was a service that was causing issues. And our OpenVPN is getting so many logs that this info was not visible anymore once I checked there. Seeing this sheds light on my issue.
Also, it did work as a custom option the way you entered it. I must say... I forgot the semicolons.
Sorry, I might have worked myself into this issue so much, I did not see any obvious clues.
Other question about the same topic.
Because, maybe I am on a completely wrong track here...
We need to force the clients to lookup the second domain via our provided DNS as well, as we are routing those windows packages to azure internally.
Is this even the correct way of doing that?
Thank you,
Max -
@maxtheitguy said in additional DNS-name kills service:
First, thank you for helping me out.
I tried to enter it multiple ways:
Look at what the doc says about "DHCP-push options": go here https://build.openvpn.net/man/openvpn-2.5/openvpn.8.html and locate --dhcp-option
The variable DOMAIN can have a "name".
Nothing has been said about adding multiple domain names.
IMHO: it's not even logical that multiple DOMAIN names can be used here.
@maxtheitguy said in additional DNS-name kills service:
I forgot the semicolons.
Just to be sure : the usage of semicolons is just a pfSense GUI syntax, so it can separate the lines.
@maxtheitguy said in additional DNS-name kills service:
Because, maybe I am on a completely wrong track here...
Shouldn't you check "DNS server enable" and add the IPs of your own DNS servers?
See my image above, previous post. -
If you want search domains then use that option..
dhcp-option DOMAIN-SEARCH my.company.domain
dhcp-option DOMAIN-SEARCH some.example.domain
-
Yes, I see now.
So the domain name should be unique and other domains can be added with domain-search.
So, can I use domain-search with * as well?
What I try to achieve is the following:
We have an azure server to which we need to redirect the *.core.microsoft.com traffic.
We cannot send all traffic to the pfSense and redirect there, because it would overwhelm our site. (We tried that once... due to home office we currently have a lot of OpenVPN users and all those small DNS packets somehow brick our application firewall...)
So, the correct way would be:
push "dhcp-option DOMAIN example.local";
push "dhcp-option DOMAIN-SEARCH *.example.domain";
?
-
@maxtheitguy why would you think you need an asterisk?
Say your domain was mydomain.tld
and you added search domains of
otherdomain.tld
something.mydomain.tld
other.mydomain.tld
And the client searched for just host
What would be queried would be
host.mydomain.tld
and if nothing is returned then
host.otherdomain.tld
host.something.mydomain.tld
host.other.mydomain.tld
How would a wildcard work? There is an almost infinite number of possibilities..
-
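The two mechanics discussed in the replies above, as an added example that is not from the thread or from pfSense: pfSense's OpenVPN "Custom options" box is split on semicolons into separate config lines, OpenVPN accepts one DOMAIN but any number of DOMAIN-SEARCH entries, and a client expands an unqualified name against that list in pushed order. The directive parser, the `ndots` expansion rule (modelled on glibc's resolver) and all domain names and addresses are assumptions made for the illustration.

```python
"""Model how pushed OpenVPN dhcp-options become a client's DNS search list.

Added example, not code from the thread or from pfSense. Names and
addresses are constructed for the illustration.
"""
import re
import shlex

# Constructed sample: text as pasted into pfSense's OpenVPN "Custom options".
CUSTOM_OPTIONS = (
    'push "dhcp-option DNS 10.8.0.1";'
    'push "dhcp-option DOMAIN mydomain.tld";'
    'push "dhcp-option DOMAIN-SEARCH otherdomain.tld";'
    'push "dhcp-option DOMAIN-SEARCH something.mydomain.tld";'
    'push "dhcp-option DOMAIN-SEARCH other.mydomain.tld";'
)

# One DNS label: 1-63 chars of letters, digits or '-', not starting or ending with '-'.
LABEL_RE = re.compile(r'^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$')


def split_custom_options(text):
    """pfSense joins the textarea on ';' into separate server.conf lines."""
    return [part.strip() for part in text.split(';') if part.strip()]


def valid_domain(name):
    """A DNS name is a dotted sequence of plain labels; '*' is not a label."""
    labels = name.rstrip('.').split('.')
    return all(LABEL_RE.match(lbl) for lbl in labels)


def parse_dhcp_options(lines):
    """Collect pushed dhcp-option values, rejecting what OpenVPN won't accept."""
    opts = {'DNS': [], 'DOMAIN': [], 'DOMAIN-SEARCH': []}
    for line in lines:
        # push "dhcp-option DOMAIN x"  ->  ['push', 'dhcp-option DOMAIN x']
        tokens = shlex.split(line)
        if len(tokens) != 2 or tokens[0] != 'push':
            raise ValueError(f'not a push directive: {line!r}')
        inner = tokens[1].split()
        if len(inner) != 3 or inner[0] != 'dhcp-option':
            raise ValueError(f'malformed dhcp-option: {line!r}')
        _, kind, value = inner
        if kind not in opts:
            raise ValueError(f'unsupported dhcp-option type {kind!r}')
        if kind != 'DNS' and not valid_domain(value):
            raise ValueError(f'{value!r} is not a DNS name (wildcards do not exist here)')
        opts[kind].append(value)
    if len(opts['DOMAIN']) > 1:
        raise ValueError('DOMAIN may be pushed once; add further suffixes with DOMAIN-SEARCH')
    return opts


def search_list(opts):
    """Default domain first, then the search domains in pushed order, deduplicated."""
    seen, result = set(), []
    for d in opts['DOMAIN'] + opts['DOMAIN-SEARCH']:
        d = d.rstrip('.').lower()
        if d not in seen:
            seen.add(d)
            result.append(d)
    return result


def expand(name, search, ndots=1):
    """Return the names a stub resolver tries, in order, when looking up `name`.

    Modelled on glibc's ndots rule (assumption): a name with at least `ndots`
    dots is tried as given first, otherwise the search suffixes come first and
    the bare name is tried last. A trailing dot means "absolute, no search".
    """
    if name.endswith('.'):
        return [name.rstrip('.')]
    candidates = [f'{name}.{d}' for d in search]
    if name.count('.') >= ndots:
        return [name] + candidates
    return candidates + [name]


if __name__ == '__main__':
    pushed = parse_dhcp_options(split_custom_options(CUSTOM_OPTIONS))
    order = search_list(pushed)
    for candidate in expand('host', order):
        print(candidate)
```

Running it lists host.mydomain.tld, then the three DOMAIN-SEARCH suffixes in pushed order, then the bare name. Feeding it `push "dhcp-option DOMAIN-SEARCH *.example.domain"` raises, which is the shortest way to see why an asterisk cannot go into a search suffix.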
@johnpoz I think, we are speaking of two different things here. Might very well be due to my missing know-how in pfSense.
First is the default domain, which would be company.local, that is clear and used to correctly lookup hostnames, no asterisk needed there, that was a mistake.
But we need a set of other DNS-names to also be resolved by the "tunnel-DNS", not domain-hosts. Just plain, simple DNS-names from websites.
For example:
file1.core.microsoft.com
or
file2.core.microsoft.com
As I don't support the DNS myself, it would be great if I could just work with an asterisk there, so I do not have to add names again and again when somebody changes something on our local DNS server.
Split-DNS, so to say, I guess.
-
@maxtheitguy so you want to create a host override wild card? You want to resolve anything.core.microsoft.com to same IP?
This is how you would do that via unbound:
You cannot do that via the GUI..
if you want file1.somedomain.tld to resolve to 192.168.1.100, and file2.somedomain.tld to 192.168.1.101, you would have to create the records for those, or point the domain to some other NS that would resolve them to what you want.
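The distinction in the reply above, as an added example that is not from the thread or from unbound: an unbound `local-zone ... redirect` answers every name under the zone with the zone's own `local-data`, while plain `local-data` records (which live in a transparent zone) answer only the exact names given and let everything else be forwarded. The small resolver below models just those two zone types; the unbound configuration lines in the comments, the zone names and the addresses are assumptions for the illustration.

```python
"""Model unbound local-zone "redirect" versus per-host local-data.

Added example, not code from the thread or from unbound. It reproduces the
answers unbound gives for the following (assumed) "Custom options":

    server:
    # wildcard override: anything.core.example.net -> one address
    local-zone: "core.example.net." redirect
    local-data: "core.example.net. IN A 192.0.2.10"
    # per-host overrides: only the listed names are answered locally
    local-data: "file1.files.example.net. IN A 192.0.2.20"
    local-data: "file2.files.example.net. IN A 192.0.2.21"

Names and addresses are constructed for the illustration.
"""
from dataclasses import dataclass, field


def norm(name):
    """Lower-case, no trailing dot, so comparisons ignore DNS case and FQDN dots."""
    return name.rstrip('.').lower()


@dataclass
class LocalZone:
    name: str
    kind: str                       # 'redirect' or 'transparent' (two of unbound's zone types)
    data: dict = field(default_factory=dict)   # owner name -> IPv4 address


class LocalResolver:
    def __init__(self):
        self.zones = {}

    def local_zone(self, name, kind):
        if kind not in ('redirect', 'transparent'):
            raise ValueError(f'zone type {kind!r} not modelled here')
        self.zones[norm(name)] = LocalZone(norm(name), kind)

    def local_data(self, owner, address):
        """local-data without an enclosing local-zone gets a transparent zone at the owner."""
        owner = norm(owner)
        zone = self._enclosing_zone(owner)
        if zone is None:
            self.local_zone(owner, 'transparent')
            zone = self.zones[owner]
        zone.data[owner] = address

    def _enclosing_zone(self, qname):
        """Longest-suffix match: the most specific configured zone containing qname."""
        best = None
        for zone in self.zones.values():
            if qname == zone.name or qname.endswith('.' + zone.name):
                if best is None or len(zone.name) > len(best.name):
                    best = zone
        return best

    def resolve(self, qname):
        """Return ('local', address) when answered from local data, else ('forward', None)."""
        qname = norm(qname)
        zone = self._enclosing_zone(qname)
        if zone is None:
            return ('forward', None)
        if zone.kind == 'redirect':
            # Every name at or below the zone gets the zone apex's data.
            return ('local', zone.data.get(zone.name))
        # transparent: exact owner match is local, anything else is forwarded upstream
        if qname in zone.data:
            return ('local', zone.data[qname])
        return ('forward', None)


def build_example():
    r = LocalResolver()
    r.local_zone('core.example.net.', 'redirect')
    r.local_data('core.example.net.', '192.0.2.10')
    r.local_data('file1.files.example.net.', '192.0.2.20')
    r.local_data('file2.files.example.net.', '192.0.2.21')
    return r


if __name__ == '__main__':
    r = build_example()
    for q in ('file1.core.example.net', 'FILE2.Core.Example.Net.', 'a.b.core.example.net',
              'file2.files.example.net', 'file3.files.example.net', 'www.example.com'):
        print(f'{q:28} -> {r.resolve(q)}')
```

The redirect zone is what the thread calls a wildcard host override: any label depth under core.example.net returns 192.0.2.10. The per-host records behave as the last line of the reply says: file1 and file2 resolve to their own addresses, and an unlisted file3 is not answered locally at all.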