    Domain Forward Only for Some Networks

wblanton:

      Long story short, I need to forward a certain domain query to another internal DNS server for most clients. However, I want clients connecting via VPN to resolve to public IP addresses for these queries. Does anyone have any ideas on how to do this?

johnpoz (LAYER 8 Global Moderator) @wblanton:

@wblanton so I am sure I understand what you're after.

So for your internal clients using pfSense as their DNS, you want to use a domain override pointing to some other local NS that resolves, say, host.domain.tld to the internal IP 192.168.1.100, for example.

But if the client is connected via VPN to pfSense, using it for DNS, you want to resolve this same host.domain.tld to the public IP (where is this resolved? Public DNS), say 1.2.3.4, the public IP known to the internet. Via some other NS out on the public internet?

Why would you want this? If the client is connected to your network via VPN, why would you not resolve the local IP for it? It would have access to these local IPs via the VPN, or it could.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

wblanton @johnpoz:

@johnpoz This is for an OT network, which is connected to the IT network via a DMZ. For SMTP traffic, I'm forwarding the DNS for the mail servers to the IT DNS server so the SMTP traffic goes to that network.

But when users connect to the VPN, their Outlook clients are resolving the internal IP of Exchange, and this traffic isn't allowed over the DMZ, so Outlook fails to connect.

johnpoz (LAYER 8 Global Moderator) @wblanton:

@wblanton you should be able to do something with views, so that if a client asking from your VPN CIDR asks for the FQDN of your SMTP server, the view responds with the public IP you want that to resolve to.

wblanton @johnpoz:

@johnpoz So it looks like it was even simpler than that. I set up an access list to "refuse nonlocal" for the OpenVPN remote access subnet. After a DNS cache flush, my Outlook is connected to the public IP and the pfSense DNS over the OpenVPN is only resolving its local addresses.

johnpoz (LAYER 8 Global Moderator) @wblanton:

@wblanton nice solution. So the VPN client still asked unbound on pfSense, but pfSense returned the public IP? Or the client asked some other DNS?

Once a client asks another NS and gets, say, an NX for some local resource, it wouldn't go back and ask pfSense for that.

Hoping that a client will ask some other NS for something can be problematic, for sure.

wblanton @johnpoz:

                  @johnpoz It appears to have fallen back to my default DNS server. But pfSense is now responding with a message saying recursion was requested but not available, which is what I want.

johnpoz (LAYER 8 Global Moderator) @wblanton:

@wblanton while that might be what you would expect, hoping clients use a different NS to resolve something is problematic, for sure.

Clients will normally not go ask another NS unless they get back no answer. Not 100% sure on "recursion requested but not available".

While that might solve your issue with this specific FQDN, where the problem can show up is if the client is looking for some resource host.localdomain.tld, asks some public NS and gets back an NX. On such a response the client will say "oh ok thanks", no need to go ask my other listed NS for that.

It is problematic to set up multiple NS on a client that cannot actually resolve all the same stuff, for just this reason: clients that get an NX will not go ask their other listed NSes.

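Both mechanisms discussed in this thread (a view that answers VPN clients with the public address, and an access list that refuses non-local queries from the VPN subnet so the client falls back to another server), together with the fallback problem johnpoz describes in the last two posts, can be worked through in a small model. This is an added example, not code from the thread, from pfSense or from unbound. The unbound directives quoted in the comments are the real ones (`access-control-view`, `view`, `view-first`, `local-data`, and `access-control ... refuse_non_local`, entered under the DNS Resolver's Custom options on pfSense); the subnets, hostnames, addresses and the stub-resolver rule "only a REFUSED answer moves the client to its next server" are constructed assumptions for the illustration.

```python
"""Added example (not from the thread): a small model of the two unbound
policies discussed, plus a stub resolver that shows when a client will and
will not move on to its next configured DNS server.

The unbound directives quoted in the comments are real; the names, subnets
and addresses are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample topology (hypothetical names, RFC 5737 / private IPs).
VPN_NET = ip_network("10.0.8.0/24")                # OpenVPN remote-access subnet
MAIL = "mail.corp.example."                        # the Exchange/SMTP FQDN
IT_DNS = {MAIL: "172.16.1.25",                     # what the IT DNS server answers
          "wiki.corp.example.": "172.16.1.40"}
PUBLIC_DNS = {MAIL: "203.0.113.25"}                # what public DNS answers
OT_LOCAL = {"plc1.ot.example.": "192.168.10.50"}   # host overrides on pfSense


@dataclass
class Answer:
    rcode: str                  # NOERROR, NXDOMAIN or REFUSED
    addr: Optional[str] = None  # A record, when present
    source: str = ""            # which server/mechanism produced it


def _static(table, qname, source):
    if qname in table:
        return Answer("NOERROR", table[qname], source)
    return Answer("NXDOMAIN", None, source)


def pfsense(qname, client, mode):
    """Model of unbound on pfSense answering one query.

    mode "override": domain override for corp.example -> IT DNS (original setup)
    mode "view":     plus, in Custom options,
                       access-control-view: 10.0.8.0/24 vpn
                       view:
                         name: "vpn"
                         view-first: yes        # fall through to global local-data
                         local-data: "mail.corp.example. A 203.0.113.25"
    mode "refuse":   plus   access-control: 10.0.8.0/24 refuse_non_local
    """
    client = ip_address(client)
    # A matching view is consulted first; its local-data wins.
    if mode == "view" and client in VPN_NET and qname == MAIL:
        return Answer("NOERROR", PUBLIC_DNS[MAIL], "pfsense/view vpn")
    # Host overrides / local-data are "local" answers: served even to a
    # refuse_non_local client (and to view clients because of view-first).
    if qname in OT_LOCAL:
        return Answer("NOERROR", OT_LOCAL[qname], "pfsense/local-data")
    # refuse_non_local returns REFUSED for anything that needs recursion,
    # which includes forward-zone (domain override) lookups.
    if mode == "refuse" and client in VPN_NET:
        return Answer("REFUSED", None, "pfsense/refuse_non_local")
    # Domain override: corp.example is forwarded to the IT DNS server.
    if qname.endswith(".corp.example."):
        return _static(IT_DNS, qname, "it-dns (domain override)")
    # Anything else is resolved normally.
    return _static(PUBLIC_DNS, qname, "pfsense/recursion")


def public_dns(qname, client, mode):
    """A public resolver: it knows only public records."""
    return _static(PUBLIC_DNS, qname, "public-dns")


def stub_resolve(qname, client, servers, mode):
    """Model of an OS stub resolver with several configured servers.

    Assumption: the client moves to the next server only when the current one
    fails to answer (modelled here as REFUSED); NOERROR and NXDOMAIN are final.
    Real resolvers differ in detail, but NXDOMAIN-is-final is the thread's point.
    """
    answer = None
    for server in servers:
        answer = server(qname, client, mode)
        if answer.rcode != "REFUSED":
            return answer
    return answer


def resolve_as_vpn_client(qname, mode, servers=(pfsense, public_dns)):
    return stub_resolve(qname, "10.0.8.6", servers, mode)


def resolve_as_ot_client(qname, mode):
    return stub_resolve(qname, "192.168.10.20", (pfsense,), mode)


if __name__ == "__main__":
    for mode in ("override", "view", "refuse"):
        for name in (MAIL, "wiki.corp.example.", "plc1.ot.example."):
            a = resolve_as_vpn_client(name, mode)
            print(f"{mode:8} vpn {name:20} {a.rcode:8} {a.addr or '-':15} {a.source}")
```

Running it prints one line per query for a VPN client. The `refuse` rows show the setup wblanton landed on: the mail host is answered by public DNS only because pfSense said REFUSED first, while a name that only the IT DNS server knows ends as NXDOMAIN from public DNS and the client never comes back to pfSense. The `view` rows get the same public answer for the mail host from pfSense itself, and every other name still resolves through the domain override. Passing `servers=(public_dns, pfsense)` reproduces the ordering problem johnpoz raises: a public NXDOMAIN for a local name is final, so pfSense is never asked.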
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.