Domain Forward Only for Some Networks
-
Long story short, I need to forward a certain domain query to another internal DNS server for most clients. However, I want clients connecting via VPN to resolve to public IP addresses for these queries. Does anyone have any ideas on how to do this?
-
@wblanton so I am sure I understand what you're after.
So for your internal clients using pfSense as their DNS, you want to use a domain override pointing to some other local NS that resolves, say, host.domain.tld to the internal IP 192.168.1.100, for example.
But if the client is connected via VPN to pfSense, using it for DNS, you want to resolve this same host.domain.tld to the public IP (where is this resolved? Public DNS?), say 1.2.3.4, the public IP known to the internet. Via some other NS out on the public internet?
Why would you want this? If the client is connected to your network via VPN, why would you not resolve the local IP for it? It would have access to these local IPs via the VPN, or it could...
-
@johnpoz This is for an OT network, which is connected to the IT network via DMZ. For SMTP traffic, I’m forwarding the DNS for the mail servers to the IT DNS server so the SMTP traffic goes to that network.
But when users connect to VPN, their Outlook clients are being resolved to the internal IP of Exchange, and this traffic isn't allowed over the DMZ, so Outlook fails to connect.
-
@wblanton you should be able to do something with views so that if a client asking from your VPN CIDR asks for the FQDN address of your SMTP server, the view responds with the public IP you want that to resolve to.
-
@johnpoz So it looks like it was even simpler than that. I set up an access list to "refuse nonlocal" for the OpenVPN remote access subnet. After a DNS cache flush, my Outlook is connected to the public IP and the pfSense DNS over the OpenVPN is only resolving its local addresses.
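-
Added example (not from the thread): the two approaches discussed above, the "views" suggestion and the "refuse nonlocal" access list, written out as an Unbound configuration fragment of the kind that goes into the pfSense DNS Resolver "Custom options" box. The subnets (192.168.10.0/24 for the OT LAN, 10.8.0.0/24 for OpenVPN), the IT DNS server 10.0.0.53, the zone corp.example and the public address 203.0.113.25 are all placeholders chosen for the example; substitute your own.

```conf
# Added example for the thread above; all addresses and names are assumed placeholders.
server:
    # OT LAN clients get normal recursion, and the domain override below applies to them.
    access-control: 192.168.10.0/24 allow

    # Option A (what the original poster used): VPN clients may only receive answers
    # from local data. Everything else, including the forwarded mail zone, is REFUSED
    # (dig shows "recursion requested but not available"), so the client has to fall
    # back to another configured resolver. Uncomment this and drop Option B to use it.
    # access-control: 10.8.0.0/24 refuse_non_local

    # Option B (the "views" suggestion): VPN clients still get full recursion from
    # pfSense, but the mail host name is answered from the "vpn" view with its public IP.
    access-control: 10.8.0.0/24 allow
    access-control-view: 10.8.0.0/24 vpn

# Equivalent of a pfSense Domain Override: send corp.example to the IT DNS server so
# OT clients resolve mail.corp.example to its internal address for SMTP.
forward-zone:
    name: "corp.example"
    forward-addr: 10.0.0.53

view:
    name: "vpn"
    # Check this view's local data first; anything without a match falls through to
    # the server: section above, so other corp.example names are still forwarded.
    view-first: yes
    # "transparent" scopes the override to this one name; other names resolve normally.
    local-zone: "mail.corp.example." transparent
    local-data: "mail.corp.example. 300 IN A 203.0.113.25"
```

Option B keeps pfSense as the VPN clients' only resolver and still answers every other name for them, so it does not depend on the client having a second DNS server listed or on how that client behaves when one server refuses a query.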
-
@wblanton nice solution. So the VPN client still asked unbound on pfSense, but pfSense returned the public IP? Or did the client ask some other DNS?
Once a client asks another NS and gets, say, an NX for some local resource, it wouldn't go back and ask pfSense for that.
Hoping that a client will ask some other NS for something can be problematic for sure.
-
@johnpoz It appears to have fallen back to my default DNS server. But pfSense is now responding with a message saying "recursion requested but not available", which is what I want.
-
@wblanton while that might be what you would expect, hoping clients use a different NS to resolve something is problematic for sure.
Clients will normally not go ask another NS unless they get back no answer. Not 100% sure on "recursion requested but not available".
While that might solve your issue with this specific FQDN, where the problem can show up is if the client is looking for some resource host.localdomain.tld, asks some public NS, and gets back an NX. On such a response the client will say "oh ok, thanks", with no need to go ask its other listed NS for that.
It is problematic to set up multiple NSes on a client that can not actually resolve all the same stuff, for just this reason: clients that get an NX will not go ask their other listed NSes.