Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Forwarding zones and domain override settings for OpenVPN Clients question.

    Scheduled Pinned Locked Moved OpenVPN
    8 Posts 2 Posters 922 Views 2 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • E Offline
      ErlandGHD
      last edited by

      Good day,

      We've setup an OpenVPN tunnel in Pfsense and our side is the client. When the connection is established, we retain a virtual IP in the tunnel, say 10.1.1.2, and their side would be .1

      Now, for some L7 context : our hosts are accessing certain internal websites on our partner's network over this VPN and the way this was done before was by adding Static DNS entries in the router (Mikrotik), for example www.intranet.com mapped to 192.168.1.1. So each time our partner needed a new embedded website or another to be accessible they would send the IP and the full name over and we'd map those new entries to the router in order to access them.

      They've made some changes to remedy this - adding a primary and backup nameserver which will redirect any DNS requests to the appropriate address and they requested forwarding certain zones, such as example.lan, example.io and example.eu. The way I went about it is by using domain overrides in the DNS Resolver service and so far it seems to work okay for some, less so for the others. The other side has sent logs that indeed there's requests coming to the nameservers, but in the past week there's been downtimes of over 20-30 mins for certain websites and I think the issue is on our side, because adding each website (and not the zone) manually as a domain override works 100%. This is not ideal for scalability and I was wondering if someone was familiar with how forwarding and domain overrides work to make sure this works, since downtime is quite expensive for the company.

      johnpozJ 1 Reply Last reply Reply Quote 0
      • johnpozJ Offline
        johnpoz LAYER 8 Global Moderator @ErlandGHD
        last edited by

        @erlandghd said in Forwarding zones and domain override settings for OpenVPN Clients question.:

        The other side has sent logs that indeed there's requests coming to the nameservers

        And they show answers? If unbound or dnsmasq on pfsense (you didn't state which your using).

        What does a client on your network get in response when they query for the fqdn of where they are trying to go? Do they get a time out, do they get refused? Do they get a NX..

        Use your fav dns client on one of your users machines, nslookup, dig, host, etc.. And do a specific query for the fqdn your wanting to access.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

        E 1 Reply Last reply Reply Quote 1
        • E Offline
          ErlandGHD @johnpoz
          last edited by

          Thank you for taking the time John,

          @johnpoz said in Forwarding zones and domain override settings for OpenVPN Clients question.:

          If unbound or dnsmasq on pfsense

          I'm not entirely sure how to check one or the other - is this something that would show in the logs or?

          @johnpoz said in Forwarding zones and domain override settings for OpenVPN Clients question.:

          What does a client on your network get in response when they query for the fqdn of where they are trying to go? Do they get a time out, do they get refused? Do they get a NX..

          When I try nslookup towards subdomain.forwarded.zone, it shows my DNS Server as authoritative and their IP as the same one as the nameserver. When I do try nslookup subdomain.forwarded.zone <nameserver IP>, it shows their nameserver as UnKnown (non-authoritative) and then the redirected IP from their side, which I know is the correct one as it used to be statically mapped on our router.

          I've enabled DNS Forwarding Mode on the DNS Resolver service, and put our partner's nameservers as the first entries in the System-General Setup-DNS Server Settings. I know it's not a lot to go with, the main issue is that disabling these static entries on the router could bring downtime up again, so I'm a little unsure on how to approach this without possible disruptions.

          johnpozJ 1 Reply Last reply Reply Quote 0
          • johnpozJ Offline
            johnpoz LAYER 8 Global Moderator @ErlandGHD
            last edited by

            @erlandghd if there is some Nameservers you can talk to that resolve records for example.com

            Then you wouldn't put forwarding mode on you would setup a domain override pointing example.com to the IPs of their nameservers.

            Now your client says hey I want to lookup host.example.com asking pfsense, pfsense says oh for anything in example.com go ask 1.2.3.4 etc..

            Keep in mind when pfsense goes and asks 1.2.3.4 for host.example.com if the answer is some rfc1918 address, it would think that is a rebind, unless you set example.com as a private domain so that pfsense knows hey its ok to get rfc1918 answers.

            https://docs.netgate.com/pfsense/en/latest/services/dns/rebinding.html#dns-rebinding-protections

            By default pfsense uses unbound, not dnsmasq.. So unless you turned that off and enabled the forwarder that is what it would be using, and where you would put your domain override in.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

            E 1 Reply Last reply Reply Quote 1
            • E Offline
              ErlandGHD @johnpoz
              last edited by

              @johnpoz said in Forwarding zones and domain override settings for OpenVPN Clients question.:

              Keep in mind when pfsense goes and asks 1.2.3.4 for host.example.com if the answer is some rfc1918 address, it would think that is a rebind, unless you set example.com as a private domain so that pfsense knows hey its ok to get rfc1918 answers.

              Their nameservers are definitely in the private address ranges, so I've added all the zones that were supposed to be forwarded to the custom box like :

              server:
              private-domain: "example.com"
              private-domain: "example.com"
              private-domain: "example.com"
              private-domain: "example.com"

              Now I'm wondering, do I have to toggle off Enable DNS query forwarding in the DNS Resolver Service as well for this to take effect?

              johnpozJ 1 Reply Last reply Reply Quote 0
              • johnpozJ Offline
                johnpoz LAYER 8 Global Moderator @ErlandGHD
                last edited by

                @erlandghd I am not a fan of forwarding, I let unbound just resolve. But when I get a few minutes I will test that.

                But it should work, its just a conditional forwarder, hey if domain xyz.com forward here, vs normal forward.

                If your going to be "forwarding" I would suggest you uncheck dnssec, it serves no real purpose if your forwarding. Where you forward to is either doing dnssec or it isn't no reason to have that checked when forwarding.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

                E 1 Reply Last reply Reply Quote 1
                • E Offline
                  ErlandGHD @johnpoz
                  last edited by

                  @johnpoz said in Forwarding zones and domain override settings for OpenVPN Clients question.:

                  If your going to be "forwarding" I would suggest you uncheck dnssec

                  I've toggled that off for now and Saturday I will run a proper test by disabling some entries on the router so I can see if PFsense is resolving them correctly over the VPN network - and will see what I see, I guess. I'm not that familiar with DNS and PFsense overall, so for me this is entirely new territory.

                  johnpozJ 1 Reply Last reply Reply Quote 0
                  • johnpozJ Offline
                    johnpoz LAYER 8 Global Moderator @ErlandGHD
                    last edited by

                    @erlandghd well let us know how it works.. If you run into trouble, happy to help. But this weekend I prob not going to be around - My youngest son is getting married this weekend ;)

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

                    1 Reply Last reply Reply Quote 0
                    • First post
                      Last post
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.