Netgate Discussion Forum

Forwarding zones and domain override settings for OpenVPN Clients question.

OpenVPN
8 Posts 2 Posters 734 Views
    ErlandGHD
    last edited by Jun 16, 2022, 10:25 AM

    Good day,

    We've set up an OpenVPN tunnel in pfSense and our side is the client. When the connection is established, we retain a virtual IP in the tunnel, say 10.1.1.2, and their side would be .1

    Now, for some L7 context: our hosts are accessing certain internal websites on our partner's network over this VPN, and the way this was done before was by adding static DNS entries in the router (Mikrotik), for example www.intranet.com mapped to 192.168.1.1. So each time our partner needed a new embedded website or another one to be accessible, they would send the IP and the full name over and we'd map those new entries in the router in order to access them.

    They've made some changes to remedy this - adding a primary and backup nameserver which will redirect any DNS requests to the appropriate address, and they requested forwarding certain zones, such as example.lan, example.io and example.eu. The way I went about it is by using domain overrides in the DNS Resolver service, and so far it seems to work okay for some, less so for the others. The other side has sent logs that show there are indeed requests coming to the nameservers, but in the past week there have been downtimes of over 20-30 mins for certain websites, and I think the issue is on our side, because adding each website (and not the zone) manually as a domain override works 100%. This is not ideal for scalability, and I was wondering if someone was familiar with how forwarding and domain overrides work to make sure this works, since downtime is quite expensive for the company.

      johnpoz LAYER 8 Global Moderator @ErlandGHD
      last edited by Jun 16, 2022, 11:53 AM

      @erlandghd said in Forwarding zones and domain override settings for OpenVPN Clients question.:

      The other side has sent logs that indeed there's requests coming to the nameservers

      And they show answers? If unbound or dnsmasq on pfsense (you didn't state which you're using).

      What does a client on your network get in response when they query for the fqdn of where they are trying to go? Do they get a time out, do they get refused? Do they get a NX..

      Use your fav dns client on one of your users' machines, nslookup, dig, host, etc.. And do a specific query for the fqdn you're wanting to access.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

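The check johnpoz asks for above (what does the client actually get back: an answer, NXDOMAIN, REFUSED, or nothing) can be done with nslookup or dig; as an added example for this thread, not code from the original post, the stdlib-only Python probe below sends one A query to a server you name and reports the rcode, whether the AA flag was set, and the answers, treating a silent upstream as its own TIMEOUT outcome. Run it once against the pfSense resolver and once against the partner's nameserver and compare. The server addresses in `__main__` are placeholders, and the constructed response bytes used in the self-check are not real captures.

```python
"""DNS probe: send an A query to one specific server and report what came
back (NOERROR/NXDOMAIN/REFUSED/..., whether AA was set, and the answers),
treating a timeout as its own outcome.  Added example for this thread,
stdlib only; the server addresses under __main__ are placeholders."""
import random
import socket
import struct
import sys

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}


def build_query(name, qid=None):
    """Encode a standard A/IN query with recursion desired."""
    if qid is None:
        qid = random.randrange(0, 65536)        # unpredictable ID, never fixed
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:               # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(msg):
    """Return id, rcode name, AA flag and the A records in the answer section."""
    qid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                         # skip the question section
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append((owner, socket.inet_ntoa(msg[off:off + 4]), ttl))
        off += rdlen
    return {"id": qid, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "aa": bool(flags & 0x0400), "answers": answers}


def probe(name, server, port=53, timeout=3.0):
    """Query one server over UDP; a silent upstream becomes rcode TIMEOUT."""
    query = build_query(name)
    qid = struct.unpack("!H", query[:2])[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server, port))
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return {"id": qid, "rcode": "TIMEOUT", "aa": False, "answers": []}
        except OSError as exc:                  # e.g. ICMP port unreachable
            return {"id": qid, "rcode": "ERROR:%s" % exc, "aa": False,
                    "answers": []}
    reply = parse_response(data)
    if reply["id"] != qid:                      # not an answer to our query
        reply["rcode"] = "BAD-ID"
    return reply


if __name__ == "__main__":
    # Placeholders: the LAN address of pfSense and a partner nameserver
    # reachable through the tunnel.  Usage: probe.py host.example.lan
    fqdn = sys.argv[1] if len(sys.argv) > 1 else "host.example.lan"
    for server in ("192.168.0.1", "10.1.1.1"):
        print(server, probe(fqdn, server))
```

If pfSense returns NOERROR with an empty answer section while the partner nameserver returns the record, that points at something on the pfSense side between the override and the client (the rebinding filter johnpoz mentions later in the thread is the usual suspect); a TIMEOUT only from pfSense points at the forward path over the tunnel.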
        ErlandGHD @johnpoz
        last edited by Jun 16, 2022, 12:09 PM

        Thank you for taking the time John,

        @johnpoz said in Forwarding zones and domain override settings for OpenVPN Clients question.:

        If unbound or dnsmasq on pfsense

        I'm not entirely sure how to check one or the other - is this something that would show in the logs or?

        @johnpoz said in Forwarding zones and domain override settings for OpenVPN Clients question.:

        What does a client on your network get in response when they query for the fqdn of where they are trying to go? Do they get a time out, do they get refused? Do they get a NX..

        When I try nslookup towards subdomain.forwarded.zone, it shows my DNS Server as authoritative and their IP as the same one as the nameserver. When I do try nslookup subdomain.forwarded.zone <nameserver IP>, it shows their nameserver as UnKnown (non-authoritative) and then the redirected IP from their side, which I know is the correct one as it used to be statically mapped on our router.

        I've enabled DNS Forwarding Mode on the DNS Resolver service, and put our partner's nameservers as the first entries in the System-General Setup-DNS Server Settings. I know it's not a lot to go with, the main issue is that disabling these static entries on the router could bring downtime up again, so I'm a little unsure on how to approach this without possible disruptions.

          johnpoz LAYER 8 Global Moderator @ErlandGHD
          last edited by Jun 16, 2022, 1:02 PM

          @erlandghd if there are some nameservers you can talk to that resolve records for example.com

          Then you wouldn't put forwarding mode on; you would set up a domain override pointing example.com to the IPs of their nameservers.

          Now your client says hey I want to look up host.example.com, asking pfsense; pfsense says oh, for anything in example.com go ask 1.2.3.4 etc..

          Keep in mind when pfsense goes and asks 1.2.3.4 for host.example.com if the answer is some rfc1918 address, it would think that is a rebind, unless you set example.com as a private domain so that pfsense knows hey its ok to get rfc1918 answers.

          https://docs.netgate.com/pfsense/en/latest/services/dns/rebinding.html#dns-rebinding-protections

          By default pfsense uses unbound, not dnsmasq.. So unless you turned that off and enabled the forwarder that is what it would be using, and where you would put your domain override in.


            ErlandGHD @johnpoz
            last edited by Jun 16, 2022, 1:44 PM

            @johnpoz said in Forwarding zones and domain override settings for OpenVPN Clients question.:

            Keep in mind when pfsense goes and asks 1.2.3.4 for host.example.com if the answer is some rfc1918 address, it would think that is a rebind, unless you set example.com as a private domain so that pfsense knows hey its ok to get rfc1918 answers.

            Their nameservers are definitely in the private address ranges, so I've added all the zones that were supposed to be forwarded to the custom box like:

            server:
            private-domain: "example.com"
            private-domain: "example.com"
            private-domain: "example.com"
            private-domain: "example.com"

            Now I'm wondering, do I have to toggle off Enable DNS query forwarding in the DNS Resolver Service as well for this to take effect?

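To make the two mechanisms johnpoz describes concrete (a domain override is a conditional forward keyed on the zone, and a private RFC1918 answer for that zone is dropped by rebinding protection unless the zone is listed as a private-domain, which is what the Custom Options lines above are for), here is an added model of that behaviour in Python. It is an illustration written for this thread, not unbound's or pfSense's own code: the zone matching and the private-address filter are re-implemented in a few lines so the edge cases can be seen, and `render_unbound_config` emits the native unbound syntax that a domain override corresponds to (a `forward-zone:` stanza) next to the `private-domain:` lines. The zone names, nameserver addresses and answers are constructed placeholders.

```python
"""Model of the two unbound behaviours discussed in this thread: a domain
override (conditional forward, most specific matching zone wins) and
private-address rebinding protection (RFC1918 answers dropped unless the
zone is declared private-domain).  Added illustration; not unbound's or
pfSense's own code.  All names and addresses are constructed."""
import ipaddress

# Ranges the private-address filter rejects in this model.  Assumption for
# the example: the three RFC1918 blocks plus loopback.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def in_zone(name, zone):
    """True when name equals zone or sits below it on a label boundary,
    so 'notexample.lan' does not match the zone 'example.lan'."""
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


def pick_upstream(name, overrides):
    """Decide where a query for name goes.  overrides maps zone -> list of
    nameserver IPs (one domain override per zone).  The most specific
    matching zone wins; with no match the resolver recurses itself, which
    this model represents as (None, [])."""
    best = None
    for zone in overrides:
        if in_zone(name, zone) and (best is None or len(zone) > len(best)):
            best = zone
    return (best, overrides[best]) if best else (None, [])


def rebind_filter(name, answer_ip, private_domains):
    """Return answer_ip if the resolver would hand it to the client, or None
    if private-address protection would drop it.  To the client a dropped
    answer looks like the site simply stopped resolving."""
    ip = ipaddress.ip_address(answer_ip)
    if not any(ip in net for net in PRIVATE_NETS):
        return answer_ip
    if any(in_zone(name, z) for z in private_domains):
        return answer_ip
    return None


def render_unbound_config(overrides, private_domains):
    """Emit native unbound syntax: the private-domain lines that belong under
    server: (the Custom Options box) and one forward-zone stanza per
    override, which is what a domain override corresponds to."""
    lines = ["server:"]
    lines += ['    private-domain: "%s"' % z for z in private_domains]
    for zone, servers in overrides.items():
        lines.append("forward-zone:")
        lines.append('    name: "%s"' % zone)
        lines += ["    forward-addr: %s" % s for s in servers]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed configuration: two partner zones, two nameservers reachable
    # over the tunnel, and the private answers they hand back.
    overrides = {"example.lan": ["10.1.1.1", "10.1.1.10"],
                 "example.io": ["10.1.1.1", "10.1.1.10"]}
    print(render_unbound_config(overrides, list(overrides)))
    for name, ip in (("www.example.lan", "192.168.1.1"),
                     ("www.example.io", "192.168.1.2"),
                     ("notexample.lan", "192.168.1.3")):
        zone, servers = pick_upstream(name, overrides)
        print(name, "->", zone, servers,
              "| no private-domain:", rebind_filter(name, ip, []),
              "| with private-domain:", rebind_filter(name, ip, list(overrides)))
```

The model makes the failure mode visible: with the override in place but no matching `private-domain`, `www.example.lan` is forwarded to the right server and the 192.168.1.1 answer is still thrown away, which matches "works for some sites, random outages for others" far better than a broken tunnel would. It also shows why every forwarded zone needs its own `private-domain` line rather than the same placeholder repeated.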
              johnpoz LAYER 8 Global Moderator @ErlandGHD
              last edited by Jun 16, 2022, 2:07 PM

              @erlandghd I am not a fan of forwarding, I let unbound just resolve. But when I get a few minutes I will test that.

               But it should work, it's just a conditional forwarder: hey, if domain xyz.com forward here, vs normal forward.

               If you're going to be "forwarding" I would suggest you uncheck dnssec, it serves no real purpose if you're forwarding. Where you forward to is either doing dnssec or it isn't, no reason to have that checked when forwarding.


                ErlandGHD @johnpoz
                last edited by Jun 16, 2022, 2:56 PM

                @johnpoz said in Forwarding zones and domain override settings for OpenVPN Clients question.:

                If your going to be "forwarding" I would suggest you uncheck dnssec

                I've toggled that off for now, and Saturday I will run a proper test by disabling some entries on the router so I can see if pfSense is resolving them correctly over the VPN network - and will see what I see, I guess. I'm not that familiar with DNS and pfSense overall, so for me this is entirely new territory.

                  johnpoz LAYER 8 Global Moderator @ErlandGHD
                  last edited by Jun 16, 2022, 3:24 PM

                   @erlandghd well let us know how it works.. If you run into trouble, happy to help. But this weekend I'm prob not going to be around - My youngest son is getting married this weekend ;)

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.