Forwarding zones and domain override settings for OpenVPN Clients question.
-
Good day,
We've setup an OpenVPN tunnel in Pfsense and our side is the client. When the connection is established, we retain a virtual IP in the tunnel, say 10.1.1.2, and their side would be .1
Now, for some L7 context : our hosts are accessing certain internal websites on our partner's network over this VPN and the way this was done before was by adding Static DNS entries in the router (Mikrotik), for example www.intranet.com mapped to 192.168.1.1. So each time our partner needed a new embedded website or another to be accessible they would send the IP and the full name over and we'd map those new entries to the router in order to access them.
They've made some changes to remedy this - adding a primary and backup nameserver which will redirect any DNS requests to the appropriate address and they requested forwarding certain zones, such as example.lan, example.io and example.eu. The way I went about it is by using domain overrides in the DNS Resolver service and so far it seems to work okay for some, less so for the others. The other side has sent logs that indeed there's requests coming to the nameservers, but in the past week there's been downtimes of over 20-30 mins for certain websites and I think the issue is on our side, because adding each website (and not the zone) manually as a domain override works 100%. This is not ideal for scalability and I was wondering if someone was familiar with how forwarding and domain overrides work to make sure this works, since downtime is quite expensive for the company.
-
@erlandghd said in Forwarding zones and domain override settings for OpenVPN Clients question.:
The other side has sent logs that indeed there's requests coming to the nameservers
And they show answers? If unbound or dnsmasq on pfsense (you didn't state which your using).
What does a client on your network get in response when they query for the fqdn of where they are trying to go? Do they get a time out, do they get refused? Do they get a NX..
Use your fav dns client on one of your users machines, nslookup, dig, host, etc.. And do a specific query for the fqdn your wanting to access.
-
Thank you for taking the time John,
@johnpoz said in Forwarding zones and domain override settings for OpenVPN Clients question.:
If unbound or dnsmasq on pfsense
I'm not entirely sure how to check one or the other - is this something that would show in the logs or?
@johnpoz said in Forwarding zones and domain override settings for OpenVPN Clients question.:
What does a client on your network get in response when they query for the fqdn of where they are trying to go? Do they get a time out, do they get refused? Do they get a NX..
When I try nslookup towards subdomain.forwarded.zone, it shows my DNS Server as authoritative and their IP as the same one as the nameserver. When I do try nslookup subdomain.forwarded.zone <nameserver IP>, it shows their nameserver as UnKnown (non-authoritative) and then the redirected IP from their side, which I know is the correct one as it used to be statically mapped on our router.
I've enabled DNS Forwarding Mode on the DNS Resolver service, and put our partner's nameservers as the first entries in the System-General Setup-DNS Server Settings. I know it's not a lot to go with, the main issue is that disabling these static entries on the router could bring downtime up again, so I'm a little unsure on how to approach this without possible disruptions.
-
@erlandghd if there is some Nameservers you can talk to that resolve records for example.com
Then you wouldn't put forwarding mode on you would setup a domain override pointing example.com to the IPs of their nameservers.
Now your client says hey I want to lookup host.example.com asking pfsense, pfsense says oh for anything in example.com go ask 1.2.3.4 etc..
Keep in mind when pfsense goes and asks 1.2.3.4 for host.example.com if the answer is some rfc1918 address, it would think that is a rebind, unless you set example.com as a private domain so that pfsense knows hey its ok to get rfc1918 answers.
https://docs.netgate.com/pfsense/en/latest/services/dns/rebinding.html#dns-rebinding-protections
By default pfsense uses unbound, not dnsmasq.. So unless you turned that off and enabled the forwarder that is what it would be using, and where you would put your domain override in.
-
@johnpoz said in Forwarding zones and domain override settings for OpenVPN Clients question.:
Keep in mind when pfsense goes and asks 1.2.3.4 for host.example.com if the answer is some rfc1918 address, it would think that is a rebind, unless you set example.com as a private domain so that pfsense knows hey its ok to get rfc1918 answers.
Their nameservers are definitely in the private address ranges, so I've added all the zones that were supposed to be forwarded to the custom box like :
server:
private-domain: "example.com"
private-domain: "example.com"
private-domain: "example.com"
private-domain: "example.com"Now I'm wondering, do I have to toggle off Enable DNS query forwarding in the DNS Resolver Service as well for this to take effect?
-
@erlandghd I am not a fan of forwarding, I let unbound just resolve. But when I get a few minutes I will test that.
But it should work, its just a conditional forwarder, hey if domain xyz.com forward here, vs normal forward.
If your going to be "forwarding" I would suggest you uncheck dnssec, it serves no real purpose if your forwarding. Where you forward to is either doing dnssec or it isn't no reason to have that checked when forwarding.
-
@johnpoz said in Forwarding zones and domain override settings for OpenVPN Clients question.:
If your going to be "forwarding" I would suggest you uncheck dnssec
I've toggled that off for now and Saturday I will run a proper test by disabling some entries on the router so I can see if PFsense is resolving them correctly over the VPN network - and will see what I see, I guess. I'm not that familiar with DNS and PFsense overall, so for me this is entirely new territory.
-
@erlandghd well let us know how it works.. If you run into trouble, happy to help. But this weekend I prob not going to be around - My youngest son is getting married this weekend ;)