
DNS Resolver not forwarding for domains behind VPN

7 Posts 3 Posters 1.1k Views
  • PaulG 79, last edited Oct 19, 2022, 4:08 PM

    I'm a total pfSense newbie, so I'm still a little overwhelmed with all the features available. I have basic experience with far less capable routers (Netgear, Actiontec, etc.), but nothing that's prepared me for this. Thanks in advance!

    Everything works fine for non-VPN sites. Zero problems accessing the rest of the internet.
    I have pfSense configured for DNS Resolving, with Forwarding Mode enabled. I've specified OpenDNS's primary and secondary IPv4 and IPv6 DNS servers and set them to be used by the correct WAN interfaces in System/General Setup.

    The problem comes when I try to access some of my employer's servers behind their VPN. I can ping the IP addresses, but the domain names can't be resolved. If I do NSLOOKUP <server name>, I don't get any results. If I do NSLOOKUP <server name> 208.67.222.222, it can find it no problem. So specifying the DNS server works. I may be wrong, but that looks like pfSense isn't forwarding the DNS request to the upstream server at all.

    Because I need to get work done, I ended up specifying the IP address in pfSense's Host Override settings, but I'd really rather have this just work. Any thoughts? What other info do you need from me to help?

    • bingo600 @PaulG 79, last edited Oct 19, 2022, 4:22 PM

      @paulg-79
      You mention DNS forwarder (I haven't used that one)

      But if you are using DNS resolver (Unbound), I had to add my OpenVPN Client range to the Unbound Access Lists

      See
      https://forum.netgate.com/post/950470

      /Bingo

      If you find my answer useful - Please give the post a 👍 - "thumbs up"

      pfSense+ 23.05.1 (ZFS)

      QOTOM-Q355G4 Quad Lan.
      CPU  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
      LAN  : 4 x Intel 211, Disk  : 240G SAMSUNG MZ7L3240HCHQ SSD

      • PaulG 79 @bingo600, last edited Oct 24, 2022, 7:45 PM

        @bingo600, sorry, this wasn't particularly helpful. No idea what "Unbound" means. I'm using the built-in DNS resolver in pfSense, and within that, there is an option labeled "DNS Query Forwarding". The "Enable Forwarding Mode" is enabled.

        The problem I'm having is that for domain names that exist within the VPN, pfSense is failing to resolve them. If I specify a different DNS provider such as 208.67.222.222 (OpenVPN), 8.8.8.8 (Google), or 1.1.1.1 (Cloudflare), they are all able to resolve the host name.

        So nslookup without specifying a DNS provider comes back listing my pfSense DNS resolver as the source and can't find the server. nslookup with a DNS provider can find the server. It looks like pfSense is failing to forward the request on to the upstream DNS server when it can't find the server itself, but I don't know how to verify that or test it myself.

        • viragomann @PaulG 79, last edited Oct 24, 2022, 8:01 PM

          @paulg-79 said in DNS Resolver not forwarding for domains behind VPN:

          The problem comes when I try to access some of my employer's servers behind their VPN. I can ping the IP addresses, but the domain names can't be resolved.

          Give some more information about the VPN, please.

          VPN on pfSense or on your PC?

          Is the domain name you cannot resolve a public or a private one?

          • PaulG 79 @viragomann, last edited Oct 26, 2022, 7:15 PM

            @viragomann, sorry, I thought that was in my original post. It's a VPN running on my work computer. The domains in question are for servers inside the corporate network (private, I guess; not really sure how the public/private labels work in this context).

            • PaulG 79, last edited Oct 26, 2022, 7:24 PM

              I managed to solve the issue myself, but it took some doing to figure it out.

              The DNS Resolver logs were useless for this. There was zero usable information in there related to this problem. When, out of desperation, I switched to the DNS Forwarder and checked the logs, I started seeing entries for the server I was trying to reach talking about a potential DNS rebinding attack.

              Those log entries gave me my only real clue what was happening. I followed the documentation on this page to add an entry to the DNS Resolver Custom Options, after switching back to the resolver from the forwarder. Just in case the page moves, the entry looks like this:

              server:
                  private-domain: "example.com"

              I initially made the mistake of including the subdomain, and nothing seemed to be working. Once I removed the subdomain, it seemed to work fine. Maybe it would work fine with the subdomain and I just was too impatient.

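The following is an added illustration, not code from the thread or from pfSense/Unbound: it models what the resolver's DNS rebinding protection does with an upstream answer, so the effect of the `private-domain` entry above can be checked offline. It assumes the rules documented for Unbound's `private-address` and `private-domain` options (private-range addresses are stripped from answers unless the queried name is the listed domain or a subdomain of it); the address list, the function names and the sample log lines are all constructed for the example. The second function pulls the names out of forwarder-style "possible DNS-rebind attack detected" log lines, which is how the problem was first spotted in the thread.

```python
import ipaddress
import re

# Constructed private-address list, modelled on the ranges a rebinding filter
# typically refuses in upstream answers (RFC 1918, link-local, IPv6 ULA).
# Assumption: this mirrors the documented behaviour; it is not Unbound's code.
PRIVATE_ADDRESSES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fd00::/8", "fe80::/10",
)]

# Log line shape emitted by dnsmasq (the pfSense DNS Forwarder) when an
# answer is dropped for containing a private address.
REBIND_LOG_RE = re.compile(r"possible DNS-rebind attack detected: (\S+)")


def in_domain(name: str, domain: str) -> bool:
    """True if name is domain itself or a subdomain of it (label-wise, case-insensitive)."""
    n = name.rstrip(".").lower().split(".")
    d = domain.rstrip(".").lower().split(".")
    return len(n) >= len(d) and n[-len(d):] == d


def filter_answer(qname: str, addresses: list[str], private_domains: list[str]):
    """Apply rebinding protection to one answer.

    Returns (kept, dropped): private-range addresses are dropped unless qname
    falls under one of private_domains, in which case everything is kept.
    """
    allowed = any(in_domain(qname, d) for d in private_domains)
    kept, dropped = [], []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        is_private = any(ip in net for net in PRIVATE_ADDRESSES)
        if is_private and not allowed:
            dropped.append(addr)   # this is what makes the name "not resolve"
        else:
            kept.append(addr)
    return kept, dropped


def rebind_names_from_log(lines: list[str]) -> list[str]:
    """Extract the names flagged as rebinding attempts from forwarder log lines."""
    names = []
    for line in lines:
        m = REBIND_LOG_RE.search(line)
        if m:
            names.append(m.group(1))
    return names


if __name__ == "__main__":
    # Constructed sample: a corporate host that legitimately has a 10.x address.
    qname = "intranet.corp.example.com"
    answer = ["10.1.2.3"]
    print("without private-domain:", filter_answer(qname, answer, []))
    print("with private-domain:   ", filter_answer(qname, answer, ["example.com"]))

    # Constructed forwarder log lines in dnsmasq's format.
    sample_log = [
        "Oct 26 19:10:01 pfSense dnsmasq[1234]: query[A] intranet.corp.example.com from 192.168.1.10",
        "Oct 26 19:10:01 pfSense dnsmasq[1234]: possible DNS-rebind attack detected: intranet.corp.example.com",
        "Oct 26 19:10:02 pfSense dnsmasq[1234]: query[A] www.example.net from 192.168.1.10",
    ]
    print("flagged names:", rebind_names_from_log(sample_log))
```

Running it shows the failure mode from the thread: the private address is dropped (so the name appears unresolvable) until the parent domain is allow-listed, at which point the same answer is kept. Because the match is by label suffix, listing `corp.example.com` would also cover `intranet.corp.example.com`; listing only the parent `example.com` covers every host beneath it, which is the simpler entry. Names that match the rule are the ones to review when reading the flagged list, since a public name answering with a private address is exactly what the protection exists to catch.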
              • viragomann @PaulG 79, last edited Oct 26, 2022, 7:27 PM

                @paulg-79
                If you're running the VPN on your computer, it probably has nothing to do with pfSense.

                I assume the VPN server is providing a DNS server, but investigate it to be sure.
                If it's a Windows OS, run "ipconfig /all" while the VPN is up, and check if there is a DNS server shown for the virtual VPN network adapter.
