pfSense doesn't use DNS pushed from OpenVPN, even if it is listed!
-
Hi.
On my pfSense OpenVPN server (10.10.20.254) I have set a DNS name ltr.rz.zz, which resolves fine to 10.10.20.2.
On my pfSense OpenVPN client (192.168.99.254) the DNS settings are pulled from the DNS server (in Diagnostics / DNS Lookup I can see the name server 10.10.20.254 as second entry).
If I do a
nslookup ltr.rz.zz 10.10.20.254
from the client, it resolves, so I think the access restrictions are correct.
[2.5.2-RELEASE][root@pfsense.xp8.local]/root: nslookup ltr.rz.zz 10.10.20.254
Server:   10.10.20.254
Address:  10.10.20.254#53

Name:     ltr.rz.zz
Address:  10.10.20.2
But if I try to look it up without a specific DNS server, it doesn't work.
[2.5.2-RELEASE][root@pfsense.xp8.local]/root: nslookup ltr.rz.zz
Server:   127.0.0.1
Address:  127.0.0.1#53

** server can't find ltr.rz.zz: NXDOMAIN
Why is my client not using the pushed DNS?
In the meantime I can do a Domain Override on the client. But this is not a real solution for me.
greets
-
@freisei said in pfSense doesn't use DNS pushed from OpenVPN, even if it is listed!:
But this is not a real solution for me.
Your unbound starts up on your pfSense.xp8.local.
How should it know that ltr.rz.zz is 10.10.20.254 ?
What your unbound knows: type
cat /etc/hosts
on the command line.
Did you see a line with "ltr.rz.zz" ?
edit :
We all love the old bugs, new bug are always difficult to deal with.
But trading security for comfort, are you sure ??
( 2.5.2 is deprecated ...)
-
@gertjan
thanks for your reply.
@gertjan said in pfSense doesn't use DNS pushed from OpenVPN, even if it is listed!:
How should it know that ltr.rz.zz is 10.10.20.254 ?
OK, as I understand it, pfSense uses the first DNS, and if that one fails to resolve, none of the others is asked whether it can resolve.
I know the behaviour of the OpenVPN client on Windows. There I can push DNS and domain and it is just used. This works even if there are multiple VPNs connected.
Is there a way to tell my unbound that it has to look for .rz.zz names on the other host, and to push that information through OpenVPN?
@gertjan said in pfSense doesn't use DNS pushed from OpenVPN, even if it is listed!:
( 2.5.2 is deprecated ...)
uh, I have to update!
-
@freisei said in pfSense doesn't use DNS pushed from OpenVPN, even if it is listed!:
Is there a way to tell my unbound that it has to look for .rz.zz names on the other host, and to push that information through OpenVPN?
The Domain Override setting can be used to accomplish this. Simply create a Domain Override for the ".rz.zz" domain (from your example), and give unbound the IP address of the DNS server that is authoritative for that domain. If the VPN is up, and that server is available over the VPN via a proper route, then unbound on pfSense will ask that DNS server for information about the overridden domain.

I am not 100% clear on what you want to achieve, though. Reading your posts a second time made me less certain of what you want. The process I describe lets you assign domain resolution for a specific domain to a dedicated DNS server. I read your request as wanting to contact a DNS server that is on the other end of a VPN connection when resolving a specific domain.
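An added example (not code from this thread or from pfSense) showing what the Domain Override described above amounts to: an unbound forward-zone for rz.zz pointing at the tunnel-side server 10.10.20.254, plus a check that the forward address is an IP and a helper that shows which zone a query name would be routed to. That pfSense expresses Domain Overrides as unbound forward-zones is an assumption here; the forward-zone syntax itself is unbound's own.

```python
"""Conditional forwarding for one domain, as unbound's forward-zone.

Assumptions (not from the thread): pfSense renders a Domain Override as a
forward-zone stanza; IPs and zone names below are the thread's own values."""
import ipaddress
from typing import List, Optional


def _validate_forward_addr(addr: str) -> str:
    """Accept 'IP' or 'IP@port'. Hostnames are rejected: a resolver cannot
    bootstrap from a name it would itself need DNS to resolve."""
    ip, _, port = addr.partition("@")
    ipaddress.ip_address(ip)  # raises ValueError for anything but an IP literal
    if port and not (port.isdigit() and 0 < int(port) < 65536):
        raise ValueError(f"bad port in forward address: {addr!r}")
    return addr


def domain_override(domain: str, servers: List[str]) -> str:
    """Return the unbound forward-zone stanza for one overridden domain."""
    name = domain.strip(".").lower()
    if not name:
        raise ValueError("domain must not be empty")
    lines = ["forward-zone:", f'\tname: "{name}"']
    lines += [f"\tforward-addr: {_validate_forward_addr(s)}" for s in servers]
    return "\n".join(lines) + "\n"


def matching_override(qname: str, overrides: List[str]) -> Optional[str]:
    """Most specific override zone that covers qname (longest suffix match),
    or None when the query takes unbound's normal recursion path instead."""
    q = qname.strip(".").lower()
    best = None
    for zone in overrides:
        z = zone.strip(".").lower()
        if q == z or q.endswith("." + z):
            if best is None or len(z) > len(best):
                best = z
    return best


if __name__ == "__main__":
    # The override from the thread: names under rz.zz go over the VPN.
    print(domain_override("rz.zz", ["10.10.20.254"]), end="")
    print("ltr.rz.zz ->", matching_override("ltr.rz.zz", ["rz.zz"]))
```

With this stanza loaded, unbound forwards ltr.rz.zz to 10.10.20.254 regardless of where that server sits in the system's nameserver list, which is why the override works when the plain lookup returns NXDOMAIN.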
-
@bmeeks said in pfSense doesn't use DNS pushed from OpenVPN, even if it is listed!:
The domain override setting can be used to accomplish this
Lol. That solution was downvoted.
@freisei said in pfSense doesn't use DNS pushed from OpenVPN, even if it is listed!:
In the meantime I can do a Domain Override on the client. But this is not a real solution for
So, the reality will soon impact, @freisei will change his mind, and the issue is solved.
DNS servers are always IP addresses.
They can't be given as host names.
Because: you need a DNS server to resolve host names to IP addresses.
If that DNS is entered as a host name, you wind up with the typical chicken and egg problem.
-
@gertjan said in pfSense doesn't use DNS pushed from OpenVPN, even if it is listed!:
Lol. That solution was downvoted.
Ah! I quickly perused the thread and focused in on the single line I quoted in my first reply. Missed the earlier downvote from the OP.
-
Thanks all.
So my solution is to know that my workaround was the solution :)