Netgate Discussion Forum
    Local DNS over VPN

    DHCP and DNS
    17 Posts 2 Posters 672 Views
    guile
      last edited by guile

      I have a VPN (OpenVPN), and the local DNS isn't working through the VPN.

      My current DNS config looks like this: DHCP distributes the pfSense IP as DNS, pfSense (DNS Resolver) forwards to the Active Directory DNS, and Active Directory forwards to OpenDNS:

      DHCP > pfSense > Active Directory > OpenDNS

      Everything works fine when I'm on the local LAN, but through the VPN it is not resolving local server addresses. What I've already tried:

      • In the DNS Resolver configuration, I set "ALL" for "Network Interfaces" and "Outgoing Network";
      • I added the VPN network to the "Access List" in the DNS Resolver configuration;
      • In the VPN configuration, I checked the option "Provide a default domain name to clients" and configured a domain and the DNS (I tried the Active Directory DNS and the pfSense IP);
      • Using the "nslookup" command shows the OpenDNS IP (208.67.222.222); that's why it is not resolving the local addresses. It seems that the VPN is bypassing the DNS Resolver to resolve local addresses (I'm using "Domain Override" in the DNS Resolver).

      What config am I missing?

        viragomann @guile
        last edited by

        @guile
        Are you pushing the pfSense IP as DNS to the VPN clients?

        You can try to add the OpenVPN tunnel network to the DNS Resolver's ACLs.

        Did you try a whole FQDN?

          guile @viragomann
          last edited by

          @viragomann Yes, I tried the pfSense DNS and the Active Directory DNS, but neither worked.

          I tried the DNS Resolver ACLs and that didn't work either.

          And yes, I always use FQDN to try to access the servers.

            viragomann @guile
            last edited by

            @guile
            You should use pfSense if you forward any requests to the AD DNS. For pfSense you can be sure that it's permitted to access it.

            Just read this:

            Using the "nslookup" command shows the OpenDNS IP (208.67.222.222) that's why is not resolving the local addresses.

            So the client is ignoring the pushed DNS server from the OpenVPN?
            Or do you push the OpenDNS?

            Check the OpenVPN logs to see if the DNS server is set or the IP settings of the client.

              guile @viragomann
              last edited by

              @viragomann Yeah, I forward to the AD DNS. In the ACL I configured the VPN network, not the AD DNS. I'll try this later.

              I push the pfSense DNS to clients... I also tried the AD DNS. Neither worked. Yeah, it looks like the VPN clients are ignoring the local DNS and just forwarding to OpenDNS.

              If everything is working fine when I'm on the local network, it's probably something related to the VPN config only.

                viragomann @guile
                last edited by

                @guile
                Another idea. Do you have "redirect gateway" checked to direct the clients' whole upstream traffic over the VPN?

                If so, you can easily intercept it. Just redirect the DNS traffic from the VPN client to localhost (Resolver).

                  guile @viragomann
                  last edited by

                  @viragomann The "Redirect IPv4 Gateway" is unchecked. If I check this, the clients will use the Internet through the VPN, right?

                    viragomann @guile
                    last edited by

                    @guile
                    Correct.

                      guile @viragomann
                      last edited by

                      @viragomann I don't want VPN clients using the Internet through the VPN, but I'll try it. I'll try this and the ACL idea.

                      Thanks for now!

                        guile @viragomann
                        last edited by

                        @viragomann said in Local DNS over VPN:

                        If so, you can easily intercept it. Just redirect the DNS traffic from the VPN client to localhost (Resolver).

                        Redirecting DNS is a NAT rule, right?

                          viragomann @guile
                          last edited by

                          @guile
                          Yes, port forwarding.
                          destination: any
                          dest. port: 53
                          redirect target: localhost 53

                          Ensure that localhost is enabled in the Resolver's "Network Interfaces".

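The combination that this thread ends up with (push the pfSense tunnel address as the clients' DNS server, redirect the default gateway, and port-forward every destination on port 53 arriving over the tunnel to the Resolver on localhost), written out as the text equivalent of the pfSense GUI settings. This is an added example, not configuration from the original post. The tunnel network 10.8.0.0/24 (pfSense tunnel address 10.8.0.1), the AD domain corp.example, the AD DNS address 192.0.2.10 and the pf interface group name `openvpn` are assumptions; the pf line is the rule a "Port Forward" entry generates, not something typed in by hand on pfSense.

```conf
# --- OpenVPN server (pfSense: VPN > OpenVPN > Servers) ---
# Assumed values: tunnel network 10.8.0.0/24, pfSense tunnel address 10.8.0.1.
topology subnet
server 10.8.0.0 255.255.255.0
# "Provide a DNS server list to clients": push the pfSense tunnel address, not the AD DNS,
# so every query from the VPN goes through the Resolver and therefore its Domain Override.
push "dhcp-option DNS 10.8.0.1"
# "Provide a default domain name to clients"
push "dhcp-option DOMAIN corp.example"
# "Redirect IPv4 Gateway": a client that ignores the pushed DNS server and keeps using
# OpenDNS still sends that port 53 traffic into the tunnel, where the NAT rule below catches it.
push "redirect-gateway def1"

# --- DNS Resolver (pfSense: Services > DNS Resolver), as the unbound.conf the GUI generates ---
server:
    # "Network Interfaces": localhost must be included, it is the redirect target
    interface: 127.0.0.1
    interface: 10.8.0.1
    # "Access Lists": the tunnel network must be allowed to query
    access-control: 10.8.0.0/24 allow
# "Domain Override": only the AD domain is forwarded to the AD DNS (assumed 192.0.2.10);
# everything else resolves normally.
forward-zone:
    name: "corp.example"
    forward-addr: 192.0.2.10

# --- Port forward (pfSense: Firewall > NAT > Port Forward), the equivalent pf rule ---
# Interface OpenVPN, protocol TCP/UDP, destination any, port 53, redirect target 127.0.0.1 port 53
rdr pass on openvpn inet proto { tcp udp } from 10.8.0.0/24 to any port 53 -> 127.0.0.1 port 53
```

To check it from a connected client, query a public resolver explicitly, for example `nslookup server.corp.example 208.67.222.222`: nslookup still reports 208.67.222.222 as the server, because the rdr rule rewrites the destination on the way in and pf restores it on the reply, but the answer is the internal address from the AD zone, which OpenDNS could never have returned. Without "Redirect IPv4 Gateway" that same query leaves the client on its own uplink and never reaches the rule, which is why the split-tunnel attempt earlier in the thread failed.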
                              guile @viragomann
                              last edited by guile

                              @viragomann I tested, and "Redirect IPv4 Gateway" and the NAT rule made it work.

                              BUT... I don't want all VPN clients using the Internet through the VPN. Is there a way to make this work without the "Redirect IPv4 Gateway" option checked?

                                viragomann @guile
                                last edited by

                                @guile
                                If it's a Windows client you can try to check "Block Outside DNS" in the OpenVPN server settings.

                                  guile @viragomann
                                  last edited by

                                  @viragomann The redirect gateway is the best option for me, because some clients are using Mac/Linux. Thanks for your help!

                                    viragomann @guile
                                    last edited by

                                    @guile
                                    If you know the DNS server the clients are using, like OpenDNS, you can also route only that over the VPN by adding its IP(s) to the "local networks" and then redirect it to pfSense. I.e., if you control the clients.

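The split-tunnel variant suggested in the reply above (route only the resolver addresses the clients are known to use into the tunnel, keep "Redirect IPv4 Gateway" unchecked) together with the Windows-only "Block Outside DNS" option from earlier in the thread. Added example, not configuration from the original post; the tunnel network, LAN 192.168.1.0/24, domain and the list of public resolvers are assumptions, and the list is the limitation: a client pointed at a resolver that is not in it bypasses the whole setup, which is why the original poster settled on the full redirect.

```conf
# --- OpenVPN server, split tunnel ("Redirect IPv4 Gateway" unchecked) ---
topology subnet
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DOMAIN corp.example"
# "IPv4 Local network(s)": the LAN plus a host route for every public resolver the clients are
# known to use (OpenDNS, Google, Quad9 shown). Only traffic to these addresses enters the tunnel;
# the rest of each client's Internet traffic stays on its own uplink.
push "route 192.168.1.0 255.255.255.0"
push "route 208.67.222.222 255.255.255.255"
push "route 208.67.220.220 255.255.255.255"
push "route 8.8.8.8 255.255.255.255"
push "route 8.8.4.4 255.255.255.255"
push "route 9.9.9.9 255.255.255.255"
# "Block Outside DNS": Windows clients only. The OpenVPN Windows service installs a WFP filter
# that blocks DNS on every interface except the tunnel while connected, so a Windows client
# cannot fall back to a resolver on its own uplink. macOS and Linux clients ignore the option.
push "block-outside-dns"

# --- Same port forward as for the full redirect: whatever reaches pfSense on port 53 through the
# tunnel is answered by the Resolver, whichever resolver IP the client thought it was talking to.
rdr pass on openvpn inet proto { tcp udp } from 10.8.0.0/24 to any port 53 -> 127.0.0.1 port 53
```

The pushed /32 routes are the only thing that makes a query to 208.67.222.222 take the tunnel; a client that uses its ISP's resolver, or any address missing from the list, resolves outside the VPN exactly as before. The reverse-path check on pfSense is not an issue here because the NAT rule answers from the tunnel interface the query arrived on.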
                                      guile @viragomann
                                      last edited by

                                      @viragomann The problem is I have no idea which DNS each client is using. Some use the ISP DNS, others Google, others OpenDNS, others Quad9, and so on. And some clients are from other countries.

                                      In this case, I think the best option is to let the clients use the Internet through the VPN.

                                      Thanks for your help. I really appreciate it!

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.