Who does Wireguard ask for DNS lookups?
-
I have a strange Wireguard situation at home. My pfsense resolves nextcloud.nibelheim to 10.0.0.200 (static mapping registered in DNS resolver as well as host override). Locally I can access my nextcloud using its name (https://nextcloud.nibelheim). It has a selfsigned certificate.
But when I tunnel in with Wireguard app using my Android phone, even though I can access all my other servers as well as the pfsense GUI where I can perform the same lookup successfully, the browser says "DNS_PROBE_FINISHED_NXDOMAIN" when I try https://nextcloud.nibelheim .
When I try, inside the tunnel, with https://10.0.0.200 I first get "This connection is not secure" but I have the option to "Continue to site". When I click that button I get "ERR_SSL_PROTOCOL_ERROR". I don't know but I guess this is due to the certificate being tied to "nextcloud.nibelheim" and not the IP.
But why cannot the browser?/wireguard?/something? resolve nextcloud.nibelheim to 10.0.0.200 when I am inside the tunnel? Pfsense can when I am outside.
This is eating at me, I am thinking about this every night until I fall asleep. :-)
-
@pastic Can you try this with a desktop browser and post any errors from the browser console please. Also what is the output of
nslookup nextcloud.nibelheim
?
-
@paoloposo
Hi, excuse me for taking a bit of time to get back to you. nslookup mentions an address in a range I do not use locally at all, I use 10.0.0.0/24. I do not know where it comes from.
peter@lenovo-debian12:~$ nslookup nextcloud.nibelheim
Server:         192.168.43.76
Address:        192.168.43.76#53

** server can't find nextcloud.nibelheim: NXDOMAIN
As for the browser output, I enclose a screen dump of all info I was able to get:
-
Server: 192.168.43.76
but the DNS lookup at the above address when inside the tunnel works for other addresses (tethering my laptop to my phone, carrier-only, phone wifi disabled):
peter@lenovo-debian12:~$ nslookup nextcloud.nibelheim
Server:         192.168.43.76
Address:        192.168.43.76#53

** server can't find nextcloud.nibelheim: NXDOMAIN

peter@lenovo-debian12:~$ nslookup dn.se
Server:         192.168.43.76
Address:        192.168.43.76#53

Non-authoritative answer:
Name:   dn.se
Address: 3.73.167.51
Name:   dn.se
Address: 3.65.23.168
Name:   dn.se
Address: 3.123.196.169
-
@pastic What DNS-server do you have in your wg-config for that phone? You should put in the IP-address of the wg-interface as the DNS-server and also have rules allowing the access.
-
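Added example (not from any post in this thread): a small check for the condition Bob-Dig describes. The nslookup output above shows the laptop still asking the tethering hotspot's resolver (192.168.43.76), which has never heard of nextcloud.nibelheim. For the phone to ask pfSense instead, the client config needs a DNS= entry in [Interface], and that DNS address must fall inside some peer's AllowedIPs, otherwise the query is not routed through the tunnel at all. The script below parses a WireGuard client config from stdin and reports OK, LEAK, or MISSING. The sample config, the tunnel network 10.0.8.0/24, the pfSense tunnel address 10.0.8.1 and the endpoint name are all assumptions made up for the example; only 10.0.0.0/24 comes from the thread. It handles IPv4 prefixes only.

```shell
#!/bin/sh
# Added example, not the thread's own content. Checks a WireGuard client
# config for the DNS problem discussed above:
#   MISSING -> no DNS= in [Interface]; the phone keeps its carrier resolver
#   LEAK    -> DNS= is set but lies outside every AllowedIPs prefix
#   OK      -> DNS= is set and routed through the tunnel
# Exit status: 0 = OK, 1 = LEAK, 2 = MISSING.

# Constructed sample; 10.0.8.0/24 and vpn.example.invalid are assumptions,
# 10.0.0.0/24 is the LAN from the thread.
WG_CONF_SAMPLE='[Interface]
PrivateKey = <redacted>
Address = 10.0.8.2/32
DNS = 10.0.8.1

[Peer]
PublicKey = <redacted>
Endpoint = vpn.example.invalid:51820
AllowedIPs = 10.0.8.0/24, 10.0.0.0/24
'

wg_dns_check() {
    # Reads a WireGuard config on stdin (IPv4 only), prints a verdict per
    # DNS server, returns 0 only when every DNS server is inside AllowedIPs.
    awk '
    function ip2n(ip,  o) {
        split(ip, o, ".")
        return (((o[1] * 256) + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    # true when ip lies inside cidr (a.b.c.d/bits); a bare address means /32
    function inprefix(ip, cidr,  p, bits, shift) {
        split(cidr, p, "/")
        bits = (p[2] == "" ? 32 : p[2] + 0)
        if (bits == 0) return 1
        shift = 2 ^ (32 - bits)           # drop the host bits on both sides
        return int(ip2n(ip) / shift) == int(ip2n(p[1]) / shift)
    }
    /^\[/ { sect = $0 }
    sect == "[Interface]" && /^DNS[ \t]*=/ {
        sub(/^DNS[ \t]*=[ \t]*/, "")
        n = split($0, d, /[ \t,]+/)
        for (i = 1; i <= n; i++) if (d[i] != "") dns[++nd] = d[i]
    }
    sect == "[Peer]" && /^AllowedIPs[ \t]*=/ {
        sub(/^AllowedIPs[ \t]*=[ \t]*/, "")
        n = split($0, a, /[ \t,]+/)
        for (i = 1; i <= n; i++) if (a[i] != "") allowed[++na] = a[i]
    }
    END {
        if (nd == 0) {
            print "MISSING: no DNS= in [Interface]; client keeps its carrier/tethering resolver"
            exit 2
        }
        rc = 0
        for (i = 1; i <= nd; i++) {
            ok = 0
            for (j = 1; j <= na; j++) if (inprefix(dns[i], allowed[j])) ok = 1
            if (ok) print "OK: DNS " dns[i] " is inside AllowedIPs, queries go through the tunnel"
            else { print "LEAK: DNS " dns[i] " is outside every AllowedIPs prefix"; rc = 1 }
        }
        exit rc
    }'
}

# Usage: run the check against the constructed sample above.
printf '%s' "$WG_CONF_SAMPLE" | wg_dns_check
```

Passing this check is necessary but not sufficient: the pfSense side must also answer on the tunnel address, which means the DNS Resolver (Unbound) has to be listening on the WireGuard interface (or on All interfaces) and a firewall rule on the WireGuard interface has to allow port 53 to that address, as Bob-Dig notes. With those in place, nslookup from inside the tunnel should show the tunnel address as Server instead of 192.168.43.76.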
@Bob-Dig & @paoloposo
I have entertained the idea that DNS might need to be configured specifically for Wireguard (hence my post here), but somehow my googling always went off in different directions. And this has been going on for two weeks. I tried so many solutions both software and hardware, but somehow it completely escaped me that there even is a DNS field in the Wireguard app for Android. I feel embarrassed for having bothered the community with such a simple matter, but am grateful that both of you stepped in to help out.
Thanks!