DNS override IPsec?
-
Hello,
I've set up a site2site IPsec tunnel, which works.
But I'd like to resolve the domain of the remote site with the DNS of the remote-site.
I've added Domain Overrides to DNS resolver, but this does not seem to work.
I can ping the remote DNS servers and can resolve with them when using them in the nslookup command.
But it seems they are not asked when using the domain overriding.
Any suggestions?
Thanks. -
@kuchenmann you would need to set an outbound NAT.
Choose interface IPsec
destination IP: remote DNS server
tcp/udp port 53
translation address: put LAN or any other interface that is allowed to cross the P2 of this tunnel.
It's been a long time since I did something like this; I could have forgotten something.
-
@mcury
Ok, it was the wrong question.
It should be "Does domain override work with DNS resolver?".
Because it seems it does not do anything, even when I use an internal DNS.
Host overrides work, but domain overrides do not.
Thanks. -
@kuchenmann said in DNS override IPsec?:
It should be "Does domain override work with DNS resolver?".
Yes, it should of course. However, you might need to make the settings advised above by @mcury. Have you done this already?
Because it seems it does not do anything, even when I use an internal DNS.
Host overrides work, but domain overrides do not.
But if you do a lookup, does your pfSense show up as the responding server?
-
@kuchenmann There is a “simpler” workaround. In this setup I assume you are using IPSEC policy tunnels (P2) to allow your LAN on source to talk with LAN on your remote network.
On the source pfSense, in System -> Routing, create a gateway using the LAN IP address of the source system. Then create a route using the remote network as destination and your LAN address gateway as gateway. This will cause your pfSense to source its DNS queries from the LAN IP, which is correctly policy routed to the remote network.
You need to do the same thing on the remote system in order for it to reply properly. -
@keyser
Yes, with some packet captures I found that the DNS requests are sent from the WAN IP address.
DNS resolver outgoing network interface was set to default "All".
So of course I did not get a response from the private IP addresses of the DNS servers on the remote site.
So I tried to set the outgoing network interface to LAN, which worked.
Then I set it to WAN/LAN because I do not want to send all DNS requests to the remote site.
This seems to work: I can resolve domain.local with the internal remote DNS and all internet addresses with the public DNS.
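As an added illustration (not from the thread or from pfSense itself), the Unbound configuration that the GUI settings above translate to: a Domain Override becomes a `forward-zone`, and "Outgoing Network Interfaces" becomes `outgoing-interface`. The LAN address 192.168.1.1, the remote zone name and the remote DNS addresses are assumed placeholders.

```conf
server:
    interface: 192.168.1.1          # LAN address of the local pfSense (assumed)

    # Problem case ("All" in the GUI): no outgoing-interface line at all.
    # Unbound then lets the routing table pick the source address, which for
    # a destination behind the IPsec tunnel is the WAN address (default route),
    # so the query never matches the phase 2 selector and the remote private
    # DNS servers never answer, as the packet capture in the thread showed.

    # Fix: pin the source address to the LAN IP, which the phase 2 covers.
    outgoing-interface: 192.168.1.1

# Equivalent of the DNS Resolver "Domain Override" for the remote site's zone.
# Queries for this zone are forwarded to the remote site's DNS servers.
forward-zone:
    name: "domain.local"
    forward-addr: 10.10.0.10        # remote-site DNS server (assumed)
    forward-addr: 10.10.0.11        # second remote-site DNS server (assumed)
```

Unbound picks among several `outgoing-interface` entries per query rather than by destination, so listing both WAN and LAN (as the final post does) depends on retries for the forwarded zone; pinning to the LAN address alone gives a deterministic source for the tunnelled queries.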