Netgate Discussion Forum

    DNS Resolver and IPsec

    Category: DHCP and DNS
    4 Posts 2 Posters 263 Views
    haroldh
      last edited by haroldh

      I'm trying to get my DNS setup working with our new IPsec tunnel setup. Now, I've come across a couple of posts on this forum saying I need to change the "Outgoing Interfaces" option in my Resolver settings. For example: https://forum.netgate.com/topic/103395/dns-server-domain-override-over-ipsec-vpn-not-working
      However, won't this break the ability to resolve public domains like google.com? I don't want requests for public domains to be sent across the IPsec tunnel, only the domains I've set under Domain Overrides. I'm actually kind of confused that it does not do this automatically, since it knows how to route to the IP address of the remote DNS server.

      viragomann @haroldh

        @haroldh
        You can select multiple outgoing interfaces in the resolver settings. So it will send out requests according to the routing table.

          haroldh @viragomann

          @viragomann Okay, but by default that setting is set to "Any". Wouldn't that also allow the resolver to choose an interface according to the routing table? Or is that setting specifically bugged?
          Other posts suggest setting it to a specific interface. But the IPsec tunnel is not an 'interface' in that list. Should I be specifying both WAN (for forwarded queries to public nameservers) and an interface that can route through the IPsec tunnel, for example, LAN? And why do other posts suggest choosing the Localhost interface? Is that used by requests that are resolved by pfSense's own resolver?

          I am not in a position where I can just play around with the settings and see what works. I've got a company of 50 people depending on this router/firewall working correctly.

            viragomann @haroldh

            @haroldh said in DNS Resolver and IPsec:

            but by default that setting is set to "Any". Wouldn't that also allow the resolver to choose an interface according to the routing table?

            Yes, it does of course. But since you requested this, my assumption was that you currently have only WAN selected.

            Other posts suggest setting it to a specific interface. But the IPsec tunnel is not an 'interface' in that list.

            Policy-based IPSec connections are not treated as interfaces. You would only get interfaces for VTI IPSec.

            But I don't assume that you need to specify an interface in the DNS Resolver settings for a server IP on the remote site of a policy-based IPSec. I guess pfSense routes traffic to it anyway.

            And why do other posts suggest choosing the Localhost interface? Is that used by requests that are resolved by pfSense's own resolver?

            No idea, what the benefit of selecting localhost should be here.
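
            To make the two settings discussed above concrete, the following is an added illustration (not either poster's configuration, and not a file generated by pfSense) of the unbound.conf stanzas that the DNS Resolver "Outgoing Interfaces" and "Domain Overrides" options correspond to, with the setting that breaks the override shown beside the one that keeps tunnel-bound queries inside the Phase 2 selector. All addresses are constructed for the example. Assumed topology: WAN 203.0.113.10, LAN 192.168.1.1/24, a policy-based IPsec Phase 2 of local 192.168.1.0/24 to remote 10.20.0.0/24, and a remote DNS server 10.20.0.53 serving the override domain corp.example.

```conf
# Added illustration of the unbound.conf stanzas behind pfSense's
# "Outgoing Interfaces" and "Domain Overrides" settings.
# Constructed addresses, not taken from the thread:
#   WAN 203.0.113.10, LAN 192.168.1.1/24
#   policy-based IPsec Phase 2: 192.168.1.0/24 <-> 10.20.0.0/24
#   remote DNS server for corp.example: 10.20.0.53

server:
    # --- Setting that breaks the override: "Outgoing Interfaces" = WAN only ---
    # Every query unbound sends is sourced from 203.0.113.10. A query to
    # 10.20.0.53 therefore carries a source address outside the Phase 2 local
    # subnet, the IPsec policy selector does not match it, and the packet
    # leaves via the default route on WAN instead of entering the tunnel.
    # Public names still resolve; corp.example does not.
    outgoing-interface: 203.0.113.10

    # --- Setting that keeps the override inside the tunnel: LAN only ---
    # Queries are sourced from 192.168.1.1, which lies inside the Phase 2
    # local subnet, so a query to 10.20.0.53 matches the policy and is
    # encrypted into the tunnel. Internet-bound queries from the same source
    # still leave via WAN, assuming the default automatic outbound NAT
    # (which covers the LAN subnet, including the firewall's own LAN address).
    # outgoing-interface: 192.168.1.1

# "Domain Overrides" entry: only this zone is forwarded to the remote server.
# Every other name is resolved normally through the outgoing interface(s),
# so nothing but corp.example lookups is ever sent toward the tunnel.
forward-zone:
    name: "corp.example"
    forward-addr: 10.20.0.53
```

            One caveat on selecting several interfaces: per unbound.conf(5), when more than one outgoing-interface is configured unbound sends each query from a randomly chosen one to counter spoofing, so WAN plus LAN makes corp.example resolve only on the queries that happened to pick the LAN address. The path can be verified from the pfSense shell before touching the resolver at all, using whichever tool is installed: `drill -I 192.168.1.1 host.corp.example @10.20.0.53` against `drill -I 203.0.113.10 host.corp.example @10.20.0.53` (or `dig -b` with the same addresses); only the query sourced from the Phase 2 local address should be answered.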

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.