Netgate Discussion Forum

DNS Resolver and IPsec

Category: DHCP and DNS
4 Posts 2 Posters 289 Views
haroldh (Jun 19, 2024, 7:28 AM; last edited by haroldh Jun 19, 2024, 7:29 AM):

    I'm trying to get my DNS setup working with our new IPsec tunnel setup. Now, I've come across a couple of posts on this forum saying I need to change the "Outgoing Interfaces" option in my Resolver settings. For example: https://forum.netgate.com/topic/103395/dns-server-domain-override-over-ipsec-vpn-not-working
    However, won't this break the ability to resolve public domains like google.com? I don't want requests for public domains to be sent across the IPsec tunnel, only the domains I've set under Domain Overrides. I'm actually kind of confused that it does not do this automatically, since it knows how to route to the IP address of the remote DNS server.

viragomann @haroldh (Jun 19, 2024, 5:29 PM):

      @haroldh
      You can select multiple outgoing interfaces in the resolver settings, so it will send out requests according to the routing table.

haroldh @viragomann (Jun 20, 2024, 6:39 AM):

        @viragomann okay, but by default that setting is set to "Any". Wouldn't that also allow the resolver to choose an interface according to the routing table? Or is that setting specifically bugged?
        Other posts suggest setting it to a specific interface. But the IPsec tunnel is not an 'interface' in that list. Should I be specifying both WAN (for forwarded queries to public nameservers) and an interface that can route through the IPsec tunnel, for example, LAN? And why do other posts suggest choosing the Localhost interface? Is that used by requests that are resolved by pfSense's own resolver?

        I am not in a position where I can just play around with the settings and see what works. I've got a company of 50 people depending on this router/firewall working correctly.

viragomann @haroldh (Jun 20, 2024, 10:30 AM):

          @haroldh said in DNS Resolver and IPsec:

          but by default that setting is set to "Any". Wouldn't that also allow the resolver to choose an interface according to the routing table?

          Yes, it does, of course. But since you requested this, my assumption was that you currently have only WAN selected.

          Other posts suggest setting it to a specific interface. But the IPsec tunnel is not an 'interface' in that list.

          Policy-based IPSec connections are not treated as interfaces. You would only get interfaces for VTI IPSec.

          But I don't assume that you need to specify an interface in the DNS Resolver settings for a server IP on the remote site of a policy-based IPSec. I guess pfSense routes traffic to it anyway.

          And why do other posts suggest choosing the Localhost interface? Is that used by requests that are resolved by pfSense's own resolver?

          No idea, what the benefit of selecting localhost should be here.

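The thread leaves the practical question open: for a given "Outgoing Interfaces" selection, will a Domain Override query actually enter the policy-based tunnel, and will public queries still leave via WAN? Because the poster cannot experiment on the production firewall, the script below is a dry-run model of that decision. It is an added example written for this page, not code from the thread, from Netgate or from pfSense/Unbound. It assumes two documented behaviours: Unbound's outgoing-interface directive binds the source address of outgoing queries and, when several are listed, picks one at random per query (unbound.conf(5)); and a policy-based IPsec SPD only matches firewall-originated traffic whose source address lies inside the Phase 2 local network, otherwise the packet follows the normal routing table (the situation the linked forum topic describes). The routing table, the Phase 2 selectors, the unbound.conf fragment in the shape pfSense writes for a Domain Override, and all addresses are constructed for the example; "Any" is modelled as an empty outgoing-interface list. IPv4 only.

```python
import ipaddress

# Constructed routing table: (network, interface, address used as source).
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "wan", "203.0.113.10"),
    (ipaddress.ip_network("203.0.113.0/24"), "wan", "203.0.113.10"),
    (ipaddress.ip_network("192.168.10.0/24"), "lan", "192.168.10.1"),
]

# Constructed policy-based IPsec Phase 2 selectors: (local network, remote network).
P2_SELECTORS = [
    (ipaddress.ip_network("192.168.10.0/24"), ipaddress.ip_network("10.20.0.0/16")),
]

# Stands in for any public upstream (a.root-servers.net); only the path matters here.
PUBLIC_UPSTREAM = "198.41.0.4"

# Constructed unbound.conf fragment: one Domain Override for corp.example forwarded
# to a DNS server behind the tunnel, with Outgoing Interfaces set to LAN only.
SAMPLE_CONF = """\
server:
    outgoing-interface: 192.168.10.1
forward-zone:
    name: "corp.example"
    forward-addr: 10.20.0.53
"""


def parse_conf(text):
    """Return (outgoing_interfaces, forward_zones) from an unbound.conf fragment."""
    outgoing, zones, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "forward-zone:":
            current = {"name": None, "addrs": []}
            zones.append(current)
            continue
        if line.endswith(":"):          # any other section header, e.g. server:
            current = None
            continue
        key, _, value = line.partition(":")   # IPv4 only: ':' would split IPv6
        key, value = key.strip(), value.strip().strip('"')
        if key == "outgoing-interface":
            outgoing.append(value)
        elif current is not None and key == "name":
            current["name"] = value.rstrip(".").lower()
        elif current is not None and key == "forward-addr":
            current["addrs"].append(value.split("@")[0])   # strip optional @port
    return outgoing, zones


def longest_zone(qname, zones):
    """Pick the most specific forward-zone covering qname, or None (recursive)."""
    q = qname.rstrip(".").lower()
    best = None
    for z in zones:
        n = z["name"]
        if q == n or q.endswith("." + n):
            if best is None or len(n) > len(best["name"]):
                best = z
    return best


def lookup_route(dst):
    """Longest-prefix match; returns (interface, source address the kernel picks)."""
    dst = ipaddress.ip_address(dst)
    best = max((r for r in ROUTES if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1], best[2]


def egress(src, dst):
    """'ipsec' if (src, dst) matches a Phase 2 selector, else the routed interface."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote in P2_SELECTORS:
        if src in local and dst in remote:
            return "ipsec"
    return lookup_route(dst)[0]


def query_plan(conf_text, qname):
    """Where would Unbound send a query for qname under this configuration?"""
    outgoing, zones = parse_conf(conf_text)
    zone = longest_zone(qname, zones)
    dst = zone["addrs"][0] if zone else PUBLIC_UPSTREAM
    # "Any": the kernel chooses the source from the route to dst. An explicit
    # list: Unbound binds one listed address, chosen at random, so check them all.
    sources = outgoing if outgoing else [lookup_route(dst)[1]]
    paths = {src: egress(src, dst) for src in sources}
    return {"qname": qname, "server": dst, "forwarded": zone is not None,
            "paths": paths,
            "always_tunneled": all(p == "ipsec" for p in paths.values())}


if __name__ == "__main__":
    for name in ("fileserver.corp.example", "www.google.com"):
        print(query_plan(SAMPLE_CONF, name))
```

With "Any", the override query is sourced from the WAN address, misses the Phase 2 selector and leaves unencrypted via the default route; with LAN selected it is sourced from 192.168.10.1 and is tunneled, while a public name still exits WAN (from the LAN address, which assumes outbound NAT covers that subnet). Listing both WAN and LAN makes the outcome depend on Unbound's per-query random choice, which shows up as intermittent override failures.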
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.