Domain override => host override over VPN
-
I have two pfSense boxes connected via VPN, main & remote.
Both sites use the DNS Resolver.
The main site has a series of host overrides that resolve correctly on the main site network:
- server1.domainA => 192.168.1.20
- server2.domainA => 192.168.1.21
- server3.domainA => 192.168.1.22
At the remote site I wish to also be able to resolve these hosts, so I believe my options are:
1. Recreate all host overrides at the remote site (tested and works)
2. Use a domain override for domainA on the remote site's pfSense and point it to the main site's pfSense (not working)
I'd prefer (2), as the list of host overrides will grow over time and I'd prefer not to update multiple locations.
Should (2) above work, or is it not the way to do this?
-
@McMurphy It can be made to work (I'm currently using exactly that setup), but it requires some "non-logical" configuration on your boxes.
Basically the issue is that when one pfSense tries to connect to the other over VPN, it sources the traffic from an interface which causes the traffic to bypass being routed to the remote site (it typically goes out of WAN via the default route instead).
So depending on which interface IP you are trying to reach remotely (I assume LAN), you need to create a gateway on each box using its own LAN interface as the gateway IP, and then create a route to the remote LAN subnet using that gateway. That will cause the local pfSense to source the traffic from its own LAN interface, and thus comply with the routing or VPN policy rules for sending traffic down the tunnel.
-
@McMurphy Keep in mind that whenever you forward (i.e. your domain override is a forward), if the answer is RFC 1918 it would be a rebind. So where you're creating the domain override you would also need to set the domain as private.
https://docs.netgate.com/pfsense/en/latest/services/dns/rebinding.html#dns-rebinding-protections
You also need to make sure that where you're sending the query, the ACL on unbound allows the query. I would do a directed query to the unbound on the far side of the VPN and make sure you actually get an answer; this would not take into account any rebind, but it would validate that your firewall rules and unbound ACLs allow the query.
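The two checks the last reply describes, as an added example that is not part of the thread: it emits the unbound directives that a domain override for the zone plus a private-domain entry amount to (so rebinding protection does not discard the RFC 1918 answers from the main site), and it classifies the answers of a directed query by whether rebinding protection would drop them. It assumes the main-site pfSense LAN address 192.168.1.1 is the resolver the remote site forwards to; the zone name domainA and the 192.168.1.x answers come from the question.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: the main-site pfSense runs
# unbound on its LAN address 192.168.1.1 and is reachable through the tunnel.
MAIN_DNS="192.168.1.1"   # assumption: main-site resolver (forward target)
ZONE="domainA"           # zone from the question

# unbound directives equivalent to "domain override for $ZONE -> $MAIN_DNS"
# plus marking the zone private so RFC 1918 answers survive rebinding checks.
unbound_override_snippet() {
  zone="$1"; target="$2"
  printf 'private-domain: "%s"\n' "$zone"
  printf 'forward-zone:\n  name: "%s"\n  forward-addr: %s\n' "$zone" "$target"
}

# Returns 0 when an IPv4 address lies in an RFC 1918 block, i.e. an answer that
# rebinding protection discards unless the zone is marked private.
is_rfc1918() {
  case "$1" in
    10.*)                                    return 0 ;;
    192.168.*)                               return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*)   return 0 ;;
    *)                                       return 1 ;;
  esac
}

# Reads answers (one per line, as `dig ... +short` prints them) from stdin and
# labels each one; a labelled answer proves firewall rules and unbound ACLs
# allowed the directed query, the label says whether rebind protection would
# still drop it on the remote site.
classify_answers() {
  while read -r addr; do
    [ -z "$addr" ] && continue
    if is_rfc1918 "$addr"; then
      echo "$addr rebind-blocked-unless-private"
    else
      echo "$addr ok"
    fi
  done
}

# Directed query against the main-site resolver; needs the tunnel up, so it is
# defined but not called here.
live_check() {
  dig @"$MAIN_DNS" "server1.$ZONE" +short | classify_answers
}

# Demo on constructed data (offline): the answer server1.domainA gives at the
# main site, per the question, is 192.168.1.20.
SAMPLE_ANSWERS='192.168.1.20'
unbound_override_snippet "$ZONE" "$MAIN_DNS"
printf '%s\n' "$SAMPLE_ANSWERS" | classify_answers
```

Run `live_check` from the remote-site pfSense shell once the tunnel is up: no output at all means the query never got an answer (firewall rule or unbound ACL), while an answer labelled rebind-blocked-unless-private means the forward works but the domain still has to be set private on the remote side.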