openvpn client cannot resolve pfsense dns entries
- 
 Hi, I have a simple network setup: 5 Windows servers and a server with pfSense DHCP, pfSense DNS and pfSense OpenVPN running. All Windows servers on the LAN can resolve all other Windows server names. Then I have 30 VPN clients (Windows) and none can resolve any server name. Why? The following resolves when run from a computer on the LAN, but does not resolve when run through a VPN client:
 nslookup fileserver 10.44.0.3
 In both cases nslookup connects to the DNS server (10.44.0.3).
- 
 @lassesj said in openvpn client cannot resolve pfsense dns entries:
 Then I have 30 VPN clients (Windows) and none can resolve any server name. Why?
 A possible answer:
 Even when you force the client to use the "DNS proposed by the VPN connection" with an option like this : and this :  people (your OpenVPN clients) can have, for example, browsers on their devices that don't respect that, and go DoH or 8.8.8.8 for their DNS requests. And needless to say: any DoH DNS server, or 8.8.8.8, or anybody else, won't know anything about your local (on OpenVPN server) host names.
 @lassesj said in openvpn client cannot resolve pfsense dns entries:
 In both cases nslookup connects to the dns server (10.44.0.3)
 nslookup, an OS command, will respect the connection's registered DNS.
- 
 I am not a DNS expert, so bear with me. Can you explain why this happens:
 When connecting directly to the DNS server over VPN, I cannot resolve name
 When connecting directly to the DNS server from the LAN, I can resolve name
 Connecting directly means logging in to the DNS server via nslookup and then asking it to resolve, e.g.:
 nslookup - 10.44.0.3
 and then type fileserver
 I don't understand why the connection's registered DNS has something to do with the lookup if I connect directly to the DNS server.
- 
 @lassesj said in openvpn client cannot resolve pfsense dns entries:
 When connecting directly to the dns server over vpn, I cannot resolve name
 Who is the server that you want to reach over VPN? Can you go to the place where this DNS server is, and check with the extended query logs, or packet capture, if this DNS server actually received your query? (Did the request arrive?)
 @lassesj said in openvpn client cannot resolve pfsense dns entries:
 fileserver
 "fileserver"?
 If you were using 8.8.8.8: it doesn't know anything about your local resources. It knows only about publicly available host names.
- 
 @Gertjan: Thanks for the reply. I started to look at the logs and now I know what is wrong! I do connect to the DNS server both over VPN and from LAN. However, when I query from my LAN it adds my DNS suffix to the query, e.g. fileserver > fileserver.home.arpo. When I do it over VPN, it does not add any suffix. I have an idea on how to solve this... 
 As I read from the docs, it is a requirement to have a domain in general setup, and this is used as a DNS suffix when querying from LAN. How can I configure the VPN clients to have the same DNS suffix? Or is there another, better way to do this?
- 
 @lassesj said in openvpn client cannot resolve pfsense dns entries:
 I have an idea on how to solve this.
 Use your keyboard ?
 Normally, you should not be able to use a host name like 'file-server' to reach this device, even if it's on your own LAN.
 The correct way is : fileserver.yournetwork.tld which is the full device location.
 Like this :
 C:\Users\Gauche>ping -4 dvr.bhf.tld
 Envoi d’une requête 'ping' sur dvr.bhf.tld [192.168.1.8] avec 32 octets de données :
 Réponse de 192.168.1.8 : octets=32 temps=9 ms TTL=64
 Réponse de 192.168.1.8 : octets=32 temps=2 ms TTL=64
 Réponse de 192.168.1.8 : octets=32 temps=3 ms TTL=64
 Réponse de 192.168.1.8 : octets=32 temps=4 ms TTL=64
 True, Windows spoiled us a bit by adding a local network domain to the host name. So, start being less lazy ^^, and always use the full host name with domain name and you're done ^^
 @lassesj said in openvpn client cannot resolve pfsense dns entries:
 Or is there another, better way to do this?
 You mean :  ?
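
Added example, not part of the thread: a PowerShell check for a Windows VPN client that lists the DNS suffixes and servers each adapter uses, then asks the thread's DNS server (10.44.0.3) for fileserver with and without a suffix. The suffix value is a placeholder assumption; set it to the domain from the firewall's general setup.

```powershell
# Values taken from the thread: DNS server 10.44.0.3, host label "fileserver".
# $Suffix is a placeholder (assumption): use the domain configured on the firewall.
$DnsServer = '10.44.0.3'
$HostLabel = 'fileserver'
$Suffix    = 'example.internal'

# 1. Which suffixes will this client append to a single-label name?
Get-DnsClient |
    Select-Object InterfaceAlias, ConnectionSpecificSuffix |
    Format-Table -AutoSize
(Get-DnsClientGlobalSetting).SuffixSearchList

# 2. Which DNS servers did each adapter (including the VPN one) receive?
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object ServerAddresses |
    Select-Object InterfaceAlias, ServerAddresses |
    Format-Table -AutoSize

# 3. Ask the same server three ways. A trailing dot marks the name as fully
#    qualified, so no suffix is appended to it.
$queries = [ordered]@{
    'bare label (client may append its suffixes)' = $HostLabel
    'label with trailing dot (no suffix)'         = "$HostLabel."
    'full name with placeholder suffix'           = "$HostLabel.$Suffix."
}
$results = foreach ($q in $queries.GetEnumerator()) {
    try {
        $a = Resolve-DnsName -Name $q.Value -Server $DnsServer -Type A -DnsOnly -ErrorAction Stop |
             Where-Object Type -eq 'A'
        $answer = ($a.IPAddress -join ', ')
    } catch {
        # NXDOMAIN, timeouts and unreachable servers all end up here
        $answer = "FAILED: $($_.Exception.Message)"
    }
    [pscustomobject]@{ Query = $q.Key; Name = $q.Value; Answer = $answer }
}
$results | Format-Table -AutoSize
```

If only the full name resolves over the VPN, the VPN adapter has no matching suffix to append, which matches what the query logs in the thread showed.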
