DNS Forwarding over VPN



  • Hi, I've been using pfSense for a couple of months now, and it has been nothing but fantastic. So thanks to all involved.

    I'm mainly using it as a gateway on small networks to provide VPN access, as well as DNS/DHCP and as a Certificate manager too.

    However I'm starting to create it as a VPN client on a network, where I want a remote domain accessible to the local users.
    I have OpenVPN setup (routing mode) to the remote site, and I can ping servers in the IP range on that network.
    So now I've added a domain override in the DNS Forwarder to that remote network (as I have for the local domain too).
    So pfSense forwards
    domain.local > local IP of dns server
    domain.remote > remote IP of DNS server on remote network

    The first one works well.
    The second one gets no response.
    An NSlookup on the client PC gives "DNS request timed out" ie:

    nslookup host.domain.remote
    Server:  pfsense.domain.local
    Address:  10.20.1.7

    DNS request timed out.
        timeout was 2 seconds.
    DNS request timed out.
        timeout was 2 seconds.
    *** Request to pfsense.poli.local timed-out

    Can anyone suggest what could be wrong? or how to debug it?
    Ping on the pfSense box itself works to the remote network, but not on the DNS names (like this):

    /root(7): nslookup dc1.domain.remote
    Server:        127.0.0.1
    Address:        127.0.0.1#53

    ** server can't find dc1.domain.remote: NXDOMAIN



  • Does your pfSense box have a route to your remote DNS server? Does the remote DNS server have a route back to your pfSense box?



  • Which address would the remote DNS server need a route back to?

    I can successfully ping from clientA (on domain.local) to ServerB (on domain.remote) through pfsense, over the vpn and back.
    So the server does have a route back to 10.20.1.0/24 network.

    Would it be the VPN ip range?



  • By default, the DNS request will be sent with source IP = the IP of your OpenVPN site-to-site link. The remote DNS server would need to know how to route back to that. It can be a nuisance to get all the routes in your internal network to/from the various OpenVPN link subnets known correctly everywhere.
    To fix it: in domain overrides, enter Source IP = n.n.n.n where n.n.n.n is your pfSense LAN IP address.
    Then the requests will come from the LAN IP address, which everything already knows how to route back to.
    PS: It would be handy to be able to use a preconfigured alias in this field - then I could select "LAN address" and it would automatically update itself whenever the LAN address is changed. At the moment, there is data duplication, and if I change the LAN address, I have to also find duplicate places like this and change them also to match.



  • @brianmills:

    Which address would the remote DNS server need a route back to.

    The IP address of the system originating the DNS request. Since you are using the DNS forwarder, normally the IP address of the pfSense OpenVPN interface.

    @brianmills:

    I can successfully ping from clientA (on domain.local) to ServerB (on domain.remote) through pfsense, over the vpn and back.
    So the server does have a route back to 10.20.1.0/24 network.

    Is the server here the "remote DNS server"?

    It is a necessary condition there be a path and suitable routes for two systems to communicate. It is not a sufficient condition in that an intervening firewall might block particular traffic (for example, allow http but block ftp), the server application might block/ignore requests from particular IP addresses etc. Is the "remote DNS server" configured to accept DNS requests? Packet capture can be a useful tool to verify specific traffic gets to a particular host and that host generates an appropriate response.



  • I think it's a routing issue. My routes seem to not be in place as I expect (even though pinging from client A to the remote server works).

    The DNS server is remote.

    If I was to enter Source IP = n.n.n.n in DNS forwarder, where do I enter that? into the advanced options?



  • Put your pfSense LAN IP in the Source IP field of the Edit Domain Override screen - see screenshot example.
    (The screenshot is from a 2.1 system - I hope the field exists on 2.0.n!)



  • Rebel Alliance Developer Netgate

    The source address field was added on 2.1, but you can get the same effect using advanced options and removing the current domain override. Make sure to remove the current domain override, so the advanced option one will take effect.

    server=/domain.com/x.x.x.x@y.y.y.y

    domain.com is the domain to override, x.x.x.x is the DNS SERVER IP, and y.y.y.y is your LOCAL source IP.

