Netgate Discussion Forum
    [solved] VPN Clients can ping AD DNS server, but cannot resolve local names

    Category: DHCP and DNS
    13 Posts 2 Posters 10.8k Views
    Tired2

      Hi,

      I've been reading for a bit, and I've found some posts about dns/dhcp across multiple subnets, but I've yet to find any information about my specific situation.

      We currently have pfSense as an edge firewall/router.  Behind that is a LAN Active Directory server that serves out DHCP and DNS to LAN clients.  This is the 192.168.1.0/24 Network.

      I have OpenVPN set up, clients can connect and receive an IP on a different subnet (10.0.8.0/24) than our main LAN, but are provided with the addresses of the LAN DNS servers.

      VPN Clients are able to ping the DNS servers, but will not resolve dns from them.

      Is this a case of the DNS server blocking the request due to the client being on an unknown network?

      I've read a bit about DHCP relay, and even set it up a while back on the DHCP server, but I've had no luck.  I'm still hung up on the fact that I don't need DHCP to relay to the other network, I only need DNS queries to be fulfilled.

      Can anyone shed some light on my problem?

      Thank you.

      johnpoz (LAYER 8 Global Moderator)

        Do you allow DNS on the firewall rules for your OpenVPN clients?  If you're allowing ping I assume you're just wide open?

        But yes, it's quite possible your HOST is running a firewall that does not allow DNS from a remote segment.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        Tired2

          Thank you for the reply.

          I am open from the 10. VPN network to the 192. LAN network with an allow IPv4* rule in place.

          My test client has the firewall off.

          I assume no DNS forwarding or DHCP relay needs to be used in this situation typically?

          Maybe I just need to figure out how to check the logs on the DNS server to see if it sees the request.

          johnpoz (LAYER 8 Global Moderator)

            What rules do you have on the LAN interface - anything that might prevent DNS?

            It's simple enough to sniff the pfSense LAN to make sure a DNS query goes out to the DNS server.

            So for example - I am vpn'd into my home network currently, and sniffing on the lan interface on pfsense - I see the query go out to the dns server on 192.168.1.7 on my home lan.  But that current dns server does not currently reply to anything outside of the 192.168.1.0/24 network – as you can see from the dig I got refused.

            [attachment: vpndnsclient.png - dig from the VPN client, query seen on the LAN sniff, answer REFUSED]


            Tired2

              Thanks, my LAN rules are pretty open as well, and I don't have problems with any other services like RDP across the VPN, so I'm pretty sure it is not being blocked there.

              I'll try using dig like you did (which is new to me), and see if I get refused.  If I do, I know the problem lies on config on the AD DNS side and I'll approach it from there.

              Assuming you are using pfSense for DNS, are you able to allow the DNS query across subnets somehow?  Basically, is there some dns nomenclature I should look for on the AD DNS server to allow this if it is indeed refusing the connection?

              johnpoz (LAYER 8 Global Moderator)

                It's been a while since I played with Windows DNS - what server are you running on, 2k3, 2k8, 2012?  I don't recall any sort of DNS views feature in MS DNS..  It would be firewall based in Windows if you wanted to block, I believe.

                That REFUSED you saw is from a BIND server.

                As to using pfSense for DNS - unless you're using the BIND package, dnsmasq wouldn't have any restrictions other than firewall rules.

                Did you do a simple sniff on the pfSense LAN to validate you saw a query go out to your server - did you get anything back in the sniff?


                Tired2
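To make concrete what the sniff and the dig in the two posts above are showing, here is an added example written for this page (not code from the thread, from pfSense or from Netgate). It builds the same UDP A query `dig @server name A` sends and classifies the reply the way johnpoz reads it: REFUSED means the server got the packet and its policy (BIND allow-query, views) turned it away, so the firewall rules are not the problem; SERVFAIL or NXDOMAIN means the server accepted the query and had no answer. Standard library only; the server address, host names and the constructed replies are placeholders, and `query_server` is the only function that touches the network.

```python
"""Send a DNS A query like `dig @server name A` and classify the reply.

Added example for this thread, not code from the forum or from pfSense.
Standard library only. `query_server` does the real UDP exchange; everything
else works offline on constructed packets so the classification can be checked.
"""
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}

# What each code usually means for the situation in the thread.
HINTS = {
    "REFUSED": "server got the query and its policy (e.g. BIND allow-query) rejected it",
    "SERVFAIL": "server accepted the query but could not answer (e.g. a bare 'stingray.' "
                "it has no zone for, or a broken forwarder)",
    "NXDOMAIN": "no such name in the zone; check which suffix the client appended",
    "NOERROR": "answered; an empty answer section means the name exists but has no A record",
}


def encode_name(name: str) -> bytes:
    """DNS wire-format labels: len+label ... 0x00. 'stingray.' encodes as one label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Header (RD set, one question) + QNAME + QTYPE=A + QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def decode_name(msg: bytes, off: int):
    """Read a (possibly compressed) name; return (name, offset just after it)."""
    labels, end, jumped = [], None, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                        # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if ln == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", end


def parse_response(msg: bytes, expected_txid=None) -> dict:
    """Return the rcode name, the flags of interest and any A records in the answer."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch (not our reply)")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    off = 12
    for _ in range(qd):                               # skip the echoed question
        _, off = decode_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))
    rcode = RCODES.get(flags & 0xF, str(flags & 0xF))
    return {"rcode": rcode, "aa": bool(flags & 0x0400), "ra": bool(flags & 0x0080),
            "addresses": addrs, "hint": HINTS.get(rcode, "")}


def build_response(query: bytes, rcode: int, addrs=()) -> bytes:
    """Constructed reply to `query` for offline checks (QR|RD|RA set, answers via 0xC00C)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(addrs), 0, 0)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(a)
                       for a in addrs)
    return header + query[12:] + answers


def query_server(server: str, name: str, timeout: float = 2.0) -> dict:
    """Live equivalent of `dig @server name A` over UDP/53 (not exercised offline)."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data, expected_txid=struct.unpack("!H", q[:2])[0])


if __name__ == "__main__":
    # Placeholder server in the thread's LAN range; run from a VPN client to reproduce the test.
    print(query_server("192.168.1.1", "stingray.corp.example.com"))
```

Run it from the VPN client while sniffing the pfSense LAN interface: if the sniff shows the query leaving and this returns REFUSED, the path is fine and the answer lies in the DNS server's own policy; a timeout with the query visible on the LAN points at a host firewall on the server, and a timeout with nothing on the LAN points at pfSense rules.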

                  I have not yet sniffed for a request.  I'll give that a shot tonight (I've left the test client at home).  I could do it here, but since my machine on the LAN has cached all the DNS records already, it seems like it might not be as good as testing with a machine that has never been introduced to our LAN.

                  Thanks for the ideas, I'll post back when I get something worked out.

                  Tired2

                    I'm held up for now, reading more about AD DNS, but doing a "dig" like you did, I am not getting a response on local hostnames, but I do on public ones, like www.google.com

                    It seems I actually get the same "SERVFAIL" result when I'm on the VPN, and if I'm connected directly… back to the drawing board.

                    [attachment: 2014-01-06 cmd.exe screenshot of Windows bind dig.exe @192.168.1.1]

                    johnpoz (LAYER 8 Global Moderator)

                      What kind of query is "stingray."??  That is not an FQDN.

                      Where did you dig up such an old version of dig btw?


                      Tired2

                        I just grabbed dig off the 'bind' package website, or a site for win binaries.  Maybe I should have looked closer.

                        Just to be sure I'm barking up the right tree here with the DNS issue… I am trying to resolve local host names on my LAN, so STINGRAY is just a LAN computer that should have a record in our DNS server.

                        Maybe this sort of lookup is done over NetBIOS or WINS or something instead of DNS?  I've never really had a full grasp on where each of those services overlap.

                        I'd like my clients on VPN to be able to type a Windows PC hostname and get to them on services like RDP, VNC, Windows Sharing, etc.  Is the DNS config the right place to look?

                        johnpoz (LAYER 8 Global Moderator)

                          Oh my bad 9.10.0a1 is the development version ;)  I saw it as 9.1 ;)  which is from like 2001 era ;)

                          I agree stingray should have a record - but not "stingray."; it would be stingray.something.tld

                          So here is the thing: if you want a user to do, say, stingray and it to actually do a query for stingray.yourdomain.tld, then you need to make sure these machines are in the something.tld and/or they use something.tld as the search suffix.

                          If you're wanting the NetBIOS name to resolve, that would either be just broadcast - which, unless you're tap and bridged on your VPN, would not work - or you would need to use WINS.

                          I would suggest you validate you can do an FQDN query to your DNS - so say stingray.yourdomain.tld vs just stingray.

                          If that works, then you can work out your machines' search suffix to auto-attach the yourdomain.tld, or have users use the FQDN to query.  If you're wanting just NetBIOS over a routed connection, then WINS works.

                          Here I fired up 2k8r2 DNS for you – so it has a forward zone of local.lan.. But as you see, if I query for the host "2k8r2." it gives me SERVFAIL.. But if I query the actual FQDN it responds just fine.

                          I also did a query from my vpn client, notice the 10.0.200 address and 2k8r2 dns had no issues answering the query - other than it took a bit longer than the 4ms it took on my local lan ;)

                          also notice last example.. Using nslookup -- now pfsense will resolve just host names, because it has it in host file that way.  so 2k8r2 as just host name would resolve..  But if I ask the ms dns for a non fqdn it fails.

                          [attachment: examplednsquery.png - dig for "2k8r2." (SERVFAIL) vs the FQDN (answered)]
                          [attachment: dnsmanager.png - DNS Manager showing the local.lan forward zone]
                          [attachment: dnsfromvpn.png - the same query from the 10.0.200 VPN client]
                          [attachment: nosuffix.png - nslookup: pfSense resolves the bare host name from its host file, MS DNS does not]


                            Tired2
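Johnpoz's point above about "stingray." versus stingray.yourdomain.tld comes down to what the client's stub resolver does with a short name before any packet leaves. The following is an added example written for this page, not code from the thread, from pfSense or from Microsoft: it walks the search list the way a glibc-style resolver does (a trailing dot marks the name absolute and gets no suffix; `ndots` decides whether the bare name is tried before or after the suffixes) against a constructed zone, and reproduces the outcomes seen in the thread: the right pushed suffix finds the host, a wrong suffix such as localdomain produces a miss on computername.localdomain, and a trailing-dot query is never expanded at all. The zone, the corp.example.com domain and the addresses are placeholders; `openvpn_push_lines` emits the real OpenVPN `dhcp-option DOMAIN` / `dhcp-option DNS` push directives, which are what pfSense's OpenVPN server "DNS Default Domain" and "DNS Servers" fields generate.

```python
"""Stub-resolver search-list walk: why 'stingray' works only with the right suffix.

Added example for this thread, not code from the forum or from pfSense. The zone,
domain names and addresses are constructed; the search order follows the glibc
ndots rule, and a trailing dot marks a name as absolute (johnpoz's 'stingray.' case).
"""

# Constructed stand-in for the AD DNS server's forward zone (absolute names only).
ZONE = {
    "stingray.corp.example.com.": "192.168.1.50",
    "dc1.corp.example.com.": "192.168.1.5",
}


def candidates(name: str, search_list, ndots: int = 1):
    """Absolute names a stub resolver tries, in order, for `name`."""
    if name.endswith("."):
        return [name]                                   # already absolute: no suffix search
    as_is = name + "."
    suffixed = [f"{name}.{s.strip('.')}." for s in search_list if s.strip(".")]
    if name.count(".") >= ndots:                        # "enough dots": try as-is first
        return [as_is] + suffixed
    return suffixed + [as_is]                           # single label: suffixes first


def resolve(name: str, search_list, zone=ZONE, ndots: int = 1):
    """Walk the candidates against the zone; return (tried, matched_fqdn, address).

    An unmatched candidate is what the server answers NXDOMAIN/SERVFAIL to; the
    client only stops when one name in the list gets an address."""
    tried = []
    for fqdn in candidates(name, search_list, ndots):
        tried.append(fqdn)
        addr = zone.get(fqdn.lower())
        if addr is not None:
            return tried, fqdn, addr
    return tried, None, None


def openvpn_push_lines(domain: str, dns_servers):
    """OpenVPN server directives that hand clients a search suffix and resolvers."""
    lines = [f'push "dhcp-option DOMAIN {domain}"']
    lines += [f'push "dhcp-option DNS {ip}"' for ip in dns_servers]
    return lines


if __name__ == "__main__":
    # Correct suffix pushed, pfSense's default 'localdomain', and no suffix at all.
    for search in (["corp.example.com"], ["localdomain"], []):
        print(search, resolve("stingray", search))
    print(resolve("stingray.", ["corp.example.com"]))   # trailing dot: never expanded
    print("\n".join(openvpn_push_lines("corp.example.com", ["192.168.1.5"])))
```

The `["localdomain"]` case is the "host not found computername.localdomain" the original poster saw: the client dutifully appended the only suffix it had been given, so the fix is to push the AD domain (and, for domain-joined machines, to make sure their primary DNS suffix matches it), not to change anything on the DNS server.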

                            Well, I think you nailed it.  I missed that one big time.

                            From my test box, I could ping computername.domain.com, but not 'computername'.

                            So, in the OpenVPN config, I changed up the domain name I passed (leaving a few details out, but I had truncated off the first few subdomains).  Anyway, after getting that right, a ping of 'computername' returned "host not found computername.localdomain".

                            So, I never set the domain of pfsense because I did not think it mattered, so I corrected that, and after a reconnect, my client can now ping 'computername', and it resolves the ip, and the FQDN for that matter.

                            I'm not sure which setting (OpenVPN domain or General Domain setting) actually made it work, or maybe a combo of both, but it is all good now!

                            Your beer money has been sent via paypal.  :)

                            Thanks again for the help!

                              johnpoz (LAYER 8 Global Moderator)

                              Great to hear - and if you donated to pfsense, that is just icing on the cake!  Thanks!!


                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.