Netgate Discussion Forum

    [solved] VPN Clients can ping AD DNS server, but cannot resolve local names

DHCP and DNS
13 Posts 2 Posters 10.8k Views
Tired2

      Thank you for the reply.

      I am open from the 10. VPN network to the 192. LAN network with an allow IPv4* rule in place.

      My test client has the firewall off.

I assume no dns forwarding or dhcp relay needs to be used in this situation typically?

      Maybe I just need to figure out how to check the logs on the DNS server to see if it sees the request.

johnpoz LAYER 8 Global Moderator

        what rules do you have on the lan interface - anything that might prevent dns?

It's simple enough to sniff the pfsense lan to make sure a dns query goes out to the dns server.

        So for example - I am vpn'd into my home network currently, and sniffing on the lan interface on pfsense - I see the query go out to the dns server on 192.168.1.7 on my home lan.  But that current dns server does not currently reply to anything outside of the 192.168.1.0/24 network – as you can see from the dig I got refused.

        vpndnsclient.png

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

Tired2

          Thanks, my LAN rules are pretty open as well, and I don't have problems with any other services like RDP across the VPN, so I'm pretty sure it is not being blocked there.

          I'll try using dig like you did (which is new to me), and see if I get refused.  If I do, I know the problem lies on config on the AD DNS side and I'll approach it from there.

          Assuming you are using pfSense for DNS, are you able to allow the DNS query across subnets somehow?  Basically, is there some dns nomenclature I should look for on the AD DNS server to allow this if it is indeed refusing the connection?

johnpoz

It's been a while since I played with windows DNS - what server are you running on, 2k3, 2k8, 2012?  I don't recall any sort of dns views feature in MS dns..  It would be firewall based in windows if you wanted to block, I believe.

            That refused you saw is from a BIND server.

As to using pfsense for dns - unless you're using the BIND package, the dnsmasq wouldn't have any restrictions other than firewall rules.

Did you do a simple sniff on pfsense lan to validate you saw a query go out to your server - did you get anything back in the sniff?

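The "refused" in the earlier dig and the advice to sniff the pfSense LAN both come down to reading the RCODE in the reply. The script below is an added example for this thread, not pfSense, BIND or Windows DNS code: it builds a query the way dig does, parses the 12-byte header and the first A record of a reply, and maps the RCODE to the likely cause (REFUSED is a policy answer from the server, so the packet did get through; SERVFAIL and NXDOMAIN point at the name or the zone; no reply at all points at the firewall). The replies are constructed in-process, and the name stingray.corp.example uses an assumed domain, so nothing is sent on the wire.

```python
"""Decode a raw DNS reply and name its RCODE, so a capture taken on the
pfSense LAN interface can be read without guessing.

Added example for this thread (not pfSense, BIND or Windows DNS code).
The replies below are constructed in-process; nothing is sent on the wire.
"""
import struct
from typing import Optional

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal DNS query: one question, class IN, RD set (what dig sends by default)."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + qname + struct.pack("!HH", qtype, 1)


def make_response(query: bytes, rcode: int, answer_ip: Optional[str] = None) -> bytes:
    """Constructed reply to `query`: QR set, RD copied, RA set, given RCODE,
    optionally one A record (name compressed back to the question at offset 12)."""
    txid, flags, qd, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    flags = 0x8000 | (flags & 0x0100) | 0x0080 | (rcode & 0xF)
    body = query[12:]                      # copy the question section verbatim
    ancount = 0
    if answer_ip:
        rdata = bytes(int(p) for p in answer_ip.split("."))
        body += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
        ancount = 1
    return struct.pack("!HHHHHH", txid, flags, qd, ancount, 0, 0) + body


def decode_header(msg: bytes) -> dict:
    """Parse the 12-byte header; works on the UDP payload a sniff would save."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    return {
        "id": txid,
        "is_response": bool(flags & 0x8000),
        "authoritative": bool(flags & 0x0400),
        "recursion_desired": bool(flags & 0x0100),
        "recursion_available": bool(flags & 0x0080),
        "rcode": rcode,
        "rcode_name": RCODES.get(rcode, f"RCODE{rcode}"),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def first_a_record(msg: bytes) -> Optional[str]:
    """Dotted-quad of the first A record in the answer section, or None."""
    h = decode_header(msg)
    off = 12
    for _ in range(h["qdcount"]):
        off = _skip_name(msg, off) + 4     # QTYPE + QCLASS
    for _ in range(h["ancount"]):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            return ".".join(str(b) for b in msg[off:off + 4])
        off += rdlen
    return None


def diagnose(msg: bytes) -> str:
    """One-line reading of a reply, mapping the RCODE to the likely cause."""
    h = decode_header(msg)
    if not h["is_response"]:
        return "query, not a reply: if this is all the sniff shows, the server never answered"
    name = h["rcode_name"]
    if name == "REFUSED":
        return "REFUSED: server policy rejected the client (e.g. BIND allow-query), not a firewall drop"
    if name == "SERVFAIL":
        return "SERVFAIL: server could not resolve the name; check it is a FQDN in a zone it serves or forwards"
    if name == "NXDOMAIN":
        return "NXDOMAIN: the zone is served but has no such name"
    if name == "NOERROR" and h["ancount"] == 0:
        return "NOERROR with no answers (NODATA): name exists but has no record of that type"
    return f"{name} with {h['ancount']} answer(s)"


if __name__ == "__main__":
    q = build_query("stingray.corp.example")   # corp.example is an assumed domain
    for rc, ip in ((5, None), (2, None), (0, "192.168.1.50")):
        r = make_response(q, rc, ip)
        print(diagnose(r), first_a_record(r))
```

To use it on a real capture, save the UDP payload of the reply packet from the pfSense packet capture and pass those bytes to diagnose(); a query with no matching reply in the sniff means the packet never came back, which is the firewall case the thread is trying to rule out.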

Tired2

I have not yet sniffed for a request.  I'll give that a shot tonight (I've left the test client at home).  I could do it here, but since my machine on the LAN has already cached all the dns records, it seems like it might not be as good as testing with a machine that has never been introduced to our LAN.

              Thanks for the ideas, I'll post back when I get something worked out.

Tired2

                I'm held up for now, reading more about AD DNS, but doing a "dig" like you did, I am not getting a response on local hostnames, but I do on public ones, like www.google.com

                It seems I actually get the same "SERVFAIL" result when I'm on the VPN, and if I'm connected directly… back to the drawing board.

2014-01-06 16_09_06-Administrator_ C__Windows_system32_cmd.exe - Windows_bind_dig.exe @192.168.1.1.png

johnpoz

What kind of query is "stingray."??  That is not a FQDN.

                  Where did you dig up such an old version of dig btw?


Tired2

                    I just grabbed dig off the 'bind' package website, or a site for win binaries.  Maybe I should have looked closer.

Just to be sure I'm barking up the right tree here with the dns issue… I am trying to resolve local host names on my LAN, so STINGRAY is just a lan computer that should have a record in our DNS server.

                    Maybe this sort of lookup is done over NetBIOS or WINS or something instead of DNS?  I've never really had a full grasp on where each of those services overlap.

                    I'd like my clients on VPN to be able to type a Windows PC hostname and get to them on services like RDP, VNC, Windows Sharing, etc.  Is the DNS config the right place to look?

johnpoz

                      Oh my bad 9.10.0a1 is the development version ;)  I saw it as 9.1 ;)  which is from like 2001 era ;)

                      I agree stingray should have a record - but not stingray. it would be stingray.something.tld

So here is the thing: if you want a user to do say stingray and it to actually do a query for stingray.yourdomain.tld then you need to make sure these machines are in the something.tld and/or they use something.tld as search suffix.

If you're wanting the netbios name to resolve, that would either be just broadcast - which unless you're tap and bridged on your vpn would not work.  Or you would need to use wins.

I would suggest you validate you can do a fqdn query to your dns - so say stingray.yourdomain.tld vs just stingray.

If that works, then you can work out your machines' search suffix to auto attach the yourdomain.tld or have users use fqdn to query.  If you're wanting just netbios over a routed connection then wins works.

Here I fired up 2k8r2 dns for you – so it has a forward zone of local.lan.. But as you see if I query for the host 2k8r2. it gives me servfail.. But if I query the actual fqdn it responds just fine

I also did a query from my vpn client, notice the 10.0.200 address and 2k8r2 dns had no issues answering the query - other than it took a bit longer than the 4ms it took on my local lan ;)

Also notice the last example.. Using nslookup -- now pfsense will resolve just host names, because it has it in the host file that way.  So 2k8r2 as just a host name would resolve..  But if I ask the ms dns for a non fqdn it fails.

examplednsquery.png
dnsmanager.png
dnsfromvpn.png
nosuffix.png

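The search-suffix behaviour explained in this post, as an added example (not pfSense, OpenVPN or Windows resolver code): a stub resolver never sends the bare name the user typed; it runs the search list and asks for "stingray.yourdomain.tld." first, falling back to "stingray." only afterwards, so without a pushed suffix the server only ever sees the single-label query. The domain corp.example, the two-host zone and the toy server are assumptions built in-process; the toy server answers SERVFAIL for anything outside its zone because that is what the post reports seeing from the 2k8r2 server for "2k8r2.", not a statement of how every Windows DNS build behaves.

```python
"""Search-list expansion: what a stub resolver really asks for when a user
types a bare host name such as 'stingray'.

Added example for this thread, not pfSense or Windows resolver code.
The zone, the domain corp.example and the server behaviour are assumptions
built in-process so the script runs offline.
"""
from typing import List, Optional, Tuple

ZONE_ORIGIN = "corp.example."
ZONE = {                                    # constructed AD DNS forward zone
    "stingray.corp.example.": "192.168.1.50",
    "dc01.corp.example.": "192.168.1.7",
}


def candidate_names(name: str, search: List[str], ndots: int = 1) -> List[str]:
    """Names tried, in order, under the resolv.conf 'search'/'ndots' rules.

    A trailing dot makes the name absolute and it is never expanded.
    A name with fewer than `ndots` dots gets each search suffix first,
    then is tried as typed; otherwise as typed comes first.
    """
    if name.endswith("."):
        return [name]
    suffixed = [f"{name}.{s.strip('.')}." for s in search if s.strip(".")]
    as_typed = f"{name}."
    if name.count(".") >= ndots:
        return [as_typed] + suffixed
    return suffixed + [as_typed]


def toy_server(qname: str) -> Tuple[str, Optional[str]]:
    """Model of the AD DNS server in the thread: authoritative for one zone
    and, as assumed here, unable to answer anything else (SERVFAIL)."""
    if qname != ZONE_ORIGIN and not qname.endswith("." + ZONE_ORIGIN):
        return "SERVFAIL", None
    if qname in ZONE:
        return "NOERROR", ZONE[qname]
    return "NXDOMAIN", None


def resolve(name: str, search: List[str], ndots: int = 1):
    """Walk the candidates like a stub resolver; stop at the first NOERROR.
    Returns (qname, rcode, ip, tried) where tried lists every (qname, rcode)."""
    tried = []
    for qname in candidate_names(name, search, ndots):
        rcode, ip = toy_server(qname)
        tried.append((qname, rcode))
        if rcode == "NOERROR":
            return qname, rcode, ip, tried
    last_q, last_rc = tried[-1]
    return last_q, last_rc, None, tried


if __name__ == "__main__":
    # No suffix pushed to the VPN client: the server is asked for 'stingray.'
    print(resolve("stingray", []))
    # Suffix pushed to the client: the FQDN is built before the query leaves
    print(resolve("stingray", ["corp.example"]))
    # A FQDN typed by the user needs no search list at all
    print(resolve("stingray.corp.example.", []))
```

On pfSense the suffix reaches OpenVPN clients through the server's "DNS Default Domain" setting, which pushes an OpenVPN `dhcp-option DOMAIN` to the client; the `tried` list returned by resolve() is the same sequence you would see as separate queries in a sniff on the pfSense LAN.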

Tired2

                        Well, I think you nailed it.  I missed that one big time.

                        From my test box, I could ping computername.domain.com, but not 'computername'.

So, in the OpenVPN config, I changed up the domain name I passed (leaving a few details out, but I had truncated off the first few subdomains).  Anyway, after getting that right, a ping of 'computername' returned "host not found computername.localdomain".

                        So, I never set the domain of pfsense because I did not think it mattered, so I corrected that, and after a reconnect, my client can now ping 'computername', and it resolves the ip, and the FQDN for that matter.

                        I'm not sure which setting (OpenVPN domain or General Domain setting) actually made it work, or maybe a combo of both, but it is all good now!

                        Your beer money has been sent via paypal.  :)

                        Thanks again for the help!

johnpoz

                          Great to hear - and if you donated to pfsense, that is just icing on the cake!  Thanks!!


                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.