OpenVPN passing DNS queries to BIND
-
I'd be very grateful if anyone has any advice with an issue I'm having.
I've been running OpenVPN on my pfSense box for many years with no issues. In the past, I've always had DNS servers on other boxes rather than use the same pfSense box for DNS itself. However, I have recently installed the excellent BIND package on my pfSense box for name resolution on my LAN in an attempt to keep everything in the same place and on the same hardware. The BIND package works fine with name resolution on my LAN.
When I connect to my VPN when outside my network, DNS fails to resolve completely. The client is receiving the correct DNS addresses, so I know it's not an issue there.
I've updated the published DNS servers in the OpenVPN server section to point to the IP address of the same pfSense box hosting BIND (and OpenVPN). I've also set the BIND package to listen on all interfaces (should this be set to listen on WAN?). I've checked the firewall rules and one has been set automatically under OpenVPN to allow everything to anywhere. The same rule is also set on the LAN interface, so DNS queries should be allowed through.
Other than this I'm a little lost. I do have a secondary DNS server and everything works fine when it's on, as I'm assuming my client fails to contact the first DNS server (BIND on pfSense) and then reverts to the secondary instead. However, the secondary DNS is hosted on a power-hungry server I prefer to keep off. From what I can tell, OpenVPN is establishing a tunnel back to pfSense but isn't allowing DNS queries through?
I hope this makes sense and if anyone has any advice I'd be very grateful.
Many Thanks
OH
-
So what about the BIND ACLs? What network are your OpenVPN clients on? For example, mine are on the 10.0.8 network while my LAN is 192.168.1/24. So for a client with that IP, BIND would have to have an ACL to allow that access.
So the new resolver unbound has the same sort of rules.
So for example, from my VPN connection, if I disable the auto-added allow rules I get refused from my VPN client:
C:\>dig

; <<>> DiG 9.9.5-W1 <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 30254
;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; Query time: 145 msec
;; SERVER: 192.168.1.253#53(192.168.1.253)

If I add an allow of 10.0.8/24, which my VPN network falls in, then it works.

; <<>> DiG 9.9.5-W1 <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21296
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.                              IN      NS

;; ANSWER SECTION:
.                       518400  IN      NS      a.root-servers.net.
.                       518400  IN      NS      b.root-servers.net.
.                       518400  IN      NS      c.root-servers.net.
.                       518400  IN      NS      d.root-servers.net.
.                       518400  IN      NS      e.root-servers.net.
.                       518400  IN      NS      f.root-servers.net.
.                       518400  IN      NS      g.root-servers.net.
.                       518400  IN      NS      h.root-servers.net.
.                       518400  IN      NS      i.root-servers.net.
.                       518400  IN      NS      j.root-servers.net.
.                       518400  IN      NS      k.root-servers.net.
.                       518400  IN      NS      l.root-servers.net.
.                       518400  IN      NS      m.root-servers.net.

;; Query time: 426 msec
;; SERVER: 192.168.1.253#53(192.168.1.253)
;; WHEN: Tue Feb 10 09:57:05 Central Standard Time 2015
;; MSG SIZE  rcvd: 239
-
Thank you for your reply. My VPN clients are on 192.168.0/24 and my LAN is 172.16.0/24. I've added an ACL with '192.168.0.0/24' but am still having the same problem. When running dig I simply get "connection timed out; no servers could be reached". I feel like I may be doing something daft?
I have all the default allow-all BIND ACLs set like localnets, etc.
Edit: More info
-
So 192.168.0/24 is what you hand your VPN clients. What local network are they on? I would guess there is a huge chance of overlap.
-
You make a good point. I have changed the tunnel network to 192.168.100/24. The local network was 10.0.1/24. Is there a specific format in which I should enter the tunnel network in the BIND ACL?
Thanks again for your help with this.
-
I got this working in the end. I had to change the zone files to look at the new ACL as well as the View. I figured I was doing something daft. Thanks for pointing me in the right direction.
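The two points the thread ends on (the tunnel subnet must be in a BIND ACL, and that ACL must be referenced from both the View and the zone settings) are easier to see in raw named.conf form than in the pfSense package GUI. The fragment below is an added example, not the thread's own configuration and not what the pfSense BIND package writes out; it uses the final addresses from the thread (LAN 10.0.1.0/24, tunnel 192.168.100.0/24) and assumes pfSense holds 10.0.1.1 on the LAN and 192.168.100.1 on the tunnel interface, and assumes a zone name of home.example.

```conf
// Added example: hand-written named.conf fragment for BIND 9 on the
// pfSense box. Addresses from the thread; .1 hosts and the zone name
// "home.example" are assumptions for illustration.

// Name the source networks once; ACL names are then reused below.
acl "lan"     { 10.0.1.0/24; };
acl "vpn"     { 192.168.100.0/24; };   // OpenVPN tunnel network
acl "trusted" { localhost; lan; vpn; };

options {
    directory "/etc/namedb";
    // Bind to LAN and tunnel addresses only; nothing needs to reach BIND
    // on the WAN address, since VPN clients arrive via the tunnel.
    listen-on { 127.0.0.1; 10.0.1.1; 192.168.100.1; };
    // Deny by default; the view grants access explicitly.
    allow-query     { none; };
    allow-recursion { none; };
    recursion yes;
};

// A client must be admitted by match-clients on the view AND by the
// allow-* lists on the zone it asks about; failing either check yields
// status: REFUSED (the symptom in the dig output above).
view "internal" {
    match-clients   { trusted; };
    allow-query     { trusted; };
    allow-recursion { trusted; };

    zone "home.example" {
        type master;
        file "home.example.db";
        allow-query { trusted; };
    };

    zone "1.0.10.in-addr.arpa" {
        type master;
        file "10.0.1.rev";
        allow-query { trusted; };
    };
};
```

Two checks worth keeping in mind when applying this. BIND evaluates the ACL against the source address it sees, which for a VPN client is its tunnel address (192.168.100.x), not its home LAN address, so the tunnel network is the one that belongs in the ACL. And the two failure modes in the thread look different at the client: `status: REFUSED` means the query reached BIND and an ACL denied it, whereas `connection timed out; no servers could be reached` means no reply came back at all, which points at routing (for instance a tunnel subnet that overlaps the client's local 192.168.0.0/24), the listen address, or the firewall rather than at BIND's ACLs.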