[Workaround] DNS Resolver - Domain Overrides



  • Hello,

    I have a working LAN to LAN IPSec Tunnel between a PfSense router and a Draytek one on the other side.

    I would like all my LAN clients connected to the pfSense box via DHCP to be able to resolve my servers' hostnames. Those servers are physically located on the other side, in another network range.
    I can ping them, but not by their hostname.

    For this example, let's say my domain name is test.com.

    I set up my DHCP server on the pfSense box with these DNS IPs:

    • 192.168.1.254 (self address of PfSense LAN interface)
    • XXX.XXX.XXX.XXX (public IP DNS of my Internet provider)
    • XXX.XXX.XXX.XXX (second IP DNS of my Internet provider)

    Also, some additional config:

    In the resolver configuration, I've tried to use the "domain override" option but it doesn't seem to work. Clients are not able to resolve my servers' names.
    The config was:
    DOMAIN: test.com    --  IP Address: 192.168.0.1

    I've removed everything to use the "advanced option" instead, but the Unbound service doesn't start anymore, with "could not enter zone test.com transparent" and "duplicate local-zone" entries in the log file.

    I would like my clients to be able to resolve the IP addresses of machines in their own network by name (thanks to the pfSense box with its DHCP server), but also to resolve other machines located across the VPN tunnel, which my Active Directory DNS at 192.168.0.1 knows about.

    Here's my config

    ##########################
    # Unbound Configuration
    ##########################
    
    ##
    # Server configuration
    ##
    server:
    
    chroot: /var/unbound
    username: "unbound"
    directory: "/var/unbound"
    pidfile: "/var/run/unbound.pid"
    use-syslog: yes
    port: 53
    verbosity: 1
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: yes
    do-daemonize: yes
    module-config: "validator iterator"
    unwanted-reply-threshold: 0
    num-queries-per-thread: 4096
    jostle-timeout: 200
    infra-host-ttl: 900
    infra-cache-numhosts: 10000
    outgoing-num-tcp: 10
    incoming-num-tcp: 10
    edns-buffer-size: 4096
    cache-max-ttl: 86400
    cache-min-ttl: 0
    harden-dnssec-stripped: yes
    msg-cache-size: 4m
    rrset-cache-size: 8m
    
    num-threads: 1
    msg-cache-slabs: 4
    rrset-cache-slabs: 4
    infra-cache-slabs: 4
    key-cache-slabs: 4
    outgoing-range: 4096
    #so-rcvbuf: 4m
    auto-trust-anchor-file: /var/unbound/root.key
    prefetch: no
    prefetch-key: no
    use-caps-for-id: no
    # Statistics
    # Unbound Statistics
    statistics-interval: 0
    extended-statistics: yes
    statistics-cumulative: yes
    
    # Interface IP(s) to bind to
    interface: 0.0.0.0
    interface: ::0
    interface-automatic: yes
    
    # DNS Rebinding
    # For DNS Rebinding prevention
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 169.254.0.0/16
    private-address: 192.168.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10
    # Set private domains in case authoritative name server returns a Private IP address
    
    # Access lists
    include: /var/unbound/access_lists.conf
    
    # Static host entries
    include: /var/unbound/host_entries.conf
    
    # dhcp lease entries
    include: /var/unbound/dhcpleases_entries.conf
    
    # Domain overrides
    include: /var/unbound/domainoverrides.conf
    
    # Unbound custom options
    private-domain: "test.com"
    local-zone: "test.com" redirect
    local-data: "test.com A 192.168.0.1"
    
    ###
    # Remote Control Config
    ###
    include: /var/unbound/remotecontrol.conf
    

    Thanks everyone for the help. I've read many articles and posts but found nothing on that "duplicate local-zone".
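The "duplicate local-zone" failure above comes from the same zone being declared in more than one place once pfSense splices its include files into unbound.conf, and a `local-zone ... redirect` on a name that also has a domain override (a `forward-zone`) answers locally and never forwards. The following lint script is an added example, not from the post or from pfSense: it parses a main config plus its `include:` files (supplied as an in-memory dict of constructed contents; the second file's lines are an assumption used to reproduce a duplicate, not what pfSense actually writes) and reports both conditions.

```python
"""Lint Unbound config files for conflicting zone declarations.

Added example modelled on the forum post above; the file contents and
paths are constructed for the demonstration. Two findings are produced:
  * the same local-zone declared more than once across the main file and
    its include: files (Unbound refuses to start: "duplicate local-zone"),
  * a local-zone whose type answers locally (redirect, static, ...) on a
    name that also has a forward-zone/stub-zone, so the override never
    receives the query.
"""
import re
from collections import defaultdict

# Constructed sample: the "custom options" block declares a redirect zone
# for test.com while an included file (assumed content) declares it again
# and forwards it to the AD DNS server across the tunnel.
FILES = {
    "/var/unbound/unbound.conf": """\
server:
    private-domain: "test.com"
    include: /var/unbound/domainoverrides.conf
    # Unbound custom options
    local-zone: "test.com" redirect
    local-data: "test.com A 192.168.0.1"
""",
    "/var/unbound/domainoverrides.conf": """\
local-zone: "test.com" transparent
forward-zone:
    name: "test.com"
    forward-addr: 192.168.0.1
""",
}

# Clause headers that change what the following key/value lines belong to.
CLAUSES = {"server", "forward-zone", "stub-zone", "auth-zone", "view", "remote-control"}
# local-zone types that answer from local data instead of forwarding.
LOCAL_ANSWER_TYPES = {"redirect", "static", "refuse", "deny", "always_nxdomain"}


def _normalize(name):
    """Zone names are case-insensitive; compare without quotes or trailing dot."""
    return name.strip('"').rstrip(".").lower()


def parse_unbound(path, files, state=None, out=None):
    """Return (file, lineno, clause, key, value) for every option, splicing
    include: files in place the way Unbound does (the clause carries over)."""
    state = state if state is not None else {"clause": None, "seen": set()}
    out = out if out is not None else []
    if path in state["seen"]:           # guard against include loops
        return out
    state["seen"].add(path)
    for lineno, raw in enumerate(files[path].splitlines(), 1):
        line = re.sub(r"#.*$", "", raw).strip()   # drop comments and blanks
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not value and key in CLAUSES:
            state["clause"] = key
        elif key == "include":
            parse_unbound(value, files, state, out)
        else:
            out.append((path, lineno, state["clause"], key, value))
    return out


def lint_zones(entries):
    """Return human-readable findings about duplicate or shadowing zones."""
    local_zones = defaultdict(list)      # zone -> [(file, line, type)]
    forward_zones = defaultdict(list)    # zone -> [(file, line, clause)]
    for path, lineno, clause, key, value in entries:
        if key == "local-zone" and len(value.split()) == 2:
            name, ztype = value.split()
            local_zones[_normalize(name)].append((path, lineno, ztype))
        elif clause in ("forward-zone", "stub-zone") and key == "name":
            forward_zones[_normalize(value)].append((path, lineno, clause))

    findings = []
    for zone, decls in local_zones.items():
        if len(decls) > 1:
            where = ", ".join(f"{p}:{n} ({t})" for p, n, t in decls)
            findings.append(f"duplicate local-zone {zone}: {where}")
        for p, n, t in decls:
            if t in LOCAL_ANSWER_TYPES and zone in forward_zones:
                findings.append(
                    f"local-zone {zone} {t} at {p}:{n} shadows the "
                    f"{forward_zones[zone][0][2]} for {zone}; queries are answered "
                    "locally and never forwarded")
    return findings


if __name__ == "__main__":
    for finding in lint_zones(parse_unbound("/var/unbound/unbound.conf", FILES)):
        print(finding)
```

On a real box the stock `unbound-checkconf` utility reports the duplicate as well; the value of the script is that it also points at the redirect zone, which is the reason the host override worked while the domain override did not: a domain override is a `forward-zone`, and any local-zone type other than transparent on the same name takes precedence over it.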



  • Your AD clients should be using the Windows DC as their primary DNS server only. Set the Windows DNS server to use the pfSense as a forwarder and don't bother with the override.



  • Thanks for your answer muswellhillbilly.

    Actually, the problem is more on the pfSense side. All my LAN clients within the HQ don't need to resolve the machines behind the pfSense box in the other branch office.
    But clients on the pfSense box need to resolve my servers' hostnames.

    Anyway, I read everywhere that we should not use DNS Forwarder but Resolver instead. I gave it a try anyway and, guess what, it works flawlessly.
    I can resolve my servers' hostnames, and nslookup for everything related to the internet is way faster than with DNS Resolver.

    For youtube.com and famous others names, I used to have:

    • timeout for 2 seconds
    • timeout for 2 seconds
    • RESULTS

    Now with DNS Forwarder it's quick.

    DNS Resolver worked partially, because when I set one of my server hostnames in the "HOST OVERRIDE" section, my clients could resolve the name. But oddly, if I set a domain override, it doesn't work anymore.

    I'm wondering if DNS Resolver and the IPSec tunnel work together? Because for the domain override, it needs to send the query to my PDC in another subnet across the VPN tunnel. It should know the route from the routing table, but in reality it kind of struggles. Or at least, there's something I didn't get.

    Anyway, DNS Forwarder is my way to go now.
    Hope it helps someone else.