No local DNS on IPSec



  • Ok, so I have a mobile tunnel setup which works great, except that even though the DNS settings issued by the IPSec tunnel are correct, no local hosts will resolve.  It works when I do it manually over the tunnel by doing `nslookup officeserver 10.10.5.253` (where 10.10.5.253 is my local DNS server), but if I just try

    ```
    nslookup officeserver
    ```



  • What client? Seems the client just isn't setting your DNS server to the one across the VPN.



  • Mac OS X.  It is setting the DNS server because I can see it in the Network settings of the VPN connection.  Both the DNS server and the search domain are being set correctly.

    I can also see the DNS request from the client in the firewall log (not blocked).



  • Probably the default domain in that case. Outside of nslookup, when you lookup "officeserver", the Mac will append its default domain. Say that's example.com, its lookup will be officeserver.example.com.



  • Hi CMB, thanks for your reply.  The default domain is also set correctly in the VPN client.  Also, if I try to resolve the FQDN of the office server, it still doesn't work over the VPN.  Any other clues?



  • Packet capture what DNS requests are going out from the client, it's sending some judging by your description, what is it sending and what reply is it getting?



  • Ok, here's the result of the packet capture on the IPSec interface.  The client is 10.10.9.1 and the DNS is the pfSense box itself, 10.10.5.253:

    04:20:52.236714 (authentic,confidential): SPI 0xc148b405: IP 10.10.9.1.65330 > 10.10.5.253.53: UDP, length 40
    04:20:52.266992 (authentic,confidential): SPI 0x0e3497fe: IP 10.10.5.253.53 > 10.10.9.1.65330: UDP, length 115
    
    


  • That shows you're getting a request across and getting a reply. Turn up the verbosity and you'll be able to see the contents of the request and reply. Or download the resulting pcap and open it in Wireshark.



  • Ok, I had a look in Wireshark but can't really figure out what's going on.  I've attached the capture for you to look at if you're willing. (change from .jpg to .cap)

    packetcapture.jpg



  • So it's looking up hostname "xserve2.acctv.com.aup\004". That looks like the client bug that Apple fixed semi-recently, I think in El Capitan, where it was appending p plus some bunk data to the end of the default domain it obtained from the VPN server. A couple of us recently confirmed that was fixed in OS X, is that client up to date?

    There is a workaround, if you add a second domain to the search list (say example.com), it'll only break the second domain.
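    The Wireshark step above can also be done in code. This is an added example, not from the thread or from pfSense: it builds two constructed DNS queries (one clean, one carrying the mangled `aup\004` label quoted above), decodes the question section the way a capture tool would, and flags any label with bytes outside the hostname alphabet, so the bogus suffix stands out without opening a pcap by hand.

    ```python
    import string

    # Bytes allowed in a hostname label (letters, digits, hyphen; underscore
    # tolerated for SRV-style names). Anything else is flagged.
    PRINTABLE = set(string.ascii_letters + string.digits + "-_")


    def build_query(labels, qid=0x1234, qtype=1):
        """Construct a minimal DNS query: 12-byte header (RD set, QDCOUNT=1)
        plus one question. Labels are raw bytes so odd client output can be
        reproduced exactly."""
        hdr = qid.to_bytes(2, "big") + b"\x01\x00\x00\x01" + b"\x00" * 6
        qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
        return hdr + qname + qtype.to_bytes(2, "big") + b"\x00\x01"


    def parse_question(pkt):
        """Return (labels, qtype, qclass) for the first question in a DNS
        message. Queries carry uncompressed names, so pointers are rejected."""
        if int.from_bytes(pkt[4:6], "big") < 1:
            raise ValueError("no question section")
        labels, pos = [], 12
        while pkt[pos] != 0:
            n = pkt[pos]
            if n & 0xC0:
                raise ValueError("compression pointer in query name")
            labels.append(pkt[pos + 1:pos + 1 + n])
            pos += 1 + n
        pos += 1  # skip the terminating zero-length label
        qtype = int.from_bytes(pkt[pos:pos + 2], "big")
        qclass = int.from_bytes(pkt[pos + 2:pos + 4], "big")
        return labels, qtype, qclass


    def suspicious_labels(labels):
        """Labels containing bytes outside the hostname alphabet."""
        return [l for l in labels if any(chr(b) not in PRINTABLE for b in l)]


    def describe(labels):
        """Render the name the way tcpdump/Wireshark do: odd bytes as \\ooo."""
        return ".".join("".join(chr(b) if chr(b) in PRINTABLE else "\\%03o" % b
                                for b in l) for l in labels)


    # Constructed samples: a clean lookup and the mangled one seen in the thread.
    GOOD = build_query([b"xserve2", b"acctv", b"com"])
    BAD = build_query([b"xserve2", b"acctv", b"com", b"aup\x04"])

    if __name__ == "__main__":
        for pkt in (GOOD, BAD):
            labels, qtype, _ = parse_question(pkt)
            print(describe(labels), "qtype", qtype, "suspicious", suspicious_labels(labels))
    ```

    Pointing `parse_question` at the UDP payload of a captured query (after the IP/UDP headers) gives the same result for real traffic; a non-empty `suspicious_labels` list is the signature of the client-side suffix bug rather than a firewall or resolver problem.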



  • Thanks for replying.  I noticed the extraneous info as well but didn't realise it wasn't normal.  The client is up to date (fully-patched El Capitan) and I added a second dummy domain, but it didn't seem to make any difference.  Any other clues?



  • @mattbodman:

    Ok, so I have a mobile tunnel setup which works great, except that even though the DNS settings issued by the IPSec tunnel are correct, no local hosts will resolve.

    I just had this issue yesterday.  I set up an IPsec VPN and everything worked fine except DNS resolution.  I could ping things by IP but not by name.  Pulled my hair out for hours trying to resolve it.  Finally, I rebooted the pfSense box out of frustration.  That worked.  No idea why, but it did.  I replicated the issue just to verify.  Deleted the VPN setup and recreated it.  Had the same DNS issue.  Rebooting the router fixed it.  Works great now.  No idea why, but maybe it will work for you too?



  • Remove your DNS Default Domain from your mobile client IPsec configuration and add it manually in the client's VPN DNS Domain configuration. This should work.



  • @Tramii:

    @mattbodman:

    Ok, so I have a mobile tunnel setup which works great, except that even though the DNS settings issued by the IPSec tunnel are correct, no local hosts will resolve.

    I just had this issue yesterday.  I set up an IPsec VPN and everything worked fine except DNS resolution.  I could ping things by IP but not by name.  Pulled my hair out for hours trying to resolve it.  Finally, I rebooted the pfSense box out of frustration.  That worked.  No idea why, but it did.  I replicated the issue just to verify.  Deleted the VPN setup and recreated it.  Had the same DNS issue.  Rebooting the router fixed it.  Works great now.  No idea why, but maybe it will work for you too?

    Thanks for posting; I know this is an older thread but this was the answer I needed. Maybe it would have worked to restart the DNS Resolver as well, but rebooting the router fixed this issue for me.

