DNS Forwarder for subdomain doesn't appear to be working

  • I've got two sites both running the latest pfSense and I have an IPSec VPN between them. Each site has their own independent domain name (east.mycorp.com) and (west.mycorp.com) and at each site I have a WWW server set up (www.east.mycorp.com) and (www.west.mycorp.com).  On both boxes I have their respective ISPs DNS servers set up in System > General Setup > DNS Servers, and DNS Resolver enabled, no port defined (therefore 53), all interfaces, all outbound interfaces, DHCP registration and DHCP static registration turned on. I also have a domain override enabled on each system that points to the other pfsense box for the other subdomain, therefore:

    On my EAST network, I attempt an nslookup for www.west.mycorp.com and I don't get any resolution.  During my testing (from a client) I check nslookup www.west.mycorp.com and I get a denied message, so I turned on an access list on WEST pfSense to permit lookups from, after which my nslookup www.west.mycorp.com successfully resolves to  :D Happy days, I've solved it I thought. Not so fast, bnoeafk…

    Multiple attempts to use my EAST pfSense to forward the resolution to the WEST doesn't seem to work, from the clients or from pfSense itself (Diagnostics > DNS Lookup). SSH'ing into the box and running unbound-control lookup www.west.mycorp.com reports back that there is "no delegation from cache; goes to configured roots"

    I've tried a number of things (turning on / off DNS Querying Forwarding was suggested from https://doc.pfsense.org/index.php/Unbound_DNS_Resolver) but that doesn't appear to have helped either.  Now obviously I need this to work from both sites, but at the moment I'm just trying to get EAST to read WEST's host overrides so that I can get on with life.

    Anyone have any pointers or see where I'm going so drastically wrong?

    Your humble servant,


  • LAYER 8 Netgate

    I see you have all outbound interfaces selected.

    I know when using OpenVPN you have to source the queries from something that is included in a remote network at the other side. I have mine set to LAN here.

    You would probably need to source it from something in the local side of a phase 2 entry.

    You can log into the firewall and use drill to see what's going on.

    For example, on EAST

    drill -I @ something.west.mycorp.com

    -I is the source address of the query and @ is the name server to query.

    This has the side effect of queries needing to go through NAT when going out WAN (instead of just having a source address of WAN address) but I am pretty sure it's the only way.

    And IPSec firewall rules at the destination side (WEST in this example) have to pass the traffic, naturally.
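    As an added, constructed illustration of the point above (not code from this thread or from pfSense/Unbound): a query only enters the IPsec tunnel when its source address lies inside the phase 2 local network, which is what `drill -I` and Unbound's outgoing interface choose; the subnets and addresses below are assumed values.

```python
import socket
import struct
import ipaddress
# Constructed example values (not from the thread): EAST's LAN is the local side of
# the IPsec phase 2 entry; WEST's pfSense resolver sits inside the remote side.
EAST_P2_LOCAL = ipaddress.ip_network("10.1.0.0/24")
EAST_LAN_IP, EAST_WAN_IP, WEST_RESOLVER = "10.1.0.1", "203.0.113.10", "10.2.0.1"

def source_uses_tunnel(source_ip, p2_local=EAST_P2_LOCAL):
    # Only a source inside the phase 2 local net matches the IPsec policy; WAN-sourced
    # queries are routed to the ISP instead (the "goes to configured roots" symptom).
    return ipaddress.ip_address(source_ip) in p2_local

def build_query(name, txid=0x1234):
    # Minimal wire-format DNS A query with RD=1, like the one drill sends.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [l.encode() for l in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_a_records(resp):
    # Extract A-record addresses from a response, handling compression pointers.
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    def skip_name(p):
        while True:
            length = resp[p]
            if length == 0:
                return p + 1
            if (length & 0xC0) == 0xC0:  # two-byte compression pointer
                return p + 2
            p += length + 1
    pos, ips = 12, []
    for _ in range(qdcount):
        pos = skip_name(pos) + 4  # skip QTYPE/QCLASS
    for _ in range(ancount):
        pos = skip_name(pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            ips.append(str(ipaddress.IPv4Address(resp[pos:pos + 4])))
        pos += rdlen
    return ips

def query_from_source(name, server, source_ip, timeout=2.0):
    # Python equivalent of `drill -I <source_ip> @<server> <name>`: binding the UDP
    # socket to a LAN-side address is what makes the query enter the tunnel.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.bind((source_ip, 0))
        s.sendto(build_query(name), (server, 53))
        return parse_a_records(s.recvfrom(512)[0])
```

    On a real EAST box, `query_from_source("www.west.mycorp.com", WEST_RESOLVER, EAST_LAN_IP)` should answer while the same call sourced from `EAST_WAN_IP` times out unless the WEST IPsec rules and access list permit it.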

  • Derelict,
    Many thanks for your help. I've set the Outgoing Network Interfaces to LAN and now it's working just perfectly. I really appreciate this!


  • I may have asked this question before in another thread (sorry if it has already been answered – I am an old man!) but what are the ramifications if any of doing this? It seems that setting Unbound's outgoing interface to LAN just fixes everything up in most cases, I am wondering why the default behavior is to set it to "ALL".
