DNS Forwarder for subdomain doesn't appear to be working
-
I've got two sites both running the latest pfSense and I have an IPSec VPN between them. Each site has its own independent domain name (east.mycorp.com and west.mycorp.com) and at each site I have a WWW server set up (www.east.mycorp.com and www.west.mycorp.com). On both boxes I have their respective ISP's DNS servers set up in System > General Setup > DNS Servers, and DNS Resolver enabled, no port defined (therefore 53), all interfaces, all outbound interfaces, DHCP registration and DHCP static registration turned on. I also have a domain override enabled on each system that points to the other pfSense box for the other subdomain, therefore:
-
WEST pfSense (192.168.27.1) has
-
a domain override for east.mycorp.com pointing to 192.168.9.1
-
a host override set up for www.west.mycorp.com resolving to 192.168.27.199
-
-
EAST pfSense (192.168.9.1) has
-
a domain override for west.mycorp.com pointing to 192.168.27.1
-
a host override set up for www.east.mycorp.com resolving to 192.168.9.199
-
On my EAST network, I attempt an nslookup for www.west.mycorp.com and I don't get any resolution. During my testing (from a client) I check nslookup www.west.mycorp.com 192.168.9.1 and I get a denied message, so I turned on an access list on WEST pfSense to permit lookups from 192.168.9.0/24, after which my nslookup www.west.mycorp.com 192.168.9.1 successfully resolves to 192.168.27.199. :D Happy days, I've solved it, I thought. Not so fast, bnoeafk…
Multiple attempts to use my EAST pfSense to forward the resolution to the WEST don't seem to work, from the clients or from pfSense itself (Diagnostics > DNS Lookup). SSH'ing into the box and running unbound-control lookup www.west.mycorp.com reports back that there is "no delegation from cache; goes to configured roots".
I've tried a number of things (turning on / off DNS Querying Forwarding was suggested from https://doc.pfsense.org/index.php/Unbound_DNS_Resolver) but that doesn't appear to have helped either. Now obviously I need this to work from both sites, but at the moment I'm just trying to get EAST to read WEST's host overrides so that I can get on with life.
Anyone have any pointers or see where I'm going so drastically wrong?
Your humble servant,
bnoeafk.
-
-
I see you have all outbound interfaces selected.
I know when using OpenVPN you have to source the queries from something that is included in a remote network at the other side. I have mine set to LAN here.
You would probably need to source it from something in the local side of a phase 2 entry.
You can log into the firewall and use drill to see what's going on.
For example, on EAST
drill -I 192.168.9.1 @192.168.27.1 something.west.mycorp.com
-I is the source address of the query and @ is the name server to query.
This has the side effect of queries needing to go through NAT when going out WAN (instead of just having a source address of WAN address) but I am pretty sure it's the only way.
And IPSec firewall rules at the destination side (WEST in this example) have to pass the traffic, naturally.
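As an added illustration (not the poster's configuration and not the file pfSense itself generates), here are the unbound.conf directives that the WEST box's GUI settings in this thread correspond to, with Derelict's LAN-sourced outgoing interface and the access list applied; the 192.168.27.0/24 LAN subnet and the exact directive set pfSense emits are assumptions.

```conf
# Assumed unbound.conf for the WEST pfSense box (192.168.27.1). Constructed
# example; addresses come from the thread, subnets are assumed from them.
server:
    # Listen on every local interface, as the OP has it ("all interfaces").
    interface: 0.0.0.0
    interface: ::0
    port: 53

    # The fix from this thread: source outgoing queries from the LAN address
    # rather than "all", so queries for the forwarded zone match WEST's IPsec
    # phase 2 local network and enter the tunnel instead of leaving via WAN.
    outgoing-interface: 192.168.27.1

    # The "access list" the OP added. Only the local LAN and the remote EAST
    # LAN may query; everything else is refused, so the resolver is never an
    # open recursive resolver towards the WAN.
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.27.0/24 allow
    access-control: 192.168.9.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # Host override for the local web server (answered locally; other names
    # under the zone are still resolved normally).
    local-zone: "west.mycorp.com." transparent
    local-data: "www.west.mycorp.com. IN A 192.168.27.199"

    # DNS rebinding protection: answers that carry RFC1918 addresses are
    # normally discarded. The forwarded zone legitimately holds private
    # addresses, so it is exempted explicitly rather than disabling the check.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-domain: "east.mycorp.com"

# Domain override: everything under east.mycorp.com is forwarded to the EAST
# pfSense box through the tunnel (it needs the mirror-image config there).
forward-zone:
    name: "east.mycorp.com."
    forward-addr: 192.168.9.1
```

The EAST box needs the mirror image (outgoing-interface 192.168.9.1, access-control for 192.168.27.0/24, local-data for www.east.mycorp.com and a forward-zone for west.mycorp.com pointing at 192.168.27.1).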
-
Derelict,
Many thanks for your help. I've set the Outgoing Network Interfaces to LAN and now it's working just perfectly. I really appreciate this!
bnoeafk
-
I may have asked this question before in another thread (sorry if it has already been answered – I am an old man!) but what are the ramifications if any of doing this? It seems that setting Unbound's outgoing interface to LAN just fixes everything up in most cases, I am wondering why the default behavior is to set it to "ALL".