Bind not answering to openvpn peer

  • I seem to have a strange problem for which I can't seem to find an answer with Google.

    I've got two networks, each with a pfSense box between the modem and the network.
    I've got BIND running on both for some internal domains, and it looks up / caches the rest.
    I've got the two networks connected via OpenVPN between the pfSense boxes.

    Local domain lookups within either network work.
    Local domain lookups from any computer within either network to the BIND service running on the remote pfSense box work.
    Local domain lookups from either pfSense box to the other box just time out.

  • You need to check the logs or trace/tcpdump where it is being dropped. Could be a firewall blocking it, or BIND not configured to allow queries from a certain IP. Difficult to say with the information given.
    Can you ping from pfSense to pfSense over OpenVPN? I remember something changing a while back where my LAN had access to the remote network over OpenVPN, but there was no connectivity from the pfSense box to the remote gateway! Turned out I needed to revert from Hybrid NAT to manual and then it just worked.

  • It'll source that traffic from the IP nearest the destination, the OpenVPN tunnel IP. Need to allow BIND to answer that.
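The point in the reply above is that the firewall-to-firewall query arrives at BIND with the tunnel endpoint as its source address, not a LAN address, so both the listening socket and the query ACL have to cover the tunnel. The following named.conf fragment is an added example, not configuration posted in the thread or shipped by the pfSense BIND package; every address, zone name and path in it is an assumption chosen for illustration, and it would be adapted to the real tunnel network and LAN ranges.

```conf
// Added example: minimal named.conf fragment for the BIND instance on the
// site-A pfSense box. All addresses/names below are assumptions:
//   site-A LAN:         192.168.1.0/24   (pfSense LAN address 192.168.1.1)
//   site-B LAN:         192.168.2.0/24   (pfSense LAN address 192.168.2.1)
//   OpenVPN tunnel net: 10.8.0.0/24      (site A = 10.8.0.1, site B = 10.8.0.2)

acl "trusted" {
    127.0.0.1;
    192.168.1.0/24;   // local LAN clients
    192.168.2.0/24;   // remote LAN clients, reached through the tunnel
    10.8.0.0/24;      // the tunnel itself: the remote firewall sources from 10.8.0.2
};

options {
    directory "/var/db/named";   // assumption: use the path the package actually uses

    // Listen on the LAN address AND on the local tunnel endpoint. A query from
    // the remote firewall arrives on the OpenVPN interface addressed to
    // 10.8.0.1; if that address is absent here, BIND never sees the socket
    // and the client simply times out.
    listen-on { 127.0.0.1; 192.168.1.1; 10.8.0.1; };

    // Query ACLs must include the tunnel range as well, otherwise BIND
    // answers REFUSED (or drops) for a source of 10.8.0.2.
    allow-query       { trusted; };
    allow-recursion   { trusted; };
    allow-query-cache { trusted; };
};

zone "site-a.lan" {
    type master;
    file "site-a.lan.db";   // assumption: the internal zone file
};
```

After reloading (`rndc reload`), the split between "BIND problem" and "firewall problem" can be checked from the remote box with dig, which can pick its own source address: `dig -b 10.8.0.2 @10.8.0.1 host.site-a.lan` reproduces the firewall-to-firewall path, while `dig -b 192.168.2.1 @10.8.0.1 host.site-a.lan` reproduces the LAN-sourced path that already worked. Running `tcpdump -ni ovpns1 port 53` on the site-A box at the same time (interface name assumed) separates the two cases: if the query is seen arriving on the tunnel interface but no answer leaves, the listen-on or allow-query settings are still wrong; if the query never arrives at all, a pass rule on the OpenVPN firewall tab is what is missing, not the BIND configuration.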

  • tcpdump was showing DNS requests from the firewall were using the OpenVPN IP, and across the networks their respective network addresses.

    Even though I had allowed BIND to answer to the OpenVPN IP it still didn't work.
    There doesn't seem to be an option to let BIND specifically listen on the OpenVPN interface, but even adding this by hand didn't work.

    I have now solved it by putting NAT on Hybrid and forcing the LAN IP to be used when requesting port 53 over the VPN.
    This works, but is not really elegant...
