
Topic: DNS Resolver fails when IPsec VPN is connected

zMaliz
DNS Resolver fails when IPsec VPN is connected
« on: January 02, 2018, 02:14:09 pm »
Hi
I have DNS Resolver installed and running.
The dashboard shows my DNS server as 127.0.0.1

DNS Resolver is configured for All internal and external interfaces.
As far as I can tell DNS resolves correctly until my IPsec VPN connects.

The VPN is connecting me to the office, which seems to work well. I have rules allowing several devices to route from the LAN to the office, but all other devices are blocked from the VPN.

On the IPsec rules I have allowed access to specific devices and all others are blocked.

Once the VPN connects then DNS fails to resolve.
Can anyone suggest what to check and how to resolve this?

Thanks
« Last Edit: January 02, 2018, 03:37:46 pm by zMaliz »

Derelict (Global Moderator)
Re: DNS Resolver fails when IPsec VPN is connected
« Reply #1 on: January 02, 2018, 02:17:18 pm »
What are your IPsec traffic selectors (phase 2 networks) ??
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESSTM

zMaliz
Re: DNS Resolver fails when IPsec VPN is connected
« Reply #2 on: January 02, 2018, 02:38:08 pm »
Thanks for the reply. I'm not sure what you need.

Phase2 is configured as

Tunnel IPv4
LAN Subnet
NAT/BINAT none

Network 192.168.9.0/24
Protocol ESP
AES 256bits SHA1

Is that what is needed?
Thanks

Derelict (Global Moderator)
Re: DNS Resolver fails when IPsec VPN is connected
« Reply #3 on: January 02, 2018, 03:14:27 pm »
Yeah. That shouldn't impact DNS resolver at all.

zMaliz
Re: DNS Resolver fails when IPsec VPN is connected
« Reply #4 on: January 02, 2018, 03:38:36 pm »
Any idea why this doesn't work?
I can get logs tomorrow if that helps.

Thanks

Derelict (Global Moderator)
Re: DNS Resolver fails when IPsec VPN is connected
« Reply #5 on: January 02, 2018, 04:15:17 pm »
What logs?

Do basic DNS troubleshooting and see where the failure is.

dig/drill are your friends there.

zMaliz
Re: DNS Resolver fails when IPsec VPN is connected
« Reply #6 on: January 02, 2018, 04:45:21 pm »
For a test I've disabled the IPsec VPN and restarted DNS Resolver.

I still don't get any resolution using the server address as 127.0.0.1
All testing is done via SSH direct on the pfSense server.

Quote
dig bbc.co.uk
; <<>> DiG 9.11.1-P1 <<>> bbc.co.uk
;; global options: +cmd
;; connection timed out; no servers could be reached

drill bbc.co.uk
Error: error sending query: Could not send or receive, because of network error

nslookup
> server 8.8.8.8
Default server: 8.8.8.8
Address: 8.8.8.8#53

> bbc.co.uk
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   bbc.co.uk
Address: 151.101.128.81
Name:   bbc.co.uk
Address: 151.101.192.81
Name:   bbc.co.uk
Address: 151.101.0.81
Name:   bbc.co.uk
Address: 151.101.64.81
Name:   bbc.co.uk
Address: 2a04:4e42:200::81
Name:   bbc.co.uk
Address: 2a04:4e42::81
Name:   bbc.co.uk
Address: 2a04:4e42:400::81
Name:   bbc.co.uk
Address: 2a04:4e42:600::81

> server 127.0.0.1
Default server: 127.0.0.1
Address: 127.0.0.1#53
> bbc.co.uk
;; connection timed out; no servers could be reached
>


After a couple of minutes DNS resolves and NOTHING has been changed.

Quote
dig bbc.co.uk

; <<>> DiG 9.11.1-P1 <<>> bbc.co.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30606
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;bbc.co.uk.                     IN      A

;; ANSWER SECTION:
bbc.co.uk.              47      IN      A       151.101.64.81
bbc.co.uk.              47      IN      A       151.101.128.81
bbc.co.uk.              47      IN      A       151.101.0.81
bbc.co.uk.              47      IN      A       151.101.192.81

;; AUTHORITY SECTION:
bbc.co.uk.              19      IN      NS      ns3.bbc.co.uk.
bbc.co.uk.              19      IN      NS      ns4.bbc.co.uk.
bbc.co.uk.              19      IN      NS      ns3.bbc.net.uk.
bbc.co.uk.              19      IN      NS      ns4.bbc.net.uk.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jan 02 22:42:52 GMT 2018
;; MSG SIZE  rcvd: 182


drill bbc.co.uk

;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 64161
;; flags: qr rd ra ; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 0
;; QUESTION SECTION:
;; bbc.co.uk.   IN      A

;; ANSWER SECTION:
bbc.co.uk.      40      IN      A       151.101.64.81
bbc.co.uk.      40      IN      A       151.101.128.81
bbc.co.uk.      40      IN      A       151.101.0.81
bbc.co.uk.      40      IN      A       151.101.192.81

;; AUTHORITY SECTION:
bbc.co.uk.      12      IN      NS      ns3.bbc.co.uk.
bbc.co.uk.      12      IN      NS      ns4.bbc.co.uk.
bbc.co.uk.      12      IN      NS      ns3.bbc.net.uk.
bbc.co.uk.      12      IN      NS      ns4.bbc.net.uk.

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; SERVER: 127.0.0.1
;; WHEN: Tue Jan  2 22:42:59 2018
;; MSG SIZE  rcvd: 171


nslookup
> server 127.0.0.1
Default server: 127.0.0.1
Address: 127.0.0.1#53
> bbc.co.uk
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   bbc.co.uk
Address: 151.101.64.81
Name:   bbc.co.uk
Address: 151.101.128.81
Name:   bbc.co.uk
Address: 151.101.0.81
Name:   bbc.co.uk
Address: 151.101.192.81
Name:   bbc.co.uk
Address: 2a04:4e42:600::81
Name:   bbc.co.uk
Address: 2a04:4e42::81
Name:   bbc.co.uk
Address: 2a04:4e42:200::81
Name:   bbc.co.uk
Address: 2a04:4e42:400::81

Can you advise how I look into this further to see why it stopped and then started resolving DNS?

Thanks
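Reply #5 says to do basic DNS troubleshooting with dig/drill, and Reply #6 shows the two outcomes that matter: a timeout against 127.0.0.1 while 8.8.8.8 answers, and later NOERROR from both. The script below is an added example, not from the thread and not pfSense's own tooling. It turns that manual comparison into a repeatable check: it classifies the text output of a dig run and combines the local and upstream results into a pointer at where to look next. The domain, the upstream resolver address (8.8.8.8), the function names and the sample outputs are all my own assumptions; the samples are constructed in the shape of the dig runs quoted above so the classifier can be exercised without network access.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense: classify dig output and combine
# a query to the local resolver (127.0.0.1) with one to an upstream resolver to see
# where a DNS failure sits. Names and the upstream address (8.8.8.8) are assumptions.

# classify_dig: read the text output of one dig run on stdin and print a single word:
#   timeout  - "connection timed out; no servers could be reached": no UDP reply at all
#              (nothing listening on that address, firewalled, or no route to it)
#   ok       - status NOERROR with at least one answer record
#   nodata   - status NOERROR but an empty answer section
#   servfail - status SERVFAIL: the resolver answered but could not resolve
#              (cannot reach upstream/root servers, DNSSEC validation failure, ...)
#   nxdomain - status NXDOMAIN: the name does not exist
#   unknown  - anything else (read the raw output by hand)
classify_dig() {
    out=$(cat)
    case "$out" in
        *"connection timed out; no servers could be reached"*) echo timeout; return 0 ;;
    esac
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    answers=$(printf '%s\n' "$out" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1)
    case "$status" in
        NOERROR)  if [ "${answers:-0}" -gt 0 ]; then echo ok; else echo nodata; fi ;;
        SERVFAIL) echo servfail ;;
        NXDOMAIN) echo nxdomain ;;
        *)        echo unknown ;;
    esac
}

# diagnose LOCAL UPSTREAM: map the pair of classifications to the next thing to check.
diagnose() {
    case "$1:$2" in
        ok:*)            echo "127.0.0.1 resolves: unbound is fine, look at client DNS settings and rules to port 53 instead" ;;
        timeout:ok)      echo "no reply from 127.0.0.1 but upstream works: check that unbound is running and listening (sockstat -l -p 53), then its log" ;;
        timeout:timeout) echo "nothing resolves: check the default route and WAN (netstat -rn), not unbound" ;;
        servfail:ok)     echo "unbound answers but cannot resolve while upstream works: check the route from unbound's outgoing address to the Internet, and DNSSEC" ;;
        *)               echo "local=$1 upstream=$2: read the raw dig output" ;;
    esac
}

# triage NAME UPSTREAM: run both live queries (short timeout, one try) and diagnose.
triage() {
    name=${1:-bbc.co.uk}
    upstream=${2:-8.8.8.8}
    local_r=$(dig +time=2 +tries=1 "$name" @127.0.0.1 2>&1 | classify_dig)
    up_r=$(dig +time=2 +tries=1 "$name" @"$upstream" 2>&1 | classify_dig)
    echo "127.0.0.1 -> $local_r   $upstream -> $up_r"
    diagnose "$local_r" "$up_r"
}

# Constructed sample outputs (shaped like the dig runs quoted in the thread) so the
# classifier can be exercised without network access.
SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30606
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 1'
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Only hit the network when asked: DNS_TRIAGE_RUN=1 ./dns_triage.sh [name] [upstream]
if [ "${DNS_TRIAGE_RUN:-0}" = 1 ]; then
    triage "$@"
fi
```

The distinction the classifier draws is the one that matters when reading the thread's output: a timeout to 127.0.0.1 means no datagram came back at all, so the daemon was not listening or the packet was dropped, whereas SERVFAIL means unbound was up and answered but could not reach anything upstream, which points at routing or the outgoing interface rather than at the listener. Running it from an SSH session on the firewall, as the poster did, keeps client-side caches and rules out of the picture.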

Derelict (Global Moderator)
Re: DNS Resolver fails when IPsec VPN is connected
« Reply #7 on: January 02, 2018, 10:49:04 pm »
No idea. Something in your routing changing, perhaps. What are the WAN settings? Any Multi-WAN? What are your DNS Resolver settings?

zMaliz
Re: DNS Resolver fails when IPsec VPN is connected
« Reply #8 on: January 03, 2018, 03:55:25 am »
I made a slight change to the DNS Resolver configuration last night.

I changed Network Interfaces & Outgoing Network Interfaces from ALL and selected the specific interfaces needed.
I also disabled the DHCP Registration & Static DHCP options.

Since then it's been resolving fine. I'll keep monitoring, but so far so good.

Thanks
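Reply #8 changes Network Interfaces and Outgoing Network Interfaces from All to specific interfaces. The check below is an added example, not from the thread and not pfSense's own code: it reports what the generated unbound configuration actually binds to and what is listening on port 53, so the GUI change can be confirmed on the box rather than inferred from whether resolution happens to work. It assumes the generated config lives at /var/unbound/unbound.conf (pfSense's usual location; override it with the first argument), that "All" for listen interfaces appears as `interface: 0.0.0.0` and `interface: ::0`, and that "All" for outgoing interfaces appears as the absence of any `outgoing-interface:` line, which is unbound's default; the two sample configurations are constructed to mirror the before and after settings.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense: report what the generated unbound
# configuration binds to and what is actually listening on port 53.
# Assumptions: pfSense writes the config to /var/unbound/unbound.conf (override via $1);
# "All" listen interfaces appear as interface: 0.0.0.0 / ::0; "All" outgoing interfaces
# appear as no outgoing-interface: line (unbound then sends from any local address).

UNBOUND_CONF=${1:-/var/unbound/unbound.conf}

# conf_values FILE KEY: print the value of every "KEY: value" line (unbound.conf is
# one "key: value" per line; leading whitespace and trailing comments are dropped).
conf_values() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1"
}

# mode_of "ADDR ADDR ..." DEFAULT: wildcard if any address is 0.0.0.0 or ::0,
# specific if only concrete addresses are listed, DEFAULT if the list is empty.
mode_of() {
    if [ -z "$1" ]; then
        echo "$2"
        return 0
    fi
    for a in $1; do
        case "$a" in
            0.0.0.0|::0|::) echo wildcard; return 0 ;;
        esac
    done
    echo specific
}

# classify_binds FILE: "listen=<mode> outgoing=<mode>" for the given unbound.conf.
# An absent outgoing-interface list is reported as wildcard because that is unbound's
# default, i.e. the "All" case from the thread.
classify_binds() {
    listen=$(mode_of "$(conf_values "$1" interface)" none)
    outgoing=$(mode_of "$(conf_values "$1" outgoing-interface)" wildcard)
    echo "listen=$listen outgoing=$outgoing"
}

# show_listeners: list sockets bound to port 53. sockstat is FreeBSD/pfSense; on Linux
# the equivalent is: ss -lnup 'sport = :53'
show_listeners() {
    if command -v sockstat >/dev/null 2>&1; then
        sockstat -l -p 53
    else
        echo "sockstat not found; not a FreeBSD/pfSense host" >&2
        return 1
    fi
}

# write_samples: constructed configs (not from the thread) mirroring the "All" setting
# and the explicit setting from Reply #8. Prints the directory they were written to.
write_samples() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/unbound-check.XXXXXX")
    printf 'server:\n  interface: 0.0.0.0\n  interface: ::0\n  port: 53\n' > "$dir/all.conf"
    printf 'server:\n  interface: 127.0.0.1\n  interface: 192.168.1.1\n  outgoing-interface: 203.0.113.10\n  port: 53\n' > "$dir/specific.conf"
    echo "$dir"
}

# Only touch the real system when asked: UNBOUND_CHECK_RUN=1 ./unbound_binds.sh [conf]
if [ "${UNBOUND_CHECK_RUN:-0}" = 1 ]; then
    classify_binds "$UNBOUND_CONF"
    show_listeners
fi
```

The listen side is the security-relevant half. A wildcard bind makes every address the firewall holds a resolver address, including the ones reachable from the remote site over the tunnel, so only the per-interface firewall rules stand between office hosts and the resolver; the poster's IPsec rules already restrict which devices may cross the tunnel, and an explicit bind to the LAN and loopback addresses keeps the resolver out of reach even if those rules are later loosened. The outgoing side decides which source address unbound's upstream queries leave from, which is why it is worth confirming it matches the route you expect after a VPN change.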