
Topic: DNS forwarder not working


jonnytabpni
DNS forwarder not working
« on: March 11, 2009, 05:35:22 pm »
Hi folks.

My friend and I are connected to each other using two pfSense boxes over IPsec. I host a Windows DNS server for the domain xyz.local. On my friend's side, he just uses his pfSense box as his DNS server and uses .local as his domain.

When he tries to use the DNS forwarder to forward all requests for xyz.local to my Windows DNS server, it doesn't resolve...

Any ideas?

Changing his domain from .local to .somethingelse doesn't seem to help.

He has to manually add each host to his list to be able to resolve hosts on my side.

Cheers

GruensFroeschli (Global Moderator)
Re: DNS forwarder not working
« Reply #1 on: March 13, 2009, 11:52:32 am »
How exactly are you trying to forward all requests for xyz.local to the Windows DNS server?
Via the
"Below you can override an entire domain by specifying an authoritative dns server to be queried for that domain."
option at the bottom of the page?
We do what we must, because we can.

Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

Bern
Re: DNS forwarder not working
« Reply #2 on: March 13, 2009, 11:57:29 am »
Does it resolve if he queries your DNS server directly?

Let's say he's on 192.168.1.x and your DNS server is 192.168.2.1, does this work:

nslookup something.xyz.local 192.168.2.1

jonnytabpni
Re: DNS forwarder not working
« Reply #3 on: March 13, 2009, 06:18:45 pm »
Hi Bern,

Thanks for your help.

Your idea of trying it directly DOES indeed work.

It's just that when using the "Below you can override an entire domain by specifying an authoritative dns server to be queried for that domain." option in pfSense, it doesn't work.

Any ideas?

Cheers
« Last Edit: March 13, 2009, 06:42:50 pm by jonnytabpni »

Sateetje
Re: DNS forwarder not working
« Reply #4 on: March 25, 2009, 04:51:50 am »
I have the same problem. The "override an entire domain" doesn't work if the DNS server is on the other site (IPsec tunnel). I think that the DNS resolving is done directly on the WAN interface, so the address 192.168.2.1 isn't known. It doesn't go through the IPsec tunnel. I hope you understand, but I don't know a solution.

nniemeyer
Re: DNS forwarder not working
« Reply #5 on: April 21, 2009, 06:31:11 pm »
I am seeing the same issue, does anyone have a solution? Both firewalls are connected via IPsec.

FirewallA.domainA - pfsense version 1.2.2
FirewallB.domainB - pfsense version 1.2.2 - Setting domain override within the DNS forwarder to point to the LAN carp address on FirewallA

Specifying within nslookup to use the carp address from Firewall A as the DNS server works, and resolves hostname.domainA correctly.
However, when trying to rely upon the override, Firewall B appends its domain to the end of the request, trying to resolve hostname.domainA.domainB, which of course doesn't and shouldn't exist.

Any ideas?

Thanks,
Nick

Itwerx
Re: DNS forwarder not working
« Reply #6 on: April 25, 2009, 12:31:49 am »
Without actually trying it out in the lab, I'd say this sounds more like a routing or NAT issue.

Briantist
Re: DNS forwarder not working
« Reply #7 on: June 08, 2009, 08:46:55 pm »
I got this very situation to work. I created an IPSec VPN tunnel to my job, and in order to get xyz.local requests to work, I used the DNS forwarder. The trick was to set a static route in the system static routes. So in your case, your friend would set a static route on his LAN interface, with destination network being the ones exposed via VPN (192.168.2.0/24), and the gateway being his own pfSense address on the LAN (192.168.1.1?). Then in DNS forwarder, you can set the authoritative address to the real address of the DNS server (192.168.2.1 or whatever). I successfully did this with two different IPSec tunnels simultaneously with no ill effects or routing issues.

Hopefully someone can help me though. I just changed my VPN tunnel so that I now use OpenVPN, and this method no longer works. I have tried all different combinations of DNS forwarder settings, static route settings, etc. I can't seem to figure it out. Can anyone help? Should I post a new thread?
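A check for the routing side of the static-route trick described above, added here as an example (it is not code from the thread or from pfSense): it parses a constructed netstat -rn-style table for the friend's box and reports, by longest-prefix match, whether the DNS server named in the override (192.168.2.1) is covered only by the default route out of the WAN or by a 192.168.2.0/24 static route via the LAN address, which is what Reply #7 adds. Interface names (em0/em1), the WAN gateway 203.0.113.1 and the table contents are assumptions.

```python
# Added example (not from the thread): which route would carry a query from
# the pfSense box itself to the DNS server named in a domain override?
# Reply #4 suspects such queries leave directly via the WAN interface; Reply #7
# works around that with a static route for the remote subnet via the LAN IP.
import ipaddress

# Constructed "netstat -rn"-style snapshot of the friend's box (LAN 192.168.1.1):
# only the LAN route and a default route out of the (assumed) WAN interface em0.
ROUTES_BEFORE = """\
default            203.0.113.1    UGS    em0
192.168.1.0/24     link#1         U      em1
"""
# Same box after the static route from Reply #7: the remote /24 is pointed at
# the box's own LAN address instead of falling through to the default route.
ROUTES_AFTER = ROUTES_BEFORE + "192.168.2.0/24     192.168.1.1    UGS    em1\n"


def parse_routes(text):
    """Turn 'destination gateway flags iface' lines into (network, gw, iface)."""
    routes = []
    for line in text.splitlines():
        dest, gw, _flags, iface = line.split()
        net = ipaddress.ip_network("0.0.0.0/0" if dest == "default" else dest)
        routes.append((net, gw, iface))
    return routes


def lookup(routes, address):
    """Longest-prefix match: the most specific route containing the address."""
    ip = ipaddress.ip_address(address)
    best = None
    for net, gw, iface in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best


def override_path(routes, dns_server, wan_iface="em0"):
    """Classify how the box would send a query to the override's DNS server."""
    match = lookup(routes, dns_server)
    if match is None:
        return "no-route"
    net, gw, iface = match
    if net.prefixlen == 0 and iface == wan_iface:
        return "default-route-via-wan"      # the situation Reply #4 describes
    return "specific-route:%s via %s on %s" % (net, gw, iface)


if __name__ == "__main__":
    for label, table in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        print(label, override_path(parse_routes(table), "192.168.2.1"))
```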

franklookyou
Re: DNS forwarder not working
« Reply #8 on: June 11, 2009, 08:51:19 pm »
Admittedly this was with the 1.2 release, but I experimented with that exact setup (AD, site-to-site, OVPN) -- it worked fine and I don't recall any difficulties in getting it working.

So, it at least was possible.

blackb1rd
Re: DNS forwarder not working
« Reply #9 on: June 27, 2009, 05:50:40 am »
Well, for me this issue still exists. Resolving directly over the IPsec tunnel works fine, but the specified override for xyz.local doesn't. Running 1.2.3-RC1.
Also tried Briantist's suggestion by adding a static route for the /24 remote-end subnet, pointed at the local LAN GW; no success either.
« Last Edit: June 27, 2009, 05:53:19 am by blackb1rd »

jratzo
Re: DNS forwarder not working
« Reply #10 on: July 03, 2009, 11:14:16 am »
Did you try setting it on his NIC also? In the advanced settings of IPv4, under the DNS tab, DNS suffix? Have him set it to your domain.