
Topic: Is there a way to do split DNS with road warriors? TinyDNS?


ryan29 wrote:
I have a very simple OpenVPN setup:

- clients are road warriors
- it's routed
- it's split (only traffic to the target LAN goes through the VPN)
- road warriors are pushed a DNS server
- the server is using the built-in DNS forwarder

When I connect as a road warrior from a client machine all DNS queries go to the VPN and the VPN resolves all of them. Is there an easy way to have the VPN answer queries for hosts that have been added to the forwarder and reject all other requests? I'll clarify:

Assume I have the following overrides in the DNS forwarder and that they point to IPs on my target LAN:

host1.site.localnet
host2.site.localnet

I want road warriors to be able to use those hosts, so I need to push DNS to them. However, for anything besides those two hosts, I want the road warriors to use their local DNS server(s).

I tried to use TinyDNS (as follows), but I must be doing something wrong. My first steps are:

1) Install TinyDNS
2) Bind TinyDNS to 127.0.0.1.
3) Use TinyDNS wizard to set up 'site.localnet' as the domain.
4) Add 'A' records for my hosts.
5) Update DNS in general settings:
5a) First entry is 127.0.0.1.
5b) Second entry is 208.67.222.222 (OpenDNS).
5c) Third entry is 208.67.220.220 (OpenDNS).
6) Enable DNS forwarder, without any overrides.

After that, I can SSH into my pfSense box and use the dig command to check the DNS. It works like I would expect. For example, host1.site.localnet gets resolved by 127.0.0.1 while google.ca gets resolved by 208.67.222.222.

However, when I switch to my local machine, none of the local hosts get resolved correctly. It's as if the DNS forwarder refuses to use 127.0.0.1 for DNS and skips straight to 208.67.222.222. I tried taking 127.0.0.1 out of my DNS and using the built-in DNS forwarder to delegate the site.localnet domain to 127.0.0.1, but that didn't work either. I'm not sure if that's a proper setup anyway, so I didn't spend too much time on it.

Is there an easier way of accomplishing what I want?

Edit: Here are some screenshots that show what I was trying to do with TinyDNS. It works like I expect when I'm connected to the VPN.

http://imgur.com/a/bGZgW
« Last Edit: July 13, 2011, 12:52:52 pm by jptech »
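The behaviour the post asks for on the server side, "answer queries for the hosts in the override list and reject everything else", is a split-horizon policy that a minimal DNS responder can express directly. The block below is an added, stand-alone example written for this thread; it is not pfSense, dnsmasq or TinyDNS code, and the 10.0.0.x addresses for host1/host2 are constructed placeholders for the poster's target-LAN IPs. It parses a UDP query, returns an authoritative A record for names in the override table, NOERROR with an empty answer for other record types of those names, and REFUSED for any other name, so it never forwards and cannot be used as an open resolver by VPN clients. Whether a road warrior's stub resolver then falls back to its own local DNS server after a REFUSED is a client-side question (most stub resolvers treat a pushed server as the only one), which is the part the original question actually hinges on.

```python
import socket
import struct

# Constructed override table: the two names from the post mapped to placeholder
# target-LAN addresses (assumption; substitute the real override IPs).
OVERRIDES = {
    "host1.site.localnet": "10.0.0.11",
    "host2.site.localnet": "10.0.0.12",
}
QTYPE_A, QCLASS_IN, TTL = 1, 1, 300
RCODE_NOERROR, RCODE_REFUSED = 0, 5
FLAG_QR, FLAG_AA, FLAG_RD = 0x8000, 0x0400, 0x0100


def encode_name(name):
    """Dotted hostname -> DNS wire labels, terminated by a zero-length label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(packet, offset):
    """Read labels at offset; returns (name, offset just past the name).
    Follows one compression pointer (our own answer records use one)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0:
            ptr = ((length & 0x3F) << 8) | packet[offset]
            labels.append(decode_name(packet, ptr)[0])
            return ".".join(labels), offset + 1
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length


def build_query(name, qtype=QTYPE_A, txid=0x1234):
    """A standard recursive query, as a road warrior's stub resolver would send it."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_query(packet):
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & FLAG_QR or qdcount != 1:
        raise ValueError("not a single-question query")
    qname, off = decode_name(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return txid, flags, qname.lower(), qtype, qclass, packet[12:off + 4]


def build_response(packet, overrides=OVERRIDES):
    """Policy: A records for override names only; every other name is REFUSED."""
    txid, flags, qname, qtype, qclass, question = parse_query(packet)
    rd = flags & FLAG_RD
    ip = overrides.get(qname)
    if qclass != QCLASS_IN or ip is None:
        # Not one of ours: refuse rather than forward upstream.
        header = struct.pack("!HHHHHH", txid, FLAG_QR | rd | RCODE_REFUSED, 1, 0, 0, 0)
        return header + question
    if qtype != QTYPE_A:
        # Our name, but no record of that type: NOERROR, empty answer section.
        header = struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_AA | rd, 1, 0, 0, 0)
        return header + question
    # Answer RR: name pointer to offset 12 (the question name), type, class, TTL, rdata.
    rr = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, TTL, 4) + socket.inet_aton(ip)
    header = struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_AA | rd, 1, 1, 0, 0)
    return header + question + rr


def rcode(response):
    return struct.unpack("!H", response[2:4])[0] & 0x000F


def answer_ips(response):
    """Extract the A-record addresses from the answer section of a response."""
    ancount = struct.unpack("!H", response[6:8])[0]
    _, off = decode_name(response, 12)
    off += 4  # skip QTYPE/QCLASS of the question
    ips = []
    for _ in range(ancount):
        _, off = decode_name(response, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        if rtype == QTYPE_A:
            ips.append(socket.inet_ntoa(response[off:off + rdlen]))
        off += rdlen
    return ips


def serve(bind="127.0.0.1", port=5353):
    """Bind to loopback, like the TinyDNS step in the post, and answer UDP queries."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            sock.sendto(build_response(data), peer)
        except (ValueError, IndexError, struct.error, UnicodeDecodeError):
            pass  # malformed query: drop it


if __name__ == "__main__":
    serve()
```

Run it and point dig at it (`dig @127.0.0.1 -p 5353 host1.site.localnet`) to see the override answered, then query any other name to see REFUSED; the `build_query` and `answer_ips` helpers let the same check be done without a network. Port 5353 is a non-privileged placeholder so the example can be run unprivileged; a production forwarder would listen on 53.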