OpenVPN DNS resolver issue

#1

Hi Everyone,

I use a pfSense router and OpenVPN to connect to my network from outside. Everything is working fine via IP, but if I want to connect to something using the device DNS names, resolving doesn’t work. I know this is a DNS problem, but I don’t know how to configure it correctly.

My current configuration:


2019-05-02%2009_22_30-HP-2570P%20-%20TeamViewer

Thank you in advance,

Adam from Hungary

#2

Once connected, can you get a DNS response for a local address? You can test by using dig @192.168.111.1 SomeComputerOnYourNetwork and see what the response is. https://youtu.be/hYZY75xMjlY

#3

Tom’s video covers how easy dig is; if you are on Windows and just want a quick command line to check:

nslookup SomeComputerOnYourNetwork 192.168.111.1

It won’t give as much detail as dig, but will tell you if the server knows the IP.

#4

Also, if you are using Windows 10, the “Windows Subsystem for Linux” is great and has dig.

#5

I did the test locally (everything is working as it should be); I can reach my test device (NAS) using the NAS DNS name:

Connected via OpenVPN (I used my mobile internet for the test, but I got the same result with the other internet), I can’t reach the NAS, only by IP:

OpenVPN status window:

Someone had the same issue before: „I was having an issue using this tutorial with DNS. I had only configured my DNS server and it would not resolve my internal names when using the VPN. The trick is to use ACLs in Unbound (DNS resolver) to allow the VPN virtual network to connect.”
But I don’t know what he did with the ACLs. I don’t want to make a mistake and create a security hole in my network.

Thank you in advance!
Adam

#6

Adam,
Both the Dig and NSLookup didn’t give you a valid “answer” or record. Dig should give you something like this:

;; ANSWER SECTION:
COMPUTERNAME	3600	IN	A	192.168.11X.X

I notice on the nslookup that the name server fully resolved itself: from you using the IP 192.168.111.1, it responded back with a named response of PAPPLAN-R1.PAPP.LAN.

I am not an expert at this, but whenever my DNS server wasn’t communicating properly I never got it to spit back a name, just the IP.

Are you sure an A record exists on the server to answer you back for papplan-nas at 192.168.111.1?

I don’t know how much this will prove… I’m just running through troubleshooting steps in my head.

If you do:
dig @PAPPLAN-R1.PAPP.LAN google.com
and that works with an answer section… then I would say DNS resolution is working, you just have no record.
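
The distinction this post is drawing (a valid ANSWER SECTION versus a reply with no record in it) can be checked mechanically. The script below is an added example, not code from any post in this thread: it parses dig's text output and classifies the result into the cases that matter for this problem, including a REFUSED status, which is what a resolver returns when its access-control list does not allow the client's source network. The sample outputs are constructed, using the hostname and addresses mentioned in the thread (papplan-nas.papp.lan, 192.168.111.51, resolver 192.168.111.1); the `parse_dig` and `diagnose` function names are this example's own.

```python
import re

# Constructed sample dig outputs (not captured from the thread's network).
SAMPLE_OK = """\
; <<>> DiG 9.16.1 <<>> @192.168.111.1 papplan-nas.papp.lan
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;papplan-nas.papp.lan.\t\tIN\tA

;; ANSWER SECTION:
papplan-nas.papp.lan.\t3600\tIN\tA\t192.168.111.51

;; Query time: 1 msec
;; SERVER: 192.168.111.1#53(192.168.111.1)
"""

# What a client sees when the resolver's ACL does not allow its source network.
SAMPLE_REFUSED = """\
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4243
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;papplan-nas.papp.lan.\t\tIN\tA
"""

# Resolver reachable and allowed, but no record for the name exists.
SAMPLE_NXDOMAIN = """\
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4244
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;papplan-nas.papp.lan.\t\tIN\tA

;; AUTHORITY SECTION:
papp.lan.\t3600\tIN\tSOA\tpapplan-r1.papp.lan. hostmaster.papp.lan. 1 3600 900 604800 3600
"""

# No reply at all (firewall rule or wrong interface binding, not a DNS record issue).
SAMPLE_TIMEOUT = ";; connection timed out; no servers could be reached\n"

STATUS_RE = re.compile(r"status: ([A-Z]+)")


def parse_dig(output):
    """Return {'status': <RCODE or None>, 'answers': [records]} from dig text output."""
    status = None
    answers = []
    in_answer = False
    for line in output.splitlines():
        if line.startswith(";; ->>HEADER<<-"):
            m = STATUS_RE.search(line)
            if m:
                status = m.group(1)
            continue
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        # Any comment line or blank line ends the answer section; this keeps
        # AUTHORITY/ADDITIONAL records from being mistaken for answers.
        if not line.strip() or line.startswith(";"):
            in_answer = False
            continue
        if in_answer:
            fields = line.split()
            if len(fields) >= 5:
                name, ttl, rclass, rtype = fields[:4]
                answers.append({
                    "name": name.rstrip("."),
                    "ttl": int(ttl),
                    "class": rclass,
                    "type": rtype,
                    "rdata": " ".join(fields[4:]),
                })
    return {"status": status, "answers": answers}


def diagnose(output):
    """Classify a dig result as (code, explanation) for the VPN-DNS troubleshooting cases."""
    result = parse_dig(output)
    a_records = [r["rdata"] for r in result["answers"] if r["type"] == "A"]
    if result["status"] is None:
        return ("no-response", "no reply at all: check firewall rules and which interfaces the resolver listens on")
    if result["status"] == "REFUSED":
        return ("refused", "resolver rejected the query: its access-control list does not allow this client's network")
    if result["status"] == "NXDOMAIN":
        return ("nxdomain", "resolver answered but has no record for this name: add a host override / local-data entry")
    if result["status"] == "NOERROR" and not a_records:
        return ("no-a-record", "NOERROR but the answer section holds no A record")
    if result["status"] == "NOERROR":
        return ("ok", "resolved to " + ", ".join(a_records))
    return ("unexpected", "status " + result["status"])


if __name__ == "__main__":
    for label, sample in [("ok", SAMPLE_OK), ("refused", SAMPLE_REFUSED),
                          ("nxdomain", SAMPLE_NXDOMAIN), ("timeout", SAMPLE_TIMEOUT)]:
        print(label, "->", diagnose(sample))
```

To use it on a real query, pipe the output of `dig @192.168.111.1 papplan-nas.papp.lan` into `diagnose()`: a `refused` result points at the ACL that post #5 quotes, an `nxdomain` result at the missing record that post #6 suspects, and `no-response` at interface binding or firewall rules rather than DNS data.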

#7

I ran into this problem recently. I had to change the DNS Resolver’s Interface from all to specific interfaces plus localhost.

I’ll post screenshots when I get home from work.

#8

Hi Shane,

I got the following result:

#9

Seems to me you just don’t have any A record present for local devices. They don’t get there by magic; you have to create the record (or have something set up/enabled to allow clients to register their hostname and IP).

What is the DNS server?
PFSense?

This might help if it is PFSense:
https://docs.netgate.com/pfsense/en/latest/dns/unbound-dns-resolver.html#configuration

Let’s say the client you want is papplan-nas at 192.168.111.51.
You would need:
local-data: "papplan-nas.papp.lan A 192.168.111.51"

Please note: I don’t have, nor do I use PFSense, so please follow the docs guide or wait for Tom or others. I have only done DNS with BIND on Linux or Windows Server.
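
As an added example (not from any post in this thread), here is what the two pieces of advice above look like together in Unbound’s own configuration syntax: the access-control entry for the VPN network that post #5 quotes, the local-data record for the NAS from post #9, and the narrower interface binding from post #7. It assumes the LAN is 192.168.111.0/24 as in the thread, and uses 10.8.0.0/24 and 10.8.0.1 as assumed placeholders for the OpenVPN tunnel network and the firewall’s tunnel address; on pfSense these directives correspond to the DNS Resolver GUI tabs (Network Interfaces, Access Lists, Host Overrides), so the fragment is for understanding the settings rather than for pasting in.

```conf
server:
    # Listen only where clients actually are: localhost, the LAN address and
    # the VPN tunnel address, instead of every interface on the box.
    interface: 127.0.0.1
    interface: 192.168.111.1
    interface: 10.8.0.1                  # assumed firewall address on the VPN tunnel

    # Access control: allow the LAN and the VPN tunnel network explicitly and
    # refuse everything else. A VPN client that is not covered here gets a
    # REFUSED reply instead of an answer; a 0.0.0.0/0 allow would turn the
    # box into an open resolver, which is the "security hole" to avoid.
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.111.0/24 allow
    access-control: 10.8.0.0/24 allow    # assumed OpenVPN tunnel network
    access-control: 0.0.0.0/0 refuse

    # Static record for the NAS (a pfSense "Host Override" produces the same).
    # Unbound creates a transparent local zone for the name automatically.
    local-data: "papplan-nas.papp.lan. A 192.168.111.51"
    local-data-ptr: "192.168.111.51 papplan-nas.papp.lan."
```

The point for the security concern raised in post #5: the ACL only widens access to the tunnel network that OpenVPN clients are given, not to the internet, so the resolver stays closed to outside queries while VPN users get local names.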

#10

I got a solution!

I checked the DNS records on my DNS server as you, Shane, and tbigs2011 suggested. My DNS server is my pfSense. So I checked the DNS resolver settings and added my test subject to the host overrides.

And now DNS resolving is working on the VPN. I hope this doesn’t make a big security hole in my network. :stuck_out_tongue:

Thank you everyone!

#11

Awesome! I am excited you got it working! Sorry I have been swamped this week. I know I was pulling my hair out with this about two months ago. lol