Split DNS over OpenVPN

Hello

I need some help with pfSense + OpenVPN + Split DNS. According to the last post of this topic, I started to change my settings:

I have a working VPN with all DNS requests going over the OpenVPN connection to the company DNS (internal on pfSense); requests to non-company DNS are blocked.

To get Split DNS to work I enabled DNS Default Domain and set the domain to mycompany.org; the DNS was already set to the company DNS. In this case the DNS requests to non-internal DNS are no longer blocked, fine, but the requests for all the internal domains (mycompany.org, service.mycompany.org) are not sent to the company DNS.

So I started searching for the reason and followed the OpenVPN Troubleshooting DNS.

I am missing the IPv4 DNS on the OpenVPN connection and the ConnectionSpecificSuffix on the OpenVPN connection. I can reach the company DNS: nslookup service.mycompany.org 10.110.3.1 works, but nslookup service.mycompany.org only sends the DNS request on the local LAN.

How do I get Split DNS to work? What did I miss?

If you need more information, please ask.

BdT
Varmandra

ipconfig /all

(a different DNS suffix on the Ethernet adapter "Ethernet" than the company one)

netsh namespace show effectivepolicy

(at the moment the NameServer is doubled because I set it on the VPN server and a second time in the client config)

Get-NetIPConfiguration

Get-DnsClientServerAddress

Get-DnsClientNrptPolicy

Get-DnsClientNrptRule

Get-DnsClient

If you use a managed switch I wouldn’t bother with split DNS, just set up a VLAN with all the traffic exiting from the VPN.

The problem is that a special service requests a DNS record and, depending on the ISP you have, you get different answers. If you are in the home office and the request is sent over the VPN, you get the answer for the ISP of the office. If you have the same ISP, no problem, but if you have another ISP this service doesn’t work.

That’s my problem, and there is no way to change something in the service or software.

BdT
Varmandra

A little confusing: I made one change to the OpenVPN config, dhcp-option DOMAIN mycompany.org

I use a tool (DNSQuerySniffer from NirSoft) to take a look at the DNS requests. (Wireshark will work too, but it is a little more complex.)

If I do an nslookup inside PowerShell, I get the answer from my local DNS, and for company domains I get no answer (because none of them are known to public DNS). I can see this request on the local LAN interface.

When I check chrome://net-internals/#dns I get a correct answer for company domains and I can see the DNS request on the OpenVPN LAN.

So for me it looks like Split DNS works for browsers (Chrome, Firefox, Edge) and some other software (PuTTY, WinSCP, Explorer).
The nslookup command in cmd (or PowerShell) doesn’t use Split DNS, so after long searching and trying, it seems to work like I want it to.

BdT
Varmandra
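An added diagnostic, not code from the thread or from OpenVPN, that does in one run the comparison the posts make by hand: it lists the DNS servers and connection-specific suffix per interface, shows whether any NRPT rule covers the internal domain, and resolves the same name through the system resolver, directly against the VPN DNS, and with nslookup. The domain mycompany.org, the name service.mycompany.org and the server 10.110.3.1 are assumptions taken from the posts; run it in PowerShell on the Windows client while the VPN is up.

```powershell
# Added example (not from the thread). Assumed values from the posts:
# internal domain mycompany.org, company DNS 10.110.3.1.
param(
    [string]$Name   = 'service.mycompany.org',
    [string]$Domain = 'mycompany.org',
    [string]$VpnDns = '10.110.3.1'
)

Write-Host "== Per-interface IPv4 DNS servers and connection-specific suffixes =="
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object {
        $suffix = (Get-DnsClient -InterfaceIndex $_.InterfaceIndex).ConnectionSpecificSuffix
        '{0,-22} servers={1,-24} suffix={2}' -f $_.InterfaceAlias, ($_.ServerAddresses -join ','), $suffix
    }

Write-Host "`n== NRPT rules covering .$Domain (consulted by the DNS Client service) =="
$rules = Get-DnsClientNrptRule | Where-Object { $_.Namespace -contains ".$Domain" }
if ($rules) {
    $rules | ForEach-Object { 'namespace={0} -> nameservers={1}' -f ($_.Namespace -join ','), ($_.NameServers -join ',') }
} else {
    "no NRPT rule for .$Domain; resolution relies on interface DNS servers and suffixes only"
}

Write-Host "`n== Resolution paths for $Name =="
# System resolver: goes through the DNS Client service, so NRPT rules and suffixes apply.
$sys = Resolve-DnsName -Name $Name -Type A -ErrorAction SilentlyContinue | Where-Object IPAddress
# Direct query to the VPN DNS: proves the server is reachable and knows the name.
$vpn = Resolve-DnsName -Name $Name -Type A -Server $VpnDns -DnsOnly -ErrorAction SilentlyContinue | Where-Object IPAddress
'system resolver     : {0}' -f $(if ($sys) { $sys.IPAddress -join ',' } else { 'no answer' })
'direct to {0,-10}: {1}' -f $VpnDns, $(if ($vpn) { $vpn.IPAddress -join ',' } else { 'no answer' })
# nslookup sends its own packets to one server and ignores the NRPT, so "no answer"
# here while the system resolver succeeds is the behaviour the thread describes.
$ns = nslookup $Name 2>&1 | Out-String -Stream | Select-String '^(Server|Address)' |
      Select-Object -First 2 | ForEach-Object { $_.Line.Trim() }
'nslookup used       : {0}' -f ($ns -join ' / ')
```

If the system resolver answers from 10.110.3.1 while nslookup reports a LAN server, Split DNS is working and only nslookup is looking elsewhere.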