OPNsense Forum

Archive => 22.7 Legacy Series => Topic started by: burn2 on September 30, 2022, 10:18:02 am

Title: Question about DNS configuration + ipsec
Post by: burn2 on September 30, 2022, 10:18:02 am
Hello,
I am not sure I am in the right forum category, but I did not find where to put this, as it's related to DNS and not IPsec.
I have got a question about how to do DNS caching/configuration for a remote site with OPNsense.
First of all, here is the context.

On the remote site (let's name it SITE B) I have got:
ISP modem
OPNsense firewall
LAN

In the office (let's name it SITE A) I have got:
Firewall (not OPNsense)
LAN
3 DNS servers for my domain
AD server and file share, etc.


An IPsec tunnel is in place between SITE A and B and works.
In System > Settings > General, I put the whole server list (the 3 home DNS servers + the ISP modem).


What I want to do:
I want all the computers from site B to get answers from the 3 DNS servers from site A, and if site A is down (for example, IPsec is down), to use the default internet gateway, so that if the tunnel is down I still have internet access.


What I am using for the moment is to put one of the DNS servers from site A + the OPNsense IP in the DHCP settings of the LAN on SITE B.
It works, but that's not good.
If the only server I put is rebooting, I lose access from site B to the whole network of site A (no DNS answer).
From the OPNsense firewall, if I try to ping a computer name that the DNS server from site A knows, it does not work (whereas it works for the computers on the LAN).


What I imagine it should be:
On the LAN DHCP, I should only have the OPNsense IP as DNS, and it should be OPNsense that caches answers and asks one of the 3 servers for the answer if it does not have it in cache.
And if none of the 3 servers answer, ask the "default" DNS, that is to say the ISP box.
Is that possible?
Is there a way to do that?

Thanks a lot.
Title: Re: Question about DNS configuration + ipsec
Post by: burn2 on September 30, 2022, 10:31:07 am
Seems to have part of an answer here:
https://forum.opnsense.org/index.php?topic=8505.0

But that makes me doubt the possibility of using OPNsense to cache answers and ask other DNS servers when it does not have the answer.

EDIT2:
https://forum.opnsense.org/index.php?topic=6332.msg26951#msg26951
Seems to explain exactly what I want:
Quote
Let's assume Dnsmasq DNS forwarder or Unbound DNS resolver is enabled and no DNS server addresses are configured in the DHCP service or Static ARP for specific clients.
In this case, the DHCP clients get the IP address of the OPNsense interface configured as DNS server, and any DNS queries will be handled by Dnsmasq or Unbound.

The difference between Dnsmasq and Unbound is that Dnsmasq will forward all DNS queries to the upstream DNS servers (the ones that are configured at System ==> Settings ==> General) and not cache the result, while Unbound will also query the upstream DNS servers just like Dnsmasq, but will also store the result in its local cache to serve subsequent similar queries faster.
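As an added illustration of the setup described in the question and the quoted Dnsmasq/Unbound comparison (this fragment is not from the thread and not OPNsense's generated config), here is an Unbound forward-zone configuration for the SITE B firewall. All addresses and the domain name `corp.example` are placeholders; on OPNsense the usual places for such custom directives are the Unbound "Custom options" field or a file under /usr/local/etc/unbound.opnsense.d/ (assumed here), and the per-domain part can also be entered in the Unbound "Query Forwarding" page instead of a file.

```conf
# Added example: Unbound on the SITE B OPNsense as the only DNS server
# handed out by DHCP, caching answers and forwarding to SITE A.
# Placeholders: 10.1.0.10-12 = the three SITE A DNS servers (reached
# through the IPsec tunnel), 192.168.1.1 = the ISP box on SITE B,
# corp.example = the AD domain.

server:
    # Keep hot entries refreshed before they expire, so a short outage of
    # one SITE A server is mostly hidden by the cache.
    prefetch: yes
    # AD zones are normally unsigned and return private addresses;
    # without these two lines DNSSEC validation and rebinding protection
    # would reject the answers from SITE A.
    domain-insecure: "corp.example"
    private-domain: "corp.example"
    # Reverse lookups for the SITE A LAN (placeholder 10.1.0.0/16).
    domain-insecure: "1.10.in-addr.arpa"

# Internal domain: only the SITE A servers may answer. Unbound spreads
# queries over the listed addresses by measured round-trip time and
# skips an address that stops responding, so one server rebooting does
# not take the domain down. If the tunnel itself is down every address
# fails and clients get SERVFAIL for corp.example (expected).
forward-zone:
    name: "corp.example"
    forward-addr: 10.1.0.10
    forward-addr: 10.1.0.11
    forward-addr: 10.1.0.12

forward-zone:
    name: "1.10.in-addr.arpa"
    forward-addr: 10.1.0.10
    forward-addr: 10.1.0.11
    forward-addr: 10.1.0.12

# Everything else: the SITE A servers plus the ISP box. When the tunnel
# is down the three SITE A addresses time out and are marked bad, and
# internet names keep resolving through 192.168.1.1.
forward-zone:
    name: "."
    forward-addr: 10.1.0.10
    forward-addr: 10.1.0.11
    forward-addr: 10.1.0.12
    forward-addr: 192.168.1.1
```

One caveat worth knowing before relying on this: Unbound has no strict "primary/backup" order inside a forward-zone, so with the ISP box listed under "." it may be chosen for public names even while the tunnel is up; only the `corp.example` and reverse zones are pinned to SITE A. If that is not acceptable, drop the ISP address from the "." zone and leave Unbound resolving public names itself, which also keeps working when the tunnel is down. Either way the DHCP DNS field for the LAN should then hold only the OPNsense address, and `host`/`drill` against the firewall from a LAN client is the quick check that caching and forwarding behave as expected.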