OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: dgiorgio on August 02, 2017, 08:15:02 am

Title: Resolve DNS by VPN
Post by: dgiorgio on August 02, 2017, 08:15:02 am

I have two networks, in VPN "IPSEC"

172.16.0.0/24
172.16.0.1 - opnsense
172.16.0.50 - zabbix-ct
172.16.0.108 - repository-ct

172.16.10.0/24
172.16.10.1 - opnsense2
172.16.10.10 - gameserver-ct
172.16.10.51 - storage-ct

Zabbix-ct ping in repository-ct
Gameserver-ct ping storage-ct

But zabbix-ct does not ping gameserver-ct
Ping works if you put the IP, but the name does not.

Title: Re: Resolve DNS by VPN
Post by: franco on August 02, 2017, 08:40:22 am

You can set local overrides for the remote VPN hosts on OPNsense, or tell your clients in the local attached networks where the DNS server is on the other side of the VPN tunnel (if they are allowed to respond to requests over VPN).


Cheers,
Franco

Title: Re: Resolve DNS by VPN
Post by: dgiorgio on August 12, 2017, 09:02:45 pm

If I have 10 networks in VPN, do I need to put the DNS of the 10 networks in the DHCP of all the networks?

Title: Re: Resolve DNS by VPN
Post by: dgiorgio on August 28, 2017, 06:39:08 am

After much searching, I solved it.

Server: 172.16.0.1
Dnsmasq DNS > Advanced

Code: [Select]

server=/#/172.16.10.1
Server: 172.16.10.1
Dnsmasq DNS > Advanced

Code: [Select]

server=/#/172.16.0.1
Now, the DNS servers can resolve themselves.

Title: Re: Resolve DNS by VPN
Post by: dgiorgio on August 28, 2017, 07:25:18 am

It is not totally solved.
Even with this configuration above, I need to add the DNS of the other network.
So if I have 10 networks, I need to put 10 DNS on the DHCP server.

This is not what I want.

I'm looking at google, similar cases with multiple dhcp and multiple dns.

I'm trying to do something like that.
http://www.linksysinfo.org/index.php?threads/dns-queries-over-openvpn-site-to-site.69941/

Title: Re: Resolve DNS by VPN
Post by: jwe on August 28, 2017, 03:01:39 pm

YOu could build up a central DNS Server for all you networks.
Then you can tell the DHCP Server to update this dns server with dynamic dns.

In OPNSense this setting is in DHCP-Server Settings, named:
"Enable registration of DHCP client names in DNS."

Title: Re: Resolve DNS by VPN
Post by: dgiorgio on August 28, 2017, 04:26:18 pm

How do I do this?
I'll leave opnsense 172.16.0.1 as central dns.

How do I configure 172.16.10.1

I've enabled the option.

In the first field I put "service.local"
In the second field "172.16.0.1"

Title: Re: Resolve DNS by VPN
Post by: jwe on August 28, 2017, 06:54:36 pm

neither dnsmasq or unbound allow dynamic dns updates

in my case, i am using a windows dns for this task.

i have also seen that powerdns may allow dynamic dns updates.

Title: Re: Resolve DNS by VPN
Post by: dgiorgio on August 28, 2017, 07:11:30 pm

Getting added manually is not a very practical task.

To put multiple DNS in dhcp, also not very practical.

How to synchronize two DNS?

It is possible?

Or how do I do to the network 172.17.0.1 DNS, automatically add the network DHCP 172.16.10.1

Title: Re: Resolve DNS by VPN
Post by: dgiorgio on August 30, 2017, 09:54:13 pm

How do I make dnsmasq add the "dnsmasq-hosts" of all servers?

Code: [Select]

root@OPNSENSE-VM:/usr/local/opnsense # ps aux | grep dnsmasq
nobody          30001   0.0  0.2 1081472  4680  -  I    Mon01       0:14.34 /usr/local/sbin/dnsmasq --all-servers --rebind-localhost-ok --stop-dns-rebind -H /var/etc/dnsmasq-hosts ........

How do I put multiple "dnsmasq-hosts"?
Share on nfs

ex:

Code: [Select]

dnsmasq -H /var/etc/dnsmasq-hosts;172.16.10.1:/var/etc/dnsmasq-hosts 

Title: Re: Resolve DNS by VPN
Post by: Ciprian on August 31, 2017, 12:52:03 am

Very very very simple :) :

Domain overrides for every network that has its own DNS. What other way could exist, but to ask the DNS that knows about hosts in that network? And being a private network, your ISP's DNS wouldn't know. Nor Google DNS... Nor OpenDNS... :)

Case you use Unbound, don't forget to add the according access lists (ACLs).

The only remaining option would be to have only one and single DNS resolver for all networks, but since VPN is involved, what would you do if the connection breaks down?

Very very very important!!! (!)

1. You will never have proper DNS resolution in between networks with dedicated DNS resolvers/ servers if you don't use FQDN with different domain names or subdomain prefixes. Hostname-only resolution is not possible between networks which have their own DNS servers (not without "host override", but if domain override is a pain, I don't dare to even consider host override for every other client in every other network, on each and every other DNS resolver).
So, set a domain name in "System | Settings | General"!!!

2. Use domain name overrides for both names and IPs (forward and reverse) - now this would be a PITA, wouldn't it?  ;D
  myfirst.net                   172.16.0.1
  0.16.172.in-addr.arpa    172.16.0.1
  mysecond.net               172.16.10.1
  10.16.172.in-addr.arpa  172.16.10.1

3. Don't forget about ACLs if you use Unbound DNS. Oh, wait... Did I mention it already? :D

Good Luck

PS I have 1 HQ having a DNS server and 2 branch offices without a DNS server, each with many /24, /22 or even /21 network segments. For each building there is only 1 OPNsense, with OpenVPN S2S connection between HQ and each branch. I have summarized all segments in each building and setup the domain overrides exactly as explained above. It works! :)

I strongly consider for the near future to implement a DNS server in each branch location and to do DNS zone/ site replication, but until then I managed to have name-to-IP (forward) and IP-to-name (reverse) resolution just fine, from every building to any building.