OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: circlenaut on April 30, 2018, 07:50:55 pm

Title: Resolving DNS over Site-to-Site VPN connection
Post by: circlenaut on April 30, 2018, 07:50:55 pm
I've set up a site-to-site VPN connection between OPNsense servers A (server) and B (client) connecting networks A-Net0, A-Net1, A-Net2 to B-Net0.

VPN and firewalls are properly configured. I can ping clients within any net on Server B to any net on Server A and vice-versa.

I've set up DNS using unbound with overrides (same overrides on both servers) on both Server A and Server B pointing to various servers through networks under both Server A and Server B. This way I'm able to resolve DNS properly through to any server on all networks from any client on all networks. A few of these servers that have internal overrides under Server A networks also face the internet through port forwarding of virtual IPs.

This is fine for now, as long as the VPN connection is up; but I'm wondering if there's a way to route DNS requests from clients under network B-Net0 for internet-facing servers under network A-Net2 that have internal overrides to public DNS, i.e. 8.8.8.8, if the VPN connection goes down.

Right now if the VPN connection goes down then clients under network B-Net0 cannot resolve servers under network A-Net2 even though these servers under A-Net2 face the internet and resolve under public DNS.

I've tried enabling "forward DNS queries" in unbound on Server B, disabling all overrides on Server B and setting up DNS servers in general settings pointing first to Server B, then Server A, then 8.8.8.8, but I still have the same issue as above.

I've also disabled Unbound on Server B, enabled Dnsmasq (forwarder) and set DNS servers in general settings for Server B as: Server B, Server A, 8.8.8.8. This didn't work. I then tried enabling "rolling dns connection" but that didn't work. I finally tried removing Server B from the general DNS settings so the order is: Server A then 8.8.8.8, and that worked. But the issue now is that page loading times have increased significantly when clients under B-Net0 access servers on A-Net2; probably because it's taking a long time to find that the first DNS server does not resolve before going to the next server that does.

I'm inclined to keep the unbound override setup that works and hope I respond quickly to downed VPN connections.

Any thoughts? Please let me know if something's not clear.
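One way to make the overrides on Server B follow the tunnel state instead of relying on a human noticing the VPN is down, as an added example that is not from this thread: a small script that probes Server A's unbound across the tunnel with a short timeout and renders an unbound include file with the A-Net2 overrides only while the probe succeeds. The Server A resolver address, probe name and override list are constructed; the include location and reload command on OPNsense are assumptions.

```python
"""Toggle unbound host overrides on Server B depending on VPN reachability.

Added example, not from the thread. Assumptions: unbound on Server A answers
on 53/udp at VPN_DNS (constructed); PROBE_NAME and OVERRIDES are constructed.
"""
import random
import socket
import struct

VPN_DNS = "10.1.0.1"              # constructed: Server A unbound, reached over the tunnel
PROBE_NAME = "vpnprobe.internal"  # constructed: any name; only a reply matters, not its RCODE

# constructed: internet-facing hosts on A-Net2 that carry internal overrides
OVERRIDES = {
    "web.example.org": "10.2.0.10",
    "mail.example.org": "10.2.0.11",
}


def build_query(name: str, txid: int) -> bytes:
    """Build a minimal RFC 1035 DNS A query (RD set) for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def vpn_dns_reachable(server: str = VPN_DNS, timeout: float = 1.0) -> bool:
    """Send one query across the tunnel; a reply with our transaction id means the VPN is up.
    The short timeout is the point: decide once per check interval instead of
    letting every client query wait on a dead first resolver."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(PROBE_NAME, txid), (server, 53))
            data, _ = sock.recvfrom(512)
        except (socket.timeout, OSError):
            return False
    return len(data) >= 12 and struct.unpack("!H", data[:2])[0] == txid


def render_overrides(vpn_up: bool, overrides=OVERRIDES) -> str:
    """Return an unbound `server:` clause: local-data overrides while the tunnel is
    up, an empty clause when it is down so the names are forwarded (to 8.8.8.8 in
    the setup above) and resolve to their public, port-forwarded addresses."""
    lines = ["server:"]
    if vpn_up:
        for host, ip in sorted(overrides.items()):
            lines.append(f'    local-data: "{host}. A {ip}"')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_overrides(vpn_dns_reachable()), end="")
```

Run it from cron on Server B, write the output to a file that unbound includes, and reload unbound only when the file content changed (on OPNsense the assumed reload command is `configctl unbound restart`).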