OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Archive »
  • 19.7 Legacy Series »
  • Resolve FQDNs accross openVPN site-to-site
« previous next »
  • Print
Pages: [1]

Author Topic: Resolve FQDNs accross openVPN site-to-site  (Read 1984 times)

chemlud

  • Hero Member
  • *****
  • Posts: 2486
  • Karma: 112
    • View Profile
Resolve FQDNs accross openVPN site-to-site
« on: January 21, 2020, 05:25:42 pm »
Hi!
Basic setup
                10.0.0.1                                                                                      192.168.0.1
LAN1 --- OPNsense1 --------------------- openVPN site-to-site -------------- OPNsense2 --- LAN2
               abcd.home.arpa                                                                        wxyz.home.arpa

I want to reach a (local, LAN-only) email server on LAN1 from LAN2. Apparently sendmail does not accept the mailaddress as "user@[10.0.0.114]" , but only as "user@mail.abcd.home.arpa".

I tried to add domain overrides and add the remote nets to the ACL of unbounds on both opnsenses, according to this

https://forum.opnsense.org/index.php?topic=5901.msg24507#msg24507

OPNsense1
Code: [Select]
wxyz.home.arpa  192.168.0.1
OPNsense2
Code: [Select]
abcd.home.arpa  10.0.0.1

But when I configure the first domain override on any OPNsense, unbound stops when pressing "Apply" and won't start (even after reboot).

Is the problem that both sides of the tunnel have ".home.arpa" domain names?
« Last Edit: January 21, 2020, 05:31:05 pm by chemlud »
Logged
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorns premium katzenfutter mit der extraportion energie

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

chemlud

  • Hero Member
  • *****
  • Posts: 2486
  • Karma: 112
    • View Profile
Re: Resolve FQDNs accross openVPN site-to-site
« Reply #1 on: January 21, 2020, 05:55:00 pm »
Hmmm....

Quote
forapurpose on May 18, 2018

In case this issue on pages 7-8 is overlooked:

Because 'home.arpa.' is not globally scoped and cannot be secured using DNSSEC based on the root domain's trust anchor, there is no way to tell, using a standard DNS query, in which homenet scope an answer belongs. Consequently, users may experience surprising results with such names when roaming to different homenets.

To prevent this from happening, it could be useful for the resolver on the host to securely differentiate between different homenets and between identical names on different homenets. However, a mechanism for doing this has not yet been standardized and doing so is out of scope for this document. It is expected that this will be explored in future work.

https://news.ycombinator.com/item?id=17093337
Logged
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorns premium katzenfutter mit der extraportion energie

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

chemlud

  • Hero Member
  • *****
  • Posts: 2486
  • Karma: 112
    • View Profile
Re: Resolve FQDNs accross openVPN site-to-site
« Reply #2 on: January 24, 2020, 09:38:13 am »
Workaround:

https://stackoverflow.com/questions/6139032/sending-email-using-ip-address-instead-of-domain-name

 8)

(Question: why not using another mail program? Answer: mdadm only uses sendmail, apparently...)
Logged
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorns premium katzenfutter mit der extraportion energie

A router is not a switch - A router is not a switch - A router is not a switch - A rou....
  • Print
Pages: [1]
« previous next »
  • OPNsense Forum »
  • Archive »
  • 19.7 Legacy Series »
  • Resolve FQDNs accross openVPN site-to-site
 

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2