Resolve FQDNs across OpenVPN site-to-site

Started by chemlud, January 21, 2020, 05:25:42 PM

January 21, 2020, 05:25:42 PM Last Edit: January 21, 2020, 05:31:05 PM by chemlud
Hi!
Basic setup
                10.0.0.1                                                                                      192.168.0.1
LAN1 --- OPNsense1 --------------------- openVPN site-to-site -------------- OPNsense2 --- LAN2
               abcd.home.arpa                                                                        wxyz.home.arpa

I want to reach a (local, LAN-only) email server on LAN1 from LAN2. Apparently sendmail does not accept the mail address as "user@[10.0.0.114]", but only as "user@mail.abcd.home.arpa".

I tried to add domain overrides and add the remote nets to the Unbound ACLs on both OPNsense boxes, according to this:

https://forum.opnsense.org/index.php?topic=5901.msg24507#msg24507

OPNsense1
wxyz.home.arpa  192.168.0.1

OPNsense2
abcd.home.arpa  10.0.0.1


But when I configure the first domain override on either OPNsense, Unbound stops when I press "Apply" and won't start again (even after a reboot).

Is the problem that both sides of the tunnel have ".home.arpa" domain names?
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorns premium katzenfutter mit der extraportion energie

A router is not a switch - A router is not a switch - A router is not a switch - A rou....
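For reference, the setup described above written out as plain Unbound configuration for the OPNsense1 side (10.0.0.1, serving abcd.home.arpa and forwarding wxyz.home.arpa to 192.168.0.1). This is an added example, not the configuration the OPNsense GUI generates; the mail host record, the /24 masks, and the assumption that recent Unbound versions ship home.arpa. as a built-in static local zone are mine, so check them against your own install.

```conf
server:
    # Answer queries from the local LAN and from the remote LAN arriving over the tunnel.
    # /24 masks are assumed; use the real netmasks of LAN1 and LAN2.
    access-control: 10.0.0.0/24 allow
    access-control: 192.168.0.0/24 allow

    # Assumption: recent Unbound versions include "home.arpa." in the default local
    # zones (static). Local zones are matched before forward-zones, so without
    # "nodefault" a lookup for anything under home.arpa. gets NXDOMAIN from the
    # built-in zone and never reaches the forwarder below.
    local-zone: "home.arpa." nodefault

    # Our own sub-zone, answered locally (constructed host record; 10.0.0.114 is the
    # mail server address from the thread).
    local-zone: "abcd.home.arpa." static
    local-data: "mail.abcd.home.arpa. IN A 10.0.0.114"

    # If rebind protection (private-address) is enabled, answers containing RFC 1918
    # addresses are dropped unless the name is under a private-domain. The remote
    # zone resolves to 192.168.0.0/24, so exempt it.
    private-domain: "wxyz.home.arpa."
    # home.arpa. cannot be validated against the root trust anchor (see the RFC
    # excerpt quoted later in the thread), so do not expect DNSSEC from the peer.
    domain-insecure: "wxyz.home.arpa."

# Send the peer's sub-zone to the Unbound on OPNsense2 across the tunnel.
forward-zone:
    name: "wxyz.home.arpa."
    forward-addr: 192.168.0.1
```

Run unbound-checkconf against the merged configuration before applying; when Unbound refuses to start, its log normally names the offending line, which is the quickest way to tell a conflicting home.arpa. definition from a simple syntax error.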

Hmmm....

Quote from forapurpose on May 18, 2018:

In case this issue on pages 7-8 is overlooked:

Because 'home.arpa.' is not globally scoped and cannot be secured using DNSSEC based on the root domain's trust anchor, there is no way to tell, using a standard DNS query, in which homenet scope an answer belongs. Consequently, users may experience surprising results with such names when roaming to different homenets.

To prevent this from happening, it could be useful for the resolver on the host to securely differentiate between different homenets and between identical names on different homenets. However, a mechanism for doing this has not yet been standardized and doing so is out of scope for this document. It is expected that this will be explored in future work.

https://news.ycombinator.com/item?id=17093337
kind regards
chemlud

Workaround:

https://stackoverflow.com/questions/6139032/sending-email-using-ip-address-instead-of-domain-name

8)

(Question: why not use another mail program? Answer: mdadm only uses sendmail, apparently...)
kind regards
chemlud