[SOLVED] DNS refuses clients in one subnet behind wireguard site-to-site tunnel

[chemlud]

Hi again!

Have an ISP with lousy DNS, so I use DNS from another OPNsense (Unbound, DNSSEC and DoT configured) at the end of an openVPN tunnel, working fine.

I switched this tunnel to Wireguard site-to-site and now I have one subnet on the lousy DNS-site, that resolves just fine via wireguard and the remote DNS on the OPNsense.

In a second subnet (added to the same wireguard End Point), I have two clients, a notebook and a raspberry pi, which both use the remote DNS server (I can check from resolv.conf, dnsmasq) and the requests reach the unbound in the remote OPNsense, as I can see in package capture.

HOWEVER, the unbound always replies with "REFUSED"

Code Select Expand

1 0.000000 aaa.bbb.ccc.3 xxx.yyy.zzz.1 DNS 82 Standard query 0x8e14 A conncheck.opensuse.org

Code Select Expand

2 0.024239 xxx.yyy.zzz.1 aaa.bbb.cc.3 DNS 54 Standard query response 0x8e14 Refused

...or this here, another example:

Code Select Expand

1 0.000000 aaa.bbb.ccc.2 xxx.yyy.zzz.1 DNS 95 Standard query 0x999d SRV _http._tcp.raspbian.raspberrypi.org

Code Select Expand

3 0.023408 xxx.yyy.zzz.1 aaa.bbb.ccc.2 DNS 54 Standard query response 0x999d Refused

to both clients, no matter what these two clients request.

Any idea what is going wrong here?

[Gauss23]

Services: Unbound DNS: Access Lists

Are all of your networks listed here?

[chemlud]

Good point!

There is at the lower end an entry with the domain name of the remote OPNsense and there is only the subnet listed that works just fine.

So I add the second subnet and it should work? :-D

[chemlud]

Works! Very nice.

I added the second subnet to the wireguard config after the connection was up and running, so the second net was not automagically added to this Access List. Reboot didn't help...

Many thanks, made my day! :-D