DNS Logging

Started by spetrillo, January 16, 2024, 11:19:58 PM

Hello all,
I am trying to determine why DNS resolution is not happening over a Wireguard S2S tunnel. Where should I be looking for this?

Thanks,
Steve

Hi Steve, does DNS lookup work from the shell? E.g. host opnsense.org. <your.dns.server.ip>

If I do this for my local DNS server it responds but if I do it for the DNS server on the far side of the tunnel it comes back not found. I can ping the IP of the DNS but DNS resolution is not working.

Let me provide a bit more information....

At site A(petrillo.home) my Unbound config is as follows:

1) Services/Unbound/General/Outgoing Network Interfaces: FIOS(WAN), Home_Wireguard(WG Interface)
2) Services/Unbound/Advanced/Private Domains: petrillo.home(site A), nsc.home(Site B)
3) Services/Unbound/Query Forwarding: domain(nsc.home), address(10.0.1.1), port(53)

At site B(nsc.home) my Unbound config is as follows:

1) Services/Unbound/General/Outgoing Network Interfaces: FIOS(WAN), NSC_Wireguard(WG Interface)
2) Services/Unbound/Advanced/Private Domains: nsc.home(site A), petrillo.home(Site B)
3) Services/Unbound/Query Forwarding: domain(petrillo.home), address(192.168.1.1), port(53)

On both sides of the tunnel I have one WG rule, which is under Firewall/Rules/Wireguard (Group). This is open to all...nothing is being blocked at this time, so I would assume all ports are open and passing over the tunnel. I feel like this is where I am making the wrong assumption, but I do not know what log to look at and see if I can determine if there are any errors on the tunnel.

I hope this helps...

Do I need to set a gateway for this tunnel, so OPNsense knows it can exit out this interface?

Quote from: spetrillo on January 17, 2024, 02:07:31 PM
If I do this for my local DNS server it responds but if I do it for the DNS server on the far side of the tunnel it comes back not found. I can ping the IP of the DNS but DNS resolution is not working.

Are you allowing TCP and UDP 53? DNS needs both. I can't see the gateway being required, since the ping would fail if the routing was bad

You have hit the 64K question...and I suspect my problem in some form.

So now do I port forward across the tunnel? Why does ping work when I am not pushing any ports across? I assumed that everything was passing across the tunnel?

Port forward implies NAT - you should just be able to route and allow. Anything in your deny logs? After that it's packet capture, I reckon.
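Before reaching for a packet capture, it helps to know whether the far-side server answers on UDP 53, on TCP 53, both, or neither, since ping and a "not found" from the DNS lookup page do not distinguish a blocked transport from a server that answers NXDOMAIN. The script below is an added example (not from this thread and not part of OPNsense, Unbound or Pi-hole) that hand-builds an A query with only the standard library, sends it over both transports and reports the response code per transport. The server 10.0.1.1 is the site-B resolver from the thread; the hostname host.nsc.home is an assumption for illustration.

```python
"""Probe a DNS server over UDP and TCP with a hand-built A query.

Added diagnostic example; standard library only so it can run from the
OPNsense shell (python3) or any client behind the tunnel.  The default
server 10.0.1.1 comes from the thread; host.nsc.home is an assumed name.
"""
import socket
import struct
import sys

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
TXID = 0x1234  # fixed id so parse_response can check the reply belongs to us


def build_query(name: str, qtype: int = 1, txid: int = TXID) -> bytes:
    """Wire-format query: header (RD set, 1 question) + QNAME + QTYPE/QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer: 14-bit offset into msg
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2  # the pointer is the last thing in this field
            off = ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg: bytes, txid: int = TXID):
    """Return (rcode, [A record addresses]) from a raw DNS response."""
    tid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if tid != txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(rdata))
    return flags & 0xF, answers


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed before full DNS message arrived")
        buf += chunk
    return buf


def query_udp(server: str, name: str, timeout: float = 3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data)


def query_tcp(server: str, name: str, timeout: float = 3.0):
    q = build_query(name)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)  # TCP DNS is length-prefixed
        (n,) = struct.unpack("!H", _recv_exact(s, 2))
        data = _recv_exact(s, n)
    return parse_response(data)


def probe(server: str, name: str) -> dict:
    """Try both transports; a timeout on one but not the other points at the firewall."""
    results = {}
    for proto, fn in (("udp", query_udp), ("tcp", query_tcp)):
        try:
            rcode, answers = fn(server, name)
            results[proto] = (RCODES.get(rcode, f"RCODE{rcode}"), answers)
        except (OSError, ValueError) as exc:
            results[proto] = (f"ERROR {type(exc).__name__}", [])
    return results


if __name__ == "__main__":
    server = sys.argv[1] if len(sys.argv) > 1 else "10.0.1.1"
    name = sys.argv[2] if len(sys.argv) > 2 else "host.nsc.home"
    for proto, (status, addrs) in probe(server, name).items():
        print(f"{proto:3s} {status} {' '.join(addrs)}")
```

Run it as `python3 dnsprobe.py 10.0.1.1 host.nsc.home` from a host on the near side. A socket timeout on one transport with a normal answer on the other means the tunnel rule is not passing that protocol; NXDOMAIN on both means the far-side server is reachable but does not know the name (check which zone Unbound there treats as local); a reply with a mismatched transaction id means something in between is answering for the server. If both transports time out while ping works, capture on the WireGuard interface on the firewall (assumed here to be wg0; check the actual name under Interfaces) with `tcpdump -ni wg0 port 53` to see whether the queries leave at all.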

So a bit more progress...

Using the DNS lookup functionality I am able to query the far side DNS server for an IP on that side and it resolves! That was a major step forward...so now it was about getting this functionality back to the PCs on the near side.

All PCs on the near side use Pi-Hole as DNS. When I nslookup from my PC it's telling me that Pi-Hole sees it as a non-existent domain. So now I need to solve why Pi-Hole is the bottleneck.

You can do the conditional forwarding on pi-hole (assuming it can resolve over the tunnel).

On the pi-hole settings, select DNS and scroll down to conditional forwarding. Set the local domain CIDR to 192.168.1.0/24, the "DHCP" server to 10.0.1.1 and the "Local" domain name to nsc.home.

If you have more than one domain on the far side, you need to dive into the guts of pi-hole: https://www.grahamwatts.co.uk/knowledge/pihole-conditional-forwarding.

Good luck!

Bart...

Quote from: bartjsmit on January 20, 2024, 08:27:13 AM
You can do the conditional forwarding on pi-hole (assuming it can resolve over the tunnel).

On the pi-hole settings, select DNS and scroll down to conditional forwarding. Set the local domain CIDR to 192.168.1.0/24, the "DHCP" server to 10.0.1.1 and the "Local" domain name to nsc.home.

If you have more than one domain on the far side, you need to dive into the guts of pi-hole: https://www.grahamwatts.co.uk/knowledge/pihole-conditional-forwarding.

Good luck!

Bart...

You're a good man Bart! Setting the conditional forward works and I can now resolve across the VPN. This is big! Now I have to make the same changes on the far side. One last question on the Pi-Hole front. Does having an upstream DNS server pointing to the far side DNS server do anything?

Glad it worked!

I would keep name resolution local as much as possible from a performance and resilience viewpoint. E.g. if your remote ISP croaks, your local network could be either degraded or down.

Bart...