OpenVPN DNS what am I doing wrong?

Started by tl5k5, March 13, 2019, 10:12:00 PM

Quote from: bartjsmit on March 20, 2019, 08:14:24 AM

Do you have a fully populated reverse zone on your DNS server? Windows clients do a reverse lookup of the DNS server itself.

Try a packet capture on the client to see any failed lookups.

Bart...


I'm using Nethserver for DNS among other things.  Nethserver uses dnsmasq and the FQDNs are in the /etc/hosts file.
Is there anything else in my dnsmasq setup I should look for?

I'm still working through wireshark.  When I know something I'll post it.

Thanks!

Wireshark shows the following when I run nslookup on the client:

OpenVPN local and VPN traffic allowed
395   40.241244   127.0.0.1   127.0.0.1   TCP   128   25340 → 52564 [PSH, ACK] Seq=352 Ack=1 Win=10233 Len=22
396   40.241276   127.0.0.1   127.0.0.1   TCP   84   52564 → 25340 [ACK] Seq=1 Ack=374 Win=1270 Len=0
nslookup returns pi-hole as server with local pi-hole IP address
No DNS info detected

OpenVPN VPN traffic only allowed
289   105.769055   127.0.0.1   127.0.0.1   TCP   128   25341 → 52578 [PSH, ACK] Seq=440 Ack=1 Win=10233 Len=22
290   105.769078   127.0.0.1   127.0.0.1   TCP   84   52578 → 25341 [ACK] Seq=1 Ack=462 Win=1270 Len=0
nslookup returns pi-hole as server with local pi-hole IP address
No DNS info detected


Viscosity local and VPN traffic allowed
47   31.517657   127.0.0.1   127.0.0.1   DNS   140   Standard query 0x0001 PTR 1.0.0.127.in-addr.arpa
48   31.517855   127.0.0.1   127.0.0.1   DNS   230   Standard query response 0x0001 PTR 1.0.0.127.in-addr.arpa PTR Viscosity
49   31.519132   127.0.0.1   127.0.0.1   DNS   150   Standard query 0x0002 PTR 21.x.x.192.in-addr.arpa
50   35.520116   127.0.0.1   127.0.0.1   DNS   84   Standard query 0xd161
nslookup returns Viscosity as the server with 127.0.0.1 IP address
DNS info detected but still no proper nslookup info returned on screen.
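
As an added example (not from this thread, and not code from Wireshark, Pi-hole, OpenVPN or Viscosity), here is a small Python script that does the check suggested earlier on capture lines like the ones pasted above: it reads Wireshark summary lines, pairs each DNS query with its response by transaction ID (multicast DNS is matched by query name, since it always uses ID 0x0000), lists every lookup that never got an answer, reverse lookups included, and counts how many queries were actually sent to the configured resolver. The sample capture is reconstructed from the lines in this post, and the Pi-hole address is a placeholder because the thread never gives it.

```python
import re

# Constructed sample capture listing (Wireshark summary lines as pasted in the
# thread, plus one of the TCP loopback lines); not a real capture file.
SAMPLE_CAPTURE = """\
395   40.241244   127.0.0.1   127.0.0.1   TCP   128   25340 -> 52564 [PSH, ACK] Seq=352 Ack=1 Win=10233 Len=22
47   31.517657   127.0.0.1   127.0.0.1   DNS   140   Standard query 0x0001 PTR 1.0.0.127.in-addr.arpa
48   31.517855   127.0.0.1   127.0.0.1   DNS   230   Standard query response 0x0001 PTR 1.0.0.127.in-addr.arpa PTR Viscosity
49   31.519132   127.0.0.1   127.0.0.1   DNS   150   Standard query 0x0002 PTR 21.x.x.192.in-addr.arpa
50   35.520116   127.0.0.1   127.0.0.1   DNS   84   Standard query 0xd161
2029   126.772892   10.222.77.6   224.0.0.251   MDNS   116   Standard query 0x0000 A wpad.local, "QM" question
"""

# Placeholder: the thread does not state the Pi-hole's address.
PIHOLE_IP = "10.222.77.1"

# Frame, time, source, destination, protocol, length, info (Wireshark summary layout).
LINE_RE = re.compile(
    r"^\s*(?P<frame>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<proto>\S+)\s+(?P<length>\d+)\s+(?P<info>.*)$"
)
# "Standard query 0x0002 PTR name" or "Standard query response 0x0001 PTR name ...".
QUERY_RE = re.compile(
    r"Standard query(?P<resp> response)? (?P<txid>0x[0-9a-fA-F]+)"
    r"(?:\s+(?P<qtype>[A-Z]+)\s+(?P<qname>[^\s,]+))?"
)


def parse_capture(text):
    """Return one dict per DNS/MDNS summary line; other protocols are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("proto") not in ("DNS", "MDNS"):
            continue
        q = QUERY_RE.search(m.group("info"))
        if not q:
            continue
        records.append({
            "frame": int(m.group("frame")),
            "src": m.group("src"),
            "dst": m.group("dst"),
            "proto": m.group("proto"),
            "txid": q.group("txid").lower(),
            "is_response": q.group("resp") is not None,
            "qtype": q.group("qtype"),   # None when Wireshark printed no question
            "qname": q.group("qname"),
        })
    return records


def _key(r):
    # mDNS reuses transaction ID 0x0000, so pair those by name instead.
    if r["proto"] == "MDNS":
        return ("MDNS", r["qname"])
    return (r["proto"], r["txid"])


def unanswered_queries(records):
    """Queries whose transaction ID (or mDNS name) never appears in a response."""
    answered = {_key(r) for r in records if r["is_response"]}
    return [r for r in records if not r["is_response"] and _key(r) not in answered]


def queries_to_server(records, server_ip):
    """Count unicast DNS queries actually addressed to the configured resolver."""
    return sum(1 for r in records
               if r["proto"] == "DNS" and not r["is_response"] and r["dst"] == server_ip)


def report(text, server_ip):
    """Human-readable summary: resolver reachability plus every unanswered lookup."""
    records = parse_capture(text)
    lines = [f"{len(records)} DNS/MDNS frames, "
             f"{queries_to_server(records, server_ip)} queries sent to {server_ip}"]
    for r in unanswered_queries(records):
        lines.append(f"no answer: frame {r['frame']} {r['proto']} {r['txid']} "
                     f"{r['qtype'] or '?'} {r['qname'] or '?'} -> {r['dst']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_CAPTURE, PIHOLE_IP))
```

Run against the sample it reports zero queries to the Pi-hole address and flags the PTR lookup for the VPN server's address, the empty 0xd161 query and the mDNS wpad.local query as unanswered, which is the same picture the trace above paints: the reverse lookup of the resolver goes nowhere, and nothing reaches the Pi at all. Export a real capture with File > Export Packet Dissections > As Plain Text (summary lines) and pass that text to report() instead.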

Does any DNS traffic make it to the Pi? None seems to go out from your traces.

March 22, 2019, 05:09:09 PM #18 Last Edit: March 22, 2019, 05:45:45 PM by tl5k5
1. On the VM running OpenVPN, nslookup shows the pi-hole as the dns server...but wireshark shows no DNS traffic.
2. On a physical machine running OpenVPN, nslookup shows no name for the server but returns the proper remote DNS IP address.
     a. On the physical machine, OpenVPN local and remote traffic allowed = no wireshark traffic
     b. Also on the physical machine, OpenVPN all traffic tunneled = shows some MDNS traffic, but nothing returns.

This MDNS traffic seems to mainly be this:
2029   126.772892   10.222.77.6   224.0.0.251   MDNS   116   Standard query 0x0000 A wpad.local, "QM" question


This is really starting to wear on me.  Is there any hope or should I just use IP addresses???

UPDATE:
I've attached a wireshark screen capture of just the OpenVPN interface.  Maybe this will shed some light.

Troubleshooting this is tricky and mostly iterative.

If you can, set up a test environment that is much simpler. I.e. confirm that DNS works with OpenVPN and Unbound on OPNsense and then introduce elements from your setup until it breaks.

Bart...

This is a demo/lab setup.
I'll switch to Unbound on OPNsense to see what happens.
Thanks!