OpenVPN - DNS issue / question

Started by mr.sarge, March 15, 2021, 11:38:53 AM

Hello,

I recently activated OpenVPN with policy based routing. Everything works except DNS queries.

I'm using the following DNS settings:
- System-> Settings -> General ->Networking ->DNS servers "8.8.8.8 / 8.8.4.4"
   - DNS server options "Allow DNS server list to be overridden by DHCP/PPP on WAN" -> UNCHECKED
   - Allow default gateway switching -> UNCHECKED
- Services -> Unbound DNS -> General
  - DNS Query Forwarding -> Enable Forwarding Mode -> CHECKED
  - Local Zone Type > transparent
  - Outgoing Network Interfaces > All (recommended)

DHCPv4 -> DNS servers -> BLANK -> USE SYSTEM DEFAULT DNS SERVERS

Problem: clients routed through the VPN tunnel are not able to resolve DNS host names until I set the DNS servers manually or with DHCP. It seems that "DNS Query Forwarding" (Unbound DNS) is not working.

Is there an option and/or firewall rule that I'm still missing?

best regards,

Sarge

I'm no expert, so someone with more experience will come along. On that note, my solution:

Firewall -> NAT -> Port Forward -> click Add
- Interface: LAN
- TCP/IP version: IPv4
- Protocol: TCP/UDP
- Source: your alias for the hosts routed over the VPN
- Source port range: from any to any
- Destination: any
- Destination port range: from DNS to DNS
- Redirect target IP: "Single host or network", and directly below it put your VPN provider's DNS server or any other DNS server
- Redirect target port: DNS

That should be it; save and apply.





Hm, DNS port forwarding does not seem like the right solution to me.

Any ideas why "DNS Query Forwarding" is not working with OpenVPN?

Sarge

Unbound DNS works for me, using OPNsense 21.1.3_3-amd64. I'll describe my setup.

The client is directly connected to the OPNsense box. The box is used as gateway (internet through OpenVPN) and DNS. To make the DNS work, I changed some Unbound DNS configuration:

  • Enable: Enable Unbound: checked
  • Network Interfaces: selected the interface the client is connected on
  • DNS Query Forwarding: Enable Forwarding mode: checked
  • Outgoing Network Interfaces: selected the OpenVPN interface

I also added a firewall rule to the client's LAN interface, allowing incoming UDP:53 packets from the client's net to the LAN interface address.

In this setup, the client sends its DNS requests to the OPNsense box, so that Unbound DNS forwards the requests to the DNS server(s) configured via general system settings (like "8.8.8.8 / 8.8.4.4" in your example).

HTH
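The settings Sheldon lists, written out as the unbound.conf fragment they correspond to. This is an added example for readers, not text from the thread and not OPNsense's generated configuration: OPNsense regenerates unbound.conf from the GUI, so this is for reading, not for pasting in. The addresses are assumptions: 192.168.1.254 is the OPNsense LAN address mentioned later in the thread, 10.8.0.2 stands in for whatever address OpenVPN assigned to the tunnel interface, and 192.168.1.0/24 stands in for the client's LAN.

```conf
# Added example: Unbound in forwarding mode, listening on the LAN only and
# sourcing its upstream queries from the OpenVPN tunnel address.
server:
    # "Network Interfaces": listen on the interface the client is connected to
    interface: 192.168.1.254

    # Only the local LAN may use this resolver; everything else is refused
    # (this is the Unbound-side counterpart of the UDP/53 firewall rule)
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # "Outgoing Network Interfaces": forwarded queries are sent from the
    # tunnel address (assumed 10.8.0.2), not from the WAN address
    outgoing-interface: 10.8.0.2

# "DNS Query Forwarding -> Enable Forwarding Mode": hand every query to the
# servers from System -> Settings -> General instead of recursing
forward-zone:
    name: "."
    forward-addr: 8.8.8.8
    forward-addr: 8.8.4.4
```

The check that matters for the VPN case is the source address of the forwarded queries: with `outgoing-interface` bound to the tunnel address they carry the tunnel address, which is what Sheldon's choice of the OpenVPN interface selects in the GUI; with "All" selected Unbound is free to pick any local address.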

March 25, 2021, 03:33:07 PM #4 Last Edit: March 25, 2021, 03:42:35 PM by Inxsible
Quote from: mr.sarge on March 15, 2021, 11:38:53 AM
Hello,

I recently activated OpenVPN with policy based routing. Everything works except DNS queries.

I'm using the following DNS settings:
- System-> Settings -> General ->Networking ->DNS servers "8.8.8.8 / 8.8.4.4"
   - DNS server options "Allow DNS server list to be overridden by DHCP/PPP on WAN" -> UNCHECKED
   - Allow default gateway switching -> UNCHECKED
- Services -> Unbound DNS -> General
  - DNS Query Forwarding -> Enable Forwarding Mode -> CHECKED
  - Local Zone Type > transparent
  - Outgoing Network Interfaces > All (recommended)

DHCPv4 -> DNS servers -> BLANK -> USE SYSTEM DEFAULT DNS SERVERS

Problem: clients routed through the VPN tunnel are not able to resolve DNS host names until I set the DNS servers manually or with DHCP. It seems that "DNS Query Forwarding" (Unbound DNS) is not working.

Is there an option and/or firewall rule that I'm still missing?

best regards,

Sarge

In your VPN Server configuration did you set up Unbound as your DNS server for the VPN clients? The clients connecting via VPN need to know the address of Unbound which is usually your opnsense IP.

Also, since you are only using a DNS forwarder, another option is to just use Dnsmasq instead of Unbound in Query Forwarding mode.

Quote from: Sheldon on March 25, 2021, 12:12:26 PM
Unbound DNS works for me, using OPNsense 21.1.3_3-amd64. I'll describe my setup.

The client is directly connected to the OPNsense box. The box is used as gateway (internet through OpenVPN) and DNS. To make the DNS work, I changed some Unbound DNS configuration:

  • Enable: Enable Unbound: checked
  • Network Interfaces: selected the interface the client is connected on
  • DNS Query Forwarding: Enable Forwarding mode: checked
  • Outgoing Network Interfaces: selected the OpenVPN interface

I also added a firewall rule to the client's LAN interface, allowing incoming UDP:53 packets from the client's net to the LAN interface address.

In this setup, the client sends its DNS requests to the OPNsense box, so that Unbound DNS forwards the requests to the DNS server(s) configured via general system settings (like "8.8.8.8 / 8.8.4.4" in your example).

HTH

Hi Sheldon!

Perfect, this worked for me too! Thanks a lot for your tip!

best regards,

Sarge

Quote from: Inxsible on March 25, 2021, 03:33:07 PM

In your VPN Server configuration did you set up Unbound as your DNS server for the VPN clients? The clients connecting via VPN need to know the address of Unbound which is usually your opnsense IP.

Also, since you are only using a DNS forwarder, another option is to just use Dnsmasq instead of Unbound in Query Forwarding mode.

Hello,

Thanks for your answer. The clients should use only the DNS servers provided in the general settings. I haven't used Dnsmasq yet, but the solution from Sheldon worked like a charm!

regards,

Sarge

Quote from: Sheldon on March 25, 2021, 12:12:26 PM
Unbound DNS works for me, using OPNsense 21.1.3_3-amd64. I'll describe my setup.

I also added a firewall rule to the client's LAN interface, allowing incoming UDP:53 packets from the client's net to the LAN interface address.

In this setup, the client sends its DNS requests to the OPNsense box, so that Unbound DNS forwards the requests to the DNS server(s) configured via general system settings (like "8.8.8.8 / 8.8.4.4" in your example).

HTH

Hi,

I also added a firewall rule to the LAN (and VLAN) interface, UDP 53 IN to destination "LAN Address", and DNS resolution for the hosts that are routed through the VPN tunnel worked without problems.

In the evening, suddenly the DNS queries for some websites (amazon) stopped working for the other hosts (the ones that go directly to the internet). This is the first time I have had this kind of problem. After I set the custom DNS via DHCP it worked again. Can this issue be Unbound DNS related?

regards,

Sarge

Quote from: mr.sarge on March 26, 2021, 09:22:03 AM
In the evening, suddenly the DNS queries for some websites (amazon) stopped working for the other hosts (the ones that go directly to the internet). This is the first time I have had this kind of problem. After I set the custom DNS via DHCP it worked again. Can this issue be Unbound DNS related?

I am not that familiar with Unbound DNS, so I don't know if or how this could be related.

As far as I understand this, it shouldn't make any difference whether a client's internet access is VPN wrapped or not. The only condition should be that the firewall allows access from all involved clients to the Unbound DNS.

If I had such a problem, I would increase the log level of Unbound DNS and maybe even activate query logging. With the combination of the firewall's log and Unbound DNS's log I would try to figure out, what is going on.

Hi,

the problem with "amazon" is that the DNS query result from OPNsense differs from that of, for example, the Google DNS server (see attachment). What can be the cause of this?

regards,

Sarge

Are you asking why different nameservers provide different results for the same query?

As far as I know, at least one reason is the DNS server's location. Youtube is a good example, video streaming requires high bandwidth and you don't want to route that half around the globe, when you have a mirror server near your location.

Another reason I can think of is load balancing.

March 28, 2021, 04:50:20 PM #11 Last Edit: March 29, 2021, 08:40:02 AM by mr.sarge
Quote from: Sheldon on March 27, 2021, 10:15:27 PM
Are you asking why different nameservers provide different results for the same query?


No, I'm asking why the nameserver on OPNsense (192.168.1.254), which in my configuration forwards to Google DNS 8.8.8.8 (?), provides different results from a direct DNS query to Google DNS.

I missed something here. Are you using OPNsense only as OpenVPN client or also as OpenVPN server?

Quote from: Sheldon on March 31, 2021, 07:49:35 PM
I missed something here. Are you using OPNsense only as OpenVPN client or also as OpenVPN server?
Hi,

yes, only as OpenVPN client for some hosts (policy based routing), and of course as firewall and DHCP server.


Sent from my iPhone using Tapatalk

Do you always get the same results for www.amazon.de when you ask Google DNS directly?

Just an idea: I assume you do not get the same results from Google DNS, when you repeat your query later. Thus asking your OPNsense DNS might provide slightly different results, depending on its own cache.

Services -> Unbound DNS -> Statistics -> Total: There is a counter called "Cache hits". As far as I understand this, when you send a query to OPNsense DNS and you get a cache hit, the response can be different from what Google DNS would reply to you.
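The comparison Sarge is making in this last exchange (asking 192.168.1.254, which forwards to 8.8.8.8, versus asking 8.8.8.8 directly) can be done from a client without any tooling beyond the standard library. The following is an added example, not code from the thread, OPNsense or Unbound: it sends one A query to each resolver, parses the wire-format reply, and then applies the heuristic Sheldon describes, that the same set of addresses with a lower TTL is what a cache hit looks like, while a different set of addresses points at geo-based or load-balanced answers. The live path needs network access; the `build_response` helper only exists to produce constructed test replies (documentation addresses, made up TTLs) so the parser and the comparison can be exercised offline. 192.168.1.254 comes from the thread; www.amazon.de is the name Sheldon used.

```python
# Added example: compare A-record answers from two resolvers and flag cache effects.
import socket
import struct

QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name):
    """'www.example.net' -> b'\\x03www\\x07example\\x03net\\x00'."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid=0x1234):
    # flags 0x0100: RD=1, so a forwarding resolver asks its upstream for us.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_response(name, records, txid=0x1234):
    """Constructed test reply with one A record per (ip, ttl) pair; not a capture."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(records), 0, 0)
    msg = header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    for ip, ttl in records:
        rdata = bytes(int(o) for o in ip.split("."))
        # 0xC00C is a compression pointer back to the question name at offset 12.
        msg += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4) + rdata
    return msg


def read_name(msg, off):
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer
            hops += 1
            if hops > 16:  # refuse pointer loops in a hostile reply
                raise ValueError("too many compression pointers")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), off if end is None else end


def parse_a_records(msg):
    """Return [(name, ip, ttl), ...] for the A records in the answer section."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4  # skip QTYPE and QCLASS
    records = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            records.append((name, ".".join(str(b) for b in rdata), ttl))
    return records


def query_a(resolver, name, timeout=3.0):
    """Send one UDP query to `resolver` and parse the reply (needs network access)."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver, 53))
        data, _ = s.recvfrom(4096)
    if data[:2] != q[:2]:
        raise ValueError("transaction ID mismatch, reply discarded")
    return parse_a_records(data)


def classify(direct, forwarded):
    """Heuristic: same IPs with a smaller TTL is what a served-from-cache answer looks like."""
    d = {ip for _, ip, _ in direct}
    f = {ip for _, ip, _ in forwarded}
    if not d or not f:
        return "empty answer"
    if d == f:
        if max(t for _, _, t in forwarded) < max(t for _, _, t in direct):
            return "same records, lower TTL (cache hit)"
        return "same records"
    return "overlapping records" if d & f else "different records"


if __name__ == "__main__":
    # 192.168.1.254 is the OPNsense address from the thread; 8.8.8.8 is Google DNS.
    direct = query_a("8.8.8.8", "www.amazon.de")
    via_opnsense = query_a("192.168.1.254", "www.amazon.de")
    print(direct, via_opnsense, classify(direct, via_opnsense), sep="\n")
```

Run it twice a few seconds apart: an answer served from Unbound's cache keeps the same addresses while its TTL counts down, which is the "Cache hits" counter Sheldon points at; an answer whose address set differs from Google's is the location or load-balancing case he describes and is not a fault. Flushing one name with `unbound-control flush www.amazon.de` (if remote control is enabled on the box) and repeating the query is the quickest way to tell the two apart.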