DNS fails to resolve on internal host connected to a VPN
Topic: DNS fails to resolve on internal host connected to a VPN (Read 1960 times)
fullhavoc
Newbie
Posts: 4
Karma: 0
DNS fails to resolve on internal host connected to a VPN
« on: July 17, 2023, 05:00:44 pm »
I have Unbound DNS working internally.
The problem I am having is that when I connect to my work's AnyConnect VPN, that computer can no longer resolve DNS for local entries. My co-workers have confirmed that this is not an issue for them, so this seems specific to me and OPNSense.
I can still ping my firewall and computers on my network, however I cannot NSLOOKUP or PING by hostname any of my local devices.
❯ nslookup homeassistant
;; Got SERVFAIL reply from 10.3.245.11, trying next server (# This is fine, that's work's DNS server)
;; Got SERVFAIL reply from 10.3.245.12, trying next server (# This is fine, that's work's DNS server)
Server: 192.168.144.1 (# This is my local firewall running OPNSense, I can ping this IP while connected to AnyConnect VPN)
Address: 192.168.144.1#53
** server can't find homeassistant: NXDOMAIN (# I am getting this error regardless of whether I use the hostname or the FQDN).
On my firewall I have a floating rule for DNS:
Protocol:IPv4 UDP Source:* Port: Destination:This Firewall Port:53 (DNS) Gateway:*
I've tried a variety of things to get this working over the past week, but no matter what I try, "server can't find *hostname*: NXDOMAIN" just won't go away when connected to AnyConnect VPN.
Please let me know your thoughts and what config information I can provide to help clarify.
Thank you all ahead of time.
CJ
Hero Member
Posts: 832
Karma: 30
Re: DNS fails to resolve on internal host connected to a VPN
« Reply #1 on: July 17, 2023, 05:52:07 pm »
Your coworkers have local DNS names on their network that they can resolve? Or just that DNS works for them?
What VPN client and OS are you using? Most likely your work VPN is pushing out their own DNS server in order to do filtering and internal company lookups.
This means that the DNS queries are going over the VPN and OPNSense won't see them. You need to look at how the client and OS are configured and add your OPNSense IP as an additional DNS server.
That said, is there a reason you're doing local lookups on a work machine? Mixing work and home isn't a good idea and can cause you problems down the line.
Have Answer, Will Blog
fullhavoc
Newbie
Posts: 4
Karma: 0
Re: DNS fails to resolve on internal host connected to a VPN
« Reply #2 on: July 17, 2023, 06:07:17 pm »
My co-workers have local DNS names on their network that they can resolve.
VPN Client is: AnyConnect v4.10.05085
OS: MacOS 13.4.1
Yes, work is most certainly pushing out their own DNS, hence the 10.3.245.11 and 10.3.245.12 failures in the nslookup; however, it does then try my DNS server, 192.168.144.1, which should return a reply but instead returns an error.
❯ cat /etc/resolv.conf
search *work*.net *me*.home
nameserver 10.3.245.11
nameserver 10.3.245.12
nameserver 192.168.144.1
Since my name server is listed in my resolv.conf, I shouldn't have to add it as an additional server; macOS knows it's there and is trying to use it, based off of the nslookup error.
Is there a reason for needing my internal DNS? Yes: I use Universal Control with my Work Laptop, iPad, and Personal Laptop. This gives me extra screen real estate without needing to add additional monitors or other nonsense to my already small desk. Additionally, it allows me to enforce separation between my work/personal devices, as I can access my personal music and socials on my personal laptop, hence avoiding the need to sign in to said apps on my work laptop.
All that being said, I appreciate someone suggesting diligence in separating work/home; generally I do everything I can to abide by a similar mentality. Universal Control is an asset in that regard: since it is only sharing mouse/keyboard and clipboard, I can reduce the cross-pollination between work and home devices.
CJ
Hero Member
Posts: 832
Karma: 30
Re: DNS fails to resolve on internal host connected to a VPN
« Reply #3 on: July 18, 2023, 01:39:17 pm »
What happens if you run
Code:
nslookup homeassistant 192.168.144.1
? Same with the FQDN.
What do the OPNSense Unbound logs say? There are a bunch of things you can turn on such as logging queries, replies, failure reasons, etc. You'll want to note the changes you make as you don't want to leave them on due to the performance impact.
I've seen far too many bad things happen from people who don't understand what they're asking for so I try to provide context and guidance as I help them. Hopefully I can prevent future problems.
Have Answer, Will Blog
fullhavoc
Newbie
Posts: 4
Karma: 0
Re: DNS fails to resolve on internal host connected to a VPN
« Reply #4 on: July 18, 2023, 02:03:25 pm »
Ooo interesting:
❯ nslookup homeassistant 192.168.144.1
Server: 192.168.144.1
Address: 192.168.144.1#53
Name: homeassistant.*me*.home
Address: 192.168.144.22
❯ nslookup homeassistant.*me*.home 192.168.144.1
Server: 192.168.144.1
Address: 192.168.144.1#53
Name: homeassistant.*me*.home
Address: 192.168.144.22
I definitely don't know why that is a thing; I would assume that if my name server is listed then it should treat them all equally.
Logging is currently at its default settings, I'll turn on:
Log Queries
Log Replies
Tag Queries and Replies
Log local actions
Log SERVFAIL
❯ nslookup homeassistant
;; Got SERVFAIL reply from 10.3.245.11, trying next server
;; Got SERVFAIL reply from 10.3.245.12, trying next server
Server: 192.168.144.1
Address: 192.168.144.1#53
** server can't find homeassistant: NXDOMAIN
Logs:
2023-07-18T07:51:40-04:00 Informational unbound [21790:3] reply: 192.168.144.112 homeassistant.*me*.home. A IN NOERROR 0.000000 1 59
2023-07-18T07:51:40-04:00 Informational unbound [21790:3] info: *me*.home. transparent 192.168.144.112@51118 homeassistant.*me*.home. A IN
2023-07-18T07:51:40-04:00 Informational unbound [21790:3] query: 192.168.144.112 homeassistant.*me*.home. A IN
2023-07-18T07:51:40-04:00 Informational unbound [21790:1] reply: 192.168.144.112 homeassistant.*me*.home. A IN NOERROR 0.000000 1 59
2023-07-18T07:51:40-04:00 Informational unbound [21790:1] info: *me*.home. transparent 192.168.144.112@64916 homeassistant.*me*.home. A IN
2023-07-18T07:51:40-04:00 Informational unbound [21790:1] query: 192.168.144.112 homeassistant.*me*.home. A IN
I'm surprised to see that it's only returning Informational severity, when all severities are selected.
"I've seen far too many bad things happen from people who don't understand what they're asking for" Oh yeah, always safer to ask the question rather than assuming that they know. Best to err on the side of educational.
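The log lines in the post above are in the Unbound query/reply format that OPNsense emits once Log Queries and Log Replies are on. As an added example (not code from the thread, from OPNsense or from Unbound), here is a small parser that summarises which names actually reached Unbound and what rcode went back, which is the first thing to check when the client prints NXDOMAIN while the resolver log shows NOERROR: a name that never appears in the summary was never sent to the resolver, whatever the client-side tool reported. The sample log is constructed: its first six lines mirror the post's output with the redacted home domain written as `me.home`, and the last two are invented to show what a forwarded miss for a made-up `work.example` name would look like.

```python
"""Parse Unbound query/reply log lines (as shown by OPNsense with
"Log Queries" and "Log Replies" enabled) and summarise which names reached
the resolver and with what result.

Added example, not code from the thread or from OPNsense/Unbound. SAMPLE_LOG
is constructed: lines 1-6 mirror the thread's output with the redacted home
domain written as "me.home"; lines 7-8 are invented (work.example)."""
import re
from collections import defaultdict

# "<timestamp> <severity> unbound [<pid>:<thread>] <kind>: <payload>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<sev>\S+)\s+unbound\s+\[(?P<pid>\d+):(?P<thread>\d+)\]\s+"
    r"(?P<kind>query|reply|info):\s+(?P<payload>.*)$"
)
# query: <client> <qname> <qtype> <qclass>
QUERY_RE = re.compile(r"^(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)\s+(?P<qclass>\S+)$")
# reply: <client> <qname> <qtype> <qclass> <rcode> <seconds> <from_cache> <bytes>
REPLY_RE = re.compile(
    r"^(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)\s+(?P<qclass>\S+)\s+"
    r"(?P<rcode>\S+)\s+(?P<secs>[\d.]+)\s+(?P<cached>[01])\s+(?P<size>\d+)$"
)

SAMPLE_LOG = """\
2023-07-18T07:51:40-04:00 Informational unbound [21790:3] reply: 192.168.144.112 homeassistant.me.home. A IN NOERROR 0.000000 1 59
2023-07-18T07:51:40-04:00 Informational unbound [21790:3] info: me.home. transparent 192.168.144.112@51118 homeassistant.me.home. A IN
2023-07-18T07:51:40-04:00 Informational unbound [21790:3] query: 192.168.144.112 homeassistant.me.home. A IN
2023-07-18T07:51:40-04:00 Informational unbound [21790:1] reply: 192.168.144.112 homeassistant.me.home. A IN NOERROR 0.000000 1 59
2023-07-18T07:51:40-04:00 Informational unbound [21790:1] info: me.home. transparent 192.168.144.112@64916 homeassistant.me.home. A IN
2023-07-18T07:51:40-04:00 Informational unbound [21790:1] query: 192.168.144.112 homeassistant.me.home. A IN
2023-07-18T07:51:41-04:00 Informational unbound [21790:2] reply: 192.168.144.112 homeassistant.work.example. A IN NXDOMAIN 0.031417 0 101
2023-07-18T07:51:41-04:00 Informational unbound [21790:2] query: 192.168.144.112 homeassistant.work.example. A IN
"""


def parse_unbound_log(text):
    """Return one dict per query/reply line; 'info' lines are skipped."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m["kind"] == "info":
            continue
        sub = (QUERY_RE if m["kind"] == "query" else REPLY_RE).match(m["payload"])
        if not sub:
            continue  # unexpected payload layout; ignore the line
        rec = {"ts": m["ts"], "thread": m["thread"], "kind": m["kind"]}
        rec.update(sub.groupdict())
        records.append(rec)
    return records


def summarize(records):
    """Per (client, qname, qtype): number of queries seen and the rcodes sent
    back. A name absent from this summary never reached Unbound at all."""
    summary = defaultdict(lambda: {"queries": 0, "rcodes": []})
    for rec in records:
        key = (rec["client"], rec["qname"], rec["qtype"])
        if rec["kind"] == "query":
            summary[key]["queries"] += 1
        else:
            summary[key]["rcodes"].append(rec["rcode"])
    return dict(summary)


def names_seen(records):
    """Sorted list of every qname that appeared in a query or reply line."""
    return sorted({rec["qname"] for rec in records})


if __name__ == "__main__":
    for key, stats in summarize(parse_unbound_log(SAMPLE_LOG)).items():
        print(key, stats)
```

Feed it the exported Unbound log instead of SAMPLE_LOG and compare `names_seen()` against the name the client was asked for: in the post above, only the fully qualified `homeassistant.*me*.home.` shows up, both times answered NOERROR from cache, so the bare-name NXDOMAIN that nslookup printed was not produced by a query Unbound logged for that name.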
CJ
Hero Member
Posts: 832
Karma: 30
Re: DNS fails to resolve on internal host connected to a VPN
« Reply #5 on: July 18, 2023, 02:11:23 pm »
You don't need to select multiple levels. Just pick Debug and it will automatically show everything.
What shows in the logs when you do a FQDN?
What does
Code:
scutil --dns | grep 'nameserver'
show?
Have Answer, Will Blog
fullhavoc
Newbie
Posts: 4
Karma: 0
Re: DNS fails to resolve on internal host connected to a VPN
« Reply #6 on: July 18, 2023, 02:25:51 pm »
❯ nslookup homeassistant.*me*.home
Server: 10.3.245.11
Address: 10.3.245.11#53
** server can't find homeassistant.*me*.home: NXDOMAIN
❯ nslookup homeassistant.*me*.home 192.168.144.1
Server: 192.168.144.1
Address: 192.168.144.1#53
Name: homeassistant.*me*.home
Address: 192.168.144.22
2023-07-18T08:22:49-04:00 Informational unbound [68854:5] reply: 192.168.144.112 homeassistant.*me*.home. A IN NOERROR 0.000000 1 59
2023-07-18T08:22:49-04:00 Informational unbound [68854:5] info: *me*.home. transparent 192.168.144.112@61504 homeassistant.*me*.home. A IN
2023-07-18T08:22:49-04:00 Informational unbound [68854:5] query: 192.168.144.112 homeassistant.*me*.home. A IN
❯ scutil --dns | grep '*me*.home'
search domain[1] : *me*.home
search domain[0] : *me*.home
search domain[0] : *me*.home
search domain[1] : *me*.home
❯ scutil --dns | grep '192.168.144.1'
nameserver[2] : 192.168.144.1
nameserver[0] : 192.168.144.1
nameserver[2] : 192.168.144.1
nameserver[0] : 192.168.144.1
nameserver[0] : 192.168.144.1
nameserver[2] : 192.168.144.1
CJ
Hero Member
Posts: 832
Karma: 30
Re: DNS fails to resolve on internal host connected to a VPN
« Reply #7 on: July 19, 2023, 03:23:10 pm »
The nameserver piece was just to get the nameserver lines, not your IP.
I think your problem may be mac related. Here's something I stumbled across that seems related to the issue you're having.
https://rakhesh.com/powershell/vpn-client-over-riding-dns-on-macos/
Apparently, macs do weird things with DNS so nslookup and dig aren't good testing tools. Hopefully that link will help you get things working.
Have Answer, Will Blog
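Replies #5 to #7 turn on how macOS chooses nameservers and why nslookup is a poor test of it. The following is an added example, not code from the thread, from OPNsense or from Apple: a parser for `scutil --dns` output (the duplicate lines in the reply #6 grep come from the separate "for scoped queries" section, which the parser tags) and a simplified model of the resolv.conf-style nameserver walk that reproduces the reply #6 result, where the first VPN server's NXDOMAIN for the FQDN ends the lookup before 192.168.144.1 is ever asked. Everything in it is constructed: SAMPLE_SCUTIL only resembles the thread's setup, `me.home` and `work.example` stand in for the redacted domains, resolver #2 (a supplemental resolver for me.home) is hypothetical and not something the thread shows, and `ask()` returns made-up answers that mirror only the rcodes the thread printed.

```python
"""Parser for `scutil --dns` output plus a simplified model of how a
resolv.conf-style stub resolver (what nslookup and dig use) walks a
nameserver list. Added example, not code from the thread. SAMPLE_SCUTIL is
constructed; resolver #2 (a supplemental resolver for me.home) is
hypothetical; ask() returns made-up answers mirroring the thread's rcodes."""
from dataclasses import dataclass, field
from typing import Optional

SAMPLE_SCUTIL = """\
DNS configuration
resolver #1
  search domain[0] : work.example
  search domain[1] : me.home
  nameserver[0] : 10.3.245.11
  nameserver[1] : 10.3.245.12
  nameserver[2] : 192.168.144.1
  flags    : Request A records

resolver #2
  domain   : me.home
  nameserver[0] : 192.168.144.1
DNS configuration (for scoped queries)
resolver #1
  search domain[0] : me.home
  nameserver[0] : 192.168.144.1
"""

@dataclass
class Resolver:
    nameservers: list = field(default_factory=list)
    search: list = field(default_factory=list)
    domain: Optional[str] = None   # set only on supplemental resolvers
    scoped: bool = False           # listed under "for scoped queries"

def parse_scutil_dns(text):
    """Turn `scutil --dns` output into Resolver objects, in listed order."""
    resolvers, current, scoped = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("DNS configuration"):
            scoped = "scoped" in line
        elif line.startswith("resolver #"):
            current = Resolver(scoped=scoped)
            resolvers.append(current)
        elif current is not None and " : " in line:
            key, value = (p.strip() for p in line.split(" : ", 1))
            if key.startswith("nameserver["):
                current.nameservers.append(value)
            elif key.startswith("search domain["):
                current.search.append(value)
            elif key == "domain":
                current.domain = value
    return resolvers

def ask(server, qname):
    """Constructed answers: the VPN's 10.3.245.x servers cannot see the home
    zone (NXDOMAIN for me.home names, SERVFAIL otherwise); the home Unbound
    at 192.168.144.1 knows only homeassistant.me.home."""
    if server.startswith("10.3.245."):
        return ("NXDOMAIN", None) if qname.endswith(".me.home") else ("SERVFAIL", None)
    return ("NOERROR", "192.168.144.22") if qname == "homeassistant.me.home" else ("NXDOMAIN", None)

def walk(qname, nameservers):
    """resolv.conf-style server walk: SERVFAIL moves on to the next server,
    but NXDOMAIN is a final answer, so later servers are never consulted."""
    trace = []
    for server in nameservers:
        rcode, addr = ask(server, qname)
        trace.append((qname, server, rcode))
        if rcode == "NOERROR":
            return addr, trace
        if rcode == "NXDOMAIN":
            break
    return None, trace

def pick_resolver(qname, resolvers, default):
    """Simplified macOS rule: longest matching unscoped supplemental domain wins."""
    best = default
    for r in resolvers:
        if r.scoped or r.domain is None:
            continue
        if qname == r.domain or qname.endswith("." + r.domain):
            if best.domain is None or len(r.domain) > len(best.domain):
                best = r
    return best

def lookup(name, resolvers, route=False):
    """route=False: nslookup/dig with resolv.conf (every candidate goes to the
    default server list). route=True: simplified system resolver, per candidate."""
    default = next(r for r in resolvers if not r.scoped and r.domain is None)
    candidates = [name] if "." in name else [f"{name}.{d}" for d in default.search]
    trace = []
    for qname in candidates:
        target = pick_resolver(qname, resolvers, default) if route else default
        addr, steps = walk(qname, target.nameservers)
        trace += steps
        if addr:
            return addr, trace
    return None, trace
```

`lookup("homeassistant.me.home", resolvers)` returns no address with a one-entry trace, exactly the reply #6 picture: 10.3.245.11 answers NXDOMAIN and the walk stops, so listing 192.168.144.1 third in resolv.conf never helps for that name. `walk("homeassistant.me.home", ["192.168.144.1"])` is the `nslookup ... 192.168.144.1` case and succeeds. With `route=True` the hypothetical supplemental resolver sends the `me.home` candidate straight to 192.168.144.1, which is the behaviour a domain-scoped entry would give and which the thread's output does not show the poster's Mac doing.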