  • OPNsense Forum »
  • Archive »
  • 16.7 Legacy Series »
  • DNS override with source IP "hides" DNS server from LAN
Author Topic: DNS override with source IP "hides" DNS server from LAN  (Read 3205 times)

8191

  • Jr. Member
  • Posts: 80
  • Karma: 4
DNS override with source IP "hides" DNS server from LAN
« on: August 15, 2016, 01:37:04 pm »
Hey,

I've discovered a weird problem with the DNS forwarder's override feature when using the "Source IP" field for the override definition: OPNsense adds a static route for the DNS server configured in the override, using the "Source IP" as the gateway (i.e. itself). This allows the DNS forwarder to reach the DNS server using the "Source IP", but it also has a weird implication for all other hosts behind the OPNsense trying to reach the DNS server: they believe the DNS server is in the same subnet as themselves, since OPNsense sends an ICMP redirect triggered by the static route.

I think an example shows more than all the explanation:

LAN IP: 10.2.0.1/16 (re0)
IPsec tunnel to: 10.1.0.0/16 (via re2, WAN)
DNS override of dnsmasq: 10.1.1.1@10.2.0.1 (=Source IP: 10.2.0.1)
Route added by OPNsense: 10.1.1.1 255.255.255.255 via 10.2.0.1 re0

Host 10.2.1.8/16 wants to reach 10.1.1.1: it sends the IP packet to OPNsense 10.2.0.1 (IP dst = 10.1.1.1; 10.2.0.1 is the default gateway); OPNsense responds with an ICMP redirect out re0; 10.2.1.8 then sends an ARP request for 10.1.1.0 to its own subnet (10.2.0.0/16), which obviously never gets answered.

BR
Manuel
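An added illustration of the mechanism Manuel describes, not part of the original post and not OPNsense or FreeBSD code: a small model of the redirect test a FreeBSD router applies in ip_forward() (send an ICMP host redirect when a packet would leave on the interface it arrived on, the matching route is not the default, and the sender sits on that interface's subnet), run against the routing table from the post, plus a check that flags routes of that shape in `netstat -rn` output. The LAN address, interface names and 10.x addresses come from the post; the WAN address 198.51.100.2, the default gateway 198.51.100.1, the host route being modelled as directly connected (which is what the ARP behaviour in the post implies) and the sample netstat text are assumptions made for the example.

```python
# Added example (not OPNsense or forum code): a model of the ICMP-redirect
# decision in FreeBSD's ip_forward(), applied to the routing table from the
# post, and a check for "gateway is one of my own addresses" routes in
# `netstat -rn` output. 198.51.100.x addresses and SAMPLE_NETSTAT are
# constructed placeholders; the post does not give them.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass(frozen=True)
class Iface:
    name: str
    addr: IPv4Address
    net: IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    gateway: Optional[IPv4Address]  # None = directly connected (no RTF_GATEWAY)
    ifname: str
    is_default: bool = False


# Router interfaces: re0/10.2.0.1 is the LAN from the post; re2 is the WAN
# with an assumed address.
IFACES = {
    "re0": Iface("re0", IPv4Address("10.2.0.1"), IPv4Network("10.2.0.0/16")),
    "re2": Iface("re2", IPv4Address("198.51.100.2"), IPv4Network("198.51.100.0/24")),
}

# Assumed default route out the WAN. The IPsec policy for 10.1.0.0/16
# captures traffic before it leaves re2, so no kernel route is needed for it.
DEFAULT = Route(IPv4Network("0.0.0.0/0"), IPv4Address("198.51.100.1"), "re2", is_default=True)

# The route the post says the override adds: 10.1.1.1/32 "via 10.2.0.1" on
# re0. Since 10.2.0.1 is the router's own address, the kernel treats this as
# an interface (directly connected) route, hence gateway=None (assumption).
OVERRIDE_ROUTE = Route(IPv4Network("10.1.1.1/32"), None, "re0")


def lookup(table, dst):
    """Longest-prefix match over a list of Route objects."""
    best = None
    for r in table:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def forward(table, in_if, src, dst, ipsendredirects=True):
    """Mirror the redirect test in ip_forward(). ipsendredirects stands in
    for the net.inet.ip.redirect sysctl; routes learned from redirects
    (RTF_DYNAMIC/RTF_MODIFIED) and source-routed packets are not modelled."""
    rt = lookup(table, dst)
    if rt is None:
        return {"action": "unreachable"}
    out = IFACES[rt.ifname]
    if ipsendredirects and rt.ifname == in_if and not rt.is_default and src in out.net:
        # RFC 1812 routers only send host redirects (ICMP type 5, code 1).
        # For a directly connected route the advertised next hop is the
        # destination itself, which is why the LAN host then ARPs for it.
        target = rt.gateway if rt.gateway is not None else dst
        return {"action": "redirect", "to": str(target), "via": rt.ifname}
    return {"action": "forward", "via": rt.ifname}


def lan_host_to_dns(table, ipsendredirects=True):
    """The packet from the post: 10.2.1.8 on re0 sends to 10.1.1.1."""
    return forward(table, "re0", IPv4Address("10.2.1.8"), IPv4Address("10.1.1.1"), ipsendredirects)


def self_gateway_routes(netstat_rn, local_addrs):
    """Flag `netstat -rn` entries whose gateway is one of the router's own
    addresses on a non-loopback interface: the shape the override creates."""
    flagged = []
    for line in netstat_rn.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] == "Destination":
            continue
        dest, gw, _flags, netif = cols[:4]
        if gw in local_addrs and netif != "lo0":
            flagged.append((dest, gw, netif))
    return flagged


# Constructed sample of what `netstat -rn` might show with the override active.
SAMPLE_NETSTAT = """\
Destination        Gateway            Flags     Netif Expire
default            198.51.100.1       UGS         re2
10.1.1.1           10.2.0.1           UGHS        re0
10.2.0.0/16        link#1             U           re0
10.2.0.1           link#1             UHS         lo0
"""

if __name__ == "__main__":
    print(lan_host_to_dns([DEFAULT, OVERRIDE_ROUTE]))                         # redirect to 10.1.1.1
    print(lan_host_to_dns([DEFAULT]))                                         # forward via re2
    print(lan_host_to_dns([DEFAULT, OVERRIDE_ROUTE], ipsendredirects=False))  # forward via re0 (still wrong)
    print(self_gateway_routes(SAMPLE_NETSTAT, {"10.2.0.1", "198.51.100.2"}))
```

Note what the third call shows: turning off net.inet.ip.redirect only silences the redirect; the LAN host's packet is then forwarded back out re0 and still never reaches the tunnel, so the route itself is the problem, not just the redirect.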

OPNsense is an OSS project © Deciso B.V. 2015 - 2023 All rights reserved