OPNsense Forum » Archive » 16.7 Legacy Series » DNS override with source IP "hides" DNS server from LAN
Topic: DNS override with source IP "hides" DNS server from LAN (Read 5547 times)
8191
« on: August 15, 2016, 01:37:04 pm »
Hey,
I've discovered a weird problem with the DNS forwarder's override feature, when using the "Source IP" field for the override definition: OPNsense adds a static route for the DNS server configured in the override using the "Source IP" as a gateway (i.e. itself). This now allows the DNS forwarder to reach the DNS server using the "Source IP", but also has a weird implication for all other hosts behind the OPNsense trying to reach the DNS server: they believe the DNS server is in the same subnet as themselves, since OPNsense is sending an ICMP redirect triggered by the static route.
I think an example shows more than all the explanation:
LAN IP: 10.2.0.1/16 (re0)
IPsec tunnel to: 10.1.0.0/16 (via re2, WAN)
DNS override of dnsmasq: 10.1.1.1@10.2.0.1 (=Source IP: 10.2.0.1)
Route added by OPNsense: 10.1.1.1 255.255.255.255 via 10.2.0.1 re0
Host 10.2.1.8/16 wants to reach 10.1.1.1: sends IP packet to OPNsense 10.2.0.1 (IP dest=10.1.1.1, 10.2.0.1 is def. gw.); OPNsense responds with ICMP redirect to re0; 10.2.1.8 sends ARP request for 10.1.1.0 to its subnet (10.2.0.0/16), which obviously never gets answered.
BR
Manuel
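The following is an added example, not part of the original post and not OPNsense code: a small Python model of the routing table described above that flags host routes pointing at one of the firewall's own addresses and shows which LAN-side flows would draw an ICMP redirect. The redirect rule is a simplification (packet forwarded back out its ingress interface, sender on that subnet); the re2 address and default gateway are constructed placeholders.

```python
import ipaddress

# Constructed from the values in the post; re2's address and the default
# gateway are placeholders (documentation range), not from the post.
INTERFACES = {
    "re0": ipaddress.ip_interface("10.2.0.1/16"),    # LAN
    "re2": ipaddress.ip_interface("192.0.2.2/24"),   # WAN (placeholder)
}
ROUTES = [  # (destination, gateway, egress interface)
    ("10.1.1.1/32", "10.2.0.1", "re0"),   # route added for the override's Source IP
    ("0.0.0.0/0", "192.0.2.1", "re2"),    # default route (placeholder gateway)
]

def lookup(dst, routes):
    """Longest-prefix match; returns (network, gateway, ifname) or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw, ifname in routes:
        net = ipaddress.ip_network(net)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ipaddress.ip_address(gw), ifname)
    return best

def redirect_expected(src, dst, in_if, interfaces, routes):
    """Simplified model: a redirect is sent when the packet would leave on the
    interface it arrived on and the sender sits on that interface's subnet."""
    route = lookup(dst, routes)
    if route is None:
        return False
    out_if = route[2]
    return out_if == in_if and ipaddress.ip_address(src) in interfaces[in_if].network

def self_gateway_routes(interfaces, routes):
    """Routes whose gateway is one of the firewall's own addresses while the
    destination lies outside that interface's subnet."""
    own = {iface.ip: name for name, iface in interfaces.items()}
    hits = []
    for net, gw, ifname in routes:
        gw_ip = ipaddress.ip_address(gw)
        if gw_ip in own and not ipaddress.ip_network(net).subnet_of(
                interfaces[own[gw_ip]].network):
            hits.append((net, gw, ifname))
    return hits

if __name__ == "__main__":
    print("self-gateway routes:", self_gateway_routes(INTERFACES, ROUTES))
    for dst in ("10.1.1.1", "10.1.1.2"):
        print(dst, "redirect:", redirect_expected("10.2.1.8", dst, "re0", INTERFACES, ROUTES))
```

In this model only 10.1.1.1 is affected: a neighbouring address such as 10.1.1.2 still matches the default route out of re2, so the rest of the remote network does not draw a redirect.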