OPNsense FWs Connected via S2S VPN

Started by spetrillo, August 09, 2023, 08:22:50 PM

I am managing two OPNsense firewalls that are connected via a WireGuard S2S setup. Each firewall is part of its own private domain. How can I exchange DNS information between the firewalls, so I can resolve a FQDN at site B from site A?

Unbound query forwarding. At site A, forward queries for domain B to DNS server B. At site B, forward queries for domain A to DNS server A.

Cheers
Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

Thanks for confirming Query Forwarding is the place. I thought so but wanted confirmation.

OK, so I had the right query forwarding in place, but I cannot resolve a site B FQDN from site A. The DNS server in my DHCP points to the Unbound DNS server on the OPNsense firewall. Is there anything I can look at in Unbound to see if it's resolving the query or passing it on?

I'd first test whether you can actually access DNS server B from site A. At site A, go to Interfaces: Diagnostics: DNS Lookup and enter a site B FQDN and DNS server IP address.

Strange... DNS Lookup gets nothing, but if I ping the DNS server at site B (10.0.1.1) it responds to my firewall at site A (192.168.1.1).

This is really confusing to me...

Maybe Unbound ACLs are enabled?

No ACLs in place and default action is to allow.

Under Unbound/Advanced there is a config option for private domains, so I filled it in on both firewalls. Site A has its own domain listed first and then site B's domain name; at site B it's reversed.

No need to manually add private domains, query forwarding automatically does this.

So still no joy?

No joy in Mudville!

So another question. Site B's firewall is actually behind an ISP router. Do I need to port forward 53 on the ISP router, like I did with the port for the WG connection?

No! You want to tunnel DNS through WireGuard, why would you open port 53 to the world?

Running out of ideas. Unbound network interfaces are set to 'All (recommended)'?

I didn't mean on the ISP router. Should I forward port 53 across the WG interface in OPNsense?

Quote from: spetrillo on August 11, 2023, 02:33:32 PM
Do I need to port forward 53 on the ISP router [...]?
Quote from: spetrillo on August 11, 2023, 03:31:44 PM
I didn't mean on the ISP router.

Okay then.

Quote from: spetrillo on August 11, 2023, 03:31:44 PM
Should I forward port 53 across the WG interface in OPNsense?

Sorry, I have no idea what you mean.

You have started a bunch of threads about setting up WireGuard, none of which are marked as solved. Which implies your tunnel might not yet be properly set up, tested and fully working. Before you dive into the upper layers (like DNS), you should make sure the foundation is solid.

Last post, good luck.

As mentioned, the S2S connection is stable and I can pass IP traffic back and forth. What does not seem to work is the DNS aspect of this, even with the forwarder in place on both sides. DNS Lookup on OPNsense seems to indicate a network error, so that's why I asked about port forwarding 53 through the WG interface in OPNsense.

Anyway, thank you for your time... onwards and upwards to a solution.