DNS forwarding issue

Started by kozistan, February 18, 2025, 08:54:17 PM

Hello,

I'm having an issue with my internal DNS running on Samba AD, which is in a different segment than the queried DNS servers.

nslookup nic.cz
;; reply from unexpected source: 10.10.0.11#53, expected 10.10.0.12#53
;; reply from unexpected source: 10.10.0.11#53, expected 10.10.0.13#53
Server: 10.10.0.11
Address: 10.10.0.11#53

I have configured port forwarding in OPNsense according to this guide, but instead of querying 127.0.0.1, I use a host alias "DNS-Services" that includes my internal Samba DNS servers (10.10.0.11, 10.10.0.12, 10.10.0.13).

Port Forwarding Settings:
   •   Interface: vlan0.10
   •   Protocol: TCP/UDP
   •   Destination / Invert: Checked
   •   Destination: vlan0.10 net
   •   Destination Port: DNS
   •   Redirect target IP: DNS-Services
   •   Redirect target port: DNS
   •   NAT reflection: Disabled

I tested bypassing OPNsense and configured L3 on the switch, and everything started working. This makes me confident that the issue is on the firewall.

Could you point me in the right direction and help me identify where I'm making a mistake?

Quote from: kozistan on February 18, 2025, 08:54:17 PM
I use a host alias "DNS-Services" that includes my internal Samba DNS servers (10.10.0.11, 10.10.0.12, 10.10.0.13).
Is the alias of the type "hosts"?

Quote from: kozistan on February 18, 2025, 08:54:17 PM
Interface: vlan0.10
Is this the correct interface? The one the clients are connected to?

Quote from: kozistan on February 18, 2025, 08:54:17 PM
Redirect target IP: DNS-Services
Did you try to explicitly set the pool options to "round robin"?

February 19, 2025, 07:58:26 AM #2 Last Edit: February 19, 2025, 08:34:56 AM by kozistan
Hi, and thanks for the reply.

Quote:
Is the alias of the type "hosts"?
Yes it is

Quote:
Is this the correct interface? The one the clients are connected to?
This is also correct; the iface has a static IP and Kea is serving DHCP on that segment.

Quote:
Did you try to explicitly set the pool options to "round robin"?
Yes, round robin with sticky address, and also the default option, which, based on the docs, is "round robin".

--

It would also be good to mention that once my DNS server iface is tagged at the Proxmox level, it is working.
Once I tag the segment within the KVM, it acts as described: reply from unexpected source.
Proxmox's Open vSwitch is set as simple L2, so OPNsense is the only one doing L3 routing.

Quote:
I tested bypassing OPNsense and configured L3 on the switch, and everything started working
Whatever level I tag the iface at, this is working.

Quote from: kozistan on February 19, 2025, 07:58:26 AM
It would also be good to mention that once my DNS server iface is tagged at the Proxmox level, it is working.
Once I tag the segment within the KVM
Can you describe this more clearly, please?

Quote from: kozistan on February 19, 2025, 07:58:26 AM
It's acting as described: reply from unexpected source.

This might indicate an asymmetric routing issue.

Run a packet capture on the client-side interface and sniff the DNS traffic to see what's really going on.
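As an added illustration of the packet-capture step suggested above (this is not code from the thread or from OPNsense), the following Python script pairs DNS queries with their responses in a `tcpdump -n` style one-line summary and flags every response that comes back from a server other than the one the client sent to, which is exactly the condition the resolver reports as "reply from unexpected source". The capture lines embedded below are constructed using the addresses from this thread; the function and field names are my own assumptions, not anything from the page.

```python
"""Audit a DNS packet-capture summary for replies from an unexpected source.

A resolver discards a response whose source address differs from the
address it sent the query to. When a NAT redirect hands the query to a
pool member and the reply comes straight back from that member (instead of
being translated back on the return path), the client sees exactly that.
This script pairs queries and responses by (client IP, client port, DNS
transaction id) and reports the mismatches.
"""
import re
import sys
from dataclasses import dataclass

DNS_PORT = 53

# Matches the start of a `tcpdump -n` line: timestamp, "IP", src.port > dst.port: txid
# Only the address, port and transaction-id fields are used; the rest is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+IP\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s+(?P<txid>\d+)"
)

# Constructed sample capture (not from the thread): the client queries .12
# and .13, but the replies arrive from .11; one reply has no matching query.
SAMPLE_CAPTURE = """\
20:54:17.000101 IP 10.10.10.50.51234 > 10.10.0.12.53: 4711+ A? nic.cz. (24)
20:54:17.000742 IP 10.10.0.11.53 > 10.10.10.50.51234: 4711 1/0/0 A 203.0.113.10 (40)
20:54:17.001101 IP 10.10.10.50.51235 > 10.10.0.13.53: 4712+ A? nic.cz. (24)
20:54:17.001802 IP 10.10.0.11.53 > 10.10.10.50.51235: 4712 1/0/0 A 203.0.113.10 (40)
20:54:18.100001 IP 10.10.10.50.51236 > 10.10.0.11.53: 4713+ A? nic.cz. (24)
20:54:18.100650 IP 10.10.0.11.53 > 10.10.10.50.51236: 4713 1/0/0 A 203.0.113.10 (40)
20:54:19.000001 IP 10.10.0.12.53 > 10.10.10.50.51299: 9999 1/0/0 A 203.0.113.10 (40)
"""


@dataclass(frozen=True)
class DnsPacket:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    txid: int

    @property
    def is_query(self) -> bool:
        # Queries go to port 53; responses come from it.
        return self.dport == DNS_PORT


def parse_line(line: str):
    """Return a DnsPacket for a tcpdump DNS summary line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return DnsPacket(m["ts"], m["src"], int(m["sport"]),
                     m["dst"], int(m["dport"]), int(m["txid"]))


def audit_capture(text: str) -> dict:
    """Pair each response with the query it answers and classify it.

    Returns {"ok": [...], "mismatched": [...], "orphan": [...]}: "ok" and
    "mismatched" hold (txid, queried_server, answering_server) tuples,
    "orphan" holds (txid, answering_server) for responses with no query.
    """
    pending = {}  # (client_ip, client_port, txid) -> server the client sent to
    result = {"ok": [], "mismatched": [], "orphan": []}
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        if pkt.is_query:
            pending[(pkt.src, pkt.sport, pkt.txid)] = pkt.dst
            continue
        queried = pending.pop((pkt.dst, pkt.dport, pkt.txid), None)
        if queried is None:
            result["orphan"].append((pkt.txid, pkt.src))
        elif queried == pkt.src:
            result["ok"].append((pkt.txid, queried, pkt.src))
        else:
            result["mismatched"].append((pkt.txid, queried, pkt.src))
    return result


if __name__ == "__main__":
    # Read a capture from stdin when piped; otherwise run on the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CAPTURE
    report = audit_capture(text)
    for txid, expected, got in report["mismatched"]:
        print(f"txid {txid}: sent to {expected}, reply from {got}  <- client will discard it")
    for txid, got in report["orphan"]:
        print(f"txid {txid}: reply from {got} with no matching query")
    print(f"{len(report['ok'])} ok, {len(report['mismatched'])} mismatched, "
          f"{len(report['orphan'])} orphan")
```

Feed it the output of `tcpdump -n -i <client-facing interface> udp port 53` taken on the firewall. If the "mismatched" entries show the client addressing one pool member and a different pool member answering, the redirect changed the destination on the way out but the reply did not pass back through the same translation, which is the asymmetric return path suggested above.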

February 19, 2025, 11:27:11 AM #4 Last Edit: February 19, 2025, 11:31:08 AM by kozistan
Quote:
Can you describe this more clearly, please?

Certainly. There are at least two ways to assign a segment tag to an interface: either directly on the interface in the virtualizer, or by using a bridge and tagging the segment directly in the KVM.

Proxmox level:
/etc/pve/nodes/pve/qemu-server/XXXXX.conf
net0: virtio=XX:XX:XX:XX:XX:XX,bridge=vmbr0,tag=10

dc01 ~
> # nmcli connection show
NAME    UUID                                  TYPE      DEVICE
enp6sXX  XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX  ethernet  enp6sXX

KVM level:
/etc/pve/nodes/pve/qemu-server/XXXXX.conf
net0: virtio=XX:XX:XX:XX:XX:XX,bridge=vmbr0
> # nmcli connection add type vlan con-name vlan0.10 ifname vlan0.10 dev enp6sXX id 10

> # nmcli device status
DEVICE      TYPE      STATE                  CONNECTION
vlan0.10    vlan      connected              vlan0.10

> # nmcli connection show
NAME        UUID                                  TYPE      DEVICE
vlan0.10    XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX  vlan      vlan0.10

Quote:
This might indicate an asymmetric routing issue.

Run a packet capture on the client-side interface and sniff the DNS traffic to see what's really going on.
Will try later today

I don't know the "KVM level". Never used it.

Another option is to let OPNsense itself tag the packets and remove the VLAN settings from the virtual interface.
But in all cases you have to enable "VLAN awareness" on the Proxmox bridge.

Same thing, being called different ways. From reading the thread "there are at least two ways to assign a segment tag to an interface. Either directly on the interface in the virtualizer or by using a bridge and tagging the segment directly in KVM."

- directly on the interface in the virtualizer = let OPNsense itself tag the packets and remove the VLAN settings from the virtual interface

and of course the expected "opposite":

- "KVM level" = VLAN tagging by the hypervisor (KVM in this case) and OPN blissfully unaware

What's a segment tag?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote:
What's a segment tag?
VLAN, network segmentation

Quote from: cookiemonster on February 19, 2025, 04:51:14 PM
Same thing, being called different ways. From reading the thread "there are at least two ways to assign a segment tag to an interface. Either directly on the interface in the virtualizer or by using a bridge and tagging the segment directly in KVM."

- directly on the interface in the virtualizer = let OPNsense itself tag the packets and remove the VLAN settings from the virtual interface

and of course the expected "opposite":

- "KVM level" = VLAN tagging by the hypervisor (KVM in this case) and OPN blissfully unaware

This was just an answer for @viragomann; I didn't want to get much into it. This does not have anything to do with my issue, because the firewall can see the VLAN and is accessible; I just wanted to be clear about the whole setup. Anyway, my problem is still ongoing and I have no idea what I'm doing wrong.

Thought as much: the OP is referring to a VLAN network segment (tagged).

Quote from: kozistan on February 19, 2025, 05:39:14 PM
Quote from: cookiemonster on February 19, 2025, 04:51:14 PM
Same thing, being called different ways. From reading the thread "there are at least two ways to assign a segment tag to an interface. Either directly on the interface in the virtualizer or by using a bridge and tagging the segment directly in KVM."

- directly on the interface in the virtualizer = let OPNsense itself tag the packets and remove the VLAN settings from the virtual interface

and of course the expected "opposite":

- "KVM level" = VLAN tagging by the hypervisor (KVM in this case) and OPN blissfully unaware

This was just an answer for @viragomann; I didn't want to get much into it. This does not have anything to do with my issue, because the firewall can see the VLAN and is accessible; I just wanted to be clear about the whole setup. Anyway, my problem is still ongoing and I have no idea what I'm doing wrong.

And I get that. Problem was that your terminology was throwing people off. This (intended to help by the way) was to standardise language so you get the help faster, not to suggest that you don't know what the terms mean. You were just using different ones that people weren't necessarily expecting.

Sorry about that, I just wanted to be as clear as possible, and... At least now we know.