Posted: Thu Sep 02, 2021 14:41 Post subject: [SOLVED] Can't use DNS server that is behind VPN connection
What I'm trying to do:
We purchased a new building and we need to get it connected to our main building's internal network. I have a SOPHOS UTM9 box that has a VPN server running on it and the goal is to use a router that has a VPN client and use that to bridge the new building's network into the main building.
Setup:
We purchased a Netgear AC1900 router (R7000) and I flashed it with DD-WRT v3.0-r47282 std (08/30/21). I configured the OpenVPN client using
Those were the only changes I made to the stock settings. I am also using the stock DHCP settings. I don't know if those need to be changed to get DNS to work.
Issue:
I can connect to our VPN server, and I can ping IP addresses, but I cannot ping domain names that are behind the VPN connection. I don't get any DNS resolution for our internal network. I did notice in the logs that it does have dhcp-option DNS 10.1.1.6 and dhcp-option DNS 10.1.1.8 being pushed to the VPN client, which are our internal DNS servers.
Last edited by nathanoliver60097 on Thu Sep 02, 2021 18:20; edited 1 time in total
If you have DNS rebind protection enabled on the dd-wrt router (which I believe is the default), and your DNS server returns private IPs (which is usually the case), then DNSMasq on the dd-wrt router will NOT return those private IPs when you query that DNS server. It's intended to prevent rebind attacks.
Under Services->DNSMasq, try setting "No DNS Rebind" to disable and see if it helps.
Of course, it's better if this is enabled if you intend to access resources on the internet. In that case, you could leave it enabled, and instead add the following directive to Additional DNSMasq Options to allow the return of private IPs only for your workplace domain name.
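To make the behaviour described above concrete, here is a small Python model of the forwarder's rebind decision. It is an added example, not part of this thread and not dnsmasq's code: the list of "private" ranges, the log wording and the choice to reject the whole reply are assumptions of the model, and the host address 10.1.1.50 and the public address 203.0.113.10 are constructed. The DNS server addresses 10.1.1.6/10.1.1.8 and the domain fabrikind.com are the ones from the thread.

```python
import ipaddress

# Ranges treated as "private" for the rebind check. This is an approximation
# of what stop-dns-rebind refuses from upstream (RFC 1918 plus loopback,
# link-local and unspecified); it is an assumption of this model.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8", "0.0.0.0/8",
    "fc00::/7", "fe80::/10", "::1/128",
)]


def is_private(addr: str) -> bool:
    """True if the address falls in one of PRIVATE_RANGES."""
    ip = ipaddress.ip_address(addr)
    # Membership is False across IPv4/IPv6, so mixed lists are safe here.
    return any(ip in net for net in PRIVATE_RANGES)


def domain_allowed(name: str, rebind_domain_ok) -> bool:
    """True if `name` is, or is under, a domain listed in rebind-domain-ok.

    Accepts both the bare form 'fabrikind.com' and the slash-delimited
    form '/a.com/b.com/' that the dnsmasq option also takes."""
    name = name.rstrip(".").lower()
    for entry in rebind_domain_ok:
        for dom in entry.strip("/").split("/"):
            dom = dom.rstrip(".").lower()
            if dom and (name == dom or name.endswith("." + dom)):
                return True
    return False


def filter_reply(name, answers, stop_dns_rebind=True, rebind_domain_ok=()):
    """Model of the forwarder's decision for one upstream reply.

    Returns (answers_passed_to_client, log_lines). The first element is None
    when the reply is rejected as a possible rebind, which the LAN client
    experiences as "the name does not resolve" even though the upstream
    server answered."""
    if not stop_dns_rebind or domain_allowed(name, rebind_domain_ok):
        return list(answers), []
    for addr in answers:
        if is_private(addr):
            # Assumed log wording; the whole reply is withheld, not just
            # the private record.
            return None, [f"possible DNS-rebind attack detected: {name}"]
    return list(answers), []


def thread_scenarios():
    """The cases discussed in the thread, using constructed host addresses."""
    internal = ["10.1.1.50"]    # constructed: a host behind the Sophos box
    public = ["203.0.113.10"]   # constructed: documentation-range public IP
    return {
        # Symptom in the thread: protection on, no whitelist, internal
        # names get no answer.
        "default": filter_reply("hostname.fabrikind.com", internal),
        # Keep protection on, exempt only the workplace domain.
        "whitelisted": filter_reply("hostname.fabrikind.com", internal,
                                    rebind_domain_ok=["fabrikind.com"]),
        # "No DNS Rebind" disabled entirely: everything passes.
        "disabled": filter_reply("hostname.fabrikind.com", internal,
                                 stop_dns_rebind=False),
        # Public name with a public address: unaffected either way.
        "public": filter_reply("www.example.net", public,
                               rebind_domain_ok=["fabrikind.com"]),
        # Public name answering with the internal DNS server's address:
        # the pattern the protection exists to block, still rejected.
        "rebind_pattern": filter_reply("lookalike.example.net", ["10.1.1.6"],
                                       rebind_domain_ok=["fabrikind.com"]),
    }


if __name__ == "__main__":
    for label, (passed, log) in thread_scenarios().items():
        print(f"{label:15} -> {passed} {log}")
```

Two things the model makes visible: a lookup sent straight to 10.1.1.6 from the router's shell never goes through this filter, so it will succeed while the same name queried through the router by a LAN client fails; and the exemption is matched against the name actually queried, so an unqualified "hostname" only benefits from `rebind-domain-ok=fabrikind.com` if something appends the suffix first.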
but that didn't change anything. I also tried setting No DNS Rebind to disabled, but that did not work either, and I was also still able to resolve internet names.
I'm pretty sure hsdl.il.comcast.net is the DNS server for the comcast modem that is connected to the WAN port of the router. Our internal domain name is fabrikind.com. I've tried ping name_of_machine and ping name_of_machine.fabrikind.com and both of those fail.
The setup is:
main building comcast modem -> SOPHOS UTM9 box running VPN server -> internal network
Second building comcast modem -> Netgear Router running VPN client -> internal network
and then the DNS server sits behind the SOPHOS box. We have two; 10.1.1.6 and 10.1.1.8 are their local IPs.
What happens if you issue a DNS lookup to a hostname (unqualified and qualified w/ the domain name fabrikind.com ) on the router itself (using ssh/telnet) and specifically referencing either of those DNS servers?
nslookup hostname 10.1.1.6 and nslookup hostname 10.1.1.8 both failed but nslookup hostname.fabrikind.com 10.1.1.6 and nslookup hostname.fabrikind.com 10.1.1.8 both worked. Tried pinging machines with the fully qualified name and it now works on my windows machine that's just plugged into the router. I must not have tried the full name when I tested after disabling "No DNS Rebind" as that is still disabled.
I think I should be okay moving forward. I need to debug an issue we are having with IP phones, but at least domain names now resolve. I'm also going to try re-enabling "No DNS Rebind" and adding in the additional directive "rebind-domain-ok=mycompanydomain.com"
Yeah, I used "rebind-domain-ok=fabrikind.com" in the router. Adding fabrikind.com to the domain field also worked great. I no longer need to fully qualify the names. Thanks again for the help.