3 Domains, 3 DNS servers, 3 locations, only 1 DNS responding

Hi everyone,

3 networks in 3 locations connected over a WireGuard VPN.
10.0.3.0/24 - thisdomain.asia
10.0.2.0/24 - thisdomain.us
192.168.1.0/24 - thisdomain.com

10.0.3.0/24 - thisdomain.asia, pfsense, DNS is pfsense resolver
10.0.2.0/24 - thisdomain.us, pfsense, DNS is pfsense resolver
192.168.1.0/24 - thisdomain.com, pfsense, Active Directory (with DNSSEC)

Have made 2 configuration changes.

  1. In the GUI, under DNS, Local DNS, I pointed each domain to the correct DNS server
  2. I edited the dnsmasq.conf file in /etc by adding the following lines but it didn't seem to do anything. The change in the GUI resulted in the requests going to the right server.
    server=/thisdomain.com/192.168.1.24
    server=/thisdomain.us/10.0.2.1
    server=/thisdomain.asia/10.0.3.1

I open the logs in pihole.log and can see the requests being directed to the correct DNS server. However, the only server that is responding with the answer is my Domain Controller. The 2 remote DNS resolvers on those 2 pfSense boxes are not sending a response.

Is it that I have to create separate conf files for each domain?
Is it that pfSense and/or Pi-hole isn't configured correctly, so the communication is breaking down?

If I don't have the Pi-hole in place, my pfSense box at 192.168 successfully redirects DNS requests to the 2 remote locations. It's only the Pi-hole that can't seem to get a response from the remote DNS resolvers.

Thank you for your support

Please upload a debug log and post just the token URL that is generated after the log is uploaded by running the following command from the Pi-hole host terminal:

pihole -d

or do it through the Web interface:

Tools > Generate Debug Log

Thank you and here you go
https://tricorder.pi-hole.net/02VoxIU5/

I'm not sure whether I understand your intention correctly here?

Local DNS records won't forward resolution of a given domain to a specific DNS server.
Rather, they define the DNS reply for a query for a given domain.

So if a client would request resolution of thisdomain.asia, Pi-hole would reply with 10.0.3.1 straight away. It would not forward that query to 10.0.3.1 for a reply.

You'd need the equivalent of Pi-hole's Conditional Forwarding to achieve that, and that would require a custom dnsmasq configuration file.

Obviously, you are aware of that, but your settings are only partially correct:

*** [ DIAGNOSING ]: contents of /etc

-rw-r--r-- 1 root root 126 Apr 17 03:06 /etc/dnsmasq.conf
   conf-dir=/etc/dnsmasq.d
   server=/thisdomain.com/192.168.1.24
   server=/thisdomain.us/10.0.2.1
   server=/thisdomain.asia/10.0.3.1

What's worse, you seem to have damaged Pi-hole's own configuration in the process.

I note the absence of any of Pi-hole's own configuration files from your debug log.
There should at least have been /etc/dnsmasq.d/01-pihole.conf and /etc/dnsmasq.d/06-rfc6761.conf.

To fix that, you could try running pihole -r and choosing Repair.

I'd also recommend moving those server lines into a separate custom file under /etc/dnsmasq.d/, e.g. /etc/dnsmasq.d/42-wireguard-remotes.conf.

That file should also configure reverse lookups, e.g.

server=/thisdomain.asia/10.0.3.1
rev-server=10.0.3.0/24,10.0.3.1

Even with those corrections, this may not be enough to sort your remote connection issue.
Your debug log doesn't show any wireguard interfaces, and your Pi-hole host machine also lacks dedicated routes to your 10.0.2.1 and 10.0.3.1 networks:

*** [ DIAGNOSING ]: Network routing table
   default via 192.168.1.1 dev eth0 proto static 
   192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.98

This could only work if you had a dedicated wireguard gateway running at 192.168.1.1 that would know how to correctly route traffic between your different subnets.

Note that this would essentially be a networking/routing issue, so you'd have to look beyond Pi-hole for advice on how to best address that.

1 Like
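The reply above gives the two lines for one site and leaves the other two to the reader. The following is an added example, not code from the thread or from the Pi-hole project: it renders the complete /etc/dnsmasq.d/42-wireguard-remotes.conf suggested above for all three sites, pairing each server= line with the matching rev-server= line, and first checks the site table for the mistakes that make such a file misbehave (a domain listed twice, overlapping subnets, or an upstream address that is not in its own site's subnet). The SITES table is constructed from the addresses in this thread; the function names are this example's own.

```python
"""Render a dnsmasq conditional-forwarding file for Pi-hole (added example)."""
import ipaddress
from pathlib import Path

# Constructed site table from the thread: (domain, site subnet, upstream resolver).
# The .com upstream is the AD domain controller; the others are the pfSense resolvers.
SITES = [
    ("thisdomain.asia", "10.0.3.0/24", "10.0.3.1"),
    ("thisdomain.us", "10.0.2.0/24", "10.0.2.1"),
    ("thisdomain.com", "192.168.1.0/24", "192.168.1.24"),
]


def check_sites(sites):
    """Return a list of problems found in the site table.

    Duplicate domains and overlapping subnets make the server=/rev-server= lines
    ambiguous. An upstream outside its own subnet is legal for dnsmasq, but in a
    per-site layout like this one it almost always means a typo.
    """
    problems = []
    seen_domains = set()
    nets = []
    for domain, subnet, upstream in sites:
        if domain in seen_domains:
            problems.append(f"{domain}: listed more than once")
        seen_domains.add(domain)
        net = ipaddress.ip_network(subnet, strict=True)
        addr = ipaddress.ip_address(upstream)
        if addr not in net:
            problems.append(f"{domain}: upstream {upstream} is outside {subnet}")
        for other_domain, other_net in nets:
            if net.overlaps(other_net):
                problems.append(f"{domain}: {subnet} overlaps {other_net} ({other_domain})")
        nets.append((domain, net))
    return problems


def render_conf(sites):
    """Return the file text: one server= and one rev-server= line per site."""
    problems = check_sites(sites)
    if problems:
        raise ValueError("; ".join(problems))
    lines = ["# Forward each remote domain and its reverse zone to that site's resolver"]
    for domain, subnet, upstream in sites:
        net = ipaddress.ip_network(subnet)
        lines.append(f"server=/{domain}/{upstream}")
        lines.append(f"rev-server={net.with_prefixlen},{upstream}")
    return "\n".join(lines) + "\n"


def write_conf(sites, path="/etc/dnsmasq.d/42-wireguard-remotes.conf"):
    """Write the rendered file; run `pihole restartdns` afterwards to load it."""
    text = render_conf(sites)
    Path(path).write_text(text)
    return text


if __name__ == "__main__":
    # Print the file instead of writing it, so it can be reviewed first.
    print(render_conf(SITES), end="")
```

Run it as root with write_conf(SITES) once the printed output looks right; the overlap check matters because a rev-server= range that contains another site's addresses would send that site's PTR queries to the wrong resolver.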

Thank you so much for that amazing response. I am going to try your suggestions (from a fresh install)

Amazing how much damage I did in 1 hour after install :wink: I can see those 2 files in the dnsmasq.d folder, but maybe something happened. I can wipe out that VM and start from scratch.

A little bit more info: I have tried the same config here at thisdomain.asia, and DNS replies are coming in from 2 of the 3 locations. thisdomain.com is responding and thisdomain.asia (which is local).

Apr 17 09:00:39: query[A] w38.thisdomain.com from 10.0.3.50
Apr 17 09:00:39: forwarded w38.thisdomain.com to 192.168.1.24
Apr 17 09:00:39: reply w38.thisdomain.com is 192.168.1.184

The WireGuard connections are being handled by pfSense at all 3 locations. Firewall rules are all the same. DNS resolution has been working well between hosts and the firewall over the tunnels for 2 years now. Even at times, Pi-hole. If you can... here is the output from .asia https://tricorder.pi-hole.net/skEUAnPL/

Regards
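The log excerpt above is the whole diagnosis in miniature: a query is forwarded to an upstream, and either a reply line follows or it does not. The following is an added example, not code from the thread or from Pi-hole: it reads pihole.log lines in the format shown above (the `dnsmasq[pid]:` tag that the raw file carries is accepted too), pairs each "forwarded" line with the "reply" line for the same name, and reports upstreams that were sent queries but never produced a reply, which is exactly the symptom of the pfSense access-list problem in this thread. The SAMPLE_LOG is constructed for the example; dnsmasq does not log which server a reply came from, so the code credits the most recent forward of that name, which is an assumption that holds unless a query is in flight to several upstreams at once.

```python
"""Find silent upstreams in pihole.log (added example, not Pi-hole's own code)."""
import re
from collections import defaultdict

# "Apr 17 09:00:39: forwarded ..." as shown in the web log viewer, or
# "Apr 17 09:00:39 dnsmasq[123]: forwarded ..." as written to /var/log/pihole.log.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)(?: \S+\[\d+\])?: (?P<msg>.*)$")
FORWARD_RE = re.compile(r"^forwarded (?P<name>\S+) to (?P<upstream>\S+)$")
REPLY_RE = re.compile(r"^reply (?P<name>\S+) is (?P<answer>.*)$")

# Constructed sample: .com and .asia answer, 10.0.2.1 (.us) is forwarded to twice and never replies.
SAMPLE_LOG = """\
Apr 17 09:00:39: query[A] w38.thisdomain.com from 10.0.3.50
Apr 17 09:00:39: forwarded w38.thisdomain.com to 192.168.1.24
Apr 17 09:00:39: reply w38.thisdomain.com is 192.168.1.184
Apr 17 09:00:41: query[A] files.thisdomain.us from 10.0.3.50
Apr 17 09:00:41: forwarded files.thisdomain.us to 10.0.2.1
Apr 17 09:00:43: query[A] files.thisdomain.us from 10.0.3.50
Apr 17 09:00:43: forwarded files.thisdomain.us to 10.0.2.1
Apr 17 09:00:45: query[A] nas.thisdomain.asia from 10.0.3.50
Apr 17 09:00:45: forwarded nas.thisdomain.asia to 10.0.3.1
Apr 17 09:00:45: reply nas.thisdomain.asia is 10.0.3.20
"""


def upstream_stats(log_text):
    """Return {upstream: {"forwarded": n, "replied": m}} for the given log text."""
    stats = defaultdict(lambda: {"forwarded": 0, "replied": 0})
    last_upstream = {}  # query name -> upstream of its most recent forward
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        fwd = FORWARD_RE.match(msg)
        if fwd:
            stats[fwd["upstream"]]["forwarded"] += 1
            last_upstream[fwd["name"]] = fwd["upstream"]
            continue
        rep = REPLY_RE.match(msg)
        # Only the first reply line for a name counts; later lines are extra records.
        if rep and rep["name"] in last_upstream:
            stats[last_upstream.pop(rep["name"])]["replied"] += 1
    return dict(stats)


def silent_upstreams(log_text):
    """Upstreams that received at least one forward and never replied."""
    return sorted(u for u, s in upstream_stats(log_text).items() if s["replied"] == 0)


if __name__ == "__main__":
    for upstream, s in sorted(upstream_stats(SAMPLE_LOG).items()):
        print(f"{upstream:15} forwarded={s['forwarded']} replied={s['replied']}")
    print("silent:", silent_upstreams(SAMPLE_LOG))
```

Point it at the real file with upstream_stats(open("/var/log/pihole.log").read()); an upstream with many forwards and zero replies is a reachability or access-control problem on that resolver, not a Pi-hole configuration problem.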

Solved.

Fresh install.
nano /etc/dnsmasq.d/42-wireguard-remotes.conf
Set up for all 3 domains:
server=/thisdomain.asia/10.0.3.1
rev-server=10.0.3.0/24,10.0.3.1

On the remote pfSense, added the remote subnets to the resolver access control list.

The remote AD DNS responds already (that's why 192.168.1.24 was the only one responding, and the other 2 were not coming back because of the lack of access control within pfSense).

Pi-hole settings:
Respond only on interface eth0

Untick (this works both ticked and unticked)
Never forward non-FQDN A and AAAA queries
Never forward reverse lookups for private IP ranges
