I use Pfsense configured with OpenVPN to connect my network from outside and I've configured Pi-hole as my DNS server.
Pi-hole has some internal domain records, as shown below:
Currently I've configured Pfsense DHCP to provide DNS server as my Pi-Hole. On my Pfsense both DNS Forwarder and DNS resolvers are disabled.
Debugging:
I can ping my pi-hole when I'm connected via Openvpn, however, I am not able to resolve domains.
When I use dig and specify which DNS server (pihole) to use then I'm able to resolve internal domains.
Could you please help me to fix this issue?
Thanks
Note that .local is reserved for usage by the mDNS protocol and should not be used for plain DNS.
You should consider changing your local domain to something different, even if it's not related to your issue.
That sounds as if your OpenVPN wouldn't push your Pi-hole's IP address to be used by OpenVPN clients.
Please provide the output for the following commands, run from a connected OpenVPN client.
nslookup pi.hole
nslookup pi.hole <Your Pi-hole host's IP address here>
where you substitute <Your Pi-hole host's IP address here> with an IP address proper.
Hi, thanks for letting me know about .local reservations for mDNS.
I will change it.
I also agree with your suggestion. It seems that OpenVPN is not pushing Pi-hole's IP address as DNS server.
Please find below the output requested:
Was that lookup issued from an OpenVPN client as requested, or was it run from the machine hosting Pi-hole?
The first nslookup shows that machine to use a local stub resolver at 127.0.0.53.
That's ok for a client for caching purposes, as long as that resolver would use the correct upstream name servers.
In case of a client, that should be Pi-hole.
In case of your Pi-hole host, any upstream matching your preferences would do.
If the stub resolver works as intended, you may consider taking a look at our OpenVPN guide for configuration examples that may help you in getting OpenVPN to push Pi-hole to its clients.
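The two-lookup check described in this reply (default resolver versus a query sent straight to Pi-hole), as an added example that is not part of the thread: it parses Linux nslookup output and classifies the result, so a client can tell whether the stub resolver at 127.0.0.53 is forwarding to Pi-hole. The sample outputs and the Pi-hole address 192.168.10.2 are constructed for the example.

```python
import re
import subprocess
from typing import Optional

# Constructed sample output, modelled on Linux nslookup; not captured from the thread.
STUB_NXDOMAIN = """Server:\t\t127.0.0.53
Address:\t127.0.0.53#53

** server can't find pi.hole: NXDOMAIN
"""
DIRECT_OK = """Server:\t\t192.168.10.2
Address:\t192.168.10.2#53

Name:\tpi.hole
Address: 192.168.10.2
"""

def parse_nslookup(text: str) -> dict:
    """Return the resolver that answered and the addresses found (if any)."""
    server = re.search(r"^Server:\s*(\S+)", text, re.M)
    # Answer addresses follow a 'Name:' line; the first 'Address:' belongs to the server.
    answers = re.findall(r"^Name:.*\nAddress:\s*(\S+)", text, re.M)
    return {"server": server.group(1) if server else None,
            "addresses": answers,
            "nxdomain": "NXDOMAIN" in text or "can't find" in text}

def diagnose(default_out: str, direct_out: str, pihole_ip: str) -> str:
    """Classify the two lookups the way the reply above reasons about them."""
    default, direct = parse_nslookup(default_out), parse_nslookup(direct_out)
    if not direct["addresses"]:
        return "pihole-not-answering"          # Pi-hole itself cannot resolve the name
    if default["addresses"]:
        return "ok"                            # default resolver path already works
    if default["server"] == pihole_ip:
        return "pihole-used-but-failed"
    if default["server"] and default["server"].startswith("127."):
        return "stub-resolver-wrong-upstream"  # e.g. 127.0.0.53 not forwarding to Pi-hole
    return "other-resolver-used"

def run_nslookup(name: str, server: Optional[str] = None) -> str:
    """Run the real command on a VPN client (not used by the offline sample)."""
    cmd = ["nslookup", name] + ([server] if server else [])
    return subprocess.run(cmd, capture_output=True, text=True).stdout

if __name__ == "__main__":
    # On a real client: diagnose(run_nslookup("pi.hole"), run_nslookup("pi.hole", ip), ip)
    print(diagnose(STUB_NXDOMAIN, DIRECT_OK, "192.168.10.2"))
```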
The lookup was issued from an OpenVPN client.
I went through the OpenVPN guide, I increased the verbosity of client logs and setup the following on OpenVPN server:
push "dhcp-option DNS <ip address of my pihole>" #push dhcp DNS server
push "redirect-gateway def1 bypass-dhcp" #route all client traffic (including DNS) via VPN
Then I restarted my OpenVPN server and connected via the client but the issue is still the same.