 From:  Jesse Guardiani <jesse at wingnet dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  DNS "proxy" over IPSec
 Date:  Fri, 17 Dec 2004 17:52:24 -0500
Hello,

192.168.1.1/24 is my LAN at work.
192.168.88.1/24 is my LAN at home.

The two are connected together by a m0n0wall -> m0n0wall
IPSec VPN. The m0n0wall at work runs 1.11 and the
m0n0wall at home runs 1.2b3.

In the interest of having my office network
m0n0wall's internal DNS available to my LAN
at home, I have attempted to set my m0n0wall at
home's DNS server to 192.168.1.1 in:
    System -> General Setup -> DNS Servers

In addition, as both locations connect to the
internet via PPPoE over ADSL, I have unchecked
the option:
    "Allow DNS server list to be overridden by DHCP/PPP on WAN"
on the same page.

I rebooted the home m0n0wall (the only one with
DNS changes), and a `cat /etc/resolv.conf` from
exec.php is showing "192.168.1.1" as the only
nameserver, but general DNS queries fail.

However, I *can* perform `dig` operations from my Linux
machine at home, over the IPSec link, to the m0n0wall
at work, as illustrated below:

% dig @192.168.1.1 shannon.int.wingnet.net

; <<>> DiG 9.2.3 <<>> @192.168.1.1 shannon.int.wingnet.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58123
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;shannon.int.wingnet.net.       IN      A

;; ANSWER SECTION:
shannon.int.wingnet.net. 0      IN      A       192.168.1.35

;; Query time: 42 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Fri Dec 17 17:28:31 2004
;; MSG SIZE  rcvd: 57


The home m0n0wall can no longer resolve internet domains
or my work's internal domains. Why would the DNS resolver
not work over an IPSec link?

-- 
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v)  423-559-5145 (f)
http://www.wingnet.net