Bug #13454
Enabling DoT (DNS over TLS) breaks IPSec VPN DNS (Status: Closed)
Description
Using pfSense Plus 22.05 (current newest). Among other services, we run DNS and 'road warrior' IPSec VPN. Setup has worked well for years.
Recently, we turned on DoT for local clients. i.e. enabled the "Respond to incoming SSL/TLS queries from local clients" checkbox. Inside the LAN, it works great! TCP port 853 is opened, and DoT works according to tests with `kdig`. Plain old DNS still works too.
Alas, for those connected from home by IPSec VPN, plain old DNS is totally broken; UDP port 53 appears closed according to both an `nmap` scan and tests with `kdig`.
If we disable the DoT checkbox, DNS works again. We redo the port scan and UDP port 53 is back open.
There are two related (and unanswered) forum posts:
https://forum.netgate.com/topic/174247/enabling-dot-dns-over-tls-breaks-ipsec-vpn-dns
Updated by Jim Pingle about 2 years ago
- Status changed from New to Not a Bug
That is a problem with your configuration or combination of options chosen. It's not a bug, but there is a change in behavior when enabling DNS over TLS: the resolver can no longer respond from the address clients use, but will respond from the closest address. See #13393 for example.
It's a limitation in Unbound, and your clients should be using a different address on the firewall than they are now for UDP-based DNS.
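The explanation above means a VPN client's UDP query may be answered from a different firewall address than the one it was sent to, and a stub resolver using a connected UDP socket never sees such a reply, so port 53 looks closed. The following script is an added diagnostic, not part of this thread or of pfSense: it sends one query on an unconnected socket so that a reply from any source is visible and reports whether the source matches. The resolver address and query name passed to `probe()` are placeholders.

```python
# Added diagnostic (not from the pfSense project or the thread): send one plain
# UDP DNS query and report whether the reply's source address matches the
# address that was queried. A mismatch is what makes UDP/53 look "closed" to
# VPN clients whose stub resolver discards replies from unexpected peers.
import socket
import struct


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A/IN query for `name` (RD set, one question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def classify_reply(queried_ip: str, reply_src_ip: str, reply: bytes, txid: int) -> str:
    """Return 'ok', 'source-mismatch' or 'bad-reply' for one received datagram."""
    if len(reply) < 12 or struct.unpack("!H", reply[:2])[0] != txid:
        return "bad-reply"            # not an answer to our transaction id
    if reply_src_ip != queried_ip:
        return "source-mismatch"      # resolver answered from another address
    return "ok"


def probe(resolver_ip: str, name: str = "example.com", timeout: float = 2.0) -> str:
    """Query `resolver_ip` once. The socket is left unconnected, so the kernel
    delivers a reply from any source address, unlike a stub resolver that
    connect()s its UDP socket and therefore silently drops a mismatched reply."""
    txid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (resolver_ip, 53))
        try:
            data, (src_ip, _port) = sock.recvfrom(512)
        except socket.timeout:
            return "timeout"          # no reply at all, from any address
    return classify_reply(resolver_ip, src_ip, data, txid)


if __name__ == "__main__":
    # Placeholder address: the firewall's VPN-facing DNS listener, not a real value.
    print(probe("192.0.2.1"))
```

Run it from a VPN client while DoT is enabled; `source-mismatch` confirms the behaviour described above, and the printed situation is resolved by pointing clients at the address the resolver actually answers from.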
Updated by Sean McBride about 2 years ago
Thanks Jim. We have it working now.
I created https://redmine.pfsense.org/issues/13456 with suggestions to improve the docs based on our experience trying to get this working.