
It seems that my problem is a common issue, and I've read several answers on Server Fault, but I can't seem to get my issue figured out.

One of my clients is running pfSense 2.1.4, at an internal IP address of 10.1.10.1. The local network is 10.1.10.0/24. The DHCP server is a Synology NAS device at 10.1.10.2. All file shares are accessible in the local network on Windows client machines by going to \\nnh which is the NAS (10.1.10.2).

OpenVPN is running on pfSense, and remote clients are able to successfully connect. However, after connecting, while you can access the NAS at \\10.1.10.2, clients can't connect using the short DNS name (nor the FQDN) of \\nnh, or \\nnh.local, respectively.

OpenVPN is running in TUN mode on the UDP protocol (but this doesn't make a difference after you're actually connected, right?) It is configured to provide a "default domain name to clients" of nnh.local. Additionally, it's configured to provide only 1 DNS server to the client, 10.1.10.2.

Finally, for good measure, in the Advanced Configuration of the OpenVPN server on pfSense, I have this line of code:

push "dhcp-option DNS 10.1.10.2"

It's obvious to me that the DNS server is being properly assigned to the client - below is the output of ipconfig /all on my Windows 7 client when I connect to the VPN. But DNS name resolution for the file share / NAS at \\nnh (\\10.1.10.2) is still not working, and I can't figure it out.

I've reviewed "OpenVPN and DNS. How to?" and "Local domain DNS resolution not working using OpenVPN on a pfSense box".

C:\Users\David>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : Develop-CENTS
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : nnh.local

Ethernet adapter Local Area Connection 3:

   Connection-specific DNS Suffix  . : nnh.local
   Description . . . . . . . . . . . : TAP-Windows Adapter V9
   Physical Address. . . . . . . . . : 00-FF-94-49-12-A7
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::ed68:d270:ca2:3076%28(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.1.5.6(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.252
   Lease Obtained. . . . . . . . . . : Wednesday, July 02, 2014 9:42:41 AM
   Lease Expires . . . . . . . . . . : Thursday, July 02, 2015 9:42:41 AM
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . : 10.1.5.5
   DHCPv6 IAID . . . . . . . . . . . : 285278100
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-36-D0-79-48-5D-60-3B-CF-5B

   DNS Servers . . . . . . . . . . . : 10.1.10.2
                                       10.1.10.2
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wireless Network Connection 2:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Virtual WiFi Miniport Adapter
   Physical Address. . . . . . . . . : 6A-5D-60-3B-CF-5B
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : JMicron PCI Express Gigabit Ethernet Adapter
   Physical Address. . . . . . . . . : 20-CF-30-6A-59-DF
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Atheros AR9285 Wireless Network Adapter
   Physical Address. . . . . . . . . : 48-5D-60-3B-CF-5B
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2600:1004:b11f:24e:7599:d89b:b76c:2471(Preferred)
   Temporary IPv6 Address. . . . . . : 2600:1004:b11f:24e:5050:5e70:6fb:f2cd(Preferred)
   Link-local IPv6 Address . . . . . : fe80::7599:d89b:b76c:2471%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.43.132(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Wednesday, July 02, 2014 9:42:22 AM
   Lease Expires . . . . . . . . . . : Wednesday, July 02, 2014 10:42:22 AM
   Default Gateway . . . . . . . . . : fe80::9218:7cff:fe48:faa2%10
                                       192.168.43.1
   DHCP Server . . . . . . . . . . . : 192.168.43.1
   DNS Servers . . . . . . . . . . . : 192.168.43.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Any suggestions?

David W
  • What is your DNS Server? Are there static host to IP records added? NETBIOS name is probably not working because your IP net ranges are 10.1.5 and 10.1.10 – Jason Jul 02 '14 at 14:13
  • The DNS Server is the DNS server that is provided as a package add-on for the Synology NAS. I don't have any Zones created, although I can create a "Master Zone", a "Slave Zone" and a "Forwarder Zone." As this is an internal DNS server only, I didn't think I would have to do that. However, I just created a master zone for "nnh.local" and assigned "nnh.nnh.local" as well as "nnh.local" to the IP address of 10.1.10.2. That seems to have fixed the issue! – David W Jul 02 '14 at 14:33
  • Glad it worked! – Jason Jul 02 '14 at 16:37
  • There is a "Source IP List" option in the DNS settings on the Synology. Make sure 10.1.5/30 is in that list. If not, the DNS server will simply not answer queries from your VPN client. Also, you are pushing a route to the VPN client for the 10.1.10.0/24 network, right? – Alex Jul 02 '14 at 16:43

2 Answers

Just to answer the question fully and formally.

When working with FQDN/DNS on devices that can act as a DNS server, they need to have static records created.

In cases where you set up Active Directory, DHCP, and DNS together using Microsoft's services, entries are normally created on their own.

The best way to debug DNS issues is to check the DNS Service and ensure entries exist.

Jason

Looking at the above I think your domain suffix search list should just be .local and not nnh.local. This is most probably the reason you had to create an entry for nnh.nnh.local, because the client would append nnh.local to the relative host nnh, giving nnh.nnh.local.

You should be able to check this with the following command on the machine you want to connect from:

nslookup -d nnh

And then look at the QUESTIONS: to see how it's trying to resolve the host.

Of course, you might really want the domain to be nnh.local! In which case you have done the right thing creating the additional DNS entry, but I thought it might help to explain why you needed to create it.

GeekyDeaks
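The suffix expansion and the missing-record failure discussed in this thread, as an added example that is not part of the original question or answers: a simplified Python model of how a client with the search list nnh.local turns \\nnh into DNS queries, and what an empty zone, the later master zone, and a source-IP restriction each do to the result. The function names, zone dictionaries and allowed-source list are constructed for illustration (10.1.5.4/30 is derived from the client's 10.1.5.6 / 255.255.255.252 lease), and Windows fallbacks such as LLMNR and NetBIOS are not modelled.

```python
import ipaddress

def candidates(name, search_list):
    """Names a stub resolver would try, in order (simplified model)."""
    if name.endswith("."):                 # trailing dot: already fully qualified
        return [name.rstrip(".")]
    expanded = [f"{name}.{suffix}" for suffix in search_list]
    # Assumption: multi-label names are tried as typed first, single-label
    # names only with each search suffix appended.
    return ([name] + expanded) if "." in name else expanded

def resolve(name, search_list, zone, client_ip, allowed_sources):
    """Return (queries attempted, answer or None) for one lookup."""
    src = ipaddress.ip_address(client_ip)
    if not any(src in ipaddress.ip_network(net) for net in allowed_sources):
        return [], None                    # server ignores clients outside its source list
    tried = []
    for fqdn in candidates(name, search_list):
        tried.append(fqdn)
        if fqdn.lower() in zone:
            return tried, zone[fqdn.lower()]
    return tried, None

# Values taken from the thread; the data structures are constructed.
SEARCH = ["nnh.local"]                     # "DNS Suffix Search List" in ipconfig
VPN_CLIENT = "10.1.5.6"                    # TAP adapter address
ALLOWED = ["10.1.10.0/24", "10.1.5.4/30"]  # LAN plus the VPN tunnel subnet
ZONE_BEFORE = {}                           # no zones created on the NAS
ZONE_AFTER = {"nnh.local": "10.1.10.2",    # master zone records added later
              "nnh.nnh.local": "10.1.10.2"}

if __name__ == "__main__":
    for label, zone in (("before", ZONE_BEFORE), ("after", ZONE_AFTER)):
        for name in ("nnh", "nnh.local"):
            tried, answer = resolve(name, SEARCH, zone, VPN_CLIENT, ALLOWED)
            print(f"{label:6} {name:10} tried={tried} answer={answer}")
    # Same zone, but the tunnel subnet missing from the source list:
    print(resolve("nnh", SEARCH, ZONE_AFTER, VPN_CLIENT, ["10.1.10.0/24"]))
```

With a search list of just `local`, the same model shows `nnh` expanding to `nnh.local`, so the extra `nnh.nnh.local` record would not be needed.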