I've been using pfSense with OpenVPN for more than a decade now. I've also used many pfSense services intensively (DNS Resolver, DHCP, HAProxy, SquidGuard, the firewall of course...). In short, I do have some experience. But now I've decided to try replacing OpenVPN with WireGuard...
I've created a tunnel on the pfSense side, configured the Windows client, and it connects successfully. I can access (almost) all the servers behind the pfSense. But then I noticed something very, very strange with DNS behavior. I'll have to quickly describe my environment to explain the problem. So I have:
- Split DNS setup (internal DNS resolves to private addresses while the public DNS resolves to public ones).
- Internal DNS servers are two Zentyal domain controllers (in the network behind the pfSense). They are authoritative name servers for the main domain "mydomain.com".
- These two are configured to forward DNS queries for other domains to DNS Resolver at pfSense. (I have a few more domains configured in DNS Resolver because it's much, much more user-friendly and better than Zentyal DNS.)
- Finally, the DNS Resolver forwards queries for domains it does not resolve itself to an external DNS.
DNS request -> Zentyal DNS (172.16.0.1) -> pfSense DNS Resolver (172.16.1.1) -> External DNS
A bit of a weird setup, I admit, but it has been working for years now.
When I connect my Windows 11 machine using OpenVPN, I can do an nslookup for any domain (the main one or another) without any problem. But when I disconnect OpenVPN and connect WireGuard, I can query only the main domain:
nslookup web.mydomain.com
Server: zentyal-1.mydomain.com
Address: 172.16.0.1
Name: web.mydomain.com
Address: 172.16.2.5
But when I query any other domain (handled by the DNS Resolver or an external DNS), I get a "Query refused" error:
nslookup google.com
Server: zentyal-1.mydomain.com
Address: 172.16.0.1
*** zentyal-1.mydomain.com can't find google.com: Query refused
The very same request when I'm connected using OpenVPN:
nslookup google.com
Server: zentyal-1.mydomain.com
Address: 172.16.0.1
Non-authoritative answer:
Name: google.com
Addresses: 2a00:1450:4001:80f::200e
142.250.185.142
Obviously, in both cases the same DNS server (zentyal-1) receives the request, and the same server responds: once with "Query refused" and once with a successful response. It looks like the DNS Resolver refuses to answer Zentyal when I'm connected via WireGuard.
My WireGuard client config:
[Interface]
PrivateKey = XXXX=
Address = 172.16.26.2/24
DNS = 172.16.0.1
[Peer]
PublicKey = YYYYY=
AllowedIPs = 172.16.0.0/16
Endpoint = 1.2.3.4:51820
And this isn't the end of the strange behavior. I'm experiencing the "Query refused" problem only in the command prompt, with nslookup. It looks like browsers are not affected by this problem at all. (nslookup cannot get google.com, but Firefox opens it without a problem.) First I thought it was some kind of DNS leak and that browsers were querying some local DNS. But to my full surprise, it looks like this isn't the case. The browser is getting a DNS response for a domain handled by the DNS Resolver, with a private IP, meaning that the response had to come from behind pfSense (from the DNS Resolver)...
Huhhhhhhh
Any ideas? Sorry for the long text... Thanks!
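The "Query refused" that nslookup prints above is the DNS RCODE REFUSED (5), and resolvers such as BIND and Unbound commonly return it when an access-control rule does not permit recursion for the address the query arrived from. That makes two things worth recording when the same server answers over one tunnel and refuses over another: the exact RCODE (REFUSED is distinct from NXDOMAIN or SERVFAIL) and the local source address the query left from. The following stdlib-only probe is an added example for that check, not code from the original post or from pfSense, Zentyal or WireGuard. It builds a raw DNS query, parses the reply header and A/AAAA answers, and reports the source address the operating system chose for the query. The server address 172.16.0.1 and the names google.com and web.mydomain.com are taken from the post; the two sample replies built by build_response() are constructed here so the script runs offline.

```python
"""Minimal DNS probe: report RCODE, flags and answers, plus the local source
address used for the query. Added example, stdlib only, no network needed for
the offline demo at the bottom."""
import random
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
QTYPE_A, QTYPE_AAAA = 1, 28


def build_query(name, qtype=QTYPE_A, txid=None):
    """Standard recursive query (RD=1) for one name; class IN."""
    txid = random.randrange(65536) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def _read_name(msg, off):
    """Decode a (possibly compressed) domain name; return (name, next offset)."""
    labels = []
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(_read_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        off += 1
        if ln == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + ln].decode())
        off += ln


def parse_response(msg):
    """Return id, RCODE name, AA/RA flags and decoded A/AAAA answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    result = {"id": txid, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
              "aa": bool(flags & 0x0400), "ra": bool(flags & 0x0080), "answers": []}
    off = 12
    for _ in range(qd):           # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A:
            result["answers"].append((name, "A", socket.inet_ntop(socket.AF_INET, rdata)))
        elif rtype == QTYPE_AAAA:
            result["answers"].append((name, "AAAA", socket.inet_ntop(socket.AF_INET6, rdata)))
        else:
            result["answers"].append((name, str(rtype), rdata.hex()))
    return result


def build_response(query, rcode, a_records=()):
    """Constructed server reply for `query` (offline demo only): echoes the
    question, sets QR/RD/RA and the given RCODE, appends A records whose name
    is a pointer to the question name at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | (rcode & 0xF), 1, len(a_records), 0, 0)
    body = query[12:]
    for _name, ip in a_records:
        body += struct.pack("!HHHIH", 0xC00C, QTYPE_A, 1, 300, 4) + socket.inet_aton(ip)
    return header + body


def probe(server, name, qtype=QTYPE_A, timeout=3.0):
    """Send one UDP query and return the parsed reply plus the local source
    address the kernel routed it from (e.g. a VPN tunnel address). Needs
    network access; not exercised by the offline demo."""
    q = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((server, 53))         # connect() fixes the source address
        source_ip = s.getsockname()[0]
        s.send(q)
        reply = parse_response(s.recv(4096))
    reply["source_ip"] = source_ip
    reply["server"] = server
    return reply


if __name__ == "__main__":
    # Offline demonstration with constructed replies mirroring the two nslookup
    # results from the post (refused vs. answered). Live use would be e.g.:
    #   print(probe("172.16.0.1", "google.com"))
    q = build_query("google.com", txid=0x1234)
    print(parse_response(build_response(q, 5)))
    print(parse_response(build_response(q, 0, [("google.com", "142.250.185.142")])))
```

When run against a live resolver, compare the reported source_ip across the two VPNs; a resolver that grants recursion by client network will show REFUSED for a source address outside its permitted ranges and NOERROR otherwise, which is the first thing to confirm before looking further up the forwarding chain.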