DNS Over IPSec VPN Tunnel for Local Host Returns Server Failed


For my network setup I have two networks, location 1 and location 2. They are connected via an IPSec Tunnel, formally between two pfSense firewalls, and currently between 1 OPNsense and 1 pfSense firewall. I’m currently migrating to OPNsense so this is the reason for the mismatch.

I want to be able to resolve the FQDNs of my devices on the remote network from each end. For example, In network 1 I want to be able to resolve the FQDN of a Network Attached Storage device in network 2. This can be done easily with unbound, and I’ll walk through the setup for that shortly.

I had this working before but in my new setup I kept getting a “Server Failed” error. When I would use Wireshark to capture the packets, I could see the DNS request and response coming from the DNS.1.domain DNS server on network 1 when it should be forwarding the request to the DNS.2.domain server.

The Solution

In the end, what was causing this error for me was a misconfiguration on the Outgoing Network Interfaces. My assumption was that I only needed the WAN interface available for this purpose but it prevented using other interfaces when using the domain overrides I had configured which will use local interfaces.

Configuring Domain Overrides for Local Name Resolution

The main things that need to be configured are the domain overrides so that your local DNS server knows to forward the lookup to the remote DNS server.

Both pfSense and OPNsense provide GUI access to the domain override configuration for unbound.

In OPNsense navigate to Services–>Unbound DNS–>Overrides

Domain Override for DNS Lookups

In Domain, enter the subdomain and domain you are using (or just a different domain). My remote firewall and DNS server’s IP is so I provide that here. (Our hosts making DNS requests to 2.domain will use automatically).

Domain Override for Reverse DNS Lookups

It’s also really nice to be able to perform reverse DNS lookups as well. This means if I do nslookup I can get back a hostname. In order to do this we need to also configure the reverse lookup in the Domain overrides. Since I want this to apply to the entire subnet, I need do use 1.10.in-addr.arpa. Note that the IP address portion is provided in reverse order. Also note, that because I’m doing a /16 I’m only specifying the first 2 octets (10.1) in the address. If I were to do a /24 it would look like “0.1.10.in-addr.arpa”. You probably want to be more precise and if you don’t have a lot of subnets it’s easy to add individual /24’s as overrides rather than a single /16 block like I’m doing here. I’ll probably go back later and specify the subnets that I’m actually using later for precision’s sake.


Thanks to these posts which pointed me in the right direction!






Agent[31] is a Cyber Pyscho. He might be doing home network, cybersecurity, or surfing the cyberwebs. Reach into his cybernet and glean some (hopefully) useful information.