Active Directory DNS and IPsec tunnels

Site-to-site IPsec tunnels are common in businesses with multiple locations, and Active Directory (and its DNS) is often hosted at only one of them, so the other sites must forward AD name lookups across the tunnel.


For example, consider two sites, Site A and Site B, with these symptoms:

✅ The Site A LAN segment containing AD is reachable from the Site B LAN segment.
✅ Site B Internet connectivity (including DNS) is functional.
✅ Site A Internet connectivity (including DNS) is functional.
❌ Site B endpoints cannot resolve any AD name that the Site B firewall forwards to Site A (for example via a DNS Resolver domain override for the AD domain).
❌ The Site B pfSense® gateway itself is unable to reach the AD controller in Site A, even though hosts behind it can.

The last two symptoms have one cause: with a policy-based IPsec tunnel, only traffic whose source and destination fall inside a phase 2 (local/remote subnet pair) is sent through the tunnel. Traffic from LAN hosts matches. Traffic the firewall originates itself, such as the forwarded DNS queries, is sourced from the firewall's WAN address by default, does not match any phase 2, and therefore never enters the tunnel.


Static Route Workaround

Follow the directions here to configure a static route for the firewall: a route for the remote site's subnet through a gateway on the local LAN interface. With that route in place the firewall sources its own traffic to the remote subnet from its LAN address, which falls inside the phase 2 local subnet, so the forwarded DNS queries are carried by the tunnel. This has to be done on both sides. To confirm the fix from a shell on the firewall, send a query to the AD DNS server with the source bound to the LAN address (dig's -b option); it should now be answered.

VTI Tunnels

Routed (VTI) tunnels do not need the static route workaround, because the firewall already has a route to the remote subnet through the VTI interface. The caveat is that the firewall's own traffic, including forwarded DNS queries, is then sourced from its VTI interface address rather than its LAN address. Ensure that the firewall rules on each end allow DNS traffic from the VTI subnet, not only from the remote LAN subnet; if the AD controller runs a host firewall, the same applies there.
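The following is an added example, not part of the Netgate documentation. It models the two situations described in the Static Route Workaround and VTI Tunnels sections: it performs a longest-prefix route lookup to find the source address the Site B firewall would use for its own DNS query, checks that source against the phase 2 selectors of a policy-based tunnel (with and without the static route), and then evaluates Site A's rules, pf-style, against a query arriving over VTI with and without a rule for the VTI subnet. Every address, interface name, subnet and rule is a constructed sample value.

```python
"""Added example (not from the Netgate docs): why firewall-originated DNS
queries miss a policy-based IPsec tunnel until a static route changes their
source address, and why VTI peers must allow DNS from the VTI subnet.
All addresses, interface names and rules below are constructed samples.
"""
import ipaddress
from typing import NamedTuple, Optional

IPv4Network = ipaddress.IPv4Network
IPv4Address = ipaddress.IPv4Address


class Route(NamedTuple):
    prefix: IPv4Network
    interface: str          # egress interface selected by this route
    source: IPv4Address     # address the kernel uses as source on it


class Phase2(NamedTuple):
    local: IPv4Network      # phase 2 local traffic selector
    remote: IPv4Network     # phase 2 remote traffic selector


class Rule(NamedTuple):
    action: str             # "pass" or "block"
    src: IPv4Network
    dst: IPv4Network
    port: Optional[int]     # None = any port


def pick_route(table, dst):
    """Longest-prefix match, as the routing table lookup does."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in table if dst in r.prefix]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def firewall_query_enters_tunnel(table, phase2s, dst):
    """Would a packet the firewall originates itself be protected by a phase 2?

    The security policy is checked with the source address the route lookup
    produced; only packets inside a local->remote selector pair use the tunnel.
    Returns (matched, source_address).
    """
    dst = ipaddress.ip_address(dst)
    src = pick_route(table, dst).source
    matched = any(src in p.local and dst in p.remote for p in phase2s)
    return matched, src


def first_match(rules, src, dst, port):
    """pf-style evaluation with every rule 'quick': first match wins."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if src in rule.src and dst in rule.dst and rule.port in (None, port):
            return rule.action
    return "block"          # implicit default deny


# --- constructed Site A / Site B data ---------------------------------------
SITE_A_LAN = IPv4Network("10.10.0.0/24")
SITE_B_LAN = IPv4Network("10.20.0.0/24")
AD_DNS = IPv4Address("10.10.0.10")         # AD DNS server in Site A
B_LAN_IP = IPv4Address("10.20.0.1")        # Site B firewall LAN address
B_WAN_IP = IPv4Address("203.0.113.20")     # Site B firewall WAN address
VTI_NET = IPv4Network("10.250.0.0/30")     # constructed VTI transit subnet
B_VTI_IP = IPv4Address("10.250.0.2")       # Site B end of the VTI

PHASE2 = [Phase2(SITE_B_LAN, SITE_A_LAN)]

# Policy-based tunnel, no workaround: nothing steers Site A's subnet, so the
# default route wins and the query is sourced from the WAN address.
TABLE_DEFAULT = [
    Route(IPv4Network("0.0.0.0/0"), "em0", B_WAN_IP),
    Route(SITE_B_LAN, "em1", B_LAN_IP),
]

# Static route workaround: Site A's subnet via a gateway on the LAN interface,
# so the kernel sources the packet from the LAN address.
TABLE_STATIC = TABLE_DEFAULT + [Route(SITE_A_LAN, "em1", B_LAN_IP)]

# VTI: a routed tunnel interface; traffic to Site A is sourced from the VTI address.
TABLE_VTI = TABLE_DEFAULT + [Route(SITE_A_LAN, "ipsec1000", B_VTI_IP)]

# Site A rules for DNS towards the AD controller, without and with the VTI subnet.
RULES_LAN_ONLY = [Rule("pass", SITE_B_LAN, IPv4Network(f"{AD_DNS}/32"), 53)]
RULES_WITH_VTI = RULES_LAN_ONLY + [Rule("pass", VTI_NET, IPv4Network(f"{AD_DNS}/32"), 53)]


def vti_dns_allowed(rules):
    """What Site A does with a DNS query the Site B firewall sends over VTI."""
    src = pick_route(TABLE_VTI, AD_DNS).source
    return first_match(rules, src, AD_DNS, 53)


if __name__ == "__main__":
    print("policy-based, no static route:", firewall_query_enters_tunnel(TABLE_DEFAULT, PHASE2, AD_DNS))
    print("policy-based, static route:   ", firewall_query_enters_tunnel(TABLE_STATIC, PHASE2, AD_DNS))
    print("VTI, rule for Site B LAN only:", vti_dns_allowed(RULES_LAN_ONLY))
    print("VTI, rule includes VTI subnet:", vti_dns_allowed(RULES_WITH_VTI))
```

Running the script shows the firewall's query sourced from 203.0.113.20 (no phase 2 match) until the static route is present, after which it is sourced from 10.20.0.1 and matches; over VTI the query arrives from 10.250.0.2 and is blocked by a rule set that only permits the Site B LAN. The model deliberately ignores NAT and reply-direction state, which do not change which source address the first packet carries.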

