pfsense, dnsmasq & source interfaces

Posted on Mar 11, 2011

I’m having issues with dnsmasq on my pfsense router being unable to contact an overridden nameserver because its queries aren’t being sourced from an interface that has an ipsec policy. For example, I have the following config:

Main Office Router A: LAN address: 192.168.1.1/24 WAN address: 24.1.2.3

Remote Office Router B: LAN address: 192.168.2.1/24 WAN address: 64.1.2.3

The two sites are connected by an ipsec tunnel. My internal nameserver serving the domain “company.local” is at 192.168.1.10.

Since the remote office is on the other side of the world, I want to use the ISP nameservers for internet resolution, but send all resolutions for company.local through the tunnel to 192.168.1.10.

When dnsmasq sends the packet to 192.168.1.10, however, it uses the default route and sends the packet out of the WAN interface and not through the tunnel. My first thought was to instruct dnsmasq to use the LAN interface as its source address, such as:

/usr/local/sbin/dnsmasq -l /var/dhcpd/var/db/dhcpd.leases -s remote.company.local --server=/company.local/192.168.1.10@192.168.2.1

Indeed, that works, but the web UI doesn’t allow for that sort of syntax, afaik.

Failing that, I tried adding a bogus route on Router B in hopes that the packet will be redirected through the ipsec tunnel before actually being transmitted on the LAN interface. I added a static route for 192.168.1.10/32 to the gateway 192.168.1.1. This appears to work, so my problem is resolved for now. It doesn’t seem to be a particularly elegant solution, however.
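To make the routing behaviour behind both fixes concrete, here is an added Python model (not code from the post, pfsense or dnsmasq) of Router B's source-address selection and IPsec policy matching. It assumes simplified interface names "lan" and "wan" and a two-entry routing table; the addresses and networks are the ones given above.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed model of Router B from the post; not pfsense or dnsmasq code.
# A route is (destination network, egress interface name, that interface's address).
Route = Tuple[ipaddress.IPv4Network, str, ipaddress.IPv4Address]

def route_entry(dst: str, iface: str, addr: str) -> Route:
    return (ipaddress.ip_network(dst), iface, ipaddress.ip_address(addr))

# Router B's routing table: connected LAN route plus the default route via WAN.
ROUTER_B_ROUTES: List[Route] = [
    route_entry("192.168.2.0/24", "lan", "192.168.2.1"),
    route_entry("0.0.0.0/0", "wan", "64.1.2.3"),
]

# IPsec security policy: traffic between the two office LANs goes through the tunnel.
SPD = [(ipaddress.ip_network("192.168.2.0/24"), ipaddress.ip_network("192.168.1.0/24"))]

def select_source(routes: List[Route], dst: str) -> ipaddress.IPv4Address:
    """Longest-prefix match; the egress interface's address becomes the source."""
    target = ipaddress.ip_address(dst)
    best = max((r for r in routes if target in r[0]), key=lambda r: r[0].prefixlen)
    return best[2]

def matches_spd(src: ipaddress.IPv4Address, dst: str) -> bool:
    """True if a (src, dst) pair is selected by the tunnel policy."""
    target = ipaddress.ip_address(dst)
    return any(src in s and target in d for s, d in SPD)

def query_path(routes: List[Route], ns: str, source: Optional[str] = None) -> str:
    """Where a dnsmasq query to nameserver `ns` ends up: 'ipsec' or 'wan-clear'."""
    src = ipaddress.ip_address(source) if source else select_source(routes, ns)
    return "ipsec" if matches_spd(src, ns) else "wan-clear"

NS = "192.168.1.10"
# The post's workaround: a host route for 192.168.1.10/32 leaving via the LAN interface,
# so the LAN address is chosen as source and the packet matches the IPsec policy.
WITH_HOST_ROUTE = ROUTER_B_ROUTES + [route_entry("192.168.1.10/32", "lan", "192.168.2.1")]

if __name__ == "__main__":
    # Stock routes: default route picks the WAN address, policy never matches.
    print(query_path(ROUTER_B_ROUTES, NS))                 # wan-clear
    # Explicit source as in --server=/company.local/192.168.1.10@192.168.2.1
    print(query_path(ROUTER_B_ROUTES, NS, "192.168.2.1"))  # ipsec
    # Host route workaround from the post.
    print(query_path(WITH_HOST_ROUTE, NS))                 # ipsec
```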