• Assigning Interface as a gateway

    11 posts, 0 votes, 716 views

    @ivanjrx Moderators can change the status to solved.

  • Support for DDR?

    1 post, 0 votes, 263 views. No one has replied.

  • Can't get an IP from ISP behind switch

    20 posts, 0 votes, 872 views

    @johnpoz

    Alright so I was able to do some more testing, and it is pretty bizarre compared to what I believe should be expected behavior.

    I've checked countless times at this point to ensure the MAC from my primary box is set on the WAN interface of the secondary box. I would expect that my modem cannot tell the difference between the two boxes, and both pfsense boxes should be able to grab the same IP from my modem if I disable the WAN interface on one of them, or even perhaps both simultaneously, though I would expect issues in that scenario.

    Here are the steps I took with the results:

    1. On pfsense primary, put down the WAN interface via ifconfig in an SSH session.
    2. Physically plug the ethernet cable from pfsense secondary into trunk port 5 on the switch.
    3. Pfsense secondary shows the WAN connection as up, but doesn't receive an IP address.
    4. Unplug pfsense secondary from trunk port 5, and plug it into trunk port 1 (where pfsense primary was previously plugged in).
    5. Pfsense secondary obtains an IP quickly (without a modem reboot) and has connectivity, with a different IP address!
    6. Unplug pfsense secondary from trunk port 1, and put pfsense primary back into trunk port 1. Pfsense primary grabs the previous IP.

    I could see it possibly being a switch configuration issue, though I've been over that a dozen times as well. That would not explain pfsense secondary getting a different IP though. My best guess is MAC spoofing is not working somewhere between the interface and modem.

  • Unbound not resolving using default 127.0.0.1

    4 posts, 0 votes, 456 views

    So I updated the resolv.conf file and everything is resolving correctly now. But I don't see anything reflecting differently in the UI. So my question: is there a way to persist unique settings in resolv.conf for local DNS to point to local, 127.0.0.1, from the unbound forward listed IPs? Once I made this change above, I updated to the latest version, rebooted, and my changes are now gone; resolv.conf matches the same forward IPs stated in the UI (screenshot) and in unbound.conf.

    Thanks

  • Single website won't resolve for clients - resolves fine for pfSense itself

    23 posts, 0 votes, 900 views. Last reply by johnpoz

    @lparker yeah - they are not redirecting 8.8.8.8 maybe... But how would pfsense redirect traffic to itself, especially when you stated you don't have any redirection set up.. And if it was - why would it not redirect 8.8.8.8?

    You can't do an outbound nat on your wan to yourself..

    Sorry but asking 1.2.3.4 for dns and getting an answer is clearly redirection of dns.. period.. Here is an idea - why don't you stop unbound completely.. Now do your query to 1.2.3.4 as your test.

    Look at your +trace you did from before:

    advantechwifi.com.    0    IN    A    199.38.182.75
    advantechwifi.com.    0    IN    A    199.38.182.52
    ;; Received 78 bytes from 199.9.14.201#53(b.root-servers.net) in 36 ms

    There is no possible way the root server answered with that.. The root servers don't have such info.. So you're saying pfsense somehow redirects outbound traffic to itself, and answered with that info? After a restart of unbound how would it have that info in its cache?

    Do you even have serve zero set up - that is not a default setting..

    (attachment: unbound.jpg)

    To prove it to yourself - turn off the unbound service.. Make sure pfsense isn't listening on 53 with netstat or something, now do your directed query tests.. query 1.2.3.4 etc..
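    The sanity check johnpoz applies by eye above (a root server never returns the final A records for a name, it only returns referrals) can be automated over a dig +trace transcript. The script below is an added example, not code from this thread, pfSense or Unbound. The two transcripts embedded in it are constructed: the first reproduces the suspicious hop quoted in the post, the second shows the delegation chain one would normally expect (the TLD server name and the authoritative server ns1.example.net with its 203.0.113.10 address are made up).

```python
"""Audit a `dig +trace` transcript for hops whose answer cannot be genuine."""
import re
from dataclasses import dataclass

# One resource record line as dig prints it: owner TTL IN TYPE rdata
RR_RE = re.compile(r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<rtype>[A-Z0-9]+)\s+(?P<rdata>.*)$")
# The line dig prints after each hop: ";; Received N bytes from IP#port(name) in T ms"
HOP_RE = re.compile(r"^;; Received \d+ bytes from (?P<ip>[^#\s]+)#\d+\((?P<name>[^)]*)\)")

# Constructed transcript: the hop quoted in the thread, where b.root-servers.net
# "answers" with TTL-0 A records, appended to an ordinary first hop.
INTERCEPTED_TRACE = """\
.                       518400  IN      NS      a.root-servers.net.
.                       518400  IN      NS      b.root-servers.net.
;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 2 ms

advantechwifi.com.      0       IN      A       199.38.182.75
advantechwifi.com.      0       IN      A       199.38.182.52
;; Received 78 bytes from 199.9.14.201#53(b.root-servers.net) in 36 ms
"""

# Constructed transcript of an unbroken delegation chain (TLD and authoritative
# server names/addresses are made up for the example).
NORMAL_TRACE = """\
.                       518400  IN      NS      b.root-servers.net.
;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 2 ms

com.                    172800  IN      NS      a.gtld-servers.net.
;; Received 1170 bytes from 199.9.14.201#53(b.root-servers.net) in 20 ms

advantechwifi.com.      172800  IN      NS      ns1.example.net.
;; Received 200 bytes from 192.5.6.30#53(a.gtld-servers.net) in 30 ms

advantechwifi.com.      300     IN      A       199.38.182.75
;; Received 60 bytes from 203.0.113.10#53(ns1.example.net) in 40 ms
"""


@dataclass
class RR:
    owner: str
    ttl: int
    rtype: str
    rdata: str


@dataclass
class Hop:
    server_ip: str
    server_name: str
    records: list


def parse_trace(text):
    """Group the RR lines printed before each ';; Received ... from' line into a Hop."""
    hops, pending = [], []
    for line in text.splitlines():
        if m := RR_RE.match(line):
            pending.append(RR(m["owner"].lower(), int(m["ttl"]), m["rtype"], m["rdata"].strip()))
        elif m := HOP_RE.match(line):
            hops.append(Hop(m["ip"], m["name"].lower().rstrip("."), pending))
            pending = []
    return hops


def audit_trace(qname, text):
    """Return findings for hops that hand back a final A/AAAA answer they should not have."""
    qname = qname.lower().rstrip(".") + "."
    findings = []
    for n, hop in enumerate(parse_trace(text)):
        answers = [r for r in hop.records if r.owner == qname and r.rtype in ("A", "AAAA")]
        if not answers:
            continue  # a referral (NS records) or a hop for another name
        if hop.server_name.endswith("root-servers.net"):
            findings.append(
                f"hop {n}: {hop.server_name} ({hop.server_ip}) returned {answers[0].rtype} "
                f"records for {qname}; root servers only return referrals, so something "
                "else answered the query sent to that address")
        if all(r.ttl == 0 for r in answers):
            findings.append(f"hop {n}: answer TTL is 0, unusual for an authoritative server "
                            "and worth questioning")
    return findings


if __name__ == "__main__":
    for label, trace in (("intercepted", INTERCEPTED_TRACE), ("normal", NORMAL_TRACE)):
        print(label, audit_trace("advantechwifi.com", trace) or ["no findings"])
```

    To use it on a real case, paste the full dig +trace output into a file and pass its contents to audit_trace together with the queried name; a finding on a root-server hop means the packet to port 53 was answered by something other than the root server, which is the redirection johnpoz describes.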

  • Local DNS resolution & blocking of a domain & pfblockerng

    18 posts, 0 votes, 749 views. Last reply by johnpoz

    @droidus said in Local DNS resolution & blocking of a domain & pfblockerng:

    such as the ones surrounding them?:

    You should always be as specific as possible with rules.. This firewall is not specific, to be honest. If this is your lan net, that would be the IP it would be talking to for dns, i.e. the lan address. Why would something on your lan be talking to, say, opt X on a pfsense IP for dns? Or your wan IP? "This firewall" is an alias that has all the IPs on pfsense.

    Do you use this lan net as a transit network? How would something be talking to your lan interface from the lan net coming from any IP other than lan net? There is no reason to have any as the source, unless the interface is a transit network, and even then it should be limited to the IPs as source; why would you not know your downstream networks using this interface as a transit..

    Also what client would be using DoT? (853) Clients use DoH; DoT is more for resolvers or forwarders to use.. Also, for you to use DoT from a client, do you have that set up with a cert that your clients would trust?

    What do you have behind pfsense that is using DoT? And for that matter, why would you need to encrypt dns queries across your own network?

  • To forward or not to forward DNS over TLS

    11 posts, 1 vote, 1k views

    @marchand-guy Since DNSSEC was mentioned above, just note it should be disabled when forwarding.
    https://support.quad9.net/hc/en-us/articles/4433380601229-Setup-pfSense-and-DNS-over-TLS
    "Disable Enable DNSSEC Support if enabled.
    DNSSEC is already enforced by Quad9, and enabling DNSSEC at the forwarder level can cause false DNSSEC failures."

  • Dns resolver problem

    10 posts, 0 votes, 593 views. Last reply by johnpoz

    @Gertjan said in Dns resolver problem:

    showing the user that he wanted to visit a blocked web site is impossible

    Never say that ;)

    But yeah, it's pretty freaking difficult to do with https; you would have to generate on the fly a cert that matches where he was wanting to go, www.somewhere.tld, and also that browser would have to trust the CA that created said cert on the fly.

    And if the site was using something like pinning, and he had been there before - again he's probably going to scream at you that this cert isn't right, etc.

    If it was easy it would really break the whole end-to-end trust thing ;) It's not impossible, but yeah, the client is doing everything it can to know that the https connection is trusted and secure from the client to the server.. Now if you control the client and get him to trust certs you create, then sure, pretty easy to do mitm.. But it also becomes resource-hungry creating certs on the fly for any fqdn the client might be going to.

  • DHCP server and Firewall as static entry

    13 posts, 0 votes, 1k views. Last reply by JonathanLee

    @johnpoz I don't know :( I thought let me give it a try, that NULL IP thing is so random.

  • Local DNS over VPN

    17 posts, 0 votes, 688 views

    @viragomann the problem is I have no idea which DNS each client is using. Some use ISP DNS, others Google, others OpenDNS, others Quad9.. and so on. And some clients are from other countries..

    In this case, I think the best option is to let the clients use the internet through the VPN.

    Thanks for your help. I really appreciate it!

  • DNS check

    7 posts, 0 votes, 804 views

    Update-> I was able to resolve the DNS issues as stated above by selecting DNS Resolution Behavior = Use Local DNS (127.0.0.1), fallback to remote DNS servers (Default), and, thanks to @viragomann's comment about enabling the DNS query forwarding mode in the DNS Resolver settings, I am finally getting somewhere!

    Now I have two DNS addresses for my VPN (PIA), and two DNS addresses for my WAN (Cloudflare's DNS servers), and the correct gateway is selected for each. Now when I conduct a DNS leak test, it shows me pfSense is resolving to both Cloudflare and to the PIA DNS addresses...? Firstly, I'm just happy that my ISP's DNS is no longer being used. Secondly, I guess I'm wondering if DNSleaktest.com is showing both because different devices on my LAN are using different gateways to resolve DNS queries, or is it that my device, which is being directed to use the VPN (PIA) gateway, is actually resolving to all of the DNS addresses? I'm hoping it's the former and not the latter! Thanks.

  • Dynamic DNS - Azure (22.01-RELEASE (arm))

    3 posts, 0 votes, 1k views

    @DavidIr I just tried configuring Azure DNS in Dynamic DNS and I am seeing the same. I am on version 23.05-RELEASE.

    The record exists already in the zone, I am trying to get pfsense to keep it up-to-date.

    Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: Dynamic DNS azure (test.<mydomain.com>): _update() ending.
    Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: Dynamic DNS azure (test.<mydomain.com>): _checkStatus() ending.
    Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: phpDynDNS (test.<mydomain.com>): (Unknown Response)
    Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: phpDynDNS (test.<mydomain.com>): PAYLOAD: 400
    Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: Dynamic DNS azure (test.<mydomain.com>): _checkStatus() starting.
    Jun 3 16:32:37 php-fpm 13896 </html>
    Jun 3 16:32:37 php-fpm 13896 </body>
    Jun 3 16:32:37 php-fpm 13896 </div>
    Jun 3 16:32:37 php-fpm 13896 at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet)</p>
    Jun 3 16:32:37 php-fpm 13896 at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage11(MessageRpc& rpc)
    Jun 3 16:32:37 php-fpm 13896 at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(MessageRpc& rpc)
    Jun 3 16:32:37 php-fpm 13896 at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc& rpc)
    Jun 3 16:32:37 php-fpm 13896 at System.ServiceModel.Dispatcher.DispatchOperationRuntime.DeserializeInputs(MessageRpc& rpc)
    Jun 3 16:32:37 php-fpm 13896 at System.ServiceModel.Dispatcher.UriTemplateDispatchFormatter.DeserializeRequest(Message message, Object[] parameters)
    Jun 3 16:32:37 php-fpm 13896 at System.ServiceModel.Dispatcher.DemultiplexingDispatchMessageFormatter.DeserializeRequest(Message message, Object[] parameters)
    Jun 3 16:32:37 php-fpm 13896 at System.ServiceModel.Dispatcher.SingleBodyParameterMessageFormatter.DeserializeRequest(Message message, Object[] parameters)
    Jun 3 16:32:37 php-fpm 13896 at System.ServiceModel.Dispatcher.SingleBodyParameterDataContractMessageFormatter.ReadObject(Message message)
    Jun 3 16:32:37 php-fpm 13896 at System.Runtime.Serialization.Json.DataContractJsonSerializer.ReadObject(XmlDictionaryReader reader, Boolean verifyObjectName)
    Jun 3 16:32:37 php-fpm 13896 <p> at System.Runtime.Serialization.XmlObjectSerializer.ReadObjectHandleExceptions(XmlReaderDelegator reader, Boolean verifyObjectName, DataContractResolver dataContractResolver)
    Jun 3 16:32:37 php-fpm 13896 <p>The server encountered an error processing the request. The exception message is 'There was an error deserializing the object of type Microsoft.WindowsAzure.Dns.Frontend.Common.DataStructures.API.Dns.CsmResourceRecordsPackageBody. The value '' cannot be parsed as the type 'Int64'.'. See server logs for more details. The exception stack trace is: </p>
    Jun 3 16:32:37 php-fpm 13896 <p class="heading1">Request Error</p>
    Jun 3 16:32:37 php-fpm 13896 <div id="content">
    Jun 3 16:32:37 php-fpm 13896 <body>
    Jun 3 16:32:37 php-fpm 13896 </head>
    Jun 3 16:32:37 php-fpm 13896 <style>[inline CSS of the Azure error page omitted]</style>
    Jun 3 16:32:37 php-fpm 13896 <title>Request Error</title>
    Jun 3 16:32:37 php-fpm 13896 <head>
    Jun 3 16:32:37 php-fpm 13896 <html xmlns="http://www.w3.org/1999/xhtml">
    Jun 3 16:32:37 php-fpm 13896 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: Response Data: <?xml version="1.0" encoding="utf-8"?>
    Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: Response Header:
    Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: Response Header:
    Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: Response Header: date: Sat, 03 Jun 2023 14:32:37 GMT
    Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: Response Header: x-ms-routing-request-id: GERMANYWESTCENTRAL:20230603T143237Z:62223bf7-3bc2-40d0-ba3a-8f0576793a0c
    Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: Response Header: x-ms-correlation-request-id: 62223bf7-3bc2-40d0-ba3a-8f0576793a0c
    Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: Response Header: x-ms-request-id: 62223bf7-3bc2-40d0-ba3a-8f0576793a0c
    Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: Response Header: x-powered-by: ASP.NET
    Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: Response Header: server: Microsoft-IIS/10.0
    Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: Response Header: x-ms-ratelimit-remaining-subscription-resource-requests: 11999
    Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: Response Header: strict-transport-security: max-age=31536000; includeSubDomains
    Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: Response Header: x-content-type-options: nosniff
    Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: Response Header: content-type: text/html
    Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: Response Header: content-length: 3221
    Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: Response Header: cache-control: private
    Jun 3 16:32:37 php-fpm 13896 /services_dyndns_edit.php: Response Header: HTTP/2 400
    Jun 3 16:32:35 php-fpm 13896 /services_dyndns_edit.php: Dynamic DNS azure (test.<mydomain.com>): _update() starting.
    Jun 3 16:32:35 php-fpm 13896 /services_dyndns_edit.php: Dynamic DNS (test.<mydomain.com>): running get_failover_interface for wan. found pppoe0
    Jun 3 16:32:35 php-fpm 13896 /services_dyndns_edit.php: Dynamic DNS azure (test.<mydomain.com>): <myip> extracted from local system.
    Jun 3 16:32:35 php-fpm 13896 /services_dyndns_edit.php: Dynamic DNS azure (test.<mydomain.com>): _checkIP() starting.
    Jun 3 16:32:35 php-fpm 13896 /services_dyndns_edit.php:
    Jun 3 16:32:35 php-fpm 13896 /services_dyndns_edit.php: Dynamic DNS: updatedns() starting
    Jun 3 16:32:35 check_reload_status 436 Syncing firewall
    Jun 3 16:32:35 php-fpm 13896 /services_dyndns_edit.php: Configuration Change: admin@192.168.20.199 (Local Database): Dynamic DNS client configured.

    (private info redacted from logs)

  • domain override not working

    13 posts, 0 votes, 2k views

    @SteveITS I used the second option you mentioned.

    But the problem is that the "domain override" was not working. As @viragomann mentioned, I needed to set the Active Directory DNS in "General Setup" and activate forward option in the DNS Resolver.

    After that, I configured the OpenDNS IP (208.67.222.222) in the Active Directory forwarder.

    Everything is working now, including the NAT rules that were conflicting.

  • VM + AdGuardHome on Proxmox-> DNS problem

    2 posts, 0 votes, 381 views

    FYI, everything is working. After additional checks, it was necessary to activate the DNS resolver like this:

    (screenshot)

  • Blocking Youtube on one device

    4 posts, 0 votes, 478 views. Last reply by Gertjan

    @Johan1974NL

    If this device is somewhat recent and a wifi device, and uses the MAC randomizer, this will mean it will use a random IP also.
    Because : as soon as the MAC changes, the IP changes.

    Blocking a moving target : hummmm, that's a no go.

    The only feasible option is: block 'something' for the entire LAN using the option Dobby_ listed.

  • DHCP Glitched OPT2/3 Server issues

    6 posts, 0 votes, 368 views

    @GameHoundsDev I’m not sure actually.

    So it didn’t work recreating the interface with a /24 mask?

  • Problem with DHCP/PXE boot using FOG

    2 posts, 0 votes, 3k views

    It seems the DHCP/PXE implementation is somehow broken in the current v2.6.0. In my setup there is no VLAN, but EFI machines are requesting the "BIOS" boot file from the TFTP server. I think it worked normally in some previous version.

  • 2 posts, 0 votes, 395 views. Last reply by johnpoz

    @jamesjose03

    What is a VM here, pfsense and some other guest - just pfsense? Just some guest vm you have running on what, proxmox, ESXi, virtualbox, hyper-v, qemu?

    What are you restarting exactly? The dns that is provided by dhcp - you're saying pfsense is not handing that out? In the dhcp offer? Did the client ask for it?

    Let's see your dhcp packet capture.. Example - here is a dhcp exchange..

    (attachment: dhcpjpg.jpg)

    You can see in the discover and request the client asking for dns, and in the offer and ack the dhcp server sending the info.

    So you're saying even though the dhcp client asks for dns - the dhcp server is not sending it?

    But then you restart "network", which means what exactly? Reboot the vm, reboot the host, disable/enable some interface either physical or virtual? Some other network reset in the os like "netsh int ip reset" in windows?
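    The check johnpoz describes (does the client list DNS in its parameter request list, and does the server put option 6 in the OFFER and ACK) can be made against raw packets instead of a screenshot. The script below is an added example, not code from this thread, pfSense or the DHCP daemons pfSense ships; it builds a four-message exchange itself rather than reading a capture, so the client MAC, transaction id and 192.168.1.0/24 addresses are made up, and the final ACK is deliberately built without option 6 to show the failure being asked about.

```python
"""Decode a DHCP exchange and verify that DNS (option 6) is requested and supplied."""
import struct
from ipaddress import IPv4Address

MAGIC = b"\x63\x82\x53\x63"                      # RFC 2132 magic cookie after the BOOTP header
OPT_SUBNET, OPT_ROUTER, OPT_DNS, OPT_DOMAIN = 1, 3, 6, 15
OPT_REQUESTED_IP, OPT_MSG_TYPE, OPT_PARAM_REQ, OPT_END = 50, 53, 55, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def build_dhcp(op, xid, chaddr, yiaddr="0.0.0.0", options=()):
    """Assemble a minimal BOOTP/DHCP packet: 236-byte fixed header, cookie, TLV options, end."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         op, 1, 6, 0, xid, 0, 0x8000,        # htype=ethernet, hlen=6, broadcast flag
                         bytes(4), IPv4Address(yiaddr).packed, bytes(4), bytes(4),
                         chaddr.ljust(16, b"\0"), bytes(64), bytes(128))
    tlv = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return header + MAGIC + tlv + bytes([OPT_END])


def parse_dhcp(packet):
    """Return op, xid, yiaddr, client MAC and a {option code: raw value} map."""
    if len(packet) < 240 or packet[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", packet[:8])
    yiaddr = str(IPv4Address(packet[16:20]))
    chaddr = packet[28:28 + hlen].hex(":")
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 0:                 # pad byte
            i += 1
            continue
        if code == OPT_END:
            break
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": yiaddr, "chaddr": chaddr, "options": options}


def dns_servers(parsed):
    """Option 6 carries one or more 4-byte addresses."""
    raw = parsed["options"].get(OPT_DNS, b"")
    return [str(IPv4Address(raw[i:i + 4])) for i in range(0, len(raw) - len(raw) % 4, 4)]


def audit_exchange(packets):
    """Flag DISCOVER/REQUEST that do not ask for DNS and OFFER/ACK that do not carry it."""
    findings = []
    for parsed in map(parse_dhcp, packets):
        mtype = MSG_TYPES.get(parsed["options"].get(OPT_MSG_TYPE, b"\0")[0], "UNKNOWN")
        if mtype in ("DISCOVER", "REQUEST"):
            if OPT_DNS not in parsed["options"].get(OPT_PARAM_REQ, b""):
                findings.append(f"{mtype} from {parsed['chaddr']}: client did not list option 6 (DNS) "
                                "in its parameter request list")
        elif mtype in ("OFFER", "ACK"):
            if not dns_servers(parsed):
                findings.append(f"{mtype} for {parsed['yiaddr']}: server sent no option 6 (DNS)")
    return findings


# Constructed exchange (made-up MAC, xid and addresses; not from a capture).
CLIENT_MAC = bytes.fromhex("525400aabbcc")
XID = 0x3903F326
PARAMS = bytes([OPT_SUBNET, OPT_ROUTER, OPT_DNS, OPT_DOMAIN])
SERVER_OPTS = [(OPT_SUBNET, IPv4Address("255.255.255.0").packed),
               (OPT_ROUTER, IPv4Address("192.168.1.1").packed)]
DISCOVER = build_dhcp(1, XID, CLIENT_MAC, options=[(OPT_MSG_TYPE, b"\x01"), (OPT_PARAM_REQ, PARAMS)])
OFFER = build_dhcp(2, XID, CLIENT_MAC, "192.168.1.50",
                   [(OPT_MSG_TYPE, b"\x02"), *SERVER_OPTS, (OPT_DNS, IPv4Address("192.168.1.1").packed)])
REQUEST = build_dhcp(1, XID, CLIENT_MAC, options=[(OPT_MSG_TYPE, b"\x03"),
                                                   (OPT_REQUESTED_IP, IPv4Address("192.168.1.50").packed),
                                                   (OPT_PARAM_REQ, PARAMS)])
ACK_WITH_DNS = build_dhcp(2, XID, CLIENT_MAC, "192.168.1.50",
                          [(OPT_MSG_TYPE, b"\x05"), *SERVER_OPTS, (OPT_DNS, IPv4Address("192.168.1.1").packed)])
ACK_MISSING_DNS = build_dhcp(2, XID, CLIENT_MAC, "192.168.1.50", [(OPT_MSG_TYPE, b"\x05"), *SERVER_OPTS])

if __name__ == "__main__":
    print(audit_exchange([DISCOVER, OFFER, REQUEST, ACK_MISSING_DNS]))
```

    On a real capture, feed parse_dhcp the UDP payload of each packet (for example the bytes tcpdump -w writes, after stripping the Ethernet/IP/UDP headers); a finding on the OFFER or ACK means the server is not handing out DNS, a finding on the DISCOVER or REQUEST means the client never asked for it, which is the distinction the post is drawing.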

  • DNS over TLS & Loopback

    2 posts, 0 votes, 218 views. No one has replied.

  • 23.01 upgrade, DHCP page broken

    8 posts, 1 vote, 869 views

    @KimbleWorshack Great that you could resolve this. 23.05 seems to fix all other bugs for me as well.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.