Netgate Discussion Forum
    Why can't I resolve hostnames for devices on different VLANs?

    General pfSense Questions
    19 Posts 5 Posters 2.6k Views 4 Watching
    • imthenachoman

      I have a fresh pfSense installation with 3 VLANs, paired with a Unifi switch and AP.

      Everything works as expected except resolving hostnames for devices on another VLAN.

      I can resolve IPs for devices on the same VLAN.

      What could be wrong?

      • johnpoz LAYER 8 Global Moderator @imthenachoman

        @imthenachoman well if what you mean by resolve is broadcast for some host name and have it answer, that is not going to work across vlans/networks.

        Resolving via dns wouldn't matter what network/vlan you're in. But this would be done via fqdn, i.e. host.domain.tld

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • imthenachoman @johnpoz

          @johnpoz

          I am not following?

          I have two VLANs and I have allowed traffic from VLAN 10 to VLAN 20.

          Wouldn't hostname resolution happen on pfSense? If I have a computer on VLAN 10 and I ping a computer on VLAN 20, it should be able to resolve the IP, no?

          C:\Users\nacho>ping cam_living_room
          Ping request could not find host cam_living_room. Please check the name and try again.
          
          C:\Users\nacho>nslookup 192.168.20.102
          Server:  UnKnown
          Address:  192.168.10.1
          
          *** UnKnown can't find 192.168.20.102: Non-existent domain
          
          C:\Users\nacho>ping 192.168.20.102
          
          Pinging 192.168.20.102 with 32 bytes of data:
          Reply from 192.168.20.102: bytes=32 time=3ms TTL=63
          Reply from 192.168.20.102: bytes=32 time=3ms TTL=63
          
          • bingo600 @imthenachoman

            @imthenachoman
            DHCP is probably not registering your hosts in DNS.

            But Unbound and DHCP registering is another "can of worms", that you prob. don't want to open.

            /Bingo

            If you find my answer useful - Please give the post a 👍 - "thumbs up"

            pfSense+ 23.05.1 (ZFS)

            QOTOM-Q355G4 Quad Lan.
            CPU : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
            LAN : 4 x Intel 211, Disk : 240G SAMSUNG MZ7L3240HCHQ SSD

            • imthenachoman @bingo600

              @bingo600 said in Why can't I resolve hostnames for devices on different VLANs?:

              don't want to open

              Why?

              I swear this worked before. I had a PFS box before but it broke. So I got a new one and did a brand new install using the latest version.

              I feel like there is some setting I am not setting properly...

              • bingo600 @imthenachoman

                @imthenachoman
                How many ways can a host be resolved on pfSense?

                L3
                1: DNS
                2: mDNS (Avahi)

                L2
                3: Broadcast
                4: Netbios

                If it worked across vlans, it is prob. 1 or 2

                Re: DHCP registering in unbound - it requires Unbound to restart on each DHCP "add", leading to a sitewide DNS outage during the restart.


                • stephenw10 Netgate Administrator

                  Are you using pfSense for DHCP on both VLANs?

                  Are you registering dhcp leases in unbound? (not enabled by default)

                  Are you using the same domain on both VLANs?
                  When you try to ping 'cam_living_room' that host tries to resolve it by appending its own domain on the end, unless you've sent it some other search domain to use. So is it actually trying to resolve the host using the correct FQDN?

                  Steve

                  • imthenachoman

                    I figured out what was wrong. For some reason the Register DHCP leases in the DNS Resolver setting was unchecked. I checked it and now it works as expected.

                    • Gertjan @imthenachoman

                      @imthenachoman said in Why can't I resolve hostnames for devices on different VLANs?:

                      For some reason the Register DHCP leases in the DNS Resolver setting was unchecked. I checked it

                      You've opened the can of worms.

                      The issue now is that for every device that requests or renews a DHCP lease, unbound will get restarted.
                      If you have many hosts using DHCP, you will detect that 'something isn't right' as your network seems to stutter. Observing closely will show you that the DNS is out, because it's restarting 'all the time'.
                      This is one of the reasons pfBlockerNG doesn't want to have this option checked:

                      [attached screenshot of the pfBlockerNG option]

                      Just be aware of this effect.

                      No "help me" PM's please. Use the forum, the community will thank you.
                      Edit : and where are the logs ??

                      • stephenw10 Netgate Administrator

                        Mmm, only in Python mode though, as it says there.

                        I run with DHCP clients registered and with pfBlocker/DNS-BL running and have never seen an issue. I have 25-30 hosts.

                        Steve

                        • Gertjan @stephenw10

                          @stephenw10

                          Yeah .... I somewhat presumed that, when you use pfBlockerNG, you want "all" the DNS details, and the python script is the way to do so.
                          Regex blocking, log details, policy DNS facilities: this can only be done when unbound is given a callback function, the pfBlockerNG "python mode" script.

                          I dealt with Resolver's "DHCP Client Registered" option myself: I declared all known LAN devices that I have to access with Static DHCP MAC leases. And done.


                          • johnpoz LAYER 8 Global Moderator @Gertjan

                            @gertjan said in Why can't I resolve hostnames for devices on different VLANs?:

                            I declared all known LAN devices that I have to access with Static DHCP MAC leases. And done.

                            I am a fan of this myself - while it's a bit tedious to get started with if you have lots of devices. Overall I think this is the most bulletproof method. Stuff I want to resolve, temporary devices that might join my network, wifi guest for example - or some box I'm working on, etc. I don't really care or need to resolve this to some fqdn.

                            Once the device is going to be on my network ongoing - then just setup a reservation for it. done and done ;)


                            • Gertjan @johnpoz

                              Makes me wonder ....

                              Why doesn't unbound come with a 'written by Netgate' Python script that rereads (refreshes) a dhcp 4+6 leases file (based on a signal, or file size/time stamps, or regularly)?
                              Please guys, just a small Python script?! This will bury this issue for good, and we have the best of both worlds. Let's nuke that dhcpleases process for good.
                              I presume (a lot, I know) that unbound can 'host' several callback Python scripts.
                              We'll have one option less in the Resolver settings, DHCP clients with a valid host name are locally registered in the DNS, period.
                              Less fuss in pfBlockerNG.

                              Not wondering, I know, I'm out of subject here - sorry for that.

                              edit : Humm : dnsmasq would still have to use dhcpleases, I guess.
                              But who is using dnsmasq these days ? ;)


                              • stephenw10 Netgate Administrator @Gertjan

                                @gertjan said in Why can't I resolve hostnames for devices on different VLANs?:

                                But who is using dnsmasq these days ? ;)

                                A surprising number of people. 😉

                                • Gertjan @stephenw10

                                  @stephenw10

                                  Because they have to feed their pi-hole?
                                  Because they have this need to feed the big-data DNS corporations?

                                  Both are fine by me, although I suspect that often the second choice is taken for the 'I've seen someone doing that also - dunno why' reason.

                                  I've nothing against dnsmasq or the forwarding way of DNS; in the past, pfSense was also forwarding out of the box, unbound was added later on. As we were all taught (told?) to 'chain on to the ISP DNS' (for probably very valid reasons, very valid in the past).

                                  I'm more of a 'let it work out of the box' guy. Not because 'Netgate' has built in this typical setup, but because it makes sense if you think (a lot - I'm getting slow) about it.
                                  Take the DNS for example: it's 2021 now, and somewhere in the 90s it was told how a typical DNS system should work in a "network". With the root, tld and name servers and such.
                                  Years after that, ISPs started popping out of the ground, the Internet became something public, and all kinds of 'patched' systems were used to make it work for everybody.
                                  Also, there is a mutually exclusive choice to make: Forwarding and DoH, or DNSSEC, as we can't have both. I tend to choose the last one.


                                  • johnpoz LAYER 8 Global Moderator @Gertjan

                                    @gertjan said in Why can't I resolve hostnames for devices on different VLANs?:

                                    Forwarding and DoH, or DNSSEC, as we can't have both.

                                    Well you can "have" dnssec and forwarding - just forward to a resolver that does dnssec ;) Many of them do it already. So dnssec is being done - but whether you trust where you're forwarding to is always the big question.

                                    You don't have to ask for it - if where you're forwarding to is doing dnssec - it is being done regardless of whether you ask for it or not.

                                    example
                                    Does Quad9 implement DNSSEC?

                                    Yes. Quad9 provides DNSSEC validation on our primary resolvers.

                                    9.9.9.9, 149.112.112.112
                                    2620:fe::fe, 2620:fe::9

                                    In addition we validate DNSSEC on our EDNS enabled service.

                                    9.9.9.11, 149.112.112.11
                                    2620:fe::11, 2620:fe::fe:11

                                    This means that for domains that implement DNSSEC security, the Quad9 system will cryptographically ensure that the response provided matches the intended response of the domain operator. In the event of a cryptographic failure, our system will not return an answer at all. This ensures protection against domain spoofing or other attacks that attempt to provide false data. Learn more about DNSSEC here: https://www.icann.org/resources/pages/dnssec-qaa-2014-01-29-en

                                    https://www.quad9.net/support/faq/


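A small check that makes johnpoz's point concrete, as an added example that is not part of this thread and not Netgate or Quad9 code: when you forward to a validating resolver, the only signal you get back is the AD (Authenticated Data) bit in the DNS header, and a validation failure shows up as SERVFAIL with no answer section, which is the "will not return an answer at all" behaviour the Quad9 FAQ describes. The DNS messages below are constructed by hand (example.com pointing at an RFC 5737 documentation address), and `trusted_path` is an assumed flag standing in for whether the hop to the forwarder is itself trusted, which is the "do you trust where you're forwarding" caveat.

```python
"""Inspect the AD bit and RCODE of a DNS response from a forwarder.

Added example for this thread; the wire messages are constructed by hand and
are not captures from Quad9 or any other resolver.
"""
import struct

# Header flag bits (RFC 1035, AD/CD from RFC 4035)
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020
FLAG_CD = 0x0010
RCODE_MASK = 0x000F
RCODE_SERVFAIL = 2


def parse_header(msg):
    """Decode the 12-byte DNS header into named fields."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "is_response": bool(flags & FLAG_QR),
        "recursion_available": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & RCODE_MASK,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(msg, trusted_path):
    """Summarise what a forwarded response says about DNSSEC validation.

    trusted_path (assumed flag): whether the path to the forwarder is one we
    trust, e.g. DoT/DoH to a known resolver. The AD bit is only a claim made by
    the upstream resolver; over an untrusted path it can be stripped or forged,
    so it must not be treated as proof of validation there.
    """
    h = parse_header(msg)
    if not h["is_response"]:
        return "not-a-response"
    if h["rcode"] == RCODE_SERVFAIL and h["ancount"] == 0:
        return "servfail (how a validating resolver refuses bogus data)"
    if h["ad"]:
        return "validated-upstream" if trusted_path else "ad-set-but-untrusted-path"
    return "unvalidated"


def build_response(flags, answers):
    """Construct a minimal response for example.com/A (constructed sample)."""
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)  # A, IN
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, answers, 0, 0)
    body = header + question
    if answers:
        # name pointer to offset 12, type A, class IN, TTL 300, 4-byte RDATA
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
    return body


# Constructed samples: validated answer, plain answer, and a validation failure.
VALIDATED = build_response(FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1)
PLAIN = build_response(FLAG_QR | FLAG_RD | FLAG_RA, 1)
BOGUS = build_response(FLAG_QR | FLAG_RD | FLAG_RA | RCODE_SERVFAIL, 0)

if __name__ == "__main__":
    for name, msg in (("validated", VALIDATED), ("plain", PLAIN), ("bogus", BOGUS)):
        print(name, "->", classify(msg, trusted_path=True))
```

The point of the `trusted_path` branch is the one johnpoz raises: a forwarder can validate on your behalf, but the AD bit it sets only means something if nobody between you and that forwarder can rewrite the reply, so plain UDP port 53 across an ISP network and an encrypted, authenticated transport to a resolver you chose give the same bit very different weight.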
                                    • imthenachoman

                                      You guys have me so lost now.

                                      @gertjan said in Why can't I resolve hostnames for devices on different VLANs?:

                                      The issue now is that for every device that requests or renews a DHCP lease, unbound will get restarted.
                                      If you have many hosts using DHCP, you will detect that 'something isn't right' as your network seems to stutter. Observing closely will show you that the DNS is out, because it's restarting 'all the time'.

                                      Okay. I will see if it creates an issue for me. Is it possible to create some kind of static mapping? There is only one host on VL20 that I want DNS name resolution to work for from VL10. What should I do?

                                      @gertjan said in Why can't I resolve hostnames for devices on different VLANs?:

                                      This is one of the reasons pfBlockerNG doesn't want to have this option checked:

                                      Good to know. I was going to setup pfBlockerNG next. I guess I will have to uncheck that box.

                                      @stephenw10 said in Why can't I resolve hostnames for devices on different VLANs?:

                                      Mmm, only in Python mode though, as it says there.

                                      How can I check if I am in Python mode? Does this mean I am using Python mode?

                                      [attached screenshot of the DNS Resolver settings]

                                      @gertjan said in Why can't I resolve hostnames for devices on different VLANs?:

                                      I dealt with Resolver's "DHCP Client Registered" option myself: I declared all known LAN devices that I have to access with Static DHCP MAC leases. And done.

                                      Is that the same as "static mapping"? I assume so but I'm still learning so I want to confirm.

                                      @gertjan said in Why can't I resolve hostnames for devices on different VLANs?:

                                      Why doesn't unbound come with a 'written by Netgate' Python script that rereads (refreshes) a dhcp 4+6 leases file (based on a signal, or file size/time stamps, or regularly)?

                                      I know Python. Is there some existing file that does this that I could use to refactor to be more efficient (threaded)?

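To make the "reread the leases file" idea from Gertjan's post and the question just above concrete, here is an added example that is not Netgate's dhcpleases code and not anything shipped with pfSense: it parses the ISC dhcpd leases text format, keeps only active, unexpired leases that carry a client-hostname, renders them as unbound `local-data` / `local-data-ptr` lines, and reports whether the rendered set changed since the last run, so the resolver only needs a reload when a name or address is actually new rather than on every renewal. The leases text, the `home.arpa` domain and `SAMPLE_NOW` are constructed for the example. Because the hostname is supplied by the DHCP client, it is restricted to a single conservative label before it is written into resolver configuration.

```python
"""Turn an ISC dhcpd leases file into unbound local-data entries.

Added example for this thread, not Netgate's dhcpleases code. It assumes the
classic ISC dhcpd leases text format; the leases below are constructed, not a
real file.
"""
import re
from datetime import datetime, timezone

# Constructed sample: a re-issued lease (the later block for the same IP wins),
# an expired one, one with no hostname, and one with a hostile hostname.
SAMPLE_LEASES = '''
lease 192.168.20.102 {
  ends 4 2037/01/07 22:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "cam_living_room";
}
lease 192.168.10.50 {
  ends 4 2021/01/07 12:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:66;
  client-hostname "old-laptop";
}
lease 192.168.10.51 {
  binding state active;
  hardware ethernet 00:11:22:33:44:77;
}
lease 192.168.20.102 {
  ends 4 2037/01/08 22:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "cam-living-room";
}
lease 192.168.10.52 {
  binding state active;
  hardware ethernet 00:11:22:33:44:88;
  client-hostname "evil.example.com A 10.0.0.1";
}
'''
SAMPLE_NOW = datetime(2021, 1, 8, tzinfo=timezone.utc)  # constructed 'now' for the sample

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
# The hostname comes from the DHCP client, so allow one conservative label only:
# no dots, spaces or quotes that could smuggle extra records or config syntax.
LABEL_RE = re.compile(r"^[A-Za-z0-9_-]{1,63}$")


def lease_end(value):
    """Parse dhcpd's 'W YYYY/MM/DD HH:MM:SS' (UTC) end time; 'never' means no expiry."""
    if value == "never":
        return datetime.max.replace(tzinfo=timezone.utc)
    _weekday, date, clock = value.split()
    return datetime.strptime(f"{date} {clock}", "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_leases(text, now=None):
    """Return {ip: (hostname, mac)} for active, unexpired leases with a usable name.

    dhcpd appends a new block each time a lease changes, so a later block for
    the same IP supersedes an earlier one.
    """
    now = now or datetime.now(timezone.utc)
    active = {}
    for match in LEASE_RE.finditer(text):
        ip, body = match.group(1), match.group(2)
        fields = {}
        for line in body.strip().splitlines():
            line = line.strip().rstrip(";")
            if line:
                key, _, value = line.partition(" ")
                fields[key] = value
        active.pop(ip, None)  # newer block replaces whatever we had for this IP
        if fields.get("binding") != "state active":
            continue
        if "ends" in fields and lease_end(fields["ends"]) < now:
            continue
        name = fields.get("client-hostname", "").strip('"')
        if not LABEL_RE.match(name):
            continue
        mac = fields.get("hardware", "").replace("ethernet ", "")
        active[ip] = (name, mac)
    return active


def unbound_local_data(leases, domain):
    """Render unbound.conf local-data / local-data-ptr lines, sorted for stable diffs."""
    lines = []
    for ip, (name, _mac) in sorted(leases.items()):
        fqdn = f"{name}.{domain}"
        lines.append(f'local-data: "{fqdn}. A {ip}"')
        lines.append(f'local-data-ptr: "{ip} {fqdn}."')
    return lines


def changed(previous, current):
    """True only when the rendered set differs, i.e. when a resolver reload is needed."""
    return previous != current


if __name__ == "__main__":
    current = unbound_local_data(parse_leases(SAMPLE_LEASES, SAMPLE_NOW), "home.arpa")
    print("\n".join(current))
    print("reload needed:", changed([], current))
```

Applying the rendered lines (through an include file plus a reload, or through unbound-control) is left to the operator; the point of `changed()` is that a lease that merely renews with the same name and address produces an identical set and therefore no restart, which is the stutter Gertjan describes. Rejecting the hostile sample hostname matters for the same reason that the option is off by default: a DHCP client chooses its own name, and that name ends up inside the resolver's configuration.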
                                      • stephenw10 Netgate Administrator

                                        Yes, DHCP static mapping is what's being discussed here.
                                        https://docs.netgate.com/pfsense/en/latest/services/dhcp/ipv4.html#static-mappings

                                        You can set Unbound to resolve those separately and it doesn't require continually restarting the service.

                                        Steve

                                        • imthenachoman @stephenw10

                                          @stephenw10 Great. Thank you!

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.