Netgate Discussion Forum

    Why can't I resolve hostnames for devices on different VLANs?

    General pfSense Questions
    19 Posts, 5 Posters, 2.6k Views
    • johnpoz LAYER 8 Global Moderator @imthenachoman

      @imthenachoman Well, if what you mean by resolve is broadcasting for some host name and having it answer, that is not going to work across VLANs/networks.

      Resolving via DNS wouldn't matter what network/VLAN you're in. But this would be done via FQDN, i.e. host.domain.tld

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      • imthenachoman @johnpoz

        @johnpoz

        I am not following?

        I have two VLANs and I have allowed traffic from VLAN 10 to VLAN 20.

        Wouldn't hostname resolution happen on pfSense? If I have a computer on VLAN 10 and I ping a computer on VLAN 20, it should be able to resolve the IP, no?

        C:\Users\nacho>ping cam_living_room
        Ping request could not find host cam_living_room. Please check the name and try again.
        
        C:\Users\nacho>nslookup 192.168.20.102
        Server:  UnKnown
        Address:  192.168.10.1
        
        *** UnKnown can't find 192.168.20.102: Non-existent domain
        
        C:\Users\nacho>ping 192.168.20.102
        
        Pinging 192.168.20.102 with 32 bytes of data:
        Reply from 192.168.20.102: bytes=32 time=3ms TTL=63
        Reply from 192.168.20.102: bytes=32 time=3ms TTL=63
        
        • bingo600 @imthenachoman

          @imthenachoman
          DHCP is probably not registering your hosts in DNS.

          But Unbound and DHCP registering is another "can of worms" that you prob. don't want to open.

          /Bingo

          If you find my answer useful - Please give the post a 👍 - "thumbs up"

          pfSense+ 23.05.1 (ZFS)

          QOTOM-Q355G4 Quad Lan.
          CPU  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
          LAN  : 4 x Intel 211, Disk  : 240G SAMSUNG MZ7L3240HCHQ SSD

          • imthenachoman @bingo600

            @bingo600 said in Why can't I resolve hostnames for devices on different VLANs?:

            don't want to open

            Why?

            I swear this worked before. I had a PFS box before but it broke. So I got a new one and did a brand new install using the latest version.

            I feel like there is some setting I am not setting properly...

            • bingo600 @imthenachoman

              @imthenachoman
              How many ways can a host be resolved on a pfSense?

              L3
              1: DNS
              2: mDNS (Avahi)

              L2
              3: Broadcast
              4: Netbios

              If it worked across VLANs, it is prob. 1 or 2

              Re: DHCP registering in Unbound: it requires Unbound to restart on each DHCP "add", leading to a sitewide DNS outage during the restart.


              • stephenw10 Netgate Administrator

                Are you using pfSense for DHCP on both VLANs?

                Are you registering DHCP leases in Unbound? (not enabled by default)

                Are you using the same domain on both VLANs?
                When you try to ping 'cam_living_room', that host tries to resolve it by appending its own domain on the end, unless you've sent it some other search domain to use. So is it actually trying to resolve the host using the correct FQDN?

                Steve

                • imthenachoman

                  I figured out what was wrong. For some reason the Register DHCP leases in the DNS Resolver setting was unchecked. I checked it and now it works as expected.

                  • Gertjan @imthenachoman

                    @imthenachoman said in Why can't I resolve hostnames for devices on different VLANs?:

                    For some reason the Register DHCP leases in the DNS Resolver setting was unchecked. I checked it

                    You've opened the can of worms.

                    The issue now is, that for every device that requests or renews a DHCP lease, unbound will get restarted.
                    If you have many hosts using DHCP, you will detect 'something isn't right' as your network seems to stutter. Observing closely will show you that the DNS is out. Because it's restarting 'all the time'.
                    This is one of the reasons pfBlockerNG doesn't want to have this option checked:

                    [attached image]

                    Just be aware of this effect.

                    No "help me" PM's please. Use the forum, the community will thank you.
                    Edit : and where are the logs ??

                    • stephenw10 Netgate Administrator

                      Mmm, only in Python mode though, as it says there.

                      I run with DHCP clients registered and with pfBlocker/DNS-BL running and have never seen an issue. I have 25-30 hosts.

                      Steve

                      • Gertjan @stephenw10

                        @stephenw10

                        Yeah .... I somewhat presumed that, when you use pfBlockerNG, you want "all" the DNS details, and the Python script is the way to do so.
                        Regex blocking, log details, policy DNS facilities: this can only be done when unbound is given a callback function, the pfBlockerNG "python mode" script.

                        I dealt with Resolver's "DHCP Client Registered" option myself: I declared all known LAN devices that I have to access with Static DHCP MAC leases. And done.


                        • johnpoz LAYER 8 Global Moderator @Gertjan

                          @gertjan said in Why can't I resolve hostnames for devices on different VLANs?:

                          I declared all known LAN devices that I have to access with Static DHCP MAC leases. And done.

                          I am a fan of this myself, while it's a bit tedious to get started with if you have lots of devices. Overall I think this is the most bulletproof method. Stuff I want to resolve is one thing; temporary devices that might join my network, wifi guest for example, or some box I'm working on, etc., I don't really care or need to resolve to some FQDN.

                          Once the device is going to be on my network ongoing, then just set up a reservation for it. Done and done ;)


                          • Gertjan @johnpoz

                            Makes me wonder ....

                            Why doesn't unbound come with a 'written by Netgate' Python script that rereads (refreshes) the DHCP 4+6 leases file (based on a signal, or file size/time stamps, or regularly)?
                            Please guys, just a small Python script?! This will bury this issue for good, and we have the best of both worlds. Let's nuke that dhcpleases process for good.
                            I presume (a lot, I know) that unbound can 'host' several callback Python scripts.
                            We'll have one option less in the Resolver settings, DHCP clients with a valid host name are locally registered in the DNS, period.
                            Less fuss in pfBlockerNG.

                            Not wondering, I know, I'm off the subject here - sorry for that.

                            edit : Humm : dnsmasq would still have to use dhcpleases, I guess.
                            But who is using dnsmasq these days ? ;)


                            • stephenw10 Netgate Administrator @Gertjan

                              @gertjan said in Why can't I resolve hostnames for devices on different VLANs?:

                              But who is using dnsmasq these days ? ;)

                              A surprising number of people. 😉

                              • Gertjan @stephenw10

                                @stephenw10

                                Because they have to feed their pi-hole ?
                                Because they have this need to feed the big-data DNS corporations?

                                Both are fine to me, although I suspect that often the second choice is taken for the 'I've seen someone doing that also - dunno why' reason.

                                I've nothing against dnsmasq or the forwarding way of DNS; in the past, pfSense was also forwarding out of the box, unbound was added later on. As we were all taught (told?) to 'chain on to the ISP DNS' (for probably very valid reasons, very valid in the past).

                                I'm more a 'let it work out of the box' guy. Not because 'Netgate' has built in this typical setup, but because it makes sense if you think (a lot - I'm getting slow) about it.
                                Take the DNS for example: it's 2021 now, and somewhere in the 90s it was told how a typical DNS system should work in a "network". With the root, TLD and name servers and such.
                                Years after that, ISPs started popping out of the ground, the Internet became something public, and all kinds of 'patched' systems were used to make it work for everybody.
                                Also, there is a mutually exclusive choice to make: forwarding and DoH, or DNSSEC, as we can't have both. I tend to choose the last one.


                                • johnpoz LAYER 8 Global Moderator @Gertjan

                                  @gertjan said in Why can't I resolve hostnames for devices on different VLANs?:

                                  Forwarding and Doh, or DNSSEC, as we can't have both.

                                  Well you can "have" DNSSEC and forwarding - just forward to a resolver that does DNSSEC ;) Many of them do it already. So DNSSEC is being done - but do you trust where you're forwarding to is always the big question.

                                  You don't have to ask for it - if where you're forwarding to is doing DNSSEC, it is being done regardless of whether you ask for it or not.

                                  Example:
                                  Does Quad9 implement DNSSEC?

                                  Yes. Quad9 provides DNSSEC validation on our primary resolvers.

                                  9.9.9.9, 149.112.112.112
                                  2620:fe::fe, 2620:fe::9

                                  In addition we validate DNSSEC on our EDNS enabled service.

                                  9.9.9.11, 149.112.112.11
                                  2620:fe::11, 2620:fe::fe:11

                                  This means that for domains that implement DNSSEC security, the Quad9 system will cryptographically ensure that the response provided matches the intended response of the domain operator. In the event of a cryptographic failure, our system will not return an answer at all. This ensures protection against domain spoofing or other attacks that attempt to provide false data. Learn more about DNSSEC here: https://www.icann.org/resources/pages/dnssec-qaa-2014-01-29-en

                                  https://www.quad9.net/support/faq/


                                  • imthenachoman

                                    You guys have me so lost now.

                                    @gertjan said in Why can't I resolve hostnames for devices on different VLANs?:

                                    The issue now is, that for every device that requests or renews a DHCP lease, unbound will get restarted.
                                    If you have many hosts using DHCP, you will detect 'something isn't right' as your network seems to stutter. Observing closely will show you that the DNS is out. Because it's restarting 'all the time'.

                                    Okay. I will see if it creates an issue for me. Is it possible to create some kind of static mapping? There is only one host on VL20 that I want DNS name resolution to work for from VL10. What should I do?

                                    @gertjan said in Why can't I resolve hostnames for devices on different VLANs?:

                                    This is one of the reasons pfBlockerNG doesn't want to have this option checked:

                                    Good to know. I was going to setup pfBlockerNG next. I guess I will have to uncheck that box.

                                    @stephenw10 said in Why can't I resolve hostnames for devices on different VLANs?:

                                    Mmm, only in Python mode though, as it says there.

                                    How can I check if I am in Python mode? Does this mean I am using Python mode?

                                    [attached image]

                                    @gertjan said in Why can't I resolve hostnames for devices on different VLANs?:

                                    I dealt with Resolver's "DHCP Client Registered" option myself: I declared all known LAN devices that I have to access with Static DHCP MAC leases. And done.

                                    Is that the same as "static mapping"? I assume so but I'm still learning so I want to confirm.

                                    @gertjan said in Why can't I resolve hostnames for devices on different VLANs?:

                                    Why doesn't unbound come with a 'written by Netgate, Python scripts' that rereads (refreshes) a dhcp 4+6 leases file (based on a signal, or file size time stamps, a regularly) ?

                                    I know Python. Is there some existing file that does this that I could use to refactor to be more efficient (threaded)?

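Gertjan's suggestion above and imthenachoman's follow-up question both come down to the same thing: a script that rereads the DHCP leases file and hands the current hostnames to unbound. As an added example (not code from pfSense, Netgate, or anyone in this thread), here is a minimal Python parser for the ISC dhcpd.leases format that emits unbound local-data and local-data-ptr lines for active leases only; the lease text and the home.arpa domain are constructed assumptions, and the client-hostname is treated as untrusted input, so any name that could smuggle a quote or newline into a generated config file is dropped rather than written out.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in ISC dhcpd.leases format (not a real capture). The same IP
# may appear several times; the last entry in the file is the current one.
SAMPLE_LEASES = """\
lease 192.168.20.102 {
  ends 3 2021/11/10 14:00:00;
  binding state free;
  next binding state free;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "cam_living_room";
}
lease 192.168.20.102 {
  ends 3 2021/11/10 16:02:11;
  binding state active;
  next binding state free;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "cam_living_room";
}
lease 192.168.10.50 {
  ends 3 2021/11/10 16:05:00;
  binding state active;
  next binding state free;
  hardware ethernet 66:77:88:99:aa:bb;
  client-hostname "not\\"a-valid\\nname";
}
"""

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
STATE_RE = re.compile(r"^\s*binding state (\w+);", re.M)  # skips "next binding state"
HOST_RE = re.compile(r'client-hostname "((?:[^"\\]|\\.)*)";')  # honours \" escapes
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,63}$")  # label chars only: no quotes, spaces, newlines


def parse_leases(text: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Map IP -> {"state", "hostname"}; a later entry for the same IP overrides an earlier one."""
    leases: Dict[str, Dict[str, Optional[str]]] = {}
    for ip, body in LEASE_RE.findall(text):
        state = STATE_RE.search(body)
        host = HOST_RE.search(body)
        leases[ip] = {"state": state.group(1) if state else None,
                      "hostname": host.group(1) if host else None}
    return leases


def unbound_local_data(text: str, domain: str) -> List[str]:
    """Emit unbound local-data / local-data-ptr lines for active leases with a safe hostname."""
    out: List[str] = []
    for ip, lease in parse_leases(text).items():
        name = lease["hostname"]
        if lease["state"] != "active" or not name:
            continue
        if not SAFE_NAME_RE.match(name):
            continue  # client-supplied name; never interpolate it into a quoted config value
        fqdn = f"{name}.{domain}"
        out.append(f'local-data: "{fqdn}. A {ip}"')
        out.append(f'local-data-ptr: "{ip} {fqdn}"')
    return out
```

The reverse entry is what makes the nslookup of 192.168.20.102 shown earlier in the thread succeed; forward and reverse records are emitted together so neither side drifts when a lease changes.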
                                    • stephenw10 Netgate Administrator

                                      Yes, DHCP static mapping is what's being discussed here.
                                      https://docs.netgate.com/pfsense/en/latest/services/dhcp/ipv4.html#static-mappings

                                      You can set Unbound to resolve those separately and it doesn't require continually restarting the service.

                                      Steve

                                      • imthenachoman @stephenw10

                                        @stephenw10 Great. Thank you!

                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.