Netgate Discussion Forum
    NordVPN DNS servers seem to be down from my end but are apparently not

    DHCP and DNS
    15 Posts 2 Posters 1.4k Views
      pftdm007 @Bob.Dig

      @bob-dig

      While you're talking about DNS and how pfSense can be configured with it, I wonder why my VLAN300 clients cannot do DNS resolution unless I manually specify the DNS servers in the DHCP server of that interface?

      The tooltip below the DNS text fields in the DHCP server page says

      Leave blank to use the system default DNS servers: this interface's IP if DNS Forwarder or Resolver is enabled, otherwise the servers configured on the System / General Setup page.
      

      I left them blank. Since Unbound is NOT running on VLAN300 (I want VLAN300 to completely bypass DNSBL and be straight to the "outside" world) I'd expect the servers configured on the System / General Setup page to be provided to the clients of VLAN300 for DNS resolution.

      If I copy the DNS servers from the General Setup into the DHCP settings of VLAN300, everything works as expected. Do I need to set up FW rules or NAT stuff for this to work?

        Bob.Dig @pftdm007

        @pftdm007 said in NordVPN DNS servers seem to be down from my end but are apparently not:

        Do I need to setup FW rules or NAT stuff for this to work?

        Sure, but do it like I did and now you did: provide a DNS server like 8.8.8.8 and there shouldn't be any DNS leak.

          pftdm007 @Bob.Dig

          @bob-dig

          Okay, but why are the system DNS servers not being passed on to the clients??? The tooltip is clear:

          Leave blank to use the system default DNS servers
          

          It's NOT working. Is it a bug in pfSense?

            Bob.Dig @pftdm007

            @pftdm007 said in NordVPN DNS servers seem to be down from my end but are apparently not:

            Is it a bug in pfsense?

            no... it is a bug in your rulemaking. ^^

              pftdm007 @Bob.Dig

              @bob-dig

              Excellent, now I know where to investigate!

              Thanks

                Bob.Dig @pftdm007

                @pftdm007 Here is a hint.

                Capture.PNG

                  pftdm007 @Bob.Dig

                  @bob-dig

                  Yes, what you're showing me is what I had. Somehow, DNS resolution on the clients of that VLAN is not working. I see the amount of states going up in the rules but still clients can't resolve FQDNs.

                  From one of the linux client I can confirm the DNS server is indeed the VLAN interface (DHCP) IP (192.168.2.1 in that case).

                  mint@linuxmint:~$ nmcli dev show | grep DNS
                  IP4.DNS[1]:                             192.168.2.1
                  

                  The first rule with the 25/81 KiB (states) is the one I am trying to make work. Also note Unbound is not running on that VLAN.

                  aaa.png

                  It's like client requests for DNS resolution are indeed going through pfSense and through the FW rule but somehow are being blocked after that.

                  To test, I made a NAT rule to redirect any DNS requests to 8.8.8.8 but no improvements.

                  I confirm the clients can ping IPs on the internet. I tried with Google's IP:

                  PING 142.251.32.67 (142.251.32.67) 56(84) bytes of data.
                  64 bytes from 142.251.32.67: icmp_seq=1 ttl=118 time=19.9 ms
                  64 bytes from 142.251.32.67: icmp_seq=2 ttl=118 time=16.4 ms
                  64 bytes from 142.251.32.67: icmp_seq=3 ttl=118 time=18.5 ms
                  64 bytes from 142.251.32.67: icmp_seq=4 ttl=118 time=16.6 ms
                  64 bytes from 142.251.32.67: icmp_seq=5 ttl=118 time=18.3 ms
                  64 bytes from 142.251.32.67: icmp_seq=6 ttl=118 time=18.2 ms
                  ^C
                  --- 142.251.32.67 ping statistics ---
                  6 packets transmitted, 6 received, 0% packet loss, time 5051ms
                  rtt min/avg/max/mdev = 16.395/17.980/19.874/1.182 ms
                  
                  
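One way to check from a client on that VLAN what the ping test above cannot show: whether the DHCP-assigned resolver (192.168.2.1 in the nmcli output) is actually answering on UDP/53, as opposed to the firewall rule simply passing the packets. This is an added example, not code from the thread; it uses only the Python standard library and assumes a Linux client, where an ICMP port-unreachable from the resolver surfaces as ConnectionRefusedError on the UDP socket.

```python
import socket
import struct

TXID = 0x1234  # fixed transaction id so a reply can be matched to the probe

def build_query(name: str, txid: int = TXID) -> bytes:
    """Build a minimal A-record query (one question, recursion desired)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_header(resp: bytes, txid: int = TXID):
    """Return (rcode, answer_count) for a matching response, else None."""
    if len(resp) < 12:
        return None
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or not flags & 0x8000:  # QR bit must be set on a reply
        return None
    return flags & 0x000F, an

def probe_resolver(server: str, name: str = "example.com", timeout: float = 2.0) -> str:
    """Classify what the client sees from one resolver IP."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server, 53))
            data, _ = sock.recvfrom(512)
        except ConnectionRefusedError:
            # ICMP port unreachable came back: host is up, nothing bound to UDP/53
            # (what a client sees when Unbound is not listening on that interface).
            return "port-unreachable"
        except OSError:
            # No reply at all: query dropped or blocked somewhere on the path.
            return "timeout"
    parsed = parse_header(data)
    if parsed is None:
        return "bad-response"
    rcode, answers = parsed
    if rcode == 0 and answers > 0:
        return "answered"
    return f"rcode-{rcode}"

if __name__ == "__main__":
    # Compare the DHCP-assigned resolver with a public one from the same client.
    for server in ("192.168.2.1", "8.8.8.8"):
        print(server, probe_resolver(server))
```

A "port-unreachable" for the interface IP next to an "answered" for 8.8.8.8 means the lease is handing out a resolver address that serves no DNS, which is exactly the situation the rest of the thread arrives at.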
                    Bob.Dig @pftdm007

                    @pftdm007 But why? Why is unbound not running on your DMZ-VLAN, no wonder DNS is not working.

                      pftdm007 @Bob.Dig

                      @bob-dig I was hoping not to open that can of worms but oh well ;)

                      I am running pfB+DNSBL on the other VLANs but I didn't want to run it on VLAN_DMZ because it was interfering with my work laptop and equipment.

                      The only (easiest) solution was not to run unbound on VLAN_DMZ and manually pass DNS servers to its clients, effectively bypassing Unbound completely (and DNSBL at the same time).

                      Now DNSBL has python group policies which can be used to exclude IPs from it. I tried (really tried) to use it but it just kept bugging and causing all kinds of issues. So I reverted back to bypassing Unbound.

                      Now the only difference is that I am trying to "automate" the config a bit by having the system DNS servers (System > General Setup) automatically passed on to the clients of VLAN_DMZ when they request a lease.

                      Let me ask you a different question:

                      What does pfSense do if something is specified in these fields? Knowing how pfSense uses what's specified in these fields would help me understand how the routing happens.

                      Screenshot_2022-07-09_09-50-54.png

                        Bob.Dig @pftdm007

                        @pftdm007 If left empty, it will be that pfSense interface. If filled, that will be given to the DHCP-Clients.
                        Not that complicated.
                        I don't know what happens when you disable unbound only on this interface, probably nothing > no more DNS.

                          pftdm007 @Bob.Dig

                          @bob-dig Makes sense now that I read the tooltip differently. When the tooltip says "...if DNS Forwarder or Resolver is enabled" they mean enabled vs. disabled from a service perspective and not on a per-interface basis. That's what I misinterpreted.

                          That'd be nice to be able to NOT run unbound on an interface and serve system DNS servers. IMO the DHCP server should pass DNS servers in the following order:

                          If DNS fields are populated
                           use their settings;
                          Otherwise
                           If unbound is running on the interface
                             use interface IP
                           Else
                             pass system DNS servers
                          

                          That's probably more of an improvement idea than anything else. For now (and probably forever) I have copied the system DNS servers onto the DHCP fields for DMZ and I'm back to normal.

                          Sorry about the confusion. Funny how something can be interpreted differently... Thanks for your patience @Bob-Dig !
