Unable to resolve kali.download
-
I have a proxmox with a couple of VMs. I use pfSense as a firewall for them. I have a Kali VM, which is unable to DNS resolve "kali.download". It is able to resolve all other dns queries. I use the pfSense LAN interface as the kali's DNS server and have DNS resolver enabled. Issue is very strange and I do not know how to fix or troubleshoot. If I query kali.download from the pfsense itself it resolves, just not as the Kali client.
-
@jrather are you using any pfblocker lists that would block that?
If dns gui is able to resolve it using itself 127.0.0.1 then any client should be able to resolve it as well - even you were using pfblocker with block lists.
Is pfsense resolving it to the correct place - I show it resolving as below
-
I do not know what pfblocker is so I would say no.
-
Query you show, is the same for me via the pfSense GUI. Just not getting that response on the Kali VM.
-
@jrather well then your VM isn't using pfsense as its dns would be what I would think what is happening, there is nothing out of the box that would prevent a client from resolving what pfsense can clearly resolve, if using pfsense as its dns.
You sure your client is using pfsense as its dns?
Here is a query directly to pfsense ip - resolves just fine.
is your VM showing 127.0.0.53 as its dns if you do a dig, or host or nslookup on it - if so then your not really sure where its asking..
-
Unchecking DNSSEC, Enable DNSSEC Support in DNS Resolver seemed to solve it.
-
@jrather I would think that more just a restart of unbound vs dnssec since that kali.download isn't dnssec enabled.
-
Well I am not sure why disabling DNSSEC fixed it. But my proxmox is behind a Netgear router (The Netgear gets DNS from a pi-hole outside it's WAN port). So the WAN port on the pfsense uses the Netgear as it's DNS. In my scenario, I do not think a DNSSEC query matters since the Netgear and proxmox are internal my real WAN connection. Reading the setting, it referred enabling DNSSEC when using the root servers directly. I do not do that, so disabling it on the pfsense to get it to work is fine with me.
-
@jrather said in Unable to resolve kali.download:
it referred enabling DNSSEC when using the root servers directly
If your are forwarding to anywhere on pfsense, then yeah dnssec shouldn't be enabled - where you forward either does dnssec or it doesn't.
That setting really only has any real use if your actually resolving, ie talking to roots. If your forwarding then that setting is more likely to cause issues than anything else.
Both those records are not dnssec signed anyway, and I use dnssec since I resolve.. And not having any issues resolving it.