DNS Resolver Not Working/Logging
-
So I'm working on setting up my pfsense router for installation. My issue is I'm not able to reach the server hogwarts.lan (it's a NAS). Best I can tell, everything that needs to be in place is, or at the very least is so wide open as to not be a problem. Relevant screen shots of information that might be asked for are included, but if there is something else that might help let me know and I can provide it.
GBookPro:~ johnsoga$ nslookup hogwarts.lan
Server:		192.168.60.1
Address:	192.168.60.1#53

Name:	hogwarts.lan
Address: 192.168.130.20

GBookPro:~ johnsoga$ ping hogwarts.lan
ping: cannot resolve hogwarts.lan: Unknown host

GBookPro:~ johnsoga$ dig hogwarts.lan +trace

; <<>> DiG 9.10.6 <<>> hogwarts.lan +trace
;; global options: +cmd
;; Received 17 bytes from 192.168.60.1#53(192.168.60.1) in 69 ms

GBookPro:~ johnsoga$ ifconfig en8 | grep -w inet
	inet 192.168.60.3 netmask 0xffffff00 broadcast 192.168.60.255
In trying to see where this DNS lookup might be going wrong, I notice that none of the lookups show up in the DNS Resolver logs and I cannot figure out how to get them to show.
-
@johnsoga is Resolver listening on All interfaces?
Nslookup working and not logging, while dig fails, sounds like it’s being cached but I don’t think it can do that on its own. Did you try restarting your client device?
-
@steveits haven't tried restarting the client device (MacBook Pro connected to a CalDigit hub providing the Ethernet port), but I don't think that's the issue; may restart if desperation hits.
-
Decided to try a capture since I have no idea why the DNS Resolver logs on the pfSense device don't show logs for these local domain queries. Seemed like some kind of permission issue or something. So I went back into the DNS Resolver settings looking for anything that seemed permission related, noticed the ACL section, so started poking around in there. Now I just feel stupid because it's working after enabling the following:
GBookPro:~ johnsoga$ dig hogwarts.lan

; <<>> DiG 9.10.6 <<>> hogwarts.lan
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2148
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;hogwarts.lan.			IN	A

;; ANSWER SECTION:
hogwarts.lan.		3600	IN	A	192.168.130.20

;; Query time: 64 msec
;; SERVER: 192.168.60.1#53(192.168.60.1)
;; WHEN: Mon Jan 16 21:46:39 EST 2023
;; MSG SIZE  rcvd: 57
I actually tried setting it to just "allow" and that didn't work. It only seems to work when using the "allow snoop" option. I assume, based off the description, that this is implying that dig is always by default issuing a recursive or non-recursive query? Admittedly, to me the still frustrating part is that these queries still don't show in the logs. Is it not possible to get it to record local domain queries?
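The distinction the ACL action names refer to is the RD (recursion desired) bit in the DNS header: unbound's "allow" only accepts queries with RD set, which is what a stub resolver or nslookup sends, while "allow snoop" also accepts non-recursive (RD=0) queries, and dig disables recursion automatically when +trace is used. The script below is an added example (not code from this thread, from pfSense or from unbound) that builds an A query with RD set or cleared, and decodes a reply header so the NOERROR/REFUSED outcome and flags can be read without dig. The two reply byte strings are constructed for the demo: one mirrors the successful answer posted above (id 2148, TTL 3600, 192.168.130.20, OPT record omitted), the other is a header-only REFUSED reply; the server address and name used by the live helper are placeholders taken from the thread.

```python
"""Build DNS A queries with/without the RD flag and decode reply headers.

Added example, not from the thread, pfSense or unbound. Sample reply bytes
below are constructed so the module runs offline; send_query() is only
invoked when the file is run directly.
"""
import socket
import struct
import sys

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Encode 'hogwarts.lan' as DNS labels: \\x08hogwarts\\x03lan\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, recursion_desired=True, txid=0x1234, qtype=1):
    """Return a wire-format query. Stub resolvers/nslookup set RD=1;
    `dig +trace` turns recursion off and sends RD=0."""
    flags = 0x0100 if recursion_desired else 0x0000   # bit 8 of flags = RD
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def skip_name(data, pos):
    """Advance past a possibly compressed name (RFC 1035 section 4.1.4)."""
    while True:
        length = data[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:        # compression pointer ends the name
            return pos + 2
        pos += 1 + length


def parse_response(data):
    """Decode the 12-byte header and, if present, the first A record."""
    if len(data) < 12:
        raise ValueError("short packet")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    info = {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "aa": bool(flags & 0x0400),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "answers": an,
        "address": None,
    }
    pos = 12
    for _ in range(qd):                  # skip question section
        pos = skip_name(data, pos) + 4
    for _ in range(an):                  # first A record wins
        pos = skip_name(data, pos)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            info["address"] = socket.inet_ntoa(data[pos:pos + 4])
            info["ttl"] = ttl
            break
        pos += rdlen
    return info


def send_query(server, name, recursion_desired=True, timeout=2.0):
    """Send one UDP query to `server` and decode the reply (live use only)."""
    q = build_query(name, recursion_desired)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data)


# Constructed reply shaped like the successful dig output in the thread.
ANSWER_OK = (
    struct.pack("!HHHHHH", 2148, 0x8580, 1, 1, 0, 0)   # qr aa rd ra, NOERROR
    + encode_name("hogwarts.lan") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4)
    + socket.inet_aton("192.168.130.20")
)
# Constructed header-only REFUSED reply: qr rd set, rcode 5, no sections.
REFUSED_HEADER_ONLY = struct.pack("!HHHHHH", 2148, 0x8105, 0, 0, 0, 0)

if __name__ == "__main__":
    print("constructed OK reply:     ", parse_response(ANSWER_OK))
    print("constructed REFUSED reply:", parse_response(REFUSED_HEADER_ONLY))
    if len(sys.argv) > 1:                # e.g. 192.168.60.1 hogwarts.lan
        server, name = sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "hogwarts.lan"
        for rd in (True, False):
            print(f"live RD={int(rd)}:", send_query(server, name, rd))
```

Running it with the resolver address and name as arguments sends the same lookup twice, once with RD=1 and once with RD=0; a resolver whose ACL action is only "allow" answers the first and refuses the second, which is the behaviour that makes plain `dig` and `nslookup` succeed while `dig +trace` returns nothing useful.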
-
@steveits said in DNS Resolver Not Working/Logging:
@johnsoga is Resolver listening on All interfaces?
Nslookup working and not logging, while dig fails, sounds like it’s being cached but I don’t think it can do that on its own. Did you try restarting your client device?
yup
-
@johnsoga so it needed an ACL? Does that interface have a gateway? Internal interfaces should be allowed.
https://docs.netgate.com/pfsense/en/latest/services/dns/resolver-acls.html
Not sure about the log Q, sorry.
-
@steveits said in DNS Resolver Not Working/Logging:
@johnsoga so it needed an ACL? Does that interface have a gateway? Internal interfaces should be allowed.
https://docs.netgate.com/pfsense/en/latest/services/dns/resolver-acls.html
Not sure about the log Q, sorry.
Hmmm, good catch. I see what you mean from the documentation:
"By default, IPv4 and IPv6 networks residing on internal interfaces of this firewall are permitted. Additional networks must be allowed manually."
I would think this interface would be considered internal; idk how/where that configuration is made, but to answer your question, nope, no gateway.