iCloud Private Relay breaks pfSense Split DNS - be warned
-
After my opening post I discovered the solution to my own issue, so I changed the title and added the solution below.
Hi all,
I have a server running on the local network (VLAN10). As I have mobile clients (laptops) that connect to that server outside and inside my network, I configured DNS Resolver split DNS as recommended on this forum. One local client (M1 MacBook Pro) keeps resolving a ping to the FQDN as the external (WAN) IP instead of the local IP. This rebellious MBP has worked well for months now, but two days ago I activated FileVault and after that this issue started. At least 7 other MacBooks resolve that ping to the local IP as normal. One of those also has FileVault enabled and works fine, so I doubt that FileVault has anything to do with it.
Meanwhile I wiped the entire drive, installed macOS from scratch (with FileVault) and then initially the ping resolved to the local IP. Hurray. After reinstalling some of my apps (Synology Drive, then Carbon Copy Cloner, then Adobe Creative Suite), it's back to the ping resolving to the WAN IP again. This breaks the Synology Drive client sync.
When I create a new user the ping resolves to the local IP. Client DNS is on auto for all MacBooks and reads 192.168.10.1, just like it should.
Nslookup always returns local IP, even while the trouble MacBook pings to external IP.
HTTPS access works fine on this local client, i.e. when I type the FQDN in a web browser I can reach the server and all is well.
I know this doesn't seem to be a pfSense issue, but I hope you could provide some troubleshooting suggestions.
Thanks a lot in advance.
Pete
-
@cabledude
Just wanted to add: the first time, the ping <domain> command takes a little longer than it should, as if it is trying to resolve the local IP but can't, then reverts to the public route. After the first ping, the consecutive pings go very fast, but I believe the ping resolution is retrieved from buffer/cache whereas the nslookup always queries a fresh set.
-
So I finally found out what is going on. After logging into iCloud I carelessly enabled Private Relay:
Apparently this breaks the Split DNS, though I don't know why.
After disabling Private Relay, all pings get back to resolving local IP and instantly my Synology Drive Client picks up syncing files where it left off...
This also perfectly accounts for the fact that only this client had this issue, as it was the only one out of 8 units that had Private Relay enabled.
Hope this helps others too.
-
@cabledude Private Relay is sort of like a VPN. It bypasses local DNS.
https://support.apple.com/en-us/HT212614
-
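A small diagnostic script, added here and not part of the thread, that reproduces the check the thread arrived at by hand: it compares the address the macOS system resolver hands to ping with the address the pfSense LAN resolver returns when queried directly, and flags the case where the system answer is a public address while the LAN resolver still answers with a private one (the signature of Private Relay, or any other DNS proxy, sitting in the resolver path). The LAN resolver address 192.168.10.1 is taken from the thread; the FQDN is whatever you pass in; `dscacheutil` and `dig` are assumed to be present, as they are on a stock macOS install.

```shell
#!/bin/sh
# Added diagnostic (not from the forum thread). Assumes a macOS host with
# dscacheutil and dig, and a pfSense DNS Resolver on the LAN doing split DNS.

# Returns 0 when the address is in an RFC 1918 private range, 1 otherwise.
is_rfc1918() {
  case "$1" in
    10.*) return 0 ;;
    192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Compare the address the OS resolver gave to ping (sys_ip) with the address
# the LAN resolver answers when asked directly (lan_ip). Prints one verdict line.
split_dns_verdict() {
  sys_ip="$1"; lan_ip="$2"
  if [ -z "$sys_ip" ]; then
    echo "fail: system resolver returned no A record"
  elif [ "$sys_ip" = "$lan_ip" ]; then
    echo "ok: system resolver agrees with LAN resolver ($sys_ip)"
  elif is_rfc1918 "$lan_ip" && ! is_rfc1918 "$sys_ip"; then
    echo "bypass: system resolver returned public $sys_ip but LAN resolver returns private $lan_ip (a DNS proxy such as Private Relay is likely in the path)"
  else
    echo "mismatch: system resolver $sys_ip vs LAN resolver $lan_ip"
  fi
}

# Live check. dscacheutil resolves through the system resolver, the same path
# ping uses; dig (like nslookup) sends its query straight to the DNS server,
# which is why nslookup looked fine in the thread while ping did not.
check_host() {
  fqdn="$1"; lan_dns="${2:-192.168.10.1}"   # 192.168.10.1 is the thread's LAN resolver
  sys_ip=$(dscacheutil -q host -a name "$fqdn" | awk '/^ip_address:/ {print $2; exit}')
  lan_ip=$(dig +short A "$fqdn" @"$lan_dns" | head -n 1)
  split_dns_verdict "$sys_ip" "$lan_ip"
}

# Usage: sh split_dns_check.sh server.example.com [192.168.10.1]
if [ "$#" -ge 1 ]; then
  check_host "$@"
fi
```

Run it with the FQDN of the split-DNS host as the first argument; a "bypass:" verdict means the OS resolver is not talking to pfSense at all, so no amount of DNS Resolver host-override tuning will help until the client-side proxy (Private Relay here) is turned off for that network.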
@steveits
Thank you Steve, that explanation makes perfect sense. I never realised it could mess up my setup, but I learned the hard way: it took me two full days of troubleshooting, wiping the MacBook and rebuilding its setup before it dawned on me that it came down to my silly mistake. Oh well. At least it broadened my understanding of the way it works.