Netgate Discussion Forum

    DNS - Unable to reverse lookup internet address

    General pfSense Questions
    • M
      michmoor LAYER 8 Rebel Alliance
      last edited by michmoor

      Hello everyone,
      Need some help in diagnosing a DNS problem. It doesn't seem to be a specific pfSense problem but it's strange.

      Background: I have Squid Proxy running with LightSquid for reporting. Since being enabled I notice the majority of the internet addresses just come back as the IP. DNS resolution is not working. I made sure that resolution is set for DNS in the LightSquid reporting and local names of clients do resolve, just not internet destinations.

      Tshoot:
      284bb4cf-82eb-4e00-8f5a-799217aa1079-image.png

      What you see above is just a snippet of the report. Mostly all sites are not resolvable. Where things get weird is when I hop on to my Windows client and resolve some of the IPs I get a return.
      822e17eb-e7ad-4e9a-a4a0-f2983815a230-image.png

      When I dig using pfSense as the upstream server I just get a SOA record.

       dig @192.168.50.254 17.253.27.202
      
      ; <<>> DiG 9.18.12-0ubuntu0.22.04.2-Ubuntu <<>> @192.168.50.254 17.253.27.202
      ; (1 server found)
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 56387
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
      
      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 1332
      ;; QUESTION SECTION:
      ;17.253.27.202.                 IN      A
      
      ;; AUTHORITY SECTION:
      .                       3600    IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2023082200 1800 900 604800 86400
      
      ;; Query time: 12 msec
      ;; SERVER: 192.168.50.254#53(192.168.50.254) (UDP)
      ;; WHEN: Tue Aug 22 10:16:46 EDT 2023
      ;; MSG SIZE  rcvd: 117
      
      

      Even stranger, if I use Google or Cloudflare or Quad9 I get the same SOA record back.

      I'm assuming pfSense uses its local cache or the configured upstream DNS to resolve the names in Squid, but can anyone explain why my Windows client, which does use pfSense as its gateway and DNS, gets entries back but pfSense and other DNS servers have no record, which I just don't believe.

      Firewall: NetGate,Palo Alto-VM,Juniper SRX
      Routing: Juniper, Arista, Cisco
      Switching: Juniper, Arista, Cisco
      Wireless: Unifi, Aruba IAP
      JNCIP,CCNP Enterprise

      • M
        michmoor LAYER 8 Rebel Alliance @michmoor
        last edited by michmoor

        Could be part of the problem, but I noticed going to a website - https://www.squid-cache.org/Doc/config/tls_outgoing_options/ - resolves to an IPv6 address which Squid complains, correctly so, that it doesn't have a route to.

        5a24e26f-b280-47a1-b51d-a705a5cf0f6f-image.png

        Yet when I dig on that domain name I don't get an IPv6 address returned.

        ~$ dig squid-cache.org
        
        ; <<>> DiG 9.18.12-0ubuntu0.22.04.2-Ubuntu <<>> squid-cache.org
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19890
        ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
        
        ;; OPT PSEUDOSECTION:
        ; EDNS: version: 0, flags:; udp: 65494
        ;; QUESTION SECTION:
        ;squid-cache.org.               IN      A
        
        ;; ANSWER SECTION:
        squid-cache.org.        60      IN      A       104.130.201.120
        
        ;; Query time: 132 msec
        ;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
        ;; WHEN: Tue Aug 22 10:59:31 EDT 2023
        ;; MSG SIZE  rcvd: 60
        
        dig @9.9.9.9 squid-cache.org
        
        ; <<>> DiG 9.18.12-0ubuntu0.22.04.2-Ubuntu <<>> @9.9.9.9 squid-cache.org
        ; (1 server found)
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25841
        ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
        
        ;; OPT PSEUDOSECTION:
        ; EDNS: version: 0, flags:; udp: 1232
        ;; QUESTION SECTION:
        ;squid-cache.org.               IN      A
        
        ;; ANSWER SECTION:
        squid-cache.org.        60      IN      A       104.130.201.120
        
        ;; Query time: 164 msec
        ;; SERVER: 9.9.9.9#53(9.9.9.9) (UDP)
        ;; WHEN: Tue Aug 22 11:01:37 EDT 2023
        ;; MSG SIZE  rcvd: 60
        
        
        

        • johnpozJ
          johnpoz LAYER 8 Global Moderator @michmoor
          last edited by

          @michmoor said in DNS - Unable to reverse lookup internet address:

          ;; QUESTION SECTION:
          ;17.253.27.202. IN A

          You asked if there was an A record, there would not be an A record for an IP, but there could be a ptr..

          ;202.27.253.17.in-addr.arpa.    IN      PTR
          
          ;; ANSWER SECTION:
          202.27.253.17.in-addr.arpa. 43200 IN    PTR     uschi5-vip-bx-004.b.aaplimg.com.
          

          if you want to use dig to look for ptr use the -x option

          $ dig -x 17.253.27.202

          nslookup will normally auto do that for you.. if you set debug on nslookup and then do your check you will see it actually doing a ptr if you ask for just an IP.

          $ nslookup
          Default Server:  pi.hole
          Address:  192.168.3.10
          
          > set debug
          > 17.253.27.202
          Server:  pi.hole
          Address:  192.168.3.10
          
          ------------
          Got answer:
              HEADER:
                  opcode = QUERY, id = 2, rcode = NOERROR
                  header flags:  response, want recursion, recursion avail.
                  questions = 1,  answers = 1,  authority records = 0,  additional = 0
          
              QUESTIONS:
                  202.27.253.17.in-addr.arpa, type = PTR, class = IN
              ANSWERS:
              ->  202.27.253.17.in-addr.arpa
                  name = uschi5-vip-bx-004.b.aaplimg.com
                  ttl = 43000 (11 hours 56 mins 40 secs)
          
          ------------
          Name:    uschi5-vip-bx-004.b.aaplimg.com
          Address:  17.253.27.202
          

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          • M
            michmoor LAYER 8 Rebel Alliance @johnpoz
            last edited by

            @johnpoz You're right! Thank you for pointing that out.
            But why isn't pfSense resolving for LightSquid?

            7f07dce9-1c0e-4730-bff7-ba856bccce57-image.png

            • johnpozJ
              johnpoz LAYER 8 Global Moderator @michmoor
              last edited by

              @michmoor said in DNS - Unable to reverse lookup internet address:

              But why isn't pfSense resolving for LightSquid

              Not sure, I don't use proxy - haven't used proxy on my home network since I had 2 teenage boys in the house ;) You know what sort of shit they were looking for hehehe, best way to block that sort of thing was with proxy back in the day.. If had to do it today, prob just use dns blocking.

              Proxies can be useful if you want to block stuff via a full url, say https://www.somesite.tld/otherthing, but you did want to allow say https://www.somesite.tld/allowedthing/whatever

              But an educated guess as to why it's not working is that the mechanism that tries to resolve it is asking for an A on an IP, and there isn't normally ever going to be an A record for that..

              • M
                michmoor LAYER 8 Rebel Alliance @johnpoz
                last edited by

                @johnpoz said in DNS - Unable to reverse lookup internet address:

                Not sure, I don't use proxy - haven't used proxy on my home network since I had 2 teenage boys in the house ;) You know what sort of shit they were looking for hehehe, best way to block that sort of thing was with proxy back in the day.. If had to do it today, prob just use dns blocking.

                LOL. So I got my 11 year old, 8 and 4. So not there yet but the days are flying by. I'll ping you for Squid advice in the next few years. haha.

                I would use DNS blocking buttttt. Squid at least tells me where everyone is going. Funny enough I did have to block some programming..Roku Kids something. Wife did not want them watching it so I went right into Squid reports to find that domain and blocked it. So it did have a good use case there.
                Also you got squid guard so I can be more targeted in which device I want to really cut off at the knees.

                • stephenw10S
                  stephenw10 Netgate Administrator
                  last edited by

                  Works OK here:

                  [23.05.1-RELEASE][admin@4100-2.stevew.lan]/root: dig -x 17.253.27.202
                  
                  ; <<>> DiG 9.18.13 <<>> -x 17.253.27.202
                  ;; global options: +cmd
                  ;; Got answer:
                  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29328
                  ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
                  
                  ;; OPT PSEUDOSECTION:
                  ; EDNS: version: 0, flags:; udp: 512
                  ;; QUESTION SECTION:
                  ;202.27.253.17.in-addr.arpa.	IN	PTR
                  
                  ;; ANSWER SECTION:
                  202.27.253.17.in-addr.arpa. 43122 IN	PTR	uschi5-vip-bx-004.b.aaplimg.com.
                  
                  ;; Query time: 0 msec
                  ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
                  ;; WHEN: Tue Aug 22 17:09:05 BST 2023
                  ;; MSG SIZE  rcvd: 100
                  

                  What do you have lightsquid set to use for name resolution?

                  • M
                    michmoor LAYER 8 Rebel Alliance @stephenw10
                    last edited by

                    @stephenw10
                    I really don't remember ever running into this problem using LightSquid. It always resolved even Apple domains.

                    815ddb9d-2cc0-4c62-97c3-bd77cee4add9-image.png

                    • M
                      michmoor LAYER 8 Rebel Alliance @michmoor
                      last edited by michmoor

                      @stephenw10
                      This is the weirdness I'm talking about.

                      Looking for the pointer record and this is what I get on my Ubuntu machine.

                      michael@netadmin:~$ dig -x 17.248.191.170
                      
                      ; <<>> DiG 9.18.12-0ubuntu0.22.04.2-Ubuntu <<>> -x 17.248.191.170
                      ;; global options: +cmd
                      ;; Got answer:
                      ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 37250
                      ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
                      
                      ;; OPT PSEUDOSECTION:
                      ; EDNS: version: 0, flags:; udp: 65494
                      ;; QUESTION SECTION:
                      ;170.191.248.17.in-addr.arpa.   IN      PTR
                      
                      ;; AUTHORITY SECTION:
                      17.in-addr.arpa.        3453    IN      SOA     usmsc2-extxfr-001.dns.apple.com. hostmaster.apple.com. 2010133180 1800 900 2592000 7200
                      
                      ;; Query time: 92 msec
                      ;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
                      ;; WHEN: Tue Aug 22 15:32:12 EDT 2023
                      ;; MSG SIZE  rcvd: 134
                      
                      

                      When I try to look it up via pfSense ..nothing.

                      251c0d48-73e3-4836-be93-0ee4369cfdc7-image.png

                      Then there are entries that do have a PTR record and yet the LightSquid reporting doesn't put the DNS name. Example:

                       dig -x 31.13.65.52
                      
                      ; <<>> DiG 9.18.12-0ubuntu0.22.04.2-Ubuntu <<>> -x 31.13.65.52
                      ;; global options: +cmd
                      ;; Got answer:
                      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46561
                      ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
                      
                      ;; OPT PSEUDOSECTION:
                      ; EDNS: version: 0, flags:; udp: 65494
                      ;; QUESTION SECTION:
                      ;52.65.13.31.in-addr.arpa.      IN      PTR
                      
                      ;; ANSWER SECTION:
                      52.65.13.31.in-addr.arpa. 557   IN      PTR     instagram-p3-shv-01-atl3.fbcdn.net.
                      
                      ;; Query time: 12 msec
                      ;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
                      ;; WHEN: Tue Aug 22 15:39:22 EDT 2023
                      ;; MSG SIZE  rcvd: 101
                      
                      

                      c99f9b2a-6d24-4585-80dd-abf317556d26-image.png

                      79e12b45-bc14-4b50-9cdd-4663968b3d4b-image.png

                      Whatever is going on here, between Squid choosing an IPv6 path [see screenshot in previous thread] and its inability to do reverse DNS, this is all related. Something is probably misconfigured but I can't figure out what it is.

                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator @michmoor
                        last edited by johnpoz

                        @michmoor said in DNS - Unable to reverse lookup internet address:

                        When I try to look it up via pfSense ..nothing.

                        you do understand not all IPs have ptr records right?? It is the responsibility of who owns the IP space to create the records, not everyone does..

                        That is telling you there is no record specific for that IP.. but that that NS is the SOA (source of authority) for the network of anything that starts with 17.x.x.x

                        Maybe the phone directly connected to an IP vs asking the proxy go to www.something.tld that it would resolve to an IP?

                        Normally with a proxy the client asks the proxy hey go to something.whatever.tld, and the proxy looks it up and goes to that IP. If the client isn't specifically asking the proxy, say a transparent proxy and the client looks up the IP of the fqdn it wants to go to - then it would just try and go to the IP, and the proxy being a transparent proxy, etc. would just go there for the client, etc

                        NetRange:       17.0.0.0 - 17.255.255.255
                        CIDR:           17.0.0.0/8
                        Organization:   Apple Inc. (APPLEC-1-Z)
                        OrgName:        Apple Inc.
                        

                        Apple owns all of 17.x.x.x - if they don't want to create PTR records for every IP in the 17.x.x.x that is up to them.

                        But they do have PTRs for some of the IPs in that space

                        ;; QUESTION SECTION:
                        ;10.176.47.17.in-addr.arpa.     IN      PTR
                        
                        ;; ANSWER SECTION:
                        10.176.47.17.in-addr.arpa. 43200 IN     PTR     usmsc2-extxfr-001.dns.apple.com.
                        
                        ;; QUESTION SECTION:
                        ;2.170.57.17.in-addr.arpa.      IN      PTR
                        
                        ;; ANSWER SECTION:
                        2.170.57.17.in-addr.arpa. 3600  IN      PTR     mx-in-vib.apple.com.
                        

                        They seem to have only created PTRs for the IPs they want to create them for, or where it makes sense to - ie NS and their mail servers, etc.

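Added example (not part of any post in this thread): a small Python parser for `dig` output that separates the three outcomes discussed above: an A query sent for an IP literal, a PTR answer, and an NXDOMAIN whose AUTHORITY SOA only names the reverse zone. The sample texts are trimmed from the outputs posted in the thread; the function names are this example's own.

```python
import ipaddress
import re

# Trimmed from dig outputs posted in this thread.
A_ON_IP = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 56387
;; QUESTION SECTION:
;17.253.27.202.                 IN      A

;; AUTHORITY SECTION:
.    3600  IN  SOA  a.root-servers.net. nstld.verisign-grs.com. 2023082200 1800 900 604800 86400
"""
PTR_OK = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29328
;; QUESTION SECTION:
;202.27.253.17.in-addr.arpa.    IN      PTR

;; ANSWER SECTION:
202.27.253.17.in-addr.arpa. 43122 IN PTR uschi5-vip-bx-004.b.aaplimg.com.
"""
NO_PTR = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 37250
;; QUESTION SECTION:
;170.191.248.17.in-addr.arpa.   IN      PTR

;; AUTHORITY SECTION:
17.in-addr.arpa. 3453 IN SOA usmsc2-extxfr-001.dns.apple.com. hostmaster.apple.com. 2010133180 1800 900 2592000 7200
"""

def reverse_name(ip):
    """Name a PTR query must ask for (what `dig -x` builds for you)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def parse_dig(text):
    """Extract status, question and answer/authority records from dig output."""
    out = {"status": None, "qname": None, "qtype": None, "answer": [], "authority": []}
    section = None
    for line in (raw.strip() for raw in text.splitlines()):
        header = re.search(r"HEADER.*status: (\w+)", line)
        marker = re.match(r";; (\w+) SECTION:", line)
        if header:
            out["status"] = header.group(1)
        elif marker:
            section = marker.group(1).lower()
        elif not line:
            section = None  # a blank line ends the current section
        elif section == "question" and line.startswith(";"):
            fields = line[1:].split()
            out["qname"], out["qtype"] = fields[0], fields[-1]
        elif section in ("answer", "authority") and not line.startswith(";"):
            name, _ttl, _cls, rtype, *rdata = line.split()
            out[section].append((name, rtype, " ".join(rdata)))
    return out

def diagnose(text):
    """Classify a dig result the way the replies in the thread read it."""
    r = parse_dig(text)
    qname = r["qname"].rstrip(".")
    try:
        ipaddress.ip_address(qname)
        if r["qtype"] != "PTR":
            return f"wrong question: {r['qtype']} for an IP literal; ask PTR {reverse_name(qname)}"
    except ValueError:
        pass  # qname is a real DNS name, e.g. one under in-addr.arpa
    ptrs = [rdata for _, rtype, rdata in r["answer"] if rtype == "PTR"]
    if ptrs:
        return f"PTR found: {ptrs[0]}"
    zones = [name for name, rtype, _ in r["authority"] if rtype == "SOA"]
    if r["status"] == "NXDOMAIN" and zones:
        return f"no PTR published; negative answer from zone {zones[0]}"
    return f"inconclusive: status {r['status']}"

if __name__ == "__main__":
    for sample in (A_ON_IP, PTR_OK, NO_PTR):
        print(diagnose(sample))
```
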
                        • M
                          michmoor LAYER 8 Rebel Alliance @johnpoz
                          last edited by michmoor

                          @johnpoz I hear what you're saying John but the problem is that when there are PTR records lightsquid for some reason isn't using it.
                          Example below. There is a PTR in the answer section.
                          Example

                           dig -x   17.253.27.202
                          
                          ; <<>> DiG 9.18.12-0ubuntu0.22.04.2-Ubuntu <<>> -x 17.253.27.202
                          ;; global options: +cmd
                          ;; Got answer:
                          ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54548
                          ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
                          
                          ;; OPT PSEUDOSECTION:
                          ; EDNS: version: 0, flags:; udp: 65494
                          ;; QUESTION SECTION:
                          ;202.27.253.17.in-addr.arpa.    IN      PTR
                          
                          ;; ANSWER SECTION:
                          202.27.253.17.in-addr.arpa. 43200 IN    PTR     uschi5-vip-bx-004.b.aaplimg.com.
                          
                          ;; Query time: 16 msec
                          ;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
                          ;; WHEN: Tue Aug 22 17:09:00 EDT 2023
                          ;; MSG SIZE  rcvd: 100
                          
                          

                          7e097d77-cf0b-4ba3-a6ab-049df9399d8d-image.png

                          • johnpozJ
                            johnpoz LAYER 8 Global Moderator @michmoor
                            last edited by

                            @michmoor why do you think lightsquid would look up PTRs?

                            When a proxy is set to explicit, ie the client points to it - the client should be asking the proxy hey I want to go to www.something.tld, and the proxy would look up what IP to go to.

                            Explicit clients shouldn't be going to IPs directly, or asking the proxy for an IP, unless the client actually either looked up the fqdn to the IP before which it shouldn't if it has explicit proxy set, or something is using an IP vs a fqdn?

                            None of that really has anything to do with lightsquid trying to look up a PTR.. it's just logging where a client asked to go - if you asked to go to 1.2.3.4 be it you specifically asked the proxy to go there, or the proxy intercepted the traffic via transparent settings and went there on the behalf of the client.

                            • M
                              michmoor LAYER 8 Rebel Alliance @johnpoz
                              last edited by

                              @johnpoz My understanding is that pfSense resolves the IP address to hostnames. There's a setting for that in Squid Proxy Reports.

                              • johnpozJ
                                johnpoz LAYER 8 Global Moderator @michmoor
                                last edited by johnpoz

                                @michmoor I believe that is for client IPs.. I don't currently have squid or squid reports or anything installed, guess I could take a look. But anything you google for squid PTR all comes up talking about the client IP.

                                From back in the day, when I ran proxies for a living ;) we almost always blocked direct IP access, and only specific ones were whitelisted. Not sure why a proxy would want to look up PTRs when you normally block direct IP access, etc. ;)

                                But for clients, you could use client names in rules that allow, deny etc. So since client IPs might change you might want to do ptr on client IPs to know if it's a specific client based on its name.
