Completely confused by DNS failure (dnsmasq)
-
@NickJH if pfSense is not NATting then the upstream router needs a static route to know where to send replies back to 192.168.1.0/24.
-
pfSense is natting. I didn't include the dump of the packets at the pfSense external interface but they match the packets coming back from the Firewall.
Also external resolution works in the PC.
-
@NickJH Then it should "just work." DNS Forwarder is really old though...you can set DNS Resolver to forward via a checkbox, though uncheck the DNSSEC checkbox if you do.
-
That is the problem. It doesn't work and I have no idea why. It correctly gets a response back from the Firewall when querying external DNS.
I can't use a recursive resolver unless I replicate all the hosts that are in the Firewall for my split DNS. That would be a pain. For that reason I switched to a forwarder temporarily.
Alternatively, can I bulk load hosts into pfSense?
I am now just trying to switch the resolver to forwarding as you suggest.
-
@NickJH said in Completely confused by DNS failure (dnsmasq):
response packets at the pfSense WAN interface.
But what response - what should it respond with for sia2.howitts.co.uk?
I don't see A response.. A response would look like this.
192.168.9.100.49907 > 192.168.9.253.53: 64979+ [1au] A? nas.home.arpa. (54) 192.168.9.253.53 > 192.168.9.100.49907: 64979* 1/0/1 nas.home.arpa. A 192.168.9.10 (58)
This is not a valid response
15:59:39.895289 IP 192.168.1.1.53 > 192.168.1.4.63611: 2* 0/0/0 (36)
-
@NickJH The "Enable Forwarding Mode" forwards anything that isn't a host or domain override.
@NickJH said in Completely confused by DNS failure (dnsmasq):
can I bulk load hosts into pfSense?
I don't think so but you can put it in the config file and then restore just the DNS Resolver config.
@johnpoz "The [upstream] firewall itself has host file entries for machines like Sia2 "
-
@SteveITS said in Completely confused by DNS failure (dnsmasq):
@johnpoz "The [upstream] firewall itself has host file entries for machines like Sia2 "
It didn't send them, unless you edited the response.
edit: oh I see you did some more posts... Pretty sure dnsmasq also does rebind protection.. When you forward, an rfc1918 response is not going to be returned to the client.. Unless you have turned off rebind or have set up a domain to be private and allowed to return rfc1918
https://docs.netgate.com/pfsense/en/latest/services/dns/rebinding.html
-
@johnpoz said in Completely confused by DNS failure (dnsmasq):
When you forward a rfc1918 response is not going to be returned to the client
Ah yes there it is.
-
Yes, it could be rebind protection as I expect it to return a private IP (172.17.2.51). It is late here so I'll have a look in the morning.
-
I can confirm it was rebind protection causing it. I have disabled it and am using the DNS Resolver successfully in forwarder mode. Thanks.
-
@NickJH did you disable it globally? I would suggest just setting the domain you're forwarding for and want rfc1918 vs turning it completely off.
-
@johnpoz Yes I did it globally. I don't know how to do it by domain only, but it does not matter as pfSense is on my LAN for testing/learning. When I deploy it properly, I'll be turning it back on. It is just that it was interfering with my testing.
-
@NickJH for reference it's on that doc page:
"To exclude a domain from DNS rebinding protection, use the Custom Options box in the DNS resolver settings. Enter one domain per line in the following format, preceded by the server: line.
server:
private-domain: "example.com"
private-domain: "dnsbl.example""
I just forget about this "feature" because it's rarely needed, but we had to discover/use it ourselves 10 years ago.
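Added example (not part of any post above, and not pfSense or unbound code): a small Python model of the behaviour the thread arrives at. It applies an RFC 1918 check to a forwarded answer, which drops the private 172.17.2.51 answer and leaves the empty "0/0/0" reply NickJH captured, and then shows how a private-domain exemption in the Custom Options format quoted from the Netgate docs lets that answer through. The sample answer, the choice of "howitts.co.uk" as the exempted domain and the simplification to the three RFC 1918 blocks are assumptions made for the example; real resolvers also cover link-local and ULA ranges.

```python
import ipaddress
import re

# RFC 1918 blocks that a rebind check treats as "private" in a forwarded answer.
# Assumption for this example: only these three ranges are checked (unbound's
# default private-address list also covers link-local and IPv6 ULA space).
RFC1918_NETS = tuple(
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
)


def is_rfc1918(addr: str) -> bool:
    """True if addr is an IPv4 address inside one of the RFC 1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918_NETS)


def parse_private_domains(custom_options: str) -> set:
    """Collect the domains from 'private-domain: "..."' lines in a Custom Options blob.

    Input follows the format quoted from the Netgate docs: a 'server:' line
    followed by one private-domain line per exempted domain.
    """
    pat = re.compile(r'^\s*private-domain:\s*"?([^"\s]+)"?\s*$')
    domains = set()
    for line in custom_options.splitlines():
        m = pat.match(line)
        if m:
            domains.add(m.group(1).rstrip(".").lower())
    return domains


def name_in_domain(qname: str, domain: str) -> bool:
    """True if qname equals domain or is a subdomain of it (label-boundary match)."""
    q = qname.rstrip(".").lower()
    return q == domain or q.endswith("." + domain)


def filter_forwarded_answer(qname, answers, private_domains=frozenset(), rebind_check=True):
    """Apply the rebind check to A-record answers; return (kept, dropped).

    With the check off, or with qname under an exempted private-domain, every
    answer is kept. Otherwise RFC 1918 addresses are stripped, which for a
    single private answer leaves an empty reply (the 0/0/0 seen in the thread).
    """
    if not rebind_check or any(name_in_domain(qname, d) for d in private_domains):
        return list(answers), []
    kept = [a for a in answers if not is_rfc1918(a)]
    dropped = [a for a in answers if is_rfc1918(a)]
    return kept, dropped


# Constructed sample modelled on the thread: the upstream firewall answers the
# split-DNS name with the private address NickJH expected to get back.
SAMPLE_QNAME = "sia2.howitts.co.uk."
SAMPLE_ANSWERS = ["172.17.2.51"]
# Assumed Custom Options content exempting the forwarded domain.
SAMPLE_CUSTOM_OPTIONS = 'server:\nprivate-domain: "howitts.co.uk"\n'


if __name__ == "__main__":
    print("rebind check on, no exemption:",
          filter_forwarded_answer(SAMPLE_QNAME, SAMPLE_ANSWERS))
    exempt = parse_private_domains(SAMPLE_CUSTOM_OPTIONS)
    print("rebind check on, private-domain set:",
          filter_forwarded_answer(SAMPLE_QNAME, SAMPLE_ANSWERS, exempt))
    print("rebind check off globally:",
          filter_forwarded_answer(SAMPLE_QNAME, SAMPLE_ANSWERS, rebind_check=False))
```

The per-domain exemption is the narrower fix johnpoz recommends: it keeps the check active for every other forwarded name while still allowing the one zone that legitimately resolves to private addresses.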
-
@NickJH how to do that was right in the link I posted..
For both unbound and dnsmasq
I take it you didn't read past the "This behavior is controlled by the DNS Rebind Check option under System > Advanced, Admin Access tab." part ;)
-
@johnpoz All I needed was a quick and dirty fix because it is not going to be the production set up. I did the fix late yesterday but it was about 10pm and if the quick and dirty was going to fix it, it was good enough for me. I only tested it this morning.