DNS Resolver and DNS Forwarder not working as expected.
-
@N8LBV if it’s returning RFC1918 IPs it’s probably https://docs.netgate.com/pfsense/en/latest/services/dns/rebinding.html
Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
When upgrading, allow 10-15 minutes to reboot, or more depending on packages, and device or disk speed.
Upvote 👍 helpful posts! -
@SteveITS said in DNS Resolver and DNS Forwarder not working as expected.:
https://docs.netgate.com/pfsense/en/latest/services/dns/rebinding.htm
Getting a 404 on that one.
I think this is the place.
And thanks for the pointer, looking into it!https://docs.netgate.com/pfsense/en/latest/services/dns/rebinding.html#dns-rebinding-protections
-
@N8LBV the last “L” got omitted in your quote :)
-
@SteveITS This does not seem to be the issue.
I tried adding custom options to the resolver.
I also tried turning off rebind protection globally on the system and The behavior is the same.Local DNS zones do not resolve (even when querying for A records that point to external Internet IP addresses.
But external DNS names resolve fine.server:
private-domain: "externaldomaintest.com"
private-domain: "externamdomaintest2.com" -
@SteveITS It appears to be not returning anything it should be returning RFC1918 addresses on most queries but is also not returning anything in the case where the A records point to external Internet IP addresses.
It's not working with any of my authoritative zones on the DNS.
But works when it has to go out to the Internet for names. -
@N8LBV and repeating myself here: it works fully as expected from PFSense itself WebUI and command line/shell.
-
@N8LBV reread your message…if the issue is say a non public Windows AD domain isn’t resolving, that would be a domain override that points to the internal DNS server.
Rebinding is an issue for public DNS lookups.
-
@SteveITS Sorry guess I am confused.
I have everything pointing to the local DNS server.
I don't think there is a reason for any kind of domain override where it would point to this DNS for specific domains.
It's already pointing to this server for everything so to speak.
I don't think PFsense should be treating these lookups any differently than anything else.
And it is not behaving like this from the WebUI and local command line and working here as expected.
Something is "different" when the DNS resolver or forward has to look these up and that is not working on any zone our server is authoritative for.
It's behaving is if the PFSense resolver or forwarder are somehow working internally as a standalone DNS and -NOT- forwarding any requests to the configured nameserver, and going out to the Internet to hit the rootservers. -
@N8LBV IN resolver config I turned on forwarding mode and it's working as expected.
At this point I don;t know what the difference would be than just running the DNS forwarder service instead.
Other than maybe it is a caching DNS in this config.
However- putting this in "forwarding mode" implies it is no longer a caching DNS at this point. -
@N8LBV is it now forwarding to upstream Internal DNS? Or public DNS?
-
@SteveITS Internal upstream DNS.
I know this for sure because it's resolving the internal IPs as it should be.
I'm still totally confused as stated above on the options and what they actually do and how they are handling talking to the upstream DNS or apprently not in this case.
I can get out the packet capture kit if I have to. -
@N8LBV In the default config DNS Resolver goes straight to the root servers and looks up the hostname (name server for .com, then name server for example.com, then www.example.com). Since the root servers don't know about your internal domain they would presumably return that it doesn't exist.
If you enable forwarding then it contacts the configured DNS server(s) only. In your case since that server knows about your internal domain it can answer.
I misunderstood this was an internal/second-level (whatever the name) router I think. a Domain Override would apply in a situation like a Windows Server domain and pfSense has "local.lan" pointing to the Windows Server IP for DNS.
