DNS resolver working for pfSense but not on LAN
-
I am trying to prep pfSense on my LAN so I can insert it as my router with minimum downtime so I have a bit of a messy networking setup.
At the moment pfSense is using the Resolver and, from ssh, can resolve upstream DNS. However it gives ServFail messages to LAN connected devices. I have done a tcpdump on the pfSense internal and external interfaces:
Internal:
10:16:07.461347 IP 172.17.2.116.58654 > 172.17.2.254.53: 64030+ A? www.msftconnecttest.com. (41)
10:16:07.461422 IP 172.17.2.116.61404 > 172.17.2.254.53: 72+ A? www.msftconnecttest.com. (41)
10:16:07.483491 IP 172.17.2.125.60409 > 172.17.2.254.53: 2+ A? ntp.homehub.btopenworld.com. (45)
10:16:07.483702 IP 172.17.2.254.53 > 172.17.2.125.60409: 2 ServFail 0/0/0 (45)
10:16:07.484193 IP 172.17.2.125.53360 > 172.17.2.254.53: 3+ A? time.windows.com. (34)
10:16:07.484397 IP 172.17.2.254.53 > 172.17.2.125.53360: 3 ServFail 0/0/0 (34)
10:16:07.495641 IP 172.17.2.116.58654 > 172.17.2.254.53: 64030+ A? www.msftconnecttest.com. (41)
10:16:07.495690 IP 172.17.2.116.61404 > 172.17.2.254.53: 72+ A? www.msftconnecttest.com. (41)
10:16:07.518034 IP 172.17.2.254.53 > 172.17.2.116.61404: 72 ServFail 0/0/0 (41)
10:16:07.518037 IP 172.17.2.254.53 > 172.17.2.116.58654: 64030 ServFail 0/0/0 (41)
10:16:07.518051 IP 172.17.2.254.53 > 172.17.2.116.61404: 72 ServFail 0/0/0 (41)
10:16:07.518053 IP 172.17.2.254.53 > 172.17.2.116.58654: 64030 ServFail 0/0/0 (41)
External:
10:16:07.462084 IP 172.17.4.231.57286 > 192.36.148.17.53: 48335+ [1au] A? www.msftconnecttest.com. (52)
10:16:07.462104 IP 192.112.36.4.53 > 172.17.4.231.43143: 6611 0/0/0 (21)
10:16:07.462202 IP 172.17.4.231.55442 > 193.0.14.129.53: 50434+ [1au] A? www.msftconnecttest.com. (52)
10:16:07.512560 IP 172.17.4.231.27436 > 192.36.148.17.53: 2167+ [1au] A? www.msftconnecttest.com. (52)
10:16:07.514487 IP 172.17.4.231.8517 > 193.0.14.129.53: 43843+ [1au] A? www.msftconnecttest.com. (52)
10:16:07.517759 IP 192.36.148.17.53 > 172.17.4.231.57286: 48335 2/0/0 A 23.73.137.235, A 23.73.138.194 (73)
10:16:07.517776 IP 193.0.14.129.53 > 172.17.4.231.8517: 43843 2/0/0 A 23.73.137.235, A 23.73.138.194 (73)
10:16:07.517779 IP 192.36.148.17.53 > 172.17.4.231.27436: 2167 2/0/0 A 23.73.137.235, A 23.73.138.194 (73)
10:16:07.517781 IP 193.0.14.129.53 > 172.17.4.231.55442: 50434 2/0/0 A 23.73.137.235, A 23.73.138.194 (73)
If I try pinging somewhere from a LAN PC I get:
C:\Users\nick>ping google.com
Ping request could not find host google.com. Please check the name and try again.
So I can see the DNS request going upstream and coming back to pfSense, but pfSense then turns it into a ServFail.
In the resolver, Network Interfaces is set to ALL and Outgoing Network Interfaces to WAN. I have also tried enabling DNS Query Forwarding with upstream servers of 1.1.1.1 and 1.0.0.1 but it made no difference.
The (horrible) networking set up is:
Internet
  |
Router A (for main LAN)
  |  172.17.2.0/24
Router B
  |  172.17.4.0/24
pfSense
  |  172.17.2.0/24
Test LAN
Note that because I am trying to load pfSense with fixed leases, it needs the same LAN subnet as the main LAN so I have to insert Router B between the main LAN and test LAN to avoid pfSense having the same subnet on its LAN and WAN.
Is there something obvious I am missing?
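The two captures above can be compared by hand, but the same check is easy to script. The following is an added example, not code from the original post or from pfSense: it parses tcpdump's default DNS summary lines, pairs each reply with its query by client socket and transaction ID, and reports every name the resolver answered ServFail to a LAN client although an upstream server had already returned records for it on the WAN side. That "local" verdict is the signature of the resolver itself refusing to pass the answer on, which is what a DNSSEC validation failure in unbound looks like; "unknown" means no successful upstream reply for that name was captured, so the cause could still be upstream. The sample lines are constructed from the captures above (trimmed to a few exchanges), and the parser assumes tcpdump was run without -v.

```python
"""Pair DNS queries with replies in two tcpdump captures (resolver inside and
outside interface) and flag names that the resolver answered ServFail to a
LAN client even though an upstream server had already returned records."""
import re

# tcpdump's default DNS summary, e.g.
#   10:16:07.483491 IP 172.17.2.125.60409 > 172.17.2.254.53: 2+ A? ntp.example. (45)
#   10:16:07.483702 IP 172.17.2.254.53 > 172.17.2.125.60409: 2 ServFail 0/0/0 (45)
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<id>\d+)\+\S* (?:\[1au\] )?"
    r"(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \(\d+\)$"
)
REPLY_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<id>\d+)(?P<flags>[*$|-]*) "
    r"(?P<body>.+?) \(\d+\)$"
)

# Constructed sample input: lines taken from the two captures in the post, trimmed.
INTERNAL_CAPTURE = """\
10:16:07.483491 IP 172.17.2.125.60409 > 172.17.2.254.53: 2+ A? ntp.homehub.btopenworld.com. (45)
10:16:07.483702 IP 172.17.2.254.53 > 172.17.2.125.60409: 2 ServFail 0/0/0 (45)
10:16:07.495641 IP 172.17.2.116.58654 > 172.17.2.254.53: 64030+ A? www.msftconnecttest.com. (41)
10:16:07.518037 IP 172.17.2.254.53 > 172.17.2.116.58654: 64030 ServFail 0/0/0 (41)
"""
EXTERNAL_CAPTURE = """\
10:16:07.462084 IP 172.17.4.231.57286 > 192.36.148.17.53: 48335+ [1au] A? www.msftconnecttest.com. (52)
10:16:07.462104 IP 192.112.36.4.53 > 172.17.4.231.43143: 6611 0/0/0 (21)
10:16:07.517759 IP 192.36.148.17.53 > 172.17.4.231.57286: 48335 2/0/0 A 23.73.137.235, A 23.73.138.194 (73)
"""


def parse_capture(text):
    """Return {(client_addr_port, txid): {qname, qtype, rcode, answers}}.

    A reply is matched to its query by client socket and transaction ID,
    exactly as the client itself does. Replies whose query was not seen
    (capture started mid-exchange) are ignored rather than guessed at.
    """
    txns = {}
    for line in text.splitlines():
        line = line.strip()
        m = QUERY_RE.match(line)
        if m:
            txns[(m["src"], m["id"])] = {
                "qname": m["qname"].rstrip("."), "qtype": m["qtype"],
                "rcode": None, "answers": 0,
            }
            continue
        m = REPLY_RE.match(line)
        if not m or (m["dst"], m["id"]) not in txns:
            continue
        words = m["body"].split()
        if not words:
            continue
        if "/" in words[0]:                       # "2/0/0 A 1.2.3.4" -> NoError
            rcode, counts = "NoError", words[0]
        elif len(words) > 1 and "/" in words[1]:  # "ServFail 0/0/0"
            rcode, counts = words[0], words[1]
        else:
            continue
        txn = txns[(m["dst"], m["id"])]
        txn["rcode"] = rcode
        txn["answers"] = int(counts.split("/")[0])  # answer-section RR count
    return txns


def classify_servfails(internal_text, external_text):
    """Map each name the resolver SERVFAILed to 'local' when the outside capture
    shows an upstream answering it with records (the resolver itself dropped
    the answer, as a DNSSEC validation failure would), else 'unknown'."""
    upstream_ok = {
        t["qname"] for t in parse_capture(external_text).values()
        if t["rcode"] == "NoError" and t["answers"] > 0
    }
    verdicts = {}
    for t in parse_capture(internal_text).values():
        if t["rcode"] == "ServFail":
            verdicts[t["qname"]] = "local" if t["qname"] in upstream_ok else "unknown"
    return verdicts


if __name__ == "__main__":
    for name, verdict in sorted(classify_servfails(INTERNAL_CAPTURE, EXTERNAL_CAPTURE).items()):
        print(f"{name:40} {verdict}")
```

To confirm a "local" verdict is really validation, query the resolver with checking disabled: dig @172.17.2.254 www.msftconnecttest.com +cd. Unbound returns the (unvalidated) records when the CD bit is set, so an answer with +cd and ServFail without it points at the DNSSEC chain, not at connectivity.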
-
@NickJH said in DNS resolver working for pfSense but not on LAN:
C:\Users\nick>ping google.com
Ping request could not find host google.com. Please check the name and try again.
Just to be sure :
ipconfig /all
what is the assigned DNS server to this PC ?
@NickJH said in DNS resolver working for pfSense but not on LAN:
So I can see the DNS request going upstream and coming back to pfSense, but pfSense then turns it into a ServFail.
Strange.
But reasons exist. One of them is : DNSSEC. If the time of the pfSense is incorrect, and the requested domain name has DNSSEC info, then validation fails and the answer will be 'fail'.
Not a mess.
What is known as "Internet" in your "networking setup" is a huge chain of even more routers.
Btw : two chained local networks using "172.17.2.0/24" ? I've never seen that before. Better be safe than sorry : don't do that, whatever your motives are.
-
@Gertjan said in DNS resolver working for pfSense but not on LAN:
@NickJH said in DNS resolver working for pfSense but not on LAN:
C:\Users\nick>ping google.com
Ping request could not find host google.com. Please check the name and try again.
Just to be sure :
ipconfig /all
what is the assigned DNS server to this PC ?
Wireless LAN adapter WiFi:

   Connection-specific DNS Suffix  . : howitts.co.uk
   Description . . . . . . . . . . . : Realtek RTL8821CE 802.11ac PCIe Adapter
   Physical Address. . . . . . . . . : 00-E9-3A-3D-87-FF
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::ce93:ae3e:9468:4450%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 172.17.2.116(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : 16 April 2024 10:59:38
   Lease Expires . . . . . . . . . . : 16 April 2024 12:59:38
   Default Gateway . . . . . . . . . : 172.17.2.254
   DHCP Server . . . . . . . . . . . : 172.17.2.254
   DHCPv6 IAID . . . . . . . . . . . : 117500218
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-29-0C-41-D9-00-E9-3A-3D-87-FF
   DNS Servers . . . . . . . . . . . : 172.17.2.254
   Primary WINS Server . . . . . . . : 172.17.2.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
And pfSense:
ifconfig
bge0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    options=8009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,LINKSTATE>
    ether fc:15:b4:7a:ff:aa
    inet 172.17.4.231 netmask 0xffffff00 broadcast 172.17.4.255
    inet 62.30.63.91 netmask 0xffffffff broadcast 62.30.63.91
    inet 62.30.63.94 netmask 0xffffffff broadcast 62.30.63.94
    inet6 fe80::fe15:b4ff:fe7a:ffaa%bge0 prefixlen 64 scopeid 0x1
    media: Ethernet autoselect (1000baseT <full-duplex,master>)
    status: active
    nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
bge1: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
    description: LAN
    options=8009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,LINKSTATE>
    ether fc:15:b4:7a:ff:ab
    inet 172.17.2.254 netmask 0xffffff00 broadcast 172.17.2.255
    inet6 fe80::fe15:b4ff:fe7a:ffab%bge1 prefixlen 64 scopeid 0x2
    inet6 fe80::1:1%bge1 prefixlen 64 scopeid 0x2
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
@NickJH said in DNS resolver working for pfSense but not on LAN:
So I can see the DNS request going upstream and coming back to pfSense, but pfSense then turns it into a ServFail.
Strange.
But reasons exist. One of them is : DNSSEC. If the time of the pfSense is incorrect, and the requested domain name has DNSSEC info, then validation fails and the answer will be 'fail'.
Date is spot on:
[2.7.2-RELEASE][root@pfSense.howitts.co.uk]/root: date
Tue Apr 16 14:09:38 BST 2024
Not a mess.
What is known as "Internet" in your "networking setup" as a huge chain of even more routers.
Btw : two chained local networks using "172.17.2.0/24" ? I've never seen that before. Better be safe than sorry : don't do that, whatever your motives are.
[edit]
My comment at the end disappeared. I have to use the same network on the pfSense LAN as I am loading static leases and they fail validation if they do not belong to the LAN subnet.
I have disabled DNSSEC in pfSense and DNS now works from the PC. That seems wrong. How can I get it going?
[/edit]
-
If you have 10 minutes :
- Save/backup your pfSense config.
- Console option : 4 Reset to factory default.
- When it boots, and interfaces needs to be assigned, go bare minimum mode : assign a DHCP mode WAN, and set up the LAN with the "out of the box", world's most tested 192.168.1.1/24, network.
- Connect to your 'Router A'.
Now you have a "it works" situation - no exceptions, no doubts, 100 % guaranteed.
From this known to be working setup, you start applying your own settings.
As soon as things stop working : undo your last setup - as this one needs more thought, and you'll be good.
I know, sounds all pretty silly. It's known that the road to success is always easy when you know it upfront.
-
I feel bad about this one. I've had a sudden dawning that there is an upstream fancy DNS filter (adam:ONE) and pfSense was being filtered in such a way as to break DNSSEC to the pfSense clients. I am not sure why it worked to pfSense, but that is irrelevant. The purpose of this box is to replace the upstream filter so I am happy it is working.
-
Ok, good : progress
Btw : pfSense LAN clients 'normally' don't do any DNSSEC checking.
Read this short write up, as it looks pretty accurate IMHO.
Your pfSense network clients are / should be forwarding to a Resolver. That resolver can be : the pfSense unbound resolver, or any other resolver, like ... dunno ... 8.8.8.8 ?
Unbound can do DNSSEC checking for you.
DNSSEC checking is validating that the top to bottom relation is valid : example : https://dnsviz.net/d/test-domaine.fr/dnssec/
-
@Gertjan I was just trying to build a router before putting it into operation, but trying to pre-load it to minimise downtime so I had a horrible setup. pfSense is going to be directly connected to my cable modem. It will use the DNS Resolver (unless I get fed up with it) and the LAN clients will use pfSense as their upstream forwarder.
My new N100 toy arrived today, so I have just loaded it up and plan to get it into operation tomorrow when there is no one at home.
-
@NickJH DNSSEC should be disabled if forwarding. See blue note here:
https://quad9dns.github.io/documentation/Setup_Guides/Open-Source_Routers/pfSense_%28Encrypted%29/
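To make the Quad9 note concrete in configuration terms, here are the unbound.conf equivalents of the three pfSense settings the thread turns on: the "DNSSEC" checkbox (module-config), "DNS Query Forwarding" (forward-zone) and "Use SSL/TLS for outgoing DNS Queries" (forward-tls-upstream). This is an added example written for this page, not the file pfSense generates and not from the Quad9 guide; pfSense rewrites its own unbound.conf from the GUI, so it is for reading, not pasting. The trust-anchor and CA-bundle paths are the usual FreeBSD/pfSense ones and are assumptions.

```conf
# --- A: resolver mode with validation on (pfSense default) ---
# unbound walks the chain from the root itself and validates each step.
# This only works if nothing between unbound and the authoritative servers
# rewrites answers; an intercepting filter on port 53 (adam:ONE in this
# thread) breaks the chain and every LAN client sees ServFail.
server:
    module-config: "validator iterator"
    auto-trust-anchor-file: "/var/unbound/root.key"   # assumed pfSense path

# --- B: forwarding with validation still on (what the Quad9 note warns about) ---
# The forwarder now answers for the whole tree. If it filters or strips
# RRSIG/DS records, the validator cannot build the chain: the WAN-side
# capture shows a clean reply, the LAN side shows ServFail.
server:
    module-config: "validator iterator"
    auto-trust-anchor-file: "/var/unbound/root.key"
forward-zone:
    name: "."
    forward-addr: 9.9.9.9
    forward-addr: 149.112.112.112

# --- C: forwarding, validation left to the upstream (the Quad9 advice) ---
# Quad9 validates before it answers, so local validation is turned off and
# the transport is protected instead: DNS over TLS, with the upstream's
# certificate checked against the name after the '#'.
server:
    module-config: "iterator"
    tls-cert-bundle: "/etc/ssl/cert.pem"   # assumed FreeBSD CA bundle path
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
```

Only one of the three server/forward-zone sets belongs in a real file. Variant B is not wrong everywhere: it works when the forwarder passes DNSSEC records through untouched, and then gives the stronger guarantee that the answer was validated on your own box rather than trusted from the upstream. Variant C trades that for simplicity and depends on the TLS hostname check, so leave forward-tls-upstream on; forwarding in the clear to a validating upstream proves nothing to the client. Whichever variant is used, unbound-checkconf on the resulting file catches syntax mistakes before a restart.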