    Completely confused by DNS failure (dnsmasq)

      johnpoz LAYER 8 Global Moderator @SteveITS

      @SteveITS said in Completely confused by DNS failure (dnsmasq):

      @johnpoz "The [upstream] firewall itself has host file entries for machines like Sia2 "

      It didn't send them, unless you edited the response.

      edit: oh I see you did some more posts... Pretty sure dnsmasq also does rebind protection.. When you forward, an rfc1918 response is not going to be returned to the client.. Unless you have turned off rebind or have set up a domain to be private and allowed to return rfc1918

      https://docs.netgate.com/pfsense/en/latest/services/dns/rebinding.html

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

        SteveITS Galactic Empire @johnpoz

        @johnpoz said in Completely confused by DNS failure (dnsmasq):

        When you forward, an rfc1918 response is not going to be returned to the client

        Ah yes there it is.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

          NickJH

          Yes, it could be rebind protection as I expect it to return a private IP (172.17.2.51). It is late here so I'll have a look in the morning.

            NickJH

            I can confirm it was rebind protection causing it. I have disabled it and am using the DNS Resolver successfully in forwarder mode. Thanks.

              johnpoz LAYER 8 Global Moderator @NickJH

              @NickJH did you disable it globally? I would suggest just setting the domain you're forwarding for and want rfc1918 from, vs turning it completely off.

                NickJH @johnpoz

                @johnpoz Yes I did it globally. I don't know how to do it by domain only, but it does not matter as pfSense is on my LAN for testing/learning. When I deploy it properly, I'll be turning it back on. It is just that it was interfering with my testing.

                  SteveITS Galactic Empire @NickJH

                  @NickJH for reference it’s on that doc page:

                  “To exclude a domain from DNS rebinding protection, use the Custom Options box in the DNS resolver settings. Enter one domain per line in the following format, preceded by the server: line.

                  server:
                  private-domain: "example.com"
                  private-domain: "dnsbl.example"
                  “

                  I just forget about this “feature” because it’s rarely needed, but we had to discover/use it ourselves 10 years ago.

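The private-domain exclusion quoted above is easier to reason about when you can see the decision unbound makes on a forwarded answer. The following is an added example, not code from this thread, from pfSense or from unbound: it parses a Custom Options block, collects the private-domain entries, and reports whether an answer would be discarded by the rebind check, so the three states discussed in the thread (check on with no exclusion, check on with the domain excluded, check off globally) can be compared side by side. The private-address ranges, the hostname sia2.example.lan and the options text are assumptions constructed for the example; the answer address 172.17.2.51 is the one NickJH mentions.

```python
"""Model of pfSense/unbound DNS rebinding protection on forwarded answers.

Added example, not pfSense or unbound code. The private address list is
an assumption that approximates the ranges pfSense marks as
'private-address'; check your own unbound.conf for the real list.
"""
import ipaddress
import re

# Assumed private-address ranges (not taken from the page).
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fd00::/8", "fe80::/10",
)]

# Matches lines such as:   private-domain: "example.com"
PRIVATE_DOMAIN_RE = re.compile(r'^\s*private-domain:\s*"?([^"\s]+)"?\s*$')

# Constructed Custom Options text in the format quoted from the docs.
SAMPLE_OPTIONS = 'server:\nprivate-domain: "example.lan"\n'


def parse_private_domains(custom_options):
    """Return the domains excluded from rebind protection.

    The 'server:' clause header and unrelated lines are skipped; names
    are normalised to lowercase without a trailing dot.
    """
    domains = []
    for line in custom_options.splitlines():
        m = PRIVATE_DOMAIN_RE.match(line)
        if m:
            domains.append(m.group(1).lower().rstrip("."))
    return domains


def is_private_address(ip):
    """True if the answer address falls inside a private-address range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_RANGES)


def under_private_domain(qname, private_domains):
    """True if qname equals or is a subdomain of an excluded domain
    (unbound's private-domain covers the domain and all its subdomains)."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in private_domains)


def rebind_filtered(qname, answer_ip, custom_options="", rebind_check=True):
    """Return True if the forwarded answer would be discarded.

    rebind_check=False models the global 'DNS Rebind Check' being turned
    off: nothing is filtered. Otherwise a private address is dropped
    unless the name sits under a private-domain entry.
    """
    if not rebind_check:
        return False
    if not is_private_address(answer_ip):
        return False
    excluded = parse_private_domains(custom_options)
    return not under_private_domain(qname, excluded)


if __name__ == "__main__":
    name, ip = "sia2.example.lan", "172.17.2.51"   # hypothetical host
    print("no exclusion, check on :", rebind_filtered(name, ip))
    print("domain excluded        :", rebind_filtered(name, ip, SAMPLE_OPTIONS))
    print("check off globally     :", rebind_filtered(name, ip, rebind_check=False))
```

Running the script prints True for the first case (the answer never reaches the client, which is the symptom in this thread), and False for the other two. The per-domain exclusion is the narrower fix: a public name resolving to an RFC1918 address is still dropped, whereas turning the check off globally lets every such answer through.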
                    johnpoz LAYER 8 Global Moderator @NickJH

                    @NickJH how to do that was right in the link I posted..

                    For both unbound and dnsmasq

                    I take it you didn't read past the "This behavior is controlled by the DNS Rebind Check option under System > Advanced, Admin Access tab." part ;)

                      NickJH @johnpoz

                      @johnpoz All I needed was a quick and dirty fix because it is not going to be the production set up. I did the fix late yesterday but it was about 10pm and if the quick and dirty was going to fix it, it was good enough for me. I only tested it this morning.

                        cb831 @johnpoz

                        @johnpoz Thanks for this I have been through the same debugging process as @NickJH. The documentation for DNS forwarder says "To exclude a domain from DNS rebinding protection, use the DNS forwarder Advanced Settings box as follows:" - It should be "...Custom Settings".

                          SteveITS Galactic Empire @cb831

                          @cb831 There's a "Give Feedback" link at the top of each doc page. It probably got renamed at some point.

                            johnpoz LAYER 8 Global Moderator @SteveITS

                            @SteveITS yeah I would highly doubt there has been much work on the forwarder (dnsmasq) in quite some time to be honest. I am surprised that anyone would still be using it to be honest.. I mean it can do some things unbound can't, like forward to multiple NS at the same time, etc.

                            But if you can't figure out that the custom options box is what they were talking about - not sure what to tell you ;)

                            Now if there were 2 boxes, one labeled advanced, and the other custom - and putting it in advanced didn't work because they called out the wrong box - yeah that could be problematic.. But there is only one possible place such commands could be put into that gui form.
