Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Bogus lookups return external IP

    Scheduled Pinned Locked Moved
    DHCP and DNS
    2
    5
    3.5k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • F
      freakalad
      last edited by

      I've sat with this issue for a while, but because it's been more annoying than critical, I not had much reason to rock the boat.
      If I'm unable to resolve this issue, I may be forced to rebuild my pfSense host, which I'd like to avoid if possible (as you can imagine; the box has been serving me fairly-well otherwise for a stretch now).

      If I lookup an external DNS value, i.e. ping/nslookup/host foo.bar, it returns my external IP, so effectively bogus/incorrect DNS values never fail.
      My pfSense box (1.2.3-RELEASE) is effectively the DNS for my LAN (as well as serving up DHCP), in the [General Setup] section I've provided my ISP & Google's DNS (8.8.8.8) as upstream servers for my pfSense host (firewall/gateway/proxy/etc) to resolve against.

      I am able to telnet into my DSL modem (running a BusyBox variant) & SSH into my pfSense host.
      When I ping/lookup foo.bar from my firewall, it returns my external IP, but if I do the same from the modem the resolution fails (as it should).

      For the various lookups, I get the following:
      (1.2.3.4 being a proxy for my external IP)
      (I.S.P being a proxy for my ISP)
      (F.Q.D.N being my own domain on the LAN & from outside so that I can access services)
      (10.0.0.1 is the real LAN IP of my pfSense box - LAN runs on 10.0.0.0/24)

      nslookup foo.bar

      
Server:	10.0.0.1
Address:	10.0.0.1#53

Non-authoritative answer:
Name:	foo.bar.F.Q.D.N
Address:ย   1.2.3.4

      ping foo.bar

      
PING foo.bar.F.Q.D.N (1.2.3.4) 56(84) bytes of data.
64 bytes from ip-1-2-3-4.static-xdsl.I.S.P (1.2.3.4): icmp_req=1 ttl=63 time=2.34 ms
..etc....

      host -v foo.bar

      
Trying "foo.bar"
Received 25 bytes from 10.0.0.1#53 in 2 ms
Trying "foo.bar.F.Q.D.N"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41356
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;foo.bar.F.Q.D.N.		IN	A

;; ANSWER SECTION:
foo.bar.F.Q.D.N.	480	IN	A	1.2.3.4

Received 51 bytes from 10.0.0.1#53 in 2 ms
Trying "foo.bar.F.Q.D.N"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61348
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;foo.bar.F.Q.D.N.		IN	AAAA

;; AUTHORITY SECTION:
F.Q.D.N.		300	IN	SOA	ns1.nameserver.net.nz. soa.nameserver.net.nz. 2011052646 10800 1800 1209600 300

Received 94 bytes from 10.0.0.1#53 in 440 ms
Trying "foo.bar.F.Q.D.N"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30924
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;foo.bar.F.Q.D.N.		IN	MX

;; AUTHORITY SECTION:
F.Q.D.N.		300	IN	SOA	ns1.nameserver.net.nz. soa.nameserver.net.nz. 2011052646 10800 1800 1209600 300

Received 94 bytes from 10.0.0.1#53 in 391 ms
      1 Reply Last reply Reply Quote 0
      • jimpJ
        jimp Rebel Alliance Developer Netgate
        last edited by

        Do you have your domain set to your dyndns domain?
        Does your dyndns domain have wildcard enabled?

        I've seen this happen in that specific circumstance.

        Try ending hostnames with a period when you use tools like host/dig.

        like:

        host foo.bar.

        Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        1 Reply Last reply Reply Quote 0
        • F
          freakalad
          last edited by

          Thanks for the tip, jimp

          I'm not making use of a DynamicDNS service, but have a few domains registered with a registrar pointing to my static-IP.

          As for your suggestion re ending lookups with a period, it seems to have the effect I wish (which is the result I want even if I don't terminate with a period).

          So ping **foo.bar** (or nslookup or host) still returns my external IP, but ping **foo.bar.** comes back null.

          This would lead me to believe there may be something hinky in my pfSense's DNS service/daemon; as best I'm aware I'm not making use of any additional DNS services (beyond the default installation) that could've caused this.

          My current crop of packages are:

          • Dashboard
          • Proxy Server with mod_security (experimenting with a WAF; it's the OWASP-thing to do)
          • bandwidthd
          • darkstat
          • phpSysInfo
          • rate

          Does this information provide any additional insight?

          1 Reply Last reply Reply Quote 0
          • jimpJ
            jimp Rebel Alliance Developer Netgate
            last edited by

            Well it may not be a Dynamic DNS service, but just regular wildcard DNS. If your provider is returning everything requested with your domain to your IP, it would have the same effect.

            With the dot, try:

            host thisdoesnotexist.mydomain.com.

            If that also returns your WAN IP, it's whoever is hosting the mydomain.com zone that is to blame for using wildcard DNS.

            What you are seeing is proper DNS behavior. A FQDN ends with a dot when used like that. With no trailing dot, it first tries to append your domain when looking up the host, assuming it's a hostname and not a FQDN. In this case, the hostname looking using the search domain returns an answer, so that is given.

            It may be unexpected, but it's normal in that case.

            Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

            1 Reply Last reply Reply Quote 0
            • F
              freakalad
              last edited by

              Thanks or the clarification, jimp.
              I'll try to use it in this correct manner in future, thanks.

              As for:
              host -v thisdoesnotexist.mydomain.com. ,
              it actually does exists & the name resolution returns 216.34.94.184 (pop the address in a browser & it returns the MyDomain registrar's landing-page)
              That's why I've been using foo.bar as a bogus DNS value.

              As best I can tell, when I do a host -v lookup on my own (primary) domain, everything looks in order.

              I'm also running a reverse-proxy on my network, so that I can redirect HTTP(s) requests for multiple domains & sub-domains fairly easily to different hosts.
              I'm not sure that that could cause such issues, but I'm just throwing it in there for reference-sake.

              1 Reply Last reply Reply Quote 0
              • First post
                Last post