DNS forwarder is refusing queries

Wouter Mense

I've been having some troubles getting my setup to work properly ever since i started working with pfSense. I have set it up as a filtering bridge with the LAN bridged to WAN. I have enabled the DNS forwarder because i have a webserver on the LAN network. However, the DNS forwarder is refusing my queries. These are the diagnostics i can show you so far:

Configuration of my local machine on the network. 192.168.1.2 is the LAN address of the pfSense box. 192.168.1.1 is the server:

This shows that DNS queries are refused by the forwarder:

The same problems seem to happen locally on the pfSense box too. It can't find updates at all and searching for and downloading packages fails too:
![](http://www.pm12.nl/~wouter/unable to check for updates.png)

This is how I set up what DNS servers the pfSense box uses:
![](http://www.pm12.nl/~wouter/general setup.png)

192.168.1.254 is the LAN address of my modem. Unfortunately it won't allow me to put it in bridge mode, but thats something for me and my ISP ;)

Here it shows how local addresses are resolved to the webserver.
![](http://www.pm12.nl/~wouter/dns forwarder.png)

And finally I am not blocking outgoing DNS requests with any firewall rule:
![](http://www.pm12.nl/~wouter/firewall rules.png)

So as far as I can tell everything should be set correctly. I'm only asking here because after weeks of tinkering I can't get it to work at all. Any help would be welcome ;)

johnpoz

And can you query those forwarder servers directly?

Take pfsense out of the picture, just query those servers

; <<>> DiG 9.8.1 <<>> @194.134.5.55 www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 9339

I can not query those servers either, are those your ISP dns??

I show them as
dns.wanadoo.nl
dns.euro.net

Are those the name servers your suppose to be using? If you can not query them from your client directly then its not an issue with pfsense.

with nslookup you change servers via server command, example


C:\Windows\System32>nslookup
Default Server:  pfsense.local.lan
Address:  192.168.1.253

> server dns.euro.net
Default Server:  dns.euro.net
Address:  194.134.5.5

> www.google.com
Server:  dns.euro.net
Address:  194.134.5.5

*** dns.euro.net can't find www.google.com: Query refused
> server 8.8.8.8
Default Server:  [8.8.8.8]
Address:  8.8.8.8

> www.google.com
Server:  [8.8.8.8]
Address:  8.8.8.8

Non-authoritative answer:
Name:    www.l.google.com
Addresses:  74.125.225.48
          74.125.225.52
          74.125.225.50
          74.125.225.49
          74.125.225.51
Aliases:  www.google.com

Wouter Mense

Yes I can query them directly, they are my ISP's DNS servers. Following your guidelines I tried querying them directly through nslookup. Result:


C:\Users\wouter>nslookup
Default Server:  pfsense.pm12.nl
Address:  192.168.1.2

> www.google.com
Server:  pfsense.pm12.nl
Address:  192.168.1.2

*** pfsense.pm12.nl can't find www.google.com: Query refused
> server 194.134.5.55
Default Server:  [194.134.5.55]
Address:  194.134.5.55

> www.google.com
Server:  [194.134.5.55]
Address:  194.134.5.55

Non-authoritative answer:
Name:    www.google.com.PM12.NL
Address:  81.71.91.10

> server 8.8.8.8
Default Server:  google-public-dns-a.google.com
Address:  8.8.8.8

> www.google.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    www.google.com.PM12.NL
Address:  81.71.91.10

>

johnpoz

You go something clearly wrong there, and no does not seem like your doing queries to those servers – look at your answers

www.google.nl
Server: dns.wanadoo.nl
Address: 194.134.5.55

Non-authoritative answer:
Name: www.google.nl.PM12.NL
Address: 81.71.91.10

www.google.nl
Server: google-public-dns-a.google.com
Address: 8.8.8.8

Non-authoritative answer:
Name: www.google.nl.PM12.NL
Address: 81.71.91.10

Sorry but those are not the right answer for www.google.nl ;)

These are the right answers

Non-authoritative answer:
Name: www.l.google.com
Addresses: 74.125.225.50
74.125.225.49
74.125.225.52
74.125.225.48
74.125.225.51
Aliases: www.google.nl
www.google.com

put a dot on the end, looks like your adding some sort of search suffix?

so like www.google.nl. <–-- see the trailing period.

Why do you have that over ride domain pm12.nl?? Which I looks like you must have a wild card setup for? Cuz it sure should not respond with anything with www.google.nl.pm12.nl as a query.

Wouter Mense

My best guess is it has to do with the DNS suffix? No idea where I've set that up though. Let me investigate a bit more.


C:\Users\wouter>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : WOUTER-PC
   Primary Dns Suffix  . . . . . . . : PM12.NL
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : PM12.NL

chpalmer

It appears that your wan and lan are on the same subnet.

Gertjan

Added to that:
Your PC says: the gateway is 192.168.1.254
pfSense says that the WAN adress is 192.168.1.64
This is not good at all.

As chpalmer said (implies): the WAN interface is probably using DHCP to obtain a "WAN" IP.
And it gets 192.168.1.64, which is a non routing local IP from the modem's LAN side.

Best thing to do (best first):
Put your modem in PPPOE (bridge) mode.
Inform pfSense about the login parameters. pfSense will see a real Internet IP.
OR:
Change the modem's LAN IP range for 192.168.2.x - give it 192.168.2.1, AND do not block NOT "Block private networks" (Interface => WAN, bottom part of the page)
OR:
Change the LAN IP settings on pfSEnse.

Wouter Mense

@chpalmer:

It appears that your wan and lan are on the same subnet.

True, I have them bridged.

@Gertjan:

Added to that:
Your PC says: the gateway is 192.168.1.254
pfSense says that the WAN adress is 192.168.1.64
This is not good at all.

Ok I might be understanding something fundamentally wrong here. Isn't the gateway supposed to be the modem's LAN address?

As chpalmer said (implies): the WAN interface is probably using DHCP to obtain a "WAN" IP.
And it gets 192.168.1.64, which is a non routing local IP from the modem's LAN side.

No, this is statically assigned.

Best thing to do (best first):
Put your modem in PPPOE (bridge) mode.
Inform pfSense about the login parameters. pfSense will see a real Internet IP.

Unfortunately impossible. ISP does not allow this.

Change the modem's LAN IP range for 192.168.2.x - give it 192.168.2.1, AND do not block NOT "Block private networks" (Interface => WAN, bottom part of the page)

"Block private networks" is off, not blocking.

My preference is to keep the pf box in bridged mode to avoid double NAT situations.

chpalmer

Your box does not appear to be truly in bridge mode. What does your outbound NAT page look like?

Wouter Mense

I must admit I never really touched those settings…

nat.png_thumb