Netgate Discussion Forum
    [RESOLVED] DNS forward fails to resolve a specific name

    DHCP and DNS
    6 Posts 3 Posters 8.1k Views
    keylevel

      Using 2.0-RELEASE:

      I've got the DNS forwarder enabled and the general tab has two DNS servers configured (those provided by the hosting company DNS).

      The Diagnostics/DNS Lookup page shows that general name resolution works, but it fails for ftp.somedomain.com.

      If I set 'Do not use the DNS Forwarder as a DNS server for the firewall' then 'DNS Lookup' for the same name works using the first DNS server configured on the general tab.

      My server uses the pfSense as its DNS. 'nslookup ftp.somedomain.com' always fails, regardless of the 'Do not use the DNS Forwarder as a DNS server for the firewall' setting. The server can resolve any other name I try. Running the same nslookup command with the DNS specified in the general tab resolves as expected. It does not resolve if I specify the pfSense LAN interface as the DNS.

      Why does 'ftp.somedomain.com' fail to resolve through the DNS forwarder?

      Chris

    johnpoz LAYER 8 Global Moderator

        If you would give us the actual domain used, we might be able to help. Or at least try and duplicate your issue.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

    keylevel

          I should have added to my original post that the name is not (and will not be) resolvable on the public internet. It's provided by the hosting company to allow the server to access an ftp server that's only accessible externally through a VPN.

          The first DNS server defined within the general tab resolves the name, but only if it is queried explicitly (i.e. not using the DNS forwarding service).

          Chris

    johnpoz LAYER 8 Global Moderator

            Ah, well that makes more sense.

            I don't run the forwarder service; I run unbound and have it do its own lookups (no forwarders involved).

            But if I recall correctly (you could verify with a sniff), when you ask the forwarder for say host.domainX.tld it will forward that request to all servers listed, and use the first one that responds. So I could see where you could have a problem if only one of your configured DNS forwarders has the records you're looking for, and the wrong one responds first.

            In such a case you would have to make sure that only that specific nameserver is queried for that domain, with a domain override setting or something. I know how you do it in unbound, with a

                forward-zone:
                    name: "domainX.com"
                    forward-host: ns.nameserverfordomainx.com.net

            I don't think any forwarder will run through a list of forwarders looking for one that answers with a specific record. If you have private domains that only a specific DNS server is authoritative for, you need to create specific forwards for those domains to forward to those specific name servers.

            Edit: I think this is what you need, at the bottom of the DNS forwarder section:

            [Image: domainoverrides.jpg (the Domain Overrides section of the DNS forwarder page)]

    cmb

              Probably because it resolves to a private IP and the DNS rebinding protection prevents that. You can either add a domain override for that particular domain, or disable DNS rebinding protection under System>Advanced.

    keylevel
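A simplified model of the check cmb describes, added here as an illustration (it is not code from the thread, pfSense or dnsmasq): an upstream reply carrying a private or loopback address is dropped by the forwarder's rebinding protection unless the queried name falls under a trusted domain, which a domain override provides. The function names, the address ranges modelled and the sample replies below are constructed assumptions.

```python
import ipaddress

# Simplified model (an assumption, not dnsmasq's or pfSense's own code) of the
# DNS rebinding protection the pfSense DNS forwarder enables by default
# (dnsmasq's stop-dns-rebind): an upstream reply is discarded when any
# address in it is private or loopback, unless the queried name lies under
# a domain the administrator has trusted (dnsmasq's rebind-domain-ok, which
# a domain override covers).
REBIND_BLOCKED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 equivalents
)]

def is_under_domain(name, domain):
    """True if name equals domain or is a subdomain of it (case-insensitive)."""
    name, domain = name.rstrip(".").lower(), domain.rstrip(".").lower()
    return name == domain or name.endswith("." + domain)

def rebind_filter(qname, answers, trusted_domains=(), stop_dns_rebind=True):
    """Return (addresses the client gets, reason); ([], reason) means dropped."""
    if not stop_dns_rebind or any(is_under_domain(qname, d) for d in trusted_domains):
        return list(answers), "ok"
    for addr in answers:
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in REBIND_BLOCKED):
            return [], "possible DNS-rebind attack detected for %s" % qname
    return list(answers), "ok"

# Constructed sample replies: the hosting company's DNS hands out an RFC 1918
# address for the VPN-only FTP host; a public site resolves to a public address.
PRIVATE_FTP_REPLY = ["10.20.30.40"]
PUBLIC_WEB_REPLY = ["203.0.113.10"]

def demo():
    results = {}
    # Default forwarder settings: the ftp reply is dropped, so lookups fail.
    results["default"] = rebind_filter("ftp.somedomain.com", PRIVATE_FTP_REPLY)
    # With a domain override for somedomain.com the same reply is passed on.
    results["override"] = rebind_filter("ftp.somedomain.com", PRIVATE_FTP_REPLY,
                                        trusted_domains=["somedomain.com"])
    # Public addresses are never affected, which is why every other name works.
    results["public"] = rebind_filter("www.example.com", PUBLIC_WEB_REPLY)
    return results

if __name__ == "__main__":
    for name, (addrs, reason) in demo().items():
        print(name, addrs, reason)
```

Disabling the protection entirely (stop_dns_rebind=False) also makes the lookup succeed, but it does so for every domain, which is why the per-domain override is the narrower fix.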

                Thanks guys, that's solved it.

                DNS was never my strong point, but it's nice to learn something new :)

                Chris

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.