Netgate Discussion Forum

    Dns issue…? not sure

    DHCP and DNS
    34 Posts 3 Posters 10.3k Views

      A Former User

      now when on the 192 network pfsense is not resolving after changing it from local to lan

      ping pfsense (and it added .lan since that is the domain in pfsense, which is normal)

      Ping has started…

      PING pfsense.lan (67.215.65.132): 56 data bytes
      64 bytes from 67.215.65.132: icmp_seq=0 ttl=54 time=32.445 ms
      64 bytes from 67.215.65.132: icmp_seq=1 ttl=54 time=39.338 ms
      64 bytes from 67.215.65.132: icmp_seq=2 ttl=54 time=33.226 ms

      (edit, this is on my mac)

        A Former User

        some more info…

        i connected a windows PC to vlan10

        pfsense domain was local, changed it to lan

        static entry under DNS forwarder section is working (for ds2411, 192.168.1.254 with lan as the domain), as you can see below.  i temporarily removed it just to confirm it was working and it didn't resolve.  that was temporary, it has already been added back in.

        C:\>ipconfig /all

        Windows IP Configuration

        Host Name . . . . . . . . . . . . : x200
          Primary Dns Suffix  . . . . . . . :
          Node Type . . . . . . . . . . . . : Hybrid
          IP Routing Enabled. . . . . . . . : No
          WINS Proxy Enabled. . . . . . . . : No
          DNS Suffix Search List. . . . . . : lan

        Wireless LAN adapter Wi-Fi:

        Connection-specific DNS Suffix  . : lan
          Description . . . . . . . . . . . : Intel(R) WiFi Link 5150
          DHCP Enabled. . . . . . . . . . . : Yes
          Autoconfiguration Enabled . . . . : Yes
          IPv4 Address. . . . . . . . . . . : 10.0.10.102(Preferred)
          Subnet Mask . . . . . . . . . . . : 255.255.255.0
          Lease Obtained. . . . . . . . . . : Sunday, February 10, 2013 7:23:50 PM
          Lease Expires . . . . . . . . . . : Monday, February 11, 2013 7:23:49 PM
          Default Gateway . . . . . . . . . : 10.0.10.1
          DHCP Server . . . . . . . . . . . : 10.0.10.1
          DNS Servers . . . . . . . . . . . : 10.0.10.1
          NetBIOS over Tcpip. . . . . . . . : Enabled

        C:\>ping ds2411

        Pinging ds2411.lan [192.168.1.254] with 32 bytes of data:
        Reply from 192.168.1.254: bytes=32 time=2ms TTL=63
        Reply from 192.168.1.254: bytes=32 time=2ms TTL=63
        Reply from 192.168.1.254: bytes=32 time=2ms TTL=63
        Reply from 192.168.1.254: bytes=32 time=2ms TTL=63

        Ping statistics for 192.168.1.254:
           Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
        Approximate round trip times in milli-seconds:
           Minimum = 2ms, Maximum = 2ms, Average = 2ms

        seems to be only causing an issue on my mac.  not that big of a deal, the purpose of my vlan is to block traffic from the regular network.  right now my rules are allowing traffic to and from all networks since this is mainly for testing, however, it is probably good to know how to fix this for future reference.

        i followed along with what was said in that other thread, but i still don't know what i am missing since i have tried a combo of things.

        thanks.

          A Former User

          @cmb:

          In that case, the default domain of the machine and the domain on the DNS entry probably aren't the same. Read my posts in this thread for more of an explanation. http://forum.pfsense.org/index.php/topic,53203.0/topicseen.html

          when i checked the DNS on the wifi adapter on the mac, the DNS servers are 192.168.1.1 and 10.0.10.1 and in the domain section was a grayed out name… lan (so it recognized the new settings from pfsense), but still not resolving properly.

          thanks.

            johnpoz (LAYER 8 Global Moderator)

            That IP you're resolving to for pfsense.lan is an opendns hit

            132.65.215.67.in-addr.arpa. 585381 IN  PTR    hit-nxdomain.opendns.com.

            So seems opendns is resolving your query not pfsense.

            and you're using just .lan as your domain?  Not a fan of doing that, why not local.lan or yourname.lan or somepornstarname.lan or mynetwork.lan

            etc..

            Do a simple query to pfsense for your fqdn: does it resolve to the ip you want or not? If not then pfsense is not setup correctly.  If it does then your client is not asking the right question or is asking someone else.

            my pfsense box is 192.168.1.253, my domain is local.lan, my boxes use that as their search domain as well.. So example

            C:\>ping pfsense

            Pinging pfsense.local.lan [192.168.1.253] with 32 bytes of data:
            Reply from 192.168.1.253: bytes=32 time<1ms TTL=64
            Reply from 192.168.1.253: bytes=32 time<1ms TTL=64

            see how it comes back fully qualified.

            Now if I do a dig for it I use the fully qualified name (local.lan attached); if not then dig would be only asking for the hostname, not the fqdn

            ; <<>> DiG 9.9.2-P1 <<>> pfsense.local.lan
            ;; global options: +cmd
            ;; Got answer:
            ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35147
            ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

            ;; QUESTION SECTION:
            ;pfsense.local.lan.            IN      A

            ;; ANSWER SECTION:
            pfsense.local.lan.      1      IN      A      192.168.1.253

            ;; Query time: 10 msec
            ;; SERVER: 192.168.1.253#53(192.168.1.253)
            ;; WHEN: Mon Feb 11 08:00:41 2013
            ;; MSG SIZE  rcvd: 51

            You can see that pfsense box at .253 resolved it

            I can even do a ptr

            ; <<>> DiG 9.9.2-P1 <<>> -x 192.168.1.253
            ;; global options: +cmd
            ;; Got answer:
            ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12699
            ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

            ;; QUESTION SECTION:
            ;253.1.168.192.in-addr.arpa.    IN      PTR

            ;; ANSWER SECTION:
            253.1.168.192.in-addr.arpa. 1  IN      PTR    pfsense.local.lan.

            ;; Query time: 13 msec
            ;; SERVER: 192.168.1.253#53(192.168.1.253)
            ;; WHEN: Mon Feb 11 08:02:02 2013
            ;; MSG SIZE  rcvd: 75

            So query pfsense box – what does it return?

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

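The post above turns on two things a stub resolver does silently: `ping pfsense` gets `local.lan` appended from the search list, while `dig pfsense` asks for the bare name and so reaches whatever the forwarder passes upstream. The following model, added here as an example and not code from the thread, pfSense or dnsmasq, walks the search list the way the BIND/glibc resolver does (trailing-dot absolute names, the `ndots` rule) and then looks each candidate up in a small host table modelled on the pfSense forwarder's static entries. The names, the addresses and the domain `local.lan` are the ones the posters gave; the host table itself and the two upstream models (one that answers NXDOMAIN honestly, one that hands back the 67.215.65.132 search-page address for anything) are constructed for the example.

```python
"""Search-list qualification and local-vs-forwarded lookup.

Added example for this thread; not code from the thread, pfSense or dnsmasq.
Host names, addresses and the domain local.lan are the ones the posters gave;
the host table and the two upstream models are constructed.
"""


def candidate_names(name, search, ndots=1):
    """Return the fully qualified names a stub resolver tries, in order.

    Rules modelled on the BIND/glibc resolver, which is why the thread's
    `ping pfsense` turned into `pfsense.local.lan`:
    - a trailing dot marks an absolute name: query exactly that, no search list;
    - a name with fewer than `ndots` dots is tried with each search suffix
      first and as-is last;
    - a name with `ndots` or more dots is tried as-is first, then suffixed.
    """
    if name.endswith("."):
        return [name]
    suffixed = [f"{name}.{domain.strip('.')}." for domain in search]
    bare = f"{name}."
    if name.count(".") >= ndots:
        return [bare] + suffixed
    return suffixed + [bare]


# Constructed model of the pfSense DNS forwarder's static entries (domain
# local.lan), using the addresses posted in the thread.
LOCAL_HOSTS = {
    "pfsense.local.lan.": "192.168.1.1",
    "ds2411.local.lan.": "192.168.1.254",
}


def honest_upstream(qname):
    """Upstream model that answers NXDOMAIN (None) for names it does not know."""
    return None


def nxdomain_redirect(qname):
    """Upstream model that never answers NXDOMAIN and returns a search-page
    address instead; 67.215.65.132 is the address the poster kept seeing."""
    return "67.215.65.132"


def forwarder_lookup(qname, hosts=LOCAL_HOSTS, upstream=honest_upstream):
    """One fully qualified query at the forwarder: answer from its own host
    table if the name is there, otherwise hand it to the upstream."""
    if qname in hosts:
        return ("local", hosts[qname])
    return ("upstream", upstream(qname))


def resolve(name, search, hosts=LOCAL_HOSTS, upstream=honest_upstream, ndots=1):
    """Walk the candidate list like a stub resolver: the first candidate that
    gets a non-NXDOMAIN answer wins.  Returns (queried_name, source, address),
    or (None, None, None) when every candidate came back NXDOMAIN."""
    for qname in candidate_names(name, search, ndots):
        source, address = forwarder_lookup(qname, hosts, upstream)
        if address is not None:
            return (qname, source, address)
    return (None, None, None)


if __name__ == "__main__":
    # `ping pfsense` with search domain local.lan: the suffixed name hits the host table.
    print(resolve("pfsense", ["local.lan"]))
    # `dig pfsense` applies no search list, so only the bare name "pfsense." is asked;
    # the forwarder has no such entry and the answer depends entirely on the upstream.
    print(resolve("pfsense", []))
    print(resolve("pfsense", [], upstream=nxdomain_redirect))
```

The last call reproduces what the thread shows: a bare query that the forwarder cannot answer locally comes back with an address only because the upstream refuses to say NXDOMAIN, and the client takes that as a real answer and stops walking the search list.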
              A Former User

              @johnpoz:

              That IP you're resolving to for pfsense.lan is an opendns hit

              132.65.215.67.in-addr.arpa. 585381 IN   PTR     hit-nxdomain.opendns.com.

              So seems opendns is resolving your query not pfsense.

              and you're using just .lan as your domain?  Not a fan of doing that, why not local.lan or yourname.lan or somepornstarname.lan or mynetwork.lan

              etc..

              Do a simple query to pfsense for your fqdn: does it resolve to the ip you want or not? If not then pfsense is not setup correctly.  If it does then your client is not asking the right question or is asking someone else.

              my pfsense box is 192.168.1.253, my domain is local.lan, my boxes use that as their search domain as well.. So example

              C:\>ping pfsense

              Pinging pfsense.local.lan [192.168.1.253] with 32 bytes of data:
              Reply from 192.168.1.253: bytes=32 time<1ms TTL=64
              Reply from 192.168.1.253: bytes=32 time<1ms TTL=64

              see how it comes back fully qualified.

              Now if I do a dig for it I use the fully qualified name (local.lan attached); if not then dig would be only asking for the hostname, not the fqdn

              ; <<>> DiG 9.9.2-P1 <<>> pfsense.local.lan
              ;; global options: +cmd
              ;; Got answer:
              ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35147
              ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

              ;; QUESTION SECTION:
              ;pfsense.local.lan.             IN      A

              ;; ANSWER SECTION:
              pfsense.local.lan.      1       IN      A       192.168.1.253

              ;; Query time: 10 msec
              ;; SERVER: 192.168.1.253#53(192.168.1.253)
              ;; WHEN: Mon Feb 11 08:00:41 2013
              ;; MSG SIZE  rcvd: 51

              You can see that pfsense box at .253 resolved it

              I can even do a ptr

              ; <<>> DiG 9.9.2-P1 <<>> -x 192.168.1.253
              ;; global options: +cmd
              ;; Got answer:
              ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12699
              ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

              ;; QUESTION SECTION:
              ;253.1.168.192.in-addr.arpa.    IN      PTR

              ;; ANSWER SECTION:
              253.1.168.192.in-addr.arpa. 1   IN      PTR     pfsense.local.lan.

              ;; Query time: 13 msec
              ;; SERVER: 192.168.1.253#53(192.168.1.253)
              ;; WHEN: Mon Feb 11 08:02:02 2013
              ;; MSG SIZE  rcvd: 75

              So query pfsense box – what does it return?

              i can change it to local.lan, i thought 1 word was enough, no problem there.

              yes, i am using openDNS for DNS lookups/filtering on this network, but i want pfsense to handle local name lookups first.

              everything seems to be working fine (with my current setup) until i get on my mac.  a windows computer has no problems with DNS lookups when plugged into the vlan.

                johnpoz (LAYER 8 Global Moderator)

                well maybe your mac is not doing the query you think it is doing.

                simple enough to do a query to pfsense using dig or nslookup or host..

                If what you query returns that 67 address, that tells me pfsense did not know what you were asking for and sent it up the tree to whatever it is set to forward to.. Which if that is the returned address then it's opendns.

                So if you say it works on your windows box, that points to the mac not being configured the same - maybe not using the same suffix you think (.lan) or having issues with single domains.  Which is why I think you should use something other than just .lan as your domain..  Try changing it to something.lan as your domain.

                Then do an actual query from your mac and see what is returned.  You 100% sure your mac is actually doing the query you think to pfsense?  Why not do a simple sniff on the pfsense lan for the mac IP.. What do you see the query as, what is the dest IP – quite possible the mac is doing the query direct to opendns?

                  A Former User

                  @johnpoz:

                  well maybe your mac is not doing the query you think it is doing.

                  simple enough to do a query to pfsense using dig or nslookup or host..

                  If what you query returns that 67 address, that tells me pfsense did not know what you were asking for and sent it up the tree to whatever it is set to forward to.. Which if that is the returned address then it's opendns.

                  So if you say it works on your windows box, that points to the mac not being configured the same - maybe not using the same suffix you think (.lan) or having issues with single domains.  Which is why I think you should use something other than just .lan as your domain..  Try changing it to something.lan as your domain.

                  Then do an actual query from your mac and see what is returned.  You 100% sure your mac is actually doing the query you think to pfsense?  Why not do a simple sniff on the pfsense lan for the mac IP.. What do you see the query as, what is the dest IP – quite possible the mac is doing the query direct to opendns?

                  thanks for the feedback, i will let you know when i am able to test with my mac.

                  i know that with pfsense using local and lan as the domain, windows had no problems on 192 or 10 network resolving by hostname.  mac works fine (with local and lan in pfsense) on the 192 network, but not the 10.

                  however, i changed the domain to local.lan per your recommendation and can't test the mac until i am on site later today (mac is off).  what i can confirm is that the DNS settings in the mac had 192.168.1.1 and 10.0.10.1 in the IP side (dns servers) and lan was gray/shaded on the domain section in the mac settings.  when i changed it to lan in pfsense, i didn't do anything in the mac other than plug in the lan cable so it obviously pulled lan on its own from the pfsense dhcp server options.  and when it did resolve, it was the 67 address.

                  which is strange, because windows didn't do that, it checked for local name resolution first.  mac seems to be skipping local and going straight to openDNS, which i don't want if the device exists locally (obviously).

                  i will let you know how the mac likes local.lan and try your suggestions.

                  thanks.

                    johnpoz (LAYER 8 Global Moderator)

                    so I don't see a reason to point dhcp clients to both the 192 and the 10 address for dns..  Since that is the same box, dhcp in 192 should only get the 192 address, and dhcp clients in the 10 should only point to the 10 address of pfsense interface for dns.

                    If you have multiple servers listed in clients dns, you really have little control to which one the client would use.  You would really not want to point to anything other than pfsense or it would be possible for client to use say opendns directly if you have it listed.  And opendns would not be able to resolve local.lan or .lan anything and would send back nx-domain for anything in such domains.

                      A Former User

                      @johnpoz:

                      so I don't see a reason to point dhcp clients to both the 192 and the 10 address for dns..  Since that is the same box, dhcp in 192 should only get the 192 address, and dhcp clients in the 10 should only point to the 10 address of pfsense interface for dns.

                      If you have multiple servers listed in clients dns, you really have little control to which one the client would use.  You would really not want to point to anything other than pfsense or it would be possible for client to use say opendns directly if you have it listed.  And opendns would not be able to resolve local.lan or .lan anything and would send back nx-domain for anything in such domains.

                      i will check when i go home.  i am not sure if that was user added or discovered on its own based off which connection i added.  but i agree with what you said.

                        A Former User

                        i removed 192.168.1.1 from DNS on the mac, but 10.0.10.1 stayed, in gray.  since i am on the vlan10 network, that makes sense.  domain appears, in gray, as local.lan

                        Ping has started…

                        PING ds2411.local.lan (67.215.65.132): 56 data bytes
                        64 bytes from 67.215.65.132: icmp_seq=0 ttl=54 time=33.808 ms
                        64 bytes from 67.215.65.132: icmp_seq=1 ttl=54 time=37.612 ms
                        64 bytes from 67.215.65.132: icmp_seq=5 ttl=54 time=36.895 ms

                        ------------------------------------------------------------------------------

                        dig pfsense

                        ; <<>> DiG 9.8.3-P1 <<>> pfsense
                        ;; global options: +cmd
                        ;; Got answer:
                        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56168
                        ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
                        ;; WARNING: Messages has 76 extra bytes at end

                        ;; OPT PSEUDOSECTION:
                        ; EDNS: version: 0, flags:; udp: 8192
                        ;; QUESTION SECTION:
                        ;pfsense. IN A

                        ;; ANSWER SECTION:
                        pfsense. 0 IN A 67.215.65.132

                        ;; Query time: 89 msec
                        ;; SERVER: 127.0.0.1#53(127.0.0.1)
                        ;; WHEN: Mon Feb 11 17:44:00 2013
                        ;; MSG SIZE  rcvd: 128


                        dig pfsense.local.lan

                        ; <<>> DiG 9.8.3-P1 <<>> pfsense.local.lan
                        ;; global options: +cmd
                        ;; Got answer:
                        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31139
                        ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
                        ;; WARNING: Messages has 66 extra bytes at end

                        ;; OPT PSEUDOSECTION:
                        ; EDNS: version: 0, flags:; udp: 8192
                        ;; QUESTION SECTION:
                        ;pfsense.local.lan. IN A

                        ;; ANSWER SECTION:
                        pfsense.local.lan. 0 IN A 67.215.65.132

                        ;; Query time: 195 msec
                        ;; SERVER: 127.0.0.1#53(127.0.0.1)
                        ;; WHEN: Mon Feb 11 17:44:57 2013
                        ;; MSG SIZE  rcvd: 128

                          johnpoz (LAYER 8 Global Moderator)

                          and clearly you're asking loopback in those queries

                          SERVER: 127.0.0.1

                          Not your pfsense box!  Do a dig to your pfsense box, what does it answer - clearly replace my below example with your pfsense lan IP.

                          C:\Windows\System32>dig @192.168.1.253 pfsense.local.lan

                          ; <<>> DiG 9.9.2-P1 <<>> @192.168.1.253 pfsense.local.lan
                          ; (1 server found)
                          ;; global options: +cmd
                          ;; Got answer:
                          ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8159
                          ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

                          ;; QUESTION SECTION:
                          ;pfsense.local.lan.             IN      A

                          ;; ANSWER SECTION:
                          pfsense.local.lan.      86400   IN      A       192.168.1.253

                          ;; Query time: 17 msec
                          ;; SERVER: 192.168.1.253#53(192.168.1.253)
                          ;; WHEN: Mon Feb 11 23:09:12 2013
                          ;; MSG SIZE  rcvd: 51

                          So your mac is running its own forwarder and forwards those to opendns clearly since

                          132.65.215.67.in-addr.arpa. 603883 IN   PTR     hit-nxdomain.opendns.com.

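The diagnosis in the post above comes from two lines of each transcript: the `SERVER:` line (127.0.0.1 on the Mac, the pfSense address in johnpoz's run) and an answer for a `local.lan` name that is a public address. The check below, added here as an example and not code from the thread or from pfSense, parses a dig transcript and flags exactly those signs, plus one more that both transcripts show but the thread does not call out: johnpoz's answers from pfSense carry the `aa` flag (served from the forwarder's own host records), while the Mac's answers do not. The two transcripts are copied from the posts above; the expected resolver addresses (10.0.10.1 for the VLAN client, 192.168.1.253 for johnpoz's box) are the ones the posters gave.

```python
"""Read a dig transcript the way the post above does: which server answered,
was the answer authoritative, and is the address plausible for a local name?

Added example for this thread; not code from the thread or pfSense.  The two
transcripts are copied from the posts; the expected resolver addresses are the
pfSense interface addresses the posters gave.
"""
import ipaddress
import re

# Copied from the thread: the Mac's `dig pfsense.local.lan`, answered by loopback.
MAC_DIG = """\
; <<>> DiG 9.8.3-P1 <<>> pfsense.local.lan
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31139
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: Messages has 66 extra bytes at end

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 8192
;; QUESTION SECTION:
;pfsense.local.lan. IN A

;; ANSWER SECTION:
pfsense.local.lan. 0 IN A 67.215.65.132

;; Query time: 195 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Feb 11 17:44:57 2013
;; MSG SIZE  rcvd: 128
"""

# Copied from the thread: johnpoz's `dig @192.168.1.253 pfsense.local.lan`.
PFSENSE_DIG = """\
; <<>> DiG 9.9.2-P1 <<>> @192.168.1.253 pfsense.local.lan
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8159
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;pfsense.local.lan.             IN      A

;; ANSWER SECTION:
pfsense.local.lan.      86400   IN      A       192.168.1.253

;; Query time: 17 msec
;; SERVER: 192.168.1.253#53(192.168.1.253)
;; WHEN: Mon Feb 11 23:09:12 2013
;; MSG SIZE  rcvd: 51
"""

SERVER_RE = re.compile(r"^;; SERVER: ([^#\s]+)#(\d+)")
STATUS_RE = re.compile(r"status: (\w+)")
FLAGS_RE = re.compile(r"^;; flags: ([^;]*);")


def parse_dig(text):
    """Pull server, status, header flags and answer records out of dig output."""
    info = {"server": None, "status": None, "flags": set(), "answers": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = None          # a blank line ends the current section
            continue
        if line.startswith(";;"):
            section = "answer" if line.startswith(";; ANSWER SECTION") else None
            if (m := SERVER_RE.match(line)):
                info["server"] = m.group(1)
            elif (m := FLAGS_RE.match(line)):
                info["flags"] = set(m.group(1).split())
            elif (m := STATUS_RE.search(line)):
                info["status"] = m.group(1)
            continue
        if line.startswith(";"):
            continue                # question entries and EDNS comment lines
        if section == "answer":
            fields = line.split()   # name ttl class type rdata
            if len(fields) >= 5:
                info["answers"].append(tuple(fields[:5]))
    return info


def diagnose(text, expected_server, local_domain):
    """Return the findings a defender would flag; an empty list means the
    transcript looks like a healthy local lookup."""
    info = parse_dig(text)
    findings = []
    if info["server"] != expected_server:
        findings.append(f"answered by {info['server']}, not the expected resolver {expected_server}")
        if info["server"] and ipaddress.ip_address(info["server"]).is_loopback:
            findings.append("client is asking a forwarder on its own loopback, not the network resolver")
    if "aa" not in info["flags"]:
        findings.append("no aa flag: the answer was forwarded or cached, not served from the resolver's own host table")
    suffix = "." + local_domain.strip(".")
    for name, _ttl, _cls, rtype, rdata in info["answers"]:
        if rtype == "A" and name.rstrip(".").endswith(suffix):
            if not ipaddress.ip_address(rdata).is_private:
                findings.append(f"{name} resolved to public address {rdata}: an upstream NXDOMAIN-redirect page, not a LAN host")
    return findings


if __name__ == "__main__":
    for finding in diagnose(MAC_DIG, "10.0.10.1", "local.lan"):
        print("mac:", finding)
    print("pfsense:", diagnose(PFSENSE_DIG, "192.168.1.253", "local.lan") or "clean")
```

On macOS the equivalent of reading resolv.conf is `scutil --dns`, which lists every resolver the system will use with its nameserver addresses and search domains; a `nameserver[0] : 127.0.0.1` entry there is the local forwarder this post is pointing at, and it has to be pointed at the pfSense interface address before the `aa`-flagged answers in johnpoz's transcript can appear on the Mac.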
                            A Former User

                            @johnpoz:

                            and clearly you're asking loopback in those queries

                            SERVER: 127.0.0.1

                            Not your pfsense box!  Do a dig to your pfsense box, what does it answer - clearly replace my below example with your pfsense lan IP.

                            C:\Windows\System32>dig @192.168.1.253 pfsense.local.lan

                            ; <<>> DiG 9.9.2-P1 <<>> @192.168.1.253 pfsense.local.lan
                            ; (1 server found)
                            ;; global options: +cmd
                            ;; Got answer:
                            ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8159
                            ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

                            ;; QUESTION SECTION:
                            ;pfsense.local.lan.             IN      A

                            ;; ANSWER SECTION:
                            pfsense.local.lan.      86400   IN      A       192.168.1.253

                            ;; Query time: 17 msec
                            ;; SERVER: 192.168.1.253#53(192.168.1.253)
                            ;; WHEN: Mon Feb 11 23:09:12 2013
                            ;; MSG SIZE  rcvd: 51

                            So your mac is running its own forwarder and forwards those to opendns clearly since

                            132.65.215.67.in-addr.arpa. 603883 IN   PTR     hit-nxdomain.opendns.com.

                            yeah, i noticed that as well, but why does the mac do this? everything is on dhcp on the mac, the windows machines work fine…is it a mac only issue (it appears to be) but why?

                            dig 192.168.1.1

                            ; <<>> DiG 9.8.3-P1 <<>> 192.168.1.1
                            ;; global options: +cmd
                            ;; Got answer:
                            ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41966
                            ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
                            ;; WARNING: Messages has 136 extra bytes at end

                            ;; OPT PSEUDOSECTION:
                            ; EDNS: version: 0, flags:; udp: 8192
                            ;; QUESTION SECTION:
                            ;192.168.1.1. IN A

                            ;; ANSWER SECTION:
                            192.168.1.1. 0 IN A 67.215.65.132

                            ;; Query time: 35 msec
                            ;; SERVER: 127.0.0.1#53(127.0.0.1)
                            ;; WHEN: Tue Feb 12 02:09:10 2013
                            ;; MSG SIZE  rcvd: 192

                              johnpoz (LAYER 8 Global Moderator)

                              " but why does the mac do this?"

                              Because you have it configured that way - that is why!  Computers only do what you tell them, you have told this one to use the service running on itself for dns, which forwards to opendns.

                              Just because you have a box set for dhcp for its IP, etc. does not mean that it's going to grab dns from dhcp - windows boxes allow you to do this as well.  You can get ip and gateway info from dhcp, but point to whatever dns you want.

                                A Former User

                                @johnpoz:

                                " but why does the mac do this?"

                                Because you have it configured that way - that is why!  Computers only do what you tell them, you have told this one to use the service running on itself for dns, which forwards to opendns.

                                Just because you have a box set for dhcp for its IP, etc. does not mean that it's going to grab dns from dhcp - windows boxes allow you to do this as well.  You can get ip and gateway info from dhcp, but point to whatever dns you want.

                                ok, let's try this again because i am starting to become confused and i am not sure if it is a problem with me or with how pfsense is working.

                                my intention is for the pfsense box to use openDNS when resolving lookup requests from computer devices on my network (vs the ISP DNS servers).

                                an ipconfig /all on a windows machine shows:

                                ip- 192.168.1.xxx
                                sub- 255.255.255.0
                                gate- 192.168.1.1 (pfsense)

                                dns1- 192.168.1.1 (pfsense)

                                if the DNS on the windows machine was pointing to 208.67.222.222 and 220.220 i would agree with you that it is bypassing pfsense altogether and asking openDNS what the ip for DS2411 is.  however, it doesn't, it appears that on my windows box it asks 192.168.1.1 what the IP of DS2411 is and since it sees it locally, it replies back with 192.168.1.254

                                no problem, that is what i am looking for, so i assumed my pfsense DNS configuration was setup as it should be.

                                when i do an ipconfig /all on a windows PC i DON'T want to see this:

                                ip- 192.168.1.xxx
                                sub- 255.255.255.0
                                gate- 192.168.1.1 (pfsense)

                                dns1- 208.67.222.222
                                dns2- 208.67.220.220

                                i don't want network devices having public DNS servers, i want them to have a private/internal ip that points to the pfsense box (or a domain controller if i were using one)

                                as stated, everything works fine in windows.  the problem is when i come to the mac.

                                i didn't configure the mac to do anything, the mac is on DHCP and receiving settings from pfsense, which is my DHCP server.

                                thanks, hopefully we can resolve this.

                                  johnpoz (LAYER 8 Global Moderator)

                                  And what you posted is showing the Mac not asking pfsense, but asking itself 127.0.0.1, which is forwarding where??  It sure looks to be opendns..

                                  If pfsense answers correctly on windows, then it's not a misconfiguration of pfsense - but the mac is not asking it!

                                  on the mac do a dig TO pfsense

                                  dig @ipaddressofpfsenseLanIP yourrecord

                                  What does that return? I'm not a huge mac user.. but it's pretty freaking close to a standard linux setup.. what does your /etc/resolv.conf say?

                                  On my one mac setup.  You can see when I do a dig it asks my pfsense box at 192.168.1.253, and you see this in the resolv.conf file - see attached screenshot..  Like I said I am not an OS X user, so not sure of the details of its config methods.  But I notice in the resolv.conf file that it states that this file is not used by most processes??  But clearly you're running either local dnsmasq, bind, something that is taking dns queries on loopback 127.0.0.1 and sending them somewhere.  Which from what you're getting back looks like opendns to me, so that had to be configured somewhere!

                                  So see my 2nd screen shot - under dns on your network config what do you show?

                                  What does your /etc/hostconfig show - does it have dnsmasq installed?

                                  Do you have a /etc/resolv.dnsmasq.conf file?  What is in it? Do you have a /usr/local/etc/dnsmasq.conf file - what is in it?

                                  [attachments: osxdns.jpg, networksetuposxdns.jpg]

                                    A Former User

                                    this is all i can get for now, mac is not on, can't remote into it…

                                      johnpoz (LAYER 8 Global Moderator)

                                      yeah that's your pfsense - and having it forward to opendns is fine.. But the mac has to be able to ask pfsense if he wants to resolve ds2411.local.lan to 192.168.1.254

                                      Need to see why your mac is not asking pfsense - he seems to be asking himself, which is then forwarded to opendns.  If it was forwarded to pfsense then it would resolve that ds2411 client vs pfsense forwarding to opendns.


                                      • ?
                                        A Former User

                                        @johnpoz:

                                        yeah that's your pfsense - and having it forward to opendns is fine.. But the mac has to be able to ask pfsense if he wants to resolve ds2411.local.lan to 192.168.1.254

                                        Need to see why your mac is not asking pfsense - he seems to be asking himself, which is then forwarded to opendns.  If it was forwarded to pfsense then it would resolve that ds2411 client vs pfsense forwarding to opendns.

                                        i know, and i stated that my mac was off.

                                        i wanted to post these screens so there were no assumptions on the pfsense setup.  that way we all know what we are looking at.

                                        my DNS section looks the same as yours (pfsense IP on one side, local.lan on the other [both grayed out]).

                                        thank you for your help, i will post the info you requested (of the mac) when i am able to.

                                        edit- we know windows is fine, but here is the output of nslookup for ds2411

                                        C:>nslookup ds2411
                                        Server:  pfsense.local.lan
                                        Address:  192.168.1.1

                                        Name:    ds2411.local.lan
                                        Address:  192.168.1.254

                                        operating as it should be… (which we know)

                                        • ?
                                          A Former User

                                          unbelievable, i figured out what it was.  i am embarrassed to admit this, but i am going to swallow my pride.

                                          i was running dnscrypt on my mac (free tool from openDNS), which is why it was always resolving to openDNS for lookups.

                                          when it first came out, dnscrypt was only available for mac and i installed it to see how well it worked.  i was using openDNS on the pfsense, but i was mobile with my mac and wanted to test the new software.  apparently once i turned it on i forgot about it and never turned it off.  i just turned it off…

                                          dig pfsense

                                          ; <<>> DiG 9.8.3-P1 <<>> pfsense
                                          ;; global options: +cmd
                                          ;; Got answer:
                                          ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15215
                                          ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

                                          ;; QUESTION SECTION:
                                          ;pfsense. IN A

                                          ;; ANSWER SECTION:
                                          pfsense. 1 IN A 192.168.1.1

                                          ;; Query time: 4 msec
                                          ;; SERVER: 192.168.1.1#53(192.168.1.1)
                                          ;; WHEN: Tue Feb 12 19:32:16 2013
                                          ;; MSG SIZE  rcvd: 41

                                          dig ds2411

                                          ; <<>> DiG 9.8.3-P1 <<>> ds2411
                                          ;; global options: +cmd
                                          ;; Got answer:
                                          ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42009
                                          ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

                                          ;; QUESTION SECTION:
                                          ;ds2411. IN A

                                          ;; ANSWER SECTION:
                                          ds2411. 1 IN A 192.168.1.254

                                          ;; Query time: 4 msec
                                          ;; SERVER: 192.168.1.1#53(192.168.1.1)
                                          ;; WHEN: Tue Feb 12 19:32:41 2013
                                          ;; MSG SIZE  rcvd: 40

                                          i feel like an idiot for not catching that sooner, especially since i implement openDNS on many networks and i am not new to their service/software.

                                          well, at least it is resolved…(no pun intended)

                                          • johnpozJ
                                            johnpoz LAYER 8 Global Moderator

                                            Well, at least you figured out the issue.  So where does dnscrypt make a change that causes your mac to use that vs what is handed out via dhcp or what you set up in the network settings?

                                            Did your resolv.conf point to 127.0.0.1?

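An added example, not code from the thread, pfSense or dnscrypt, that answers johnpoz's two questions in one check: what does the client's resolv.conf say, and which server actually answered a dig query. It audits a client the way the poster eventually did by hand, flagging a loopback nameserver (the dnscrypt case), a resolver other than the one DHCP hands out, and a local name such as pfsense.lan answering with a public address. The resolv.conf and dig samples below are constructed to model the thread's broken and working states; the expected resolver 192.168.1.1 and the addresses 192.168.1.254 and 67.215.65.132 come from the thread, and the finding codes are this example's own names.

```python
import ipaddress
import re

# The resolver the network hands out via DHCP (pfSense LAN address in the thread).
EXPECTED_RESOLVER = "192.168.1.1"

# ---- Constructed sample inputs (not captured from the thread's machines) ----
# resolv.conf as a local DNS proxy such as dnscrypt might leave it: every query
# goes to loopback, so the DHCP-supplied resolver is never consulted.
RESOLV_CONF_LOCAL_PROXY = """\
search lan
nameserver 127.0.0.1
"""

# resolv.conf as DHCP from pfSense would populate it.
RESOLV_CONF_DHCP = """\
domain local.lan
nameserver 192.168.1.1
"""

# dig output for the broken case, modeled on the thread's ping result
# (pfsense.lan answered with an OpenDNS address): the answer came from
# loopback and is a public address for a name in the local search domain.
DIG_VIA_PROXY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1111
;; QUESTION SECTION:
;pfsense.lan.\t\t\tIN\tA

;; ANSWER SECTION:
pfsense.lan.\t\t0\tIN\tA\t67.215.65.132

;; SERVER: 127.0.0.1#53(127.0.0.1)
"""

# dig output for the working case, modeled on the thread's final output.
DIG_VIA_PFSENSE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15215
;; QUESTION SECTION:
;pfsense.\t\t\tIN\tA

;; ANSWER SECTION:
pfsense.\t\t1\tIN\tA\t192.168.1.1

;; SERVER: 192.168.1.1#53(192.168.1.1)
"""


def parse_resolv_conf(text):
    """Return (search_domains, nameservers) from resolv.conf text, ignoring comments."""
    domains, servers = [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        if key == "nameserver":
            servers.append(rest.strip())
        elif key in ("search", "domain"):
            domains.extend(rest.split())
    return domains, servers


def dig_server(text):
    """IP of the server that answered, taken from dig's ';; SERVER:' line (None if absent)."""
    m = re.search(r"^;; SERVER: ([0-9a-fA-F.:]+)#\d+", text, re.M)
    return m.group(1) if m else None


def dig_answers(text):
    """List of (name, address) pairs from the A records in dig's answer section."""
    return re.findall(r"^(\S+)\s+\d+\s+IN\s+A\s+(\S+)\s*$", text, re.M)


def audit(resolv_text, dig_text, expected=EXPECTED_RESOLVER):
    """Return finding codes; an empty list means the client asks the expected
    resolver and gets private addresses back for local names."""
    findings = []
    domains, servers = parse_resolv_conf(resolv_text)
    for ns in servers:
        if ipaddress.ip_address(ns).is_loopback:
            findings.append("LOOPBACK_RESOLVER")      # a local proxy sits in the path
        elif ns != expected:
            findings.append("UNEXPECTED_RESOLVER")    # something other than DHCP's choice
    if dig_server(dig_text) != expected:
        findings.append("DIG_SERVER_MISMATCH")        # the answer did not come from pfSense
    for name, addr in dig_answers(dig_text):
        bare = name.rstrip(".")
        is_local = "." not in bare or any(bare == d or bare.endswith("." + d) for d in domains)
        if is_local and not ipaddress.ip_address(addr).is_private:
            findings.append("LOCAL_NAME_PUBLIC_ANSWER")  # typo-catcher / external resolver answered
    return findings


if __name__ == "__main__":
    print("proxy case:  ", audit(RESOLV_CONF_LOCAL_PROXY, DIG_VIA_PROXY))
    print("pfSense case:", audit(RESOLV_CONF_DHCP, DIG_VIA_PFSENSE))
```

On a real client, feed `audit()` the contents of `/etc/resolv.conf` and the output of `dig <local-hostname>`; any non-empty result means name resolution is not going through the network's resolver, which is exactly the symptom the poster chased for most of this thread.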

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.