
    Dns issue…? not sure

    DHCP and DNS
    34 Posts 3 Posters 10.4k Views

    • A Former User

      I removed 192.168.1.1 from DNS on the Mac, but 10.0.10.1 stayed, in gray. Since I am on the vlan10 network, that makes sense. The domain appears, in gray, as local.lan.

      Ping has started…

      PING ds2411.local.lan (67.215.65.132): 56 data bytes
      64 bytes from 67.215.65.132: icmp_seq=0 ttl=54 time=33.808 ms
      64 bytes from 67.215.65.132: icmp_seq=1 ttl=54 time=37.612 ms
      64 bytes from 67.215.65.132: icmp_seq=5 ttl=54 time=36.895 ms

      ------------------------------------------------------------------------------

      dig pfsense

      ; <<>> DiG 9.8.3-P1 <<>> pfsense
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56168
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
      ;; WARNING: Messages has 76 extra bytes at end

      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 8192
      ;; QUESTION SECTION:
      ;pfsense. IN A

      ;; ANSWER SECTION:
      pfsense. 0 IN A 67.215.65.132

      ;; Query time: 89 msec
      ;; SERVER: 127.0.0.1#53(127.0.0.1)
      ;; WHEN: Mon Feb 11 17:44:00 2013
      ;; MSG SIZE  rcvd: 128


      dig pfsense.local.lan

      ; <<>> DiG 9.8.3-P1 <<>> pfsense.local.lan
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31139
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
      ;; WARNING: Messages has 66 extra bytes at end

      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 8192
      ;; QUESTION SECTION:
      ;pfsense.local.lan. IN A

      ;; ANSWER SECTION:
      pfsense.local.lan. 0 IN A 67.215.65.132

      ;; Query time: 195 msec
      ;; SERVER: 127.0.0.1#53(127.0.0.1)
      ;; WHEN: Mon Feb 11 17:44:57 2013
      ;; MSG SIZE  rcvd: 128

      • johnpoz LAYER 8 Global Moderator

        And clearly you're asking loopback in those queries

        SERVER: 127.0.0.1

        Not your pfsense box!  Do a dig to your pfsense box; what does it answer? Clearly, replace my example below with your pfsense LAN IP.

        C:\Windows\System32>dig @192.168.1.253 pfsense.local.lan

        ; <<>> DiG 9.9.2-P1 <<>> @192.168.1.253 pfsense.local.lan
        ; (1 server found)
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8159
        ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

        ;; QUESTION SECTION:
        ;pfsense.local.lan.             IN      A

        ;; ANSWER SECTION:
        pfsense.local.lan.      86400   IN      A       192.168.1.253

        ;; Query time: 17 msec
        ;; SERVER: 192.168.1.253#53(192.168.1.253)
        ;; WHEN: Mon Feb 11 23:09:12 2013
        ;; MSG SIZE  rcvd: 51

        So your Mac is running its own forwarder and clearly forwards those to OpenDNS, since

        132.65.215.67.in-addr.arpa. 603883 IN   PTR     hit-nxdomain.opendns.com.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11
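The check johnpoz is making by eye (which server answered, whether the answer is authoritative, whether a LAN name came back as a public address) as a small script. This is an added example, not code from the thread; the resolver address 192.168.1.1 and the search domain local.lan are the values from the thread, and the sample dig outputs are trimmed copies of the ones posted above.

```python
"""Triage dig output for the symptom in this thread: local names that are
answered by a loopback forwarder and handed to a public resolver.
Added example; the sample outputs are trimmed copies of those in the thread."""
import ipaddress
import re

# Taken from the thread: the LAN resolver pfSense hands out via DHCP and
# the search domain it serves locally.
EXPECTED_RESOLVER = "192.168.1.1"
LOCAL_DOMAIN = "local.lan"

SERVER_RE = re.compile(r"^;; SERVER: (\S+?)#\d+", re.M)
FLAGS_RE = re.compile(r"^;; flags: ([^;]*);", re.M)
# Answer-section A records; question-section lines start with ';' and carry no TTL.
ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\S+)\s*$", re.M)


def parse_dig(text):
    """Extract the answering server, header flags and A records from dig output."""
    server = SERVER_RE.search(text)
    flags = FLAGS_RE.search(text)
    answers = [(name.rstrip("."), int(ttl), addr)
               for name, ttl, addr in ANSWER_RE.findall(text)]
    return {"server": server.group(1) if server else None,
            "flags": set(flags.group(1).split()) if flags else set(),
            "answers": answers}


def is_local_name(name):
    """Single-label names and anything under the search domain belong to pfSense."""
    return "." not in name or name.endswith("." + LOCAL_DOMAIN)


def looks_like_ip(name):
    """True when the 'hostname' queried was really a dotted quad (dig 192.168.1.1)."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def triage(text):
    """Return a list of findings; an empty list means the query went where it should."""
    d = parse_dig(text)
    if d["server"] is None:
        return ["no SERVER line: the query never got an answer"]
    findings = []
    if ipaddress.ip_address(d["server"]).is_loopback:
        findings.append("answered by loopback %s: a local forwarder is in the path" % d["server"])
    elif d["server"] != EXPECTED_RESOLVER:
        findings.append("answered by %s, expected %s" % (d["server"], EXPECTED_RESOLVER))
    for name, ttl, addr in d["answers"]:
        if looks_like_ip(name):
            # An honest resolver has no A record for a literal address; only
            # NXDOMAIN redirection produces one.
            findings.append("dotted quad %s got an A answer %s: synthesized record" % (name, addr))
        elif is_local_name(name):
            if ipaddress.ip_address(addr).is_global:
                findings.append("local name %s resolved to public %s (TTL %d)" % (name, addr, ttl))
            if "aa" not in d["flags"]:
                findings.append("answer for %s is not authoritative: not from the LAN resolver" % name)
    return findings


# Constructed from the thread's posts, trimmed to the lines the checks use.
SAMPLE_BROKEN = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
pfsense. 0 IN A 67.215.65.132
;; SERVER: 127.0.0.1#53(127.0.0.1)
"""

SAMPLE_FIXED = """\
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
pfsense. 1 IN A 192.168.1.1
;; SERVER: 192.168.1.1#53(192.168.1.1)
"""

if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BROKEN), ("after", SAMPLE_FIXED)):
        print(label, triage(sample) or ["ok"])
```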

        • A Former User

          @johnpoz:

          And clearly you're asking loopback in those queries

          SERVER: 127.0.0.1

          Not your pfsense box!  Do a dig to your pfsense box; what does it answer? Clearly, replace my example below with your pfsense LAN IP.

          C:\Windows\System32>dig @192.168.1.253 pfsense.local.lan

          ; <<>> DiG 9.9.2-P1 <<>> @192.168.1.253 pfsense.local.lan
          ; (1 server found)
          ;; global options: +cmd
          ;; Got answer:
          ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8159
          ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

          ;; QUESTION SECTION:
          ;pfsense.local.lan.             IN      A

          ;; ANSWER SECTION:
          pfsense.local.lan.      86400   IN      A       192.168.1.253

          ;; Query time: 17 msec
          ;; SERVER: 192.168.1.253#53(192.168.1.253)
          ;; WHEN: Mon Feb 11 23:09:12 2013
          ;; MSG SIZE  rcvd: 51

          So your Mac is running its own forwarder and clearly forwards those to OpenDNS, since

          132.65.215.67.in-addr.arpa. 603883 IN   PTR     hit-nxdomain.opendns.com.

          Yeah, I noticed that as well, but why does the Mac do this? Everything is on DHCP on the Mac, and the Windows machines work fine… is it a Mac-only issue (it appears to be), but why?

          dig 192.168.1.1

          ; <<>> DiG 9.8.3-P1 <<>> 192.168.1.1
          ;; global options: +cmd
          ;; Got answer:
          ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41966
          ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
          ;; WARNING: Messages has 136 extra bytes at end

          ;; OPT PSEUDOSECTION:
          ; EDNS: version: 0, flags:; udp: 8192
          ;; QUESTION SECTION:
          ;192.168.1.1. IN A

          ;; ANSWER SECTION:
          192.168.1.1. 0 IN A 67.215.65.132

          ;; Query time: 35 msec
          ;; SERVER: 127.0.0.1#53(127.0.0.1)
          ;; WHEN: Tue Feb 12 02:09:10 2013
          ;; MSG SIZE  rcvd: 192

          • johnpoz LAYER 8 Global Moderator

            " but why does the mac do this?"

            Because you have it configured that way - that is why!  Computers only do what you tell them; you have told this one to use the service running on itself for DNS, which forwards to OpenDNS.

            Just because you have a box set to DHCP for its IP, etc., does not mean that it's going to grab DNS from DHCP - Windows boxes allow you to do this as well.  You can get IP and gateway info from DHCP, but point to whatever DNS you want.

            • A Former User

              @johnpoz:

              " but why does the mac do this?"

              Because you have it configured that way - that is why!  Computers only do what you tell them; you have told this one to use the service running on itself for DNS, which forwards to OpenDNS.

              Just because you have a box set to DHCP for its IP, etc., does not mean that it's going to grab DNS from DHCP - Windows boxes allow you to do this as well.  You can get IP and gateway info from DHCP, but point to whatever DNS you want.

              OK, let's try this again, because I am starting to become confused and I am not sure if it is a problem with me or with how pfsense is working.

              My intention is for the pfsense box to use OpenDNS when resolving lookup requests from computer devices on my network (vs. the ISP DNS servers).

              An ipconfig /all on a Windows machine shows:

              ip- 192.168.1.xxx
              sub- 255.255.255.0
              gate- 192.168.1.1 (pfsense)

              dns1- 192.168.1.1 (pfsense)

              If the DNS on the Windows machine was pointing to 208.67.222.222 and 220.220, I would agree with you that it is bypassing pfsense altogether and asking OpenDNS what the IP for DS2411 is.  However, it doesn't; it appears that on my Windows box it asks 192.168.1.1 what the IP of DS2411 is, and since it sees it locally, it replies back with 192.168.1.254.

              No problem, that is what I am looking for, so I assumed my pfsense DNS configuration was set up as it should be.

              When I do an ipconfig /all on a Windows PC I DON'T want to see this:

              ip- 192.168.1.xxx
              sub- 255.255.255.0
              gate- 192.168.1.1 (pfsense)

              dns1- 208.67.222.222
              dns2- 208.67.220.220

              I don't want network devices having public DNS servers; I want them to have a private/internal IP that points to the pfsense box (or a domain controller if I were using one).

              As stated, everything works fine in Windows.  The problem is when I come to the Mac.

              I didn't configure the Mac to do anything; the Mac is on DHCP and receiving settings from pfsense, which is my DHCP server.

              Thanks, hopefully we can resolve this.

              • johnpoz LAYER 8 Global Moderator

                And what you posted is showing the Mac not asking pfsense, but asking itself (127.0.0.1), which is forwarding where??  It sure looks to be OpenDNS..

                If pfsense answers correctly on Windows, then it's not a misconfiguration of pfsense - but the Mac is not asking it!

                On the Mac do a dig TO pfsense

                dig @ipaddressofpfsenseLanIP yourrecord

                What does that return? I'm not a huge Mac user.. but it's pretty freaking close to a standard Linux setup.. what does your /etc/resolv.conf say?

                On my one Mac setup, you can see when I do a dig it asks my pfsense box at 192.168.1.253, and you see this in the resolv.conf file - see attached screenshot..  Like I said, I am not an OS X user, so not sure of the details of its config methods.  But I notice in the resolv.conf file that it states that this file is not used by most processes??  But clearly you're running either a local dnsmasq, bind, or something that is taking DNS queries on loopback 127.0.0.1 and sending them somewhere.  Which, from what you're getting back, looks like OpenDNS to me, so that had to be configured somewhere!

                So see my 2nd screenshot - under DNS on your network config what do you show?

                What does your /etc/hostconfig show - does it have dnsmasq installed?

                Do you have a /etc/resolv.dnsmasq.conf file?  What is in it? Do you have a /usr/local/etc/dnsmasq.conf file - what is in it?

                [attached screenshots: osxdns.jpg, networksetuposxdns.jpg]

                • A Former User

                  This is all I can get for now; the Mac is not on, can't remote into it…

                  • johnpoz LAYER 8 Global Moderator

                    Yeah, that's your pfsense - and having it forward to OpenDNS is fine.. But the Mac has to be able to ask pfsense if he wants to resolve ds2411.local.lan to 192.168.1.254

                    Need to see why your Mac is not asking pfsense - he seems to be asking himself, which is then forwarded to OpenDNS.  If it was forwarded to pfsense then it would resolve that ds2411 client vs. pfsense forwarding to OpenDNS.

                    • A Former User

                      @johnpoz:

                      Yeah, that's your pfsense - and having it forward to OpenDNS is fine.. But the Mac has to be able to ask pfsense if he wants to resolve ds2411.local.lan to 192.168.1.254

                      Need to see why your Mac is not asking pfsense - he seems to be asking himself, which is then forwarded to OpenDNS.  If it was forwarded to pfsense then it would resolve that ds2411 client vs. pfsense forwarding to OpenDNS.

                      I know, and I stated that my Mac was off.

                      I wanted to post these screens so there were no assumptions about the pfsense setup.  That way we all know what we are looking at.

                      My DNS section looks the same as yours (pfsense IP on one side, local.lan on the other [both grayed out]).

                      Thank you for your help; I will post the info you requested (of the Mac) when I am able to.

                      Edit - we know Windows is fine, but here is the output of nslookup for ds2411:

                      C:>nslookup ds2411
                      Server:  pfsense.local.lan
                      Address:  192.168.1.1

                      Name:    ds2411.local.lan
                      Address:  192.168.1.254

                      Operating as it should be… (which we know)

                      • A Former User

                        Unbelievable, I figured out what it was.  I am embarrassed to admit this, but I am going to swallow my pride.

                        I was running dnscrypt on my Mac (free tool from OpenDNS), which is why it was always resolving to OpenDNS for lookups.

                        When it first came out, dnscrypt was only available for Mac and I installed it to see how well it worked.  I was using OpenDNS on the pfsense, but I was mobile with my Mac and wanted to test the new software.  Apparently once I turned it on I forgot about it and never turned it off.  I just turned it off…

                        dig pfsense

                        ; <<>> DiG 9.8.3-P1 <<>> pfsense
                        ;; global options: +cmd
                        ;; Got answer:
                        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15215
                        ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

                        ;; QUESTION SECTION:
                        ;pfsense. IN A

                        ;; ANSWER SECTION:
                        pfsense. 1 IN A 192.168.1.1

                        ;; Query time: 4 msec
                        ;; SERVER: 192.168.1.1#53(192.168.1.1)
                        ;; WHEN: Tue Feb 12 19:32:16 2013
                        ;; MSG SIZE  rcvd: 41

                        dig ds2411

                        ; <<>> DiG 9.8.3-P1 <<>> ds2411
                        ;; global options: +cmd
                        ;; Got answer:
                        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42009
                        ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

                        ;; QUESTION SECTION:
                        ;ds2411. IN A

                        ;; ANSWER SECTION:
                        ds2411. 1 IN A 192.168.1.254

                        ;; Query time: 4 msec
                        ;; SERVER: 192.168.1.1#53(192.168.1.1)
                        ;; WHEN: Tue Feb 12 19:32:41 2013
                        ;; MSG SIZE  rcvd: 40

                        I feel like an idiot for not catching that sooner, especially since I implement OpenDNS on many networks and I am not new to their service/software.

                        Well, at least it is resolved… (no pun intended)

                        • johnpoz LAYER 8 Global Moderator

                          Well, at least you figured out the issue..  So where does dnscrypt make a change that causes your Mac to use that vs. what is handed out via DHCP or what you set up in the network settings?

                          Did your resolv.conf point to 127.0.0.1?

                          • A Former User

                            @johnpoz:

                            Well, at least you figured out the issue..  So where does dnscrypt make a change that causes your Mac to use that vs. what is handed out via DHCP or what you set up in the network settings?

                            Did your resolv.conf point to 127.0.0.1?

                            I didn't check that since the issue was resolved, but I can confirm what it does show when I get back home.

                            dnscrypt has an option to use/force OpenDNS servers.  It points to itself (127.0.0.1) and then has the OpenDNS server within the dnscrypt program.

                            • A Former User

                              @johnpoz:

                              Well, at least you figured out the issue..  So where does dnscrypt make a change that causes your Mac to use that vs. what is handed out via DHCP or what you set up in the network settings?

                              Did your resolv.conf point to 127.0.0.1?

                              Looks normal; those values are being pulled from DHCP, I assume.  I didn't put them there.

                              Mac OS X Notice
                              This file is not used by the host name and address resolution
                              or the DNS query routing mechanisms used by most processes on
                              this Mac OS X system.
                              This file is automatically generated.

                              domain local.lan
                              nameserver 192.168.1.1

                              • johnpoz LAYER 8 Global Moderator

                                Curious what it was before, when you were using dnscrypt.

                                How was dnscrypt pointing the system to use 127.0.0.1?

                                • A Former User

                                  @johnpoz:

                                  Curious what it was before, when you were using dnscrypt.

                                  How was dnscrypt pointing the system to use 127.0.0.1?

                                  I am not using dnscrypt now; it is disabled (as of yesterday).

                                  dnscrypt was acting like a proxy, forcing itself to look at 127.0.0.1 for lookups.

                                  I used a program that did the same thing (a few years ago) on a Windows machine because the ISP was intercepting DNS lookups on port 53.  This program/proxy ran as a Windows service and I was able to force it to do DNS lookups on port 5353 (with the help of some people on a forum).  I had to make sure the computer DNS was set to 127.0.0.1 for it to work.

                                  http://www.delegate.org/delegate/

                                  • johnpoz LAYER 8 Global Moderator

                                    No, you're not understanding my point.

                                    I know what it was doing, but it was not intercepting anything, nor was it a proxy setting in your browser..  From a command line you were doing dig, and it pointed to loopback!

                                    Something in the OS settings told the system to use 127.0.0.1 vs. what you got from DHCP..  That could have been an edit to resolv.conf – or something else?  Like I said, I am not a big OS X user, so I don't know off the top of my head the ins and outs of the config files used to determine where DNS is sent..  But from resolv.conf it seems that there is something else - because it states the file is not used by most processes for DNS routing.

                                    I understand it was running a forwarder on your machine, listening on 127.0.0.1 and then sending any queries to OpenDNS..  What I don't understand is why, when you just did

                                    dig something

                                    that it went to loopback vs. what you got from DHCP, and what you saw in your network settings!

                                    Guess I can just install it on my OS X setup and see how it works.  I really don't see the point of dnscrypt, to be honest - you're just hiding your DNS queries from your ISP...  What, you don't think they see where you go after you look up the FQDN to an IP??  dnscrypt does not verify that records are correct like DNSSEC - it just verifies that you asked OpenDNS; they could be giving you crap for all you know.

                                    If you're worried about hiding traffic from your local network or ISP, then just use a VPN and hide all your traffic from your local network or ISP, etc.

                                    • A Former User

                                      @johnpoz:

                                      No, you're not understanding my point.

                                      I know what it was doing, but it was not intercepting anything, nor was it a proxy setting in your browser..  From a command line you were doing dig, and it pointed to loopback!

                                      Something in the OS settings told the system to use 127.0.0.1 vs. what you got from DHCP..  That could have been an edit to resolv.conf – or something else?  Like I said, I am not a big OS X user, so I don't know off the top of my head the ins and outs of the config files used to determine where DNS is sent..  But from resolv.conf it seems that there is something else - because it states the file is not used by most processes for DNS routing.

                                      I understand it was running a forwarder on your machine, listening on 127.0.0.1 and then sending any queries to OpenDNS..  What I don't understand is why, when you just did

                                      dig something

                                      that it went to loopback vs. what you got from DHCP, and what you saw in your network settings!

                                      Guess I can just install it on my OS X setup and see how it works.  I really don't see the point of dnscrypt, to be honest - you're just hiding your DNS queries from your ISP...  What, you don't think they see where you go after you look up the FQDN to an IP??  dnscrypt does not verify that records are correct like DNSSEC - it just verifies that you asked OpenDNS; they could be giving you crap for all you know.

                                      If you're worried about hiding traffic from your local network or ISP, then just use a VPN and hide all your traffic from your local network or ISP, etc.

                                      I am not worried about hiding my traffic.  The program forces your computer to use OpenDNS servers for lookups.  Rather than manually setting up the DNS servers, users who travel can run this program and not have to worry about manually changing their settings.  That way, no matter where they are, they are using OpenDNS for lookups.  Of course this might not always work if the network they are on has firewall rules for port 53 or blocks those types of apps.

                                      Using it at home was just a test; I simply forgot to turn it off after I saw what the program did.  I initially installed it when it was still in the beta stages.

                                      Anyway, it is resolved now and the program was doing what it was designed to do.

                                      • johnpoz LAYER 8 Global Moderator

                                        You do understand that you could just manually configure OpenDNS once; the DHCP client can be set up to not use the DNS offered in DHCP.

                                        Either way, you're right: if where they are at blocks outbound on 53 and forces you to use a local DNS, then neither method would work.

                                        • A Former User

                                          @johnpoz:

                                          You do understand that you could just manually configure OpenDNS once; the DHCP client can be set up to not use the DNS offered in DHCP.

                                          I understand that.  I was just testing the program to see what all it could do.

                                          • A Former User

                                            Not sure why I didn't notice/check this after I figured out what was causing the ping issues: I still can't access my NAS drive when on vlan10, even though I can ping the NAS and I am not using "local" in the host name (as per the text in the pfsense settings).

                                            Thoughts?

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.