Dns issue…? not sure
-
yeah that's your pfsense - and having it forward to OpenDNS is fine.. But the mac has to be able to ask pfsense if he wants to resolve ds2411.local.lan to 192.168.1.254
Need to see why your mac is not asking pfsense - he seems to be asking himself, which is then forwarded to OpenDNS. If it was forwarded to pfsense then it would resolve that ds2411 client vs pfsense forwarding to OpenDNS.
-
i know, and i stated that my mac was off.
i wanted to post these screens so there were no assumptions on the pfsense setup. that way we all know what we are looking at.
my DNS section looks the same as yours (pfsense IP on one side, local.lan on the other [both grayed out]).
thank you for your help, i will post the info you requested (of the mac) when i am able to.
edit- we know windows is fine, but here is the output of nslookup for ds2411
C:\>nslookup ds2411
Server:  pfsense.local.lan
Address:  192.168.1.1

Name:    ds2411.local.lan
Address:  192.168.1.254

operating as it should be… (which we know)
-
unbelievable, i figured out what it was. i am embarrassed to admit this, but i am going to swallow my pride.
i was running dnscrypt on my mac (free tool from openDNS), which is why it was always resolving to openDNS for lookups.
when it first came out, dnscrypt was only available for mac and i installed it to see how well it worked. i was using openDNS on the pfsense, but i was mobile with my mac and wanted to test the new software. apparently once i turned it on i forgot about it and never turned it off. i just turned it off…
dig pfsense

; <<>> DiG 9.8.3-P1 <<>> pfsense
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15215
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;pfsense.                       IN      A

;; ANSWER SECTION:
pfsense.                1       IN      A       192.168.1.1

;; Query time: 4 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Tue Feb 12 19:32:16 2013
;; MSG SIZE  rcvd: 41

dig ds2411

; <<>> DiG 9.8.3-P1 <<>> ds2411
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42009
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ds2411.                        IN      A

;; ANSWER SECTION:
ds2411.                 1       IN      A       192.168.1.254

;; Query time: 4 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Tue Feb 12 19:32:41 2013
;; MSG SIZE  rcvd: 40

i feel like an idiot for not catching that sooner, especially since i implement OpenDNS on many networks and i am not new to their service/software.
well, at least it is resolved…(no pun intended)
-
Well at least you figured out the issue.. So where does dnscrypt make a change that causes your mac to use that vs what is handed out via dhcp or what you set up in the network settings?
Did your resolv.conf point to 127.0.0.1?
-
i didn't check that since the issue was resolved, but i can confirm what it does show when i get back home.
dnscrypt has an option to use/force OpenDNS servers. it points to itself (127.0.0.1) and then has the OpenDNS server within the DNScrypt program.
-
looks normal, those values are being pulled from DHCP, i assume. i didn't put them there.

#
# Mac OS X Notice
#
# This file is not used by the host name and address resolution
# or the DNS query routing mechanisms used by most processes on
# this Mac OS X system.
#
# This file is automatically generated.
#
domain local.lan
nameserver 192.168.1.1
-
curious what it was before when you were using dnscrypt.
How was dnscrypt pointing the system to use 127.0.0.1?
-
i am not using dnscrypt now, it is disabled (as of yesterday).
dnscrypt was acting like a proxy, forcing itself to look at 127.0.0.1 for lookups.
i used a program that did the same thing (a few years ago) on a windows machine because the ISP was intercepting DNS lookups on port 53. this program/proxy ran as a windows service and i was able to force it to do DNS lookups on port 5353 (with the help of some people on a forum). i had to make sure the computer DNS was set to 127.0.0.1 for it to work.
http://www.delegate.org/delegate/
-
No, you're not understanding my point.
I know what it was doing, but it was not intercepting anything nor was it a proxy setting in your browser.. From a command line you were doing dig, and it pointed to loopback!
Something in the OS settings told the system to use 127.0.0.1 vs what you got from dhcp.. That could have been an edit to resolv.conf – or something else? Like I said I am not a big OS X user so I don't know off the top of my head the ins and outs of the config files used to determine where dns is sent.. But from resolv.conf it seems that there is something else - because it states the file is not used for most processes for dns routing.
I understand it was running a forwarder on your machine, and listening on 127.0.0.1 and then sending any queries to OpenDNS.. What I don't understand is why when you just did
dig something
it went to loopback vs what you got from dhcp, and what you saw in your network settings!
Guess I can just install it on my OS X setup and see how it works. I really don't see the point of dnscrypt to be honest - you're just hiding your dns queries from your isp... What, you don't think they see where you go after you look up the fqdn to an IP?? dnscrypt does not verify that records are correct like dnssec - it just verifies that you asked OpenDNS, they could be giving you crap for all you know.
If you're worried about hiding traffic from your local network or isp then just use a vpn and hide all your traffic from your local network or isp, etc.
-
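The question above (what made the Mac send `dig` queries to loopback instead of the DHCP-supplied server) is answered on a Mac by `scutil --dns`, not by /etc/resolv.conf. The script below is an added example and was not posted by anyone in the thread; it parses `scutil --dns` output and the `;; SERVER:` line of `dig` output to list the resolvers the host is really using, flags a loopback resolver (the footprint the thread describes for dnscrypt), and compares against the server DHCP handed out. The sample text embedded in it is constructed to mirror this thread's setup and is not real captured output.

```shell
#!/bin/sh
# Added example: which resolver is this Mac really using?
# On a real Mac, pipe live output instead of the samples:
#   scutil --dns | extract_nameservers
#   dig ds2411   | extract_dig_server
#   scutil --dns | check_against_expected 192.168.1.1

# Constructed sample of "scutil --dns" with a local forwarder (dnscrypt-style
# 127.0.0.1) configured in place of the DHCP-supplied 192.168.1.1.
SAMPLE_SCUTIL='DNS configuration

resolver #1
  search domain[0] : local.lan
  nameserver[0] : 127.0.0.1
  if_index : 4 (en0)
  flags    : Request A records
  reach    : 0x00030002 (Reachable,Local Address,Directly Reachable Address)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300000
'

# Constructed sample of the tail of a dig run, as in the thread's output.
SAMPLE_DIG=';; Query time: 4 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Tue Feb 12 19:32:41 2013
;; MSG SIZE  rcvd: 40
'

# Print every "nameserver[N] : addr" address from scutil --dns (stdin), one per line.
extract_nameservers() {
    awk '$1 ~ /^nameserver\[[0-9]+\]$/ { print $3 }'
}

# Print the server:port that dig actually got its answer from (";; SERVER:" line).
extract_dig_server() {
    awk '$1 == ";;" && $2 == "SERVER:" { sub(/\(.*/, "", $3); print $3 }'
}

# Exit 0 if any configured resolver is a loopback address (127/8 or ::1):
# that means a local forwarder such as dnscrypt is in the query path.
uses_loopback_resolver() {
    extract_nameservers | grep -Eq '^(127\.|::1$)'
}

# Compare each configured resolver with the one DHCP handed out ($1).
# Prints "OK addr" or "MISMATCH addr" per resolver.
check_against_expected() {
    extract_nameservers | awk -v want="$1" \
        '{ if ($1 == want) print "OK " $1; else print "MISMATCH " $1 }'
}

# Demo on the constructed samples.
printf '%s' "$SAMPLE_SCUTIL" | check_against_expected 192.168.1.1
if printf '%s' "$SAMPLE_SCUTIL" | uses_loopback_resolver; then
    echo "loopback resolver configured: a local forwarder is answering first"
fi
printf 'dig answered from: %s\n' "$(printf '%s' "$SAMPLE_DIG" | extract_dig_server)"
```

On a real Mac the `scutil --dns` view is the one that counts, which is why /etc/resolv.conf carries the notice that most processes do not use it; `networksetup -getdnsservers <service>` additionally shows whether a tool wrote static servers over the DHCP-supplied ones (it reports that no DNS servers are set when DHCP's are in use). A `MISMATCH 127.0.0.1` line is exactly the condition described in this thread.
-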
i am not worried about hiding my traffic. the program forces your computer to use OpenDNS servers for lookups. rather than manually setting up the DNS servers, users who travel can run this program and not have to worry about manually changing their settings. that way, no matter where they are, they are using OpenDNS for lookups. of course this might not always work if the network they are on has firewall rules for port 53 or blocks those types of apps.
using it at home was just a test, i simply forgot to turn it off after i saw what the program did. i initially installed it when it was still in the beta stages.
anyway, it is resolved now and the program was doing what it was designed to do.
-
You do understand that you could just manually configure OpenDNS once; the dhcp client can be set up to not use the dns offered in dhcp.
Either way you're right, if where they are blocks outbound on 53 and forces you to use a local dns then neither method would work.
-
i understand that. i was just testing the program to see what all it could do.
-
not sure why i didn't notice/check this after i figured out what was causing the ping issues, i still can't access my NAS drive when on vlan10 even though i can ping the NAS and i am not using local in the host name (as per the text in the pfsense settings).
thoughts?