Netgate Discussion Forum

    PfSense blocking nameservers on Virtualmin?

    48 Posts 3 Posters 13.2k Views
    • johnpozJ
      johnpoz LAYER 8 Global Moderator

      So why would a dns server running bind not point to itself for dns?  Does bind not allow recursion?  Why would you not point it to pfsense if that is the case - how are you going to resolve your own local domain pointing to 8.8.8.8?

      So can you query your bind server and resolve your domain now?  Because I couldn't last time I was on your network.  So let's see your query - because if that works then it will work from the outside since pfsense port forwards are set up, and we saw the traffic being sent to your .163 address via the sniff on pfsense lan remember.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      • E
        eiger3970

        I'm getting a bit confused with all the settings now with pfSense router and Proxmox server with Virtualmin (and Virtualmin running off CentOS (CentOS then having its own DNS settings)).

        So I changed the CentOS DNS from 192.168.1.180 to 8.8.8.8 and now to 192.168.1.155.

        Website still not showing.

        • johnpozJ
          johnpoz LAYER 8 Global Moderator

          ARGGH dude what that box uses for dns has NOTHING to do with your issue.

          You're running BIND as you stated, this hosts up your domain.tld, this is not answering a simple query from a computer on the same network as it.

          Say 192.168.1.162 – so how does pfsense have anything to do with it?

          So my local domain is local.lan -- if I ask my dns server for a simple A record, let's call it my printer I call brother.local.lan

          C:\>nslookup
          Default Server:  pfsense.local.lan
          Address:  192.168.1.253

          > brother.local.lan
          Server:  pfsense.local.lan         
          Address:  192.168.1.253

          Name:    brother.local.lan         
          Address:  192.168.2.50

          See how I get a response..  So on your network.. Do a simple nslookup for a record that should be there say www.yourdomain.tld

          Do you get a response??  If NOT then nothing you do on pfsense or the rest of your network is going to fix that.. That is a problem with BIND running on your host, is it even running?  Have you looked in its log?  Does this centos box have a local host firewall? etc.. etc..

          You need to fix that before we have to worry about people on the internet being able to resolve www.yourdomain.tld.

          See attached - I am on my workstation on the 192.168.1.0/24 network, my dns (pfsense in this case) has a record for all my local devices in the local.lan domain.  If I query it for a record - it answers.  Let's see this from your workstation doing a query to your .163 server running bind.  You can change the host you query via server command in nslookup.  So make sure you change server to your .163 address and do a query for records you created in yourdomain.

          Let us see these queries!!  Then if not working from the internet I will be happy to TV in again and take a look at your forwards.  But they were working last time I was in.

          If you're using dig, you can do the same sort of command with @serverIP fqdn

          C:\>dig @4.2.2.2 www.pfsense.org

          ; <<>> DiG 9.9.5-W1 <<>> @4.2.2.2 www.pfsense.org                   
          ; (1 server found)                                                   
          ;; global options: +cmd                                             
          ;; Got answer:                                                       
          ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56986           
          ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

          ;; OPT PSEUDOSECTION:                                               
          ; EDNS: version: 0, flags:; udp: 4096                               
          ;; QUESTION SECTION:                                                 
          ;www.pfsense.org.              IN      A

          ;; ANSWER SECTION:                                                   
          www.pfsense.org.        1800    IN      A      192.207.126.26

          ;; Query time: 221 msec                                             
          ;; SERVER: 4.2.2.2#53(4.2.2.2)                                       
          ;; WHEN: Wed Feb 26 07:54:13 Central Standard Time 2014             
          ;; MSG SIZE  rcvd: 60

          simplequery.png
          changeserver.png

          • E
            eiger3970

            Yes, I have checked that the BIND server is running.

            Here are the results:

            
            192.168.1.120 > Terminal > nslookup www.domain.tld
            Server:		8.8.8.8
            Address:	8.8.8.8#53
            ** server can't find www.domain.tld: SERVFAIL
            
            192.168.1.120 > Terminal > dig www.domain.tld
            ; <<>> DiG 9.9.3-rpz2+rl.13214.22-P2-Ubuntu-1:9.9.3.dfsg.P2-4ubuntu1.1 <<>> www.domain.tld
            ;; global options: +cmd
            ;; Got answer:
            ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 63678
            ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
            
            ;; OPT PSEUDOSECTION:
            ; EDNS: version: 0, flags:; udp: 512
            ;; QUESTION SECTION:
            ;www.domain.tld.		IN	A
            
            ;; Query time: 3177 msec
            ;; SERVER: 8.8.8.8#53(8.8.8.8)
            ;; WHEN: Sat Mar 01 15:37:10 EST 2014
            ;; MSG SIZE  rcvd: 48
            
            192.168.1.163 > Terminal > nslookup www.sk8parks.org.au
            Server:		192.168.1.155
            Address:	192.168.1.155#53
            ** server can't find www.domain.tld: NXDOMAIN
            
            192.168.1.163 > Terminal > dig www.domain.tld
            ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> www.domain.tld
            ;; global options: +cmd
            ;; Got answer:
            ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 52297
            ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
            
            ;; QUESTION SECTION:
            ;www.domain.tld.		IN	A
            
            ;; Query time: 3192 msec
            ;; SERVER: 192.168.1.155#53(192.168.1.155)
            ;; WHEN: Sat Mar  1 15:41:56 2014
            ;; MSG SIZE  rcvd: 37
            
            
            • johnpozJ
              johnpoz LAYER 8 Global Moderator

              ARRRGGHHHH!!!!!

              Query your freaking bind server and does it return an answer??

              How hard is that to understand – I have stated like a million times already.  You query google and pfsense..  WTF?? From the DNS box itself even??

              Neither of those are going to work - because your BIND server is Not Answering!!

              dig @192.168.1.163 www.sk8parks.org.au

              or nslookup

              server 192.168.1.163
              www.sk8parks.org.au

              If your BIND server does not respond, since that is where you point to for this sk8parks.org.au then no other dns server on the planet is going to resolve sk8parks.org.au..  And that has nothing to do with a port forwarding or pfsense.

              • E
                eiger3970

                Thank you for the clarification.
                I think the results are showing that from my computer 192.168.1.120, I can connect to BIND.

                
                192.168.1.120 ~ $ dig @192.168.1.163 www.domain.tld
                
                ; <<>> DiG 9.9.3-rpz2+rl.13214.22-P2-Ubuntu-1:9.9.3.dfsg.P2-4ubuntu1.1 <<>> @192.168.1.163 www.domain.tld
                ; (1 server found)
                ;; global options: +cmd
                ;; Got answer:
                ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31480
                ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3
                
                ;; OPT PSEUDOSECTION:
                ; EDNS: version: 0, flags:; udp: 4096
                ;; QUESTION SECTION:
                ;www.domain.tld.		IN	A
                
                ;; ANSWER SECTION:
                www.domain.tld.	38400	IN	A	xxx.xxx.xxx.xx
                
                ;; AUTHORITY SECTION:
                domain.tld.	38400	IN	NS	localhost.localdomain.
                
                ;; ADDITIONAL SECTION:
                localhost.localdomain.	86400	IN	A	127.0.0.1
                localhost.localdomain.	86400	IN	AAAA	::1
                
                ;; Query time: 3 msec
                ;; SERVER: 192.168.1.163#53(192.168.1.163)
                ;; WHEN: Mon Mar 03 10:02:26 EST 2014
                ;; MSG SIZE  rcvd: 143
                
                192.168.1.120 ~ $ nslookup
                > server 192.168.1.163
                Default server: 192.168.1.163
                Address: 192.168.1.163#53
                > www.domain.tld
                Server:		192.168.1.163
                Address:	192.168.1.163#53
                
                Name:	www.domain.tld
                Address: xxx.xxx.xxx.xx
                
                
                • johnpozJ
                  johnpoz LAYER 8 Global Moderator

                  And what is your bind config?

                  Because I can understand why you would change out the IP address of your record, but that states your Nameserver is 127.0.0.1 localhost.localdomain?

                  And why was I not able to query it when I was teamviewered in and on your windows box.  Does your bind config not allow answer to network outside of 192.168.1.0/24?

                  Please post your bind config.

                  should be named.conf.

                  • E
                    eiger3970

                    Ok, here's the BIND configuration on the webserver.

                    
                    //
                    // named.conf
                    //
                    // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
                    // server as a caching only nameserver (as a localhost DNS resolver only).
                    //
                    // See /usr/share/doc/bind*/sample/ for example named configuration files.
                    //
                    
                    options {
                            listen-on port 53 {
                                    any;
                                    };
                            listen-on-v6 port 53 {
                                    any;
                                    };
                            directory       "/var/named";
                            dump-file       "/var/named/data/cache_dump.db";
                            statistics-file "/var/named/data/named_stats.txt";
                            memstatistics-file "/var/named/data/named_mem_stats.txt";
                            recursion yes;
                    
                            dnssec-enable yes;
                            dnssec-validation yes;
                            dnssec-lookaside auto;
                    
                            /* Path to ISC DLV key */
                            bindkeys-file "/etc/named.iscdlv.key";
                    
                            managed-keys-directory "/var/named/dynamic";
                    };
                    
                    logging {
                            channel default_debug {
                                    file "data/named.run";
                                    severity dynamic;
                            };
                    };
                    
                    zone "." IN {
                            type hint;
                            file "named.ca";
                    };
                    
                    include "/etc/named.rfc1912.zones";
                    include "/etc/named.root.key";
                    
                    zone "domain.tld" {
                            type master;
                            file "/var/named/domain.tld.hosts";
                            allow-transfer {
                                    127.0.0.1;
                                    localnets;
                                    };
                            };
                    
                    

                    I think you weren't able to query the BIND server when in the Windows OS, as the Windows OS was on a network of 10.0.0.1, being different from BIND server's network 192.168.1.0/24.

                    I tested if the pfSense firewall is blocking port 53 with the following results:

                    
                    192.168.1.163# lsof -ni tcp:53
                    COMMAND  PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
                    named   1300 named   20u  IPv6   9350      0t0  TCP *:domain (LISTEN)
                    named   1300 named   21u  IPv4   9355      0t0  TCP 127.0.0.1:domain (LISTEN)
                    named   1300 named   25u  IPv4  10525      0t0  TCP 192.168.1.163:domain (LISTEN)
                    
                    192.168.1.163# netstat -nat | grep :53
                    tcp        0      0 192.168.1.163:53            0.0.0.0:*                   LISTEN      
                    tcp        0      0 127.0.0.1:53                0.0.0.0:*                   LISTEN      
                    tcp        0      0 :::53                       :::*                        LISTEN
                    
                    192.168.1.120# lsof -ni tcp:53
                    
                    192.168.1.120# netstat -nat | grep :53
                    
                    

                    If I understand the results, then my LAN computer 192.168.1.120 can't get through pfSense 192.168.1.155 to the webserver 192.168.1.163's DNS port 53.

                    pfSense does have port 53 forwarded to 192.168.1.163.

                    I didn't know the Windows OS was on a different network…this must have happened by default with the Virtual Machine's bridge setting.
                    I am trying to fix this.

                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator

                      And do you have a firewall running on this server..  You must because that explains the problem.  Windows was pinging the IP, so should have worked unless firewall on the .163 box blocking?

                      As to .120 can't get through - what???  You queried and got an answer..  And .120 does NOT go through pfsense to get to .163 – they are on the same segment, pfsense is only used for on and off that 192.168.1.0/24 segment - boxes talking to each other on that network could give a shit if pfsense was even on.

                      Let's be clear you are changing out domain.tld for your actual domain?

                      And you think you did what with that netstat and lsof command?  That has Nothing to do with what pfsense is or isn't doing, you're just showing if that box is listening on tcp 53..  What about UDP, most queries use UDP not TCP..  tcp would be used for zone transfers and large queries.

                      And once you get queries working, you have to fix your zone file - you cannot list localhost.localdomain as your NS with loopback as the IP and expect the zone to work ;)

                      Can you run

                      iptables --list

                      On the centos box, the .163 so we can see the firewall rules on it.  Prob have to be root to run it.

                      example

                      root@ubuntu:/# iptables --list
                      Chain INPUT (policy ACCEPT)
                      target    prot opt source              destination
                      sshguard  all  --  anywhere            anywhere

                      Chain FORWARD (policy ACCEPT)
                      target    prot opt source              destination

                      Chain OUTPUT (policy ACCEPT)
                      target    prot opt source              destination

                      Chain sshguard (1 references)
                      target    prot opt source              destination
                      root@ubuntu:/#

                      • E
                        eiger3970

                        There might be a default firewall running on the webserver, however before pfSense was installed, the website showed, so the only difference is pfSense added, not turning on (or off) any firewall on the webserver.

                        Windows was on the wrong network, so that was another issue…I've fixed that now so Windows is on the same network.

                        Yes, I'm changing the real website with domain.tld.

                        Here's the iptables --list from the webserver 192.168.1.163

                        
                        # iptables --list
                        Chain INPUT (policy ACCEPT)
                        target     prot opt source               destination         
                        ACCEPT     udp  --  anywhere             anywhere            udp dpt:ftp-data 
                        ACCEPT     udp  --  anywhere             anywhere            udp dpt:ftp 
                        ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain 
                        ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:dnp 
                        ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ndmp 
                        ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https 
                        ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http 
                        ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imaps 
                        ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imap 
                        ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3s 
                        ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3 
                        ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp-data 
                        ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp 
                        ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain 
                        ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:submission 
                        ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp 
                        ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh 
                        ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
                        ACCEPT     icmp --  anywhere             anywhere            
                        ACCEPT     all  --  anywhere             anywhere            
                        ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh 
                        REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 
                        
                        Chain FORWARD (policy ACCEPT)
                        target     prot opt source               destination         
                        REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 
                        
                        Chain OUTPUT (policy ACCEPT)
                        target     prot opt source               destination
                        
                        
                        • E
                          eiger3970

                          So I researched and the IP table listed above seems to indicate that DNS packets on port 53 are not blocked.
                          This would indicate pfSense blocking then I think?

                          • johnpozJ
                            johnpoz LAYER 8 Global Moderator

                            Well unless you changed something again pfsense was forwarding dns to your .163 box - but no answers were coming back..

                            What version of bind are you running?  I don't see any allow statement for queries

                            I see this

                            zone "domain.tld" {
                                    type master;
                                    file "/var/named/domain.tld.hosts";
                                    allow-transfer {
                                            127.0.0.1;
                                            localnets;
                                            };
                                    };

                            But there should be an allow query statement like this

                            allow-query {
                            any;
                            };

                            Or there should be an ACL set up - and the fact that you allow recursion - if you do get it working your dns will be used in an attack fairly quickly..

                            Please email with a time to TV back in and we will put this to bed

                            • E
                              eiger3970

                              I haven't changed anything that would affect DNS packets through pfSense.

                              The BIND DNS Server is BIND version 9.8.2.

                              I'm not sure why there's no allow statement for queries, as this is the default setup the server sets up and works without pfSense.

                              It seems the default settings set up recursion, which is a flaw, as I certainly don't want to be a DDoS attacker or an unwilling victim of DDoS attacks.
                              The recursion will need to be switched off.

                              • johnpozJ
                                johnpoz LAYER 8 Global Moderator

                                Why would you be running 9.8.2, not even .7 the latest in that line which is approaching EOL anyway.  You should be running the current 9.9, .5 is the current but seems many linux distros just backport security features vs updating.

                                • johnpozJ
                                  johnpoz LAYER 8 Global Moderator

                                  "I haven't changed anything that would affect DNS packets through pfSense."

                                  Well that is NOT True – for starters you don't have pfsense in your dmz anymore - so how is dns going to even get to pfsense to forward?

                                  Dude I really want to help you but this is becoming very frustrating!!! I get on and you don't even know I am there..  I get on and you have F'd up your dns forward by replacing your wan address with *, then you don't have pfsense in your DMZ anymore -- That is a REQUIREMENT that the traffic you want to forward behind pfsense gets to pfsense from the NAT you have running before it.  So dmz is best option, which we set up before.

                                  Now you cannot even remember your netgear login password.

                                  Dude I want to put this to bed - but it's like pulling teeth with a pair of tweezers..  This takes all of 2 seconds to set up, but every time I connect into your machine there are issues.  Mouse doesn't work, on a box with triple nat, don't know your dns box password.  You don't know your modem/router password.. You have changed everything we had already set up.

                                  If you would give me 5 whole minutes where I could actually access your devices this would be working bing bang zoom!  But I am going to say this again!!  You should not try and host your own dns -- you only have 1 IP which is bad..  You have old version of bind running with recursion on from the public net if we get the forward working, etc..

                                  Host your domains here https://www.cloudns.net/ you can get 3 domains FREE.. There are plenty of places to host your domains - if you want I can host them for you..  You clearly are not ready for providing services to the public net off your connection.. And you have what 1mbps up -- that is going to crash and burn with 1 user ;)

                                  • D
                                    doktornotor Banned

                                    @johnpoz:

                                    Host your domains here https://www.cloudns.net/ you can get 3 domains FREE.. There are plenty of places to host your domains - if you want I can host them for you..

                                    You can host 50 domains with HE. Master/slave/reverse.

                                    • johnpozJ
                                      johnpoz LAYER 8 Global Moderator

                                      ^ Yup there you go!!  There is NO reason to try and host dns off your box that you have no clue how to set up with 1 public IP address, and 1mbps upload pipe..  You're just asking for trouble and issues.

                                      • johnpozJ
                                        johnpoz LAYER 8 Global Moderator

                                        Ok - got email from him that it is working.. So did a test and yes it answers query for the A record he gave me www, but dude this BROKE!!  See my email

                                        ;; OPT PSEUDOSECTION:
                                        ; EDNS: version: 0, flags:; udp: 4096
                                        ;; QUESTION SECTION:
                                        ;www.yourdomain.tld          IN      A

                                        ;; ANSWER SECTION:
                                        www.yourdomain.tld    38400  IN      A      192.0.2.67

                                        ;; AUTHORITY SECTION:
                                        yourdomain.tld.        38400  IN      NS      localhost.localdomain.

                                        ;; ADDITIONAL SECTION:
                                        localhost.localdomain.  86400  IN      A      127.0.0.1
                                        localhost.localdomain.  86400  IN      AAAA    ::1

                                        ;; Query time: 277 msec
                                        ;; SERVER: 192.0.2.67#53(192.0.2.67)
                                        ;; WHEN: Tue Mar 11 10:51:19 CDT 2014
                                        ;; MSG SIZE  rcvd: 143

                                        Clearly I have replaced his domain and IP returned to documentation network 192.0.2.0/24  But that is what it returns for NS and IPs for NS.


                                        1 Reply Last reply Reply Quote 0
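
The two problems raised in this thread, recursion offered by the server that is authoritative for the zone and an NS record whose address is loopback, can both be read off a saved `dig` response. The following is an added example, not part of the original posts: the function names and finding labels are made up for illustration, and the sample responses are constructed from the output shown above with the documentation address 192.0.2.67 in place of the real A record.

```python
import ipaddress
import re

# Constructed samples modelled on the dig output posted in the thread.
# 192.0.2.67 is a documentation address standing in for the real A record.
AUTH_ANSWER = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31480
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.domain.tld.        IN  A

;; ANSWER SECTION:
www.domain.tld.  38400  IN  A  192.0.2.67

;; AUTHORITY SECTION:
domain.tld.  38400  IN  NS  localhost.localdomain.

;; ADDITIONAL SECTION:
localhost.localdomain.  86400  IN  A  127.0.0.1
localhost.localdomain.  86400  IN  AAAA  ::1

;; SERVER: 192.168.1.163#53(192.168.1.163)
"""

RESOLVER_FAILURE = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 63678
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;www.domain.tld.        IN  A

;; SERVER: 8.8.8.8#53(8.8.8.8)
"""

STATUS_RE = re.compile(r"status:\s*(\w+)")
FLAGS_RE = re.compile(r"^;; flags:\s*([a-z ]*);", re.M)
SECTION_RE = re.compile(r"^;; (\w+) SECTION:")


def parse_dig(text):
    """Extract status, header flags and resource records from dig output."""
    status = STATUS_RE.search(text)
    flags = FLAGS_RE.search(text)
    records, section = [], None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        # Comment lines (";...") and anything outside a section carry no records.
        if not line.strip() or line.startswith(";") or section is None:
            continue
        parts = line.split(None, 4)
        if len(parts) == 5 and parts[2] == "IN":
            name, _ttl, _cls, rtype, rdata = parts
            records.append((section, name.lower(), rtype, rdata))
    return {
        "status": status.group(1) if status else "UNKNOWN",
        "flags": set(flags.group(1).split()) if flags else set(),
        "records": records,
    }


def is_loopback(addr):
    """True for 127.0.0.0/8 or ::1; masked or malformed values count as False."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def audit(text):
    """Return a list of finding labels for one dig response."""
    parsed = parse_dig(text)
    if parsed["status"] != "NOERROR":
        return ["STATUS_" + parsed["status"]]
    findings = []
    # 'aa' + 'ra' together: the zone's own server also recurses for this client.
    # Seen from the internet, that is the open-resolver condition.
    if {"aa", "ra"} <= parsed["flags"]:
        findings.append("AUTH_SERVER_OFFERS_RECURSION")
    # Collect the addresses the response supplies for name server targets.
    glue = {}
    for section, name, rtype, rdata in parsed["records"]:
        if section == "ADDITIONAL" and rtype in ("A", "AAAA"):
            glue.setdefault(name, []).append(rdata)
    for _section, _name, rtype, rdata in parsed["records"]:
        if rtype != "NS":
            continue
        target = rdata.lower()
        if target.startswith("localhost.") or any(
            is_loopback(a) for a in glue.get(target, [])
        ):
            findings.append("NS_TARGET_IS_LOOPBACK:" + target)
    return findings


if __name__ == "__main__":
    print(audit(AUTH_ANSWER))
    print(audit(RESOLVER_FAILURE))
```

Run against a response captured from outside the LAN, the recursion finding is the one that matters; from inside, `ra` only shows that local clients are allowed to recurse.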
                                        • D
                                          doktornotor Banned

                                          Hmmm… Lulz, that's pure men's DNS, run your own on localhost  if you want to resolve my domain.  ;D I'd too strongly suggest the guy should NOT run any public-facing DNS.

                                          • E
                                            eiger3970

                                            Okay, so the website isn't working again.

                                            I couldn't access the modem and the restore restored an old password I don't know. I factory reset the modem and setup a new password so access to modem works.
                                            Modem has DMZ through to pfSense's WAN port.

                                            pfSense NAT port forward automatically sets up WAN and LAN ports as *, rather than the specific WAN IP of pfSense to LAN IP of webserver?

                                            The 50 DNS hosts looks good however I setup 1 domain to test how it goes, and the site doesn't show the name server settings needed for my webserver? The free DNS did show the nameserver settings initially, but I was going through the setup stages of my domain, so I expected the nameserver settings at the end of the process which aren't anywhere to be found now, so I haven't recorded or know the nameservers?

                                            Also, I go to http://he.net/ > Information > Customer Login > enter my username and password (I actually have an old account here) and error: No record matched username.
                                            There's no password retrieval, but I could login before at https://dns.he.net/

                                            Anyway, not working again with same DNS on my webserver as https://dns.he.net won't work. Ports seem to be forwarded and DMZed.
