Netgate Discussion Forum
    PfSense blocking nameservers on Virtualmin?

    48 Posts 3 Posters 12.6k Views
    eiger3970

      There might be a default firewall running on the webserver, however before pfSense was installed, the website showed, so the only difference is pfSense added, not turning on (or off) any firewall on the webserver.

      Windows was on the wrong network, so that was another issue…I've fixed that now so Windows is on the same network.

      Yes, I'm replacing the real website with domain.tld.

      Here's the iptables --list output from the webserver 192.168.1.163

      
      # iptables --list
      Chain INPUT (policy ACCEPT)
      target     prot opt source               destination         
      ACCEPT     udp  --  anywhere             anywhere            udp dpt:ftp-data 
      ACCEPT     udp  --  anywhere             anywhere            udp dpt:ftp 
      ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain 
      ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:dnp 
      ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ndmp 
      ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https 
      ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http 
      ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imaps 
      ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imap 
      ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3s 
      ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3 
      ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp-data 
      ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp 
      ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain 
      ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:submission 
      ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp 
      ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh 
      ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
      ACCEPT     icmp --  anywhere             anywhere            
      ACCEPT     all  --  anywhere             anywhere            
      ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh 
      REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 
      
      Chain FORWARD (policy ACCEPT)
      target     prot opt source               destination         
      REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 
      
      Chain OUTPUT (policy ACCEPT)
      target     prot opt source               destination
      
      
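The rule walk the poster is doing by eye, as an added example that is not part of the original post: a small Python script that parses a saved iptables --list INPUT chain (the constructed text below is a trimmed copy of the output posted above, with a tiny service-name table standing in for /etc/services so it runs offline) and reports which rule first decides an inbound packet. It also flags rules that can never fire because an earlier rule accepts everything, which is what the posted chain looks like when read literally.

```python
"""Walk an `iptables --list` INPUT chain and say which rule decides a packet.

Added example, not from the forum post.  INPUT_CHAIN is a constructed,
trimmed copy of the chain posted above; SERVICES is a stand-in for
/etc/services so the script runs offline.
"""
import re

INPUT_CHAIN = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
"""

# Assumption: minimal service-name table instead of reading /etc/services.
SERVICES = {"domain": 53, "http": 80, "https": 443, "ssh": 22}


def parse_chain(text):
    """Return (policy, rules); each rule is a dict with target, proto,
    dport (int or None) and state (set of conntrack states or None)."""
    lines = text.strip().splitlines()
    policy = re.match(r"Chain \S+ \(policy (\w+)\)", lines[0]).group(1)
    rules = []
    for line in lines[2:]:                      # skip chain and column headers
        parts = line.split()
        dport = None
        m = re.search(r"dpt:(\S+)", line)
        if m:
            name = m.group(1)
            dport = int(name) if name.isdigit() else SERVICES[name]
        m = re.search(r"state (\S+)", line)
        state = set(m.group(1).split(",")) if m else None
        rules.append({"target": parts[0], "proto": parts[1],
                      "dport": dport, "state": state})
    return policy, rules


def first_match(rules, policy, proto, dport, state="NEW"):
    """(index, target) of the first rule matching an inbound packet, or
    (None, policy) when the chain falls through to its default policy."""
    for i, r in enumerate(rules):
        if r["proto"] not in ("all", proto):
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        if r["state"] is not None and state not in r["state"]:
            continue
        return i, r["target"]
    return None, policy


def dead_rules(rules):
    """Indices of rules shadowed by an earlier 'ACCEPT all' that carries no
    port or state match.  `iptables --list` hides interface matches, so an
    '-i lo' rule looks unconditional here; confirm with -v before trusting it."""
    for i, r in enumerate(rules):
        if (r["target"] == "ACCEPT" and r["proto"] == "all"
                and r["dport"] is None and r["state"] is None):
            return list(range(i + 1, len(rules)))
    return []


if __name__ == "__main__":
    policy, rules = parse_chain(INPUT_CHAIN)
    for proto in ("udp", "tcp"):
        idx, verdict = first_match(rules, policy, proto, 53)
        print(f"{proto}/53 -> rule {idx}: {verdict}")        # both ACCEPT
    print("rules that can never fire:", dead_rules(rules))  # [8, 9]
```

Both udp/53 and tcp/53 hit an ACCEPT before anything else, which matches the poster's reading. The caveat is the bare "ACCEPT all anywhere anywhere" rule: iptables --list omits interface matches, so it is probably the usual loopback rule rather than a hole; run "iptables -L INPUT -v -n --line-numbers" on the box to see the interface column before concluding that the final REJECT is dead or that the host firewall is wide open.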
      eiger3970

        So I researched, and the iptables rules listed above seem to indicate that DNS packets on port 53 are not blocked.
        This would indicate pfSense is blocking then, I think?

        johnpoz (LAYER 8 Global Moderator)

          Well, unless you changed something again, pfSense was forwarding DNS to your .163 box, but no answers were coming back.

          What version of BIND are you running? I don't see any allow statement for queries.

          I see this

          zone "domain.tld" {
                  type master;
                  file "/var/named/domain.tld.hosts";
                  allow-transfer {
                          127.0.0.1;
                          localnets;
                  };
          };

          But there should be an allow-query statement like this:

          allow-query {
                  any;
          };

          Or there should be an ACL set up. And given that you allow recursion, if you do get it working your DNS will be used in an attack fairly quickly.

          Please email me with a time to TV back in and we will put this to bed.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

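The allow-query and recursion discussion above, as an added example (not code from the thread, from BIND or from Virtualmin): a Python linter for named.conf fragments that reports an open recursive resolver and unrestricted zone transfers. The WEAK fragment reuses the zone block posted above and adds an assumed options block with allow-query { any; } and recursion left at its default; the HARDENED fragment is the corrected form with recursion off and transfers limited to the hosts the zone already allowed. The checks run over every zone in the file, not just the one posted.

```python
"""Lint named.conf fragments for open recursion and unrestricted transfers.

Added example, not code from the thread, BIND or Virtualmin.  WEAK reuses
the zone block posted above plus an assumed options block; HARDENED is the
corrected form.  Defaults encoded below follow the BIND 9 ARM (9.4 and later).
"""
import re

WEAK = """\
options {
        directory "/var/named";
        allow-query { any; };
        // recursion not set: BIND defaults it to yes
};
zone "domain.tld" {
        type master;
        file "/var/named/domain.tld.hosts";
        allow-transfer {
                127.0.0.1;
                localnets;
        };
};
"""

HARDENED = """\
options {
        directory "/var/named";
        recursion no;                 // authoritative only, never resolve for others
        allow-query { any; };         // anyone may ask about our zones
        allow-transfer { none; };     // zones opt in below
};
zone "domain.tld" {
        type master;
        file "/var/named/domain.tld.hosts";
        allow-transfer { 127.0.0.1; localnets; };
};
"""

TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};]+')


def parse(text):
    """Parse named.conf syntax into [(words, children)]; children is None
    for 'word word;' and a nested list for 'word { ... };'."""
    toks = TOKEN.findall(re.sub(r"//.*|#.*", "", text))
    pos = 0

    def block():
        nonlocal pos
        stmts = []
        while pos < len(toks) and toks[pos] != "}":
            words = []
            while toks[pos] not in ("{", ";"):
                words.append(toks[pos].strip('"'))
                pos += 1
            children = None
            if toks[pos] == "{":
                pos += 1
                children = block()
                pos += 1                      # consume '}'
            pos += 1                          # consume ';'
            stmts.append((words, children))
        return stmts

    return block()


def find(stmts, name):
    """(words, children) of the first statement whose keyword is name,
    or (None, None) when absent."""
    for words, children in stmts:
        if words and words[0] == name:
            return words, children
    return None, None


def acl(children):
    """Flatten an address-match list block such as { 127.0.0.1; any; }."""
    return [w[0] for w, _ in children] if children else []


def audit(text):
    findings = []
    top = parse(text)
    options = find(top, "options")[1] or []
    rec_words = find(options, "recursion")[0]
    recursion = rec_words[1] if rec_words else "yes"          # BIND default
    # ARM: allow-recursion falls back to allow-query-cache, then allow-query,
    # then to { localnets; localhost; }.  So a bare allow-query { any; }
    # with recursion left on makes an open resolver.
    rec_acl = None
    for opt in ("allow-recursion", "allow-query-cache", "allow-query"):
        children = find(options, opt)[1]
        if children is not None:
            rec_acl = acl(children)
            break
    if rec_acl is None:
        rec_acl = ["localnets", "localhost"]
    zones = [(w, c) for w, c in top if w and w[0] == "zone"]
    if recursion == "yes" and "any" in rec_acl:
        findings.append(f"open resolver: recursion on, effective allow-recursion {rec_acl}")
    if recursion == "yes" and zones:
        findings.append("authoritative zones served with recursion on; set 'recursion no;'")
    global_xfer = find(options, "allow-transfer")[1]
    for words, body in zones:
        xfer = find(body, "allow-transfer")[1]
        if xfer is None:
            xfer = global_xfer
        effective = acl(xfer) if xfer is not None else ["any"]   # BIND default: any
        if "any" in effective:
            findings.append(f"zone {words[1]}: allow-transfer permits any host")
    return findings


if __name__ == "__main__":
    for label, conf in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(label, audit(conf) or ["no findings"])
```

The point the linter makes concrete is that adding allow-query { any; } alone, as the post suggests, is not enough on a server whose recursion is still on: without an explicit allow-recursion, BIND reuses allow-query for recursion and the box becomes an open resolver. A public authoritative server wants recursion no; with allow-query any; and, if it must also resolve for the LAN, a separate view or instance for that.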
          eiger3970

            I haven't changed anything that would affect DNS packets through pfSense.

            The BIND DNS Server is BIND version 9.8.2.

            I'm not sure why there's no allow statement for queries, as this is the default setup the server creates, and it works without pfSense.

            It seems the default settings set up recursion, which is a flaw, as I certainly don't want to be a DDoS attacker or an unwilling victim of DDoS attacks.
            The recursion will need to be switched off.

            johnpoz (LAYER 8 Global Moderator)

              Why would you be running 9.8.2, not even .7, the latest in that line, which is approaching EOL anyway? You should be running the current 9.9; .5 is the current release, but it seems many Linux distros just backport security features vs. updating.


              johnpoz (LAYER 8 Global Moderator)

                "I haven't changed anything that would affect DNS packets through pfSense."

                Well, that is NOT true. For starters, you don't have pfSense in your DMZ anymore, so how is DNS even going to get to pfSense to forward?

                Dude, I really want to help you but this is becoming very frustrating!!! I get on and you don't even know I am there. I get on and you have F'd up your DNS forward by replacing your WAN address with *, and then you don't have pfSense in your DMZ anymore. That is a REQUIREMENT: the traffic you want to forward behind pfSense has to get to pfSense from the NAT you have running before it. So DMZ is the best option, which we set up before.

                Now you cannot even remember your Netgear login password.

                Dude, I want to put this to bed, but it's like pulling teeth with a pair of tweezers. This takes all of 2 seconds to set up, but every time I connect into your machine there are issues. Mouse doesn't work, on a box with triple NAT, you don't know your DNS box password, you don't know your modem/router password. You have changed everything we had already set up.

                If you would give me 5 whole minutes where I could actually access your devices this would be working bing bang zoom! But I am going to say this again!! You should not try to host your own DNS; you only have 1 IP, which is bad. You have an old version of BIND running with recursion on from the public net if we get the forward working, etc.

                Host your domains here https://www.cloudns.net/ you can get 3 domains FREE. There are plenty of places to host your domains; if you want I can host them for you. You clearly are not ready for providing services to the public net off your connection. And you have what, 1 Mbps up? That is going to crash and burn with 1 user ;)


                  doktornotor

                  @johnpoz:

                  Host your domains here https://www.cloudns.net/ you can get 3 domains FREE.. There are plenty of places to host your domains - if you want I can host them for you..

                  You can host 50 domains with HE. Master/slave/reverse.

                    johnpoz (LAYER 8 Global Moderator)

                     ^ Yup, there you go!! There is NO reason to try to host DNS off your box that you have no clue how to set up, with 1 public IP address and a 1 Mbps upload pipe. You're just asking for trouble and issues.


                      johnpoz (LAYER 8 Global Moderator)

                       OK, got an email from him that it is working. So I did a test and yes, it answers the query for the A record he gave me (www), but dude, this is BROKEN!! See my email:

                      ;; OPT PSEUDOSECTION:
                      ; EDNS: version: 0, flags:; udp: 4096
                      ;; QUESTION SECTION:
                      ;www.yourdomain.tld          IN      A

                      ;; ANSWER SECTION:
                      www.yourdomain.tld    38400  IN      A      192.0.2.67

                      ;; AUTHORITY SECTION:
                      yourdomain.tld.        38400  IN      NS      localhost.localdomain.

                      ;; ADDITIONAL SECTION:
                      localhost.localdomain.  86400  IN      A      127.0.0.1
                      localhost.localdomain.  86400  IN      AAAA    ::1

                      ;; Query time: 277 msec
                      ;; SERVER: 192.0.2.67#53(192.0.2.67)
                      ;; WHEN: Tue Mar 11 10:51:19 CDT 2014
                      ;; MSG SIZE  rcvd: 143

                       Clearly I have replaced his domain and the IP returned with the documentation network 192.0.2.0/24, but that is what it returns for the NS and the IPs for the NS.


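The dig output above, checked programmatically as an added example that is not from the original post: the authority section names localhost.localdomain as the only nameserver and the glue points at 127.0.0.1 and ::1, so any resolver that follows the delegation ends up querying itself. The script below parses a constructed copy of that output, plus an assumed second answer that delegates to ns2.he.net and ns3.he.net (the HE nameservers mentioned later in the thread), and reports NS records whose names or glue addresses cannot be reached from the Internet.

```python
"""Sanity-check the delegation an authoritative server hands out.

Added example, not from the original post.  BROKEN is a constructed copy of
the dig output above; GOOD is an assumed answer delegating to HE nameservers.
"""
import ipaddress

BROKEN = """\
;; QUESTION SECTION:
;www.yourdomain.tld.          IN      A

;; ANSWER SECTION:
www.yourdomain.tld.    38400  IN      A      192.0.2.67

;; AUTHORITY SECTION:
yourdomain.tld.        38400  IN      NS      localhost.localdomain.

;; ADDITIONAL SECTION:
localhost.localdomain.  86400  IN      A      127.0.0.1
localhost.localdomain.  86400  IN      AAAA    ::1
"""

GOOD = """\
;; ANSWER SECTION:
www.yourdomain.tld.    38400  IN      A      192.0.2.67

;; AUTHORITY SECTION:
yourdomain.tld.        38400  IN      NS      ns2.he.net.
yourdomain.tld.        38400  IN      NS      ns3.he.net.
"""


def parse_dig(text):
    """Map section name -> [(owner, rtype, rdata)], trailing dots removed.
    The ';'-prefixed QUESTION entry and comment lines are skipped."""
    sections, current = {}, None
    for line in text.splitlines():
        if line.startswith(";; ") and line.endswith(" SECTION:"):
            current = line[3:-len(" SECTION:")]
            sections[current] = []
        elif line and not line.startswith(";") and current is not None:
            owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
            sections[current].append((owner.rstrip("."), rtype, rdata.rstrip(".")))
    return sections


def check_delegation(text):
    """Problems that would stop the world from following this delegation."""
    s = parse_dig(text)
    problems = []
    ns_names = [rdata for _, t, rdata in s.get("AUTHORITY", []) if t == "NS"]
    if not ns_names:
        problems.append("no NS records in the AUTHORITY section")
    glue = {}
    for owner, t, rdata in s.get("ADDITIONAL", []):
        if t in ("A", "AAAA"):
            glue.setdefault(owner, []).append(ipaddress.ip_address(rdata))
    for ns in ns_names:
        if ns.split(".")[0] == "localhost" or ns.endswith(".localdomain"):
            problems.append(f"NS {ns}: placeholder host name, not a public nameserver")
        for ip in glue.get(ns, []):
            if ip.is_loopback or ip.is_private or ip.is_link_local:
                problems.append(f"NS {ns}: glue {ip} is unreachable from the Internet")
    return problems


if __name__ == "__main__":
    for label, text in (("BROKEN", BROKEN), ("GOOD", GOOD)):
        print(label, check_delegation(text) or ["delegation looks sane"])
```

Against a live server the same check is "dig @server yourdomain.tld NS +norecurse", compared with the NS set the registrar publishes for the domain; the two must agree, and none of the names may be a hostname that only means something on the box itself.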
                        doktornotor

                         Hmmm… Lulz, that's pure men's DNS: run your own on localhost if you want to resolve my domain. ;D I too would strongly suggest the guy should NOT run any public-facing DNS.

                          eiger3970

                          Okay, so the website isn't working again.

                          I couldn't access the modem and the restore restored an old password I don't know. I factory reset the modem and setup a new password so access to modem works.
                          Modem has DMZ through to pfSense's WAN port.

                           The pfSense NAT port forward automatically sets up the WAN and LAN ports as *, rather than the specific WAN IP of pfSense to the LAN IP of the webserver?

                           The 50 DNS hosts look good; however, I set up 1 domain to test how it goes, and the site doesn't show the name server settings needed for my webserver? The free DNS did show the nameserver settings initially, but I was going through the setup stages of my domain, so I expected the nameserver settings at the end of the process, which aren't anywhere to be found now, so I haven't recorded, and don't know, the nameservers.

                           Also, I go to http://he.net/ > Information > Customer Login > enter my username and password (I actually have an old account here) and get the error: No record matched username.
                           There's no password retrieval, but I could log in before at https://dns.he.net/

                           Anyway, it's not working again with the same DNS on my webserver, as https://dns.he.net won't work. Ports seem to be forwarded and DMZed.

                            johnpoz (LAYER 8 Global Moderator)

                             Well, if you reset the modem and it no longer works, then you didn't set up the DMZ correctly. Unless you had messed with the forwards I fixed on pfSense.

                             "pfSense NAT port forward automatically sets up WAN and LAN ports as *, rather than the specific WAN IP of pfSense to LAN IP of webserver?"

                             Sorry, but NO it does not.

                             Here, let's look: click to add a new NAT. What does it show there for destination? You had that set to ANY or *. That is not going to work!

                             Because you forgot your password, he.net won't work? Did you think to contact them?

                             "please contact Support support@he.net and request a password."

                             As to the other possible issue: did your IP happen to change on reset of your modem? If your public IP changed then you have to update your registrar to point to your new public IP, which could take, what, days depending on the registrar. You really should not be hosting your own DNS, PERIOD!!


                              eiger3970

                               I think the modem works, as I have indeed set up the DMZ to 192.168.0.2 (pfSense's WAN IP).

                               pfSense > Firewall > NAT > DNS does automatically set up the Destination as Type: WAN address.

                               The current setup is pfSense > Firewall > NAT > DNS > Destination > Type: WAN address.
                               However, it's still not working.

                                johnpoz (LAYER 8 Global Moderator)

                                 See my edit. Did your public IP change? You are on now; email me your TV info and I will jump on.


                                  johnpoz (LAYER 8 Global Moderator)

                                   So I TV in: NO DMZ that I could see, and he cannot log into his modem yet again because he cannot remember the correct password.

                                   Sorry dude, I am done. I cannot deal with such nonsense any longer.


                                    eiger3970

                                     So, I have factory reset the modem again and I can log in to the modem with the default username and password when it is connected to the local computer.
                                    I connect modem back into pfSense and my computer can access Internet and the modem, however the default username and password are rejected.

                                    I am still researching why the modem won't accept the default username and password when connected to pfSense.

                                      doktornotor

                                      @eiger3970:

                                      The 50 DNS hosts looks good however I setup 1 domain to test how it goes, and the site doesn't show the name server settings needed for my webserver?

                                      I have absolutely no clue WTH you mean there.

                                      You may use this interface to maintain your own domains. Simply click on the 'Add a new domain' option from the left hand 'Zone Functions' menu and enter the domain name in the form when prompted. You may need to change the nameservers that are authoritative for the domain. You would do this at your registrar.
                                      Change your nameservers to:
                                      ns5.he.net
                                      ns4.he.net
                                      ns3.he.net
                                      ns2.he.net

                                      Are you actually reading some instructions, or just blindly messing with things you have no clue about?

                                        eiger3970

                                        Thank you for providing the name servers.
                                        Unfortunately, the name server settings are not easy to find.
                                        I remember seeing your mentioned name server settings through the steps of setting up the 1st domain, however I expected the settings to be provided at the end of the setup process.
                                         Unfortunately, the settings weren't provided at the end of the setup process, so I clicked 'back' several times to see the previous setup step with your mentioned name server settings, but they were no longer shown.

                                         I checked your website and the Free DNS link and the settings aren't there either, so basically the navigation path to the settings could be improved for more user-friendly navigation.

                                          doktornotor

                                          @eiger3970:

                                          Thank you for providing the name servers.
                                          Unfortunately, the name server settings are not easy to find.
                                          I checked your website and the Free DNS link and the settings aren't there either

                                          Oh really? This is what is shown directly after logon… I'd frankly call that damn impossible to miss!

                                            eiger3970

                                            Yes, that looks very clear.
                                            However the issue is navigating to find that specific nameserver information.

                                             I just logged in, as your example looks very easy to see the information after login; however, this doesn't appear for me when I log in.

                                             Anyway, the issues are:
                                             1. Fix pfSense to allow DNS packets through port 53.
                                             2. Get the modem to accept its default username and password, which work when it is connected to this local computer; when connected to pfSense, I can reach the modem from this local computer through pfSense, but the default username and password won't work.
                                             3. Fix my DNS settings.
                                             4. Use your DNS settings if I can't get mine to work.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.