Netgate Discussion Forum
    DNS requests issue

    DHCP and DNS
Layers

      Hello,

I've been trying out pfSense as a firewall/proxy for a short time now and thought it looked good.
pfSense itself, however, has been able to resolve names, but anything behind pfSense has not been able to do so.
(for example, I can go to Google using its IP, but not by browsing to google.com)

      I've tried disabling all firewalling by setting allow rules on both the LAN and WAN interfaces (normally not recommended), to ensure that the firewall is not blocking any requests.

      Here is my setup,

      192.168.0.1    - Our gateway to the internet and DNS server
      192.168.0.92  - pfSense WAN interface
      192.168.4.1    - pfSense LAN interface
      192.168.4.75  - Workstation

      I've tried using DNS forwarding but was unable to get it to work.

      Does anyone have any suggestions?

      If you need more information feel free to ask.

johnpoz, LAYER 8 Global Moderator

Where are you pointing your clients to for DNS?  DNS Forwarder is the common way to accomplish this.  But you're clearly behind another NAT.  pfSense should point to your 192.168.0.1 since you say that's your DNS.

Clients on the pfSense LAN should point to the pfSense LAN address 192.168.4.1 for DNS.  pfSense then asks 192.168.0.1, who then goes and asks whoever you set it up to ask.

Did you turn off blocking private IPs on the WAN, since your WAN in pfSense is clearly in private address space?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

Layers

          Thank you for your fast response.

I'm currently not blocking private addresses. My client is pointing to 192.168.0.1 for DNS. Changing this to pfSense did not fix the issue; however, since this is a test network for a bigger environment, there will be a nameserver on the LAN. Sorry for not mentioning this.

I have tried to configure DNS forwarding, however I was still unable to get pfSense to forward any requests.

johnpoz, LAYER 8 Global Moderator

Dude, this should work out of the box.. If your client cannot query 192.168.0.1 for DNS.. What are your LAN rules?

The default LAN rule is any any.. So you clearly should be able to query any DNS server past pfSense.

            example

            C:>dig @4.2.2.2 www.google.com

            ; <<>> DiG 9.10-P2 <<>> @4.2.2.2 www.google.com
            ; (1 server found)
            ;; global options: +cmd
            ;; Got answer:
            ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64299
            ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

            ;; OPT PSEUDOSECTION:
            ; EDNS: version: 0, flags:; udp: 4096
            ;; QUESTION SECTION:
            ;www.google.com.                        IN      A

            ;; ANSWER SECTION:
            www.google.com.        83      IN      A      74.125.225.49
            www.google.com.        83      IN      A      74.125.225.48
            www.google.com.        83      IN      A      74.125.225.52
            www.google.com.        83      IN      A      74.125.225.50
            www.google.com.        83      IN      A      74.125.225.51

            ;; Query time: 20 msec
            ;; SERVER: 4.2.2.2#53(4.2.2.2)
            ;; WHEN: Mon Jun 23 07:05:49 Central Daylight Time 2014
            ;; MSG SIZE  rcvd: 123

Are you blocking DNS in your LAN rules?  What are your current LAN rules?  Post them..  And your WAN rules should be default..  There is no reason to edit any rules on the WAN for DNS to work.

I would suggest you do a simple sniff to make sure the DNS query left pfSense to where you sent it..  If you don't get an answer then you have a connectivity issue, where whatever you're sending the query to doesn't answer your IP..  I have to assume you're NATting your LAN to your WAN pfSense IP.  This is the default out of the box setup.

Layers

Here are my firewall rules; I have not set any floating rules.
Please note that setting these rules is unsafe and is not encouraged.

              the screenshots of my firewall rules are here:
              http://i.imgur.com/R4erV1c.png
              http://i.imgur.com/cehbD36.png

              I have not changed any NAT settings because, as said, this should work out of the box.

              Connection issue would be weird because I can go to google based on the IP address, so I do know I have an internet connection.

johnpoz, LAYER 8 Global Moderator

Well, your rule on your LAN is the default any any rule..  Your WAN rule is BAD, and WRONG to do – the answers to pfSense or to clients doing a query will be allowed by state.  Remove that rule.  But a point about rules on your WAN..  You're behind a NAT, so those rules are pretty much useless unless you have put pfSense into the DMZ on the device in front of it - or have forwarded traffic to the pfSense WAN IP.

So do a simple sniff..  Do your queries even leave pfSense?  Do you see the answer?

example - hmm, not able to add images.  Let me add them remotely

here you can see details in Wireshark

Layers

After doing a packet capture I have determined that pfSense does receive the requests.

In order to see if pfSense actually forwards any requests I have replaced the router with a Wireshark-equipped client.
Wireshark did not capture any DNS-related packets; I think this means pfSense is not doing anything with the packets.

Which again is pretty confusing to me.

Thanks for showing the packet capture diagnostic, I didn't even know pfSense had it.

Packet capture:
                  http://imgur.com/mmLyzQ1

johnpoz, LAYER 8 Global Moderator

Where are you seeing the answer in that picture??  There are no responses to those queries..  Where is the capture on your WAN interface of pfSense showing the response??  Like in my picture?

I see DNS queries to 192.168.0.1 and 8.8.8.8 but no response; since the IP is your client's, you're not sniffing on the WAN of pfSense (192.168.0.92).


Layers
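The check johnpoz is asking for above (did the query leave the pfSense WAN, and did an answer come back?) can be automated over a text capture. The following is an added example, not code from the thread or from pfSense: it pairs DNS queries with their responses by transaction ID and port in tcpdump-style summary lines, and reports what went unanswered. The sample capture embedded in it is constructed for the example (addresses follow the thread's layout; the names, IDs and timestamps are invented), and the line format it parses is the one-line summary tcpdump prints for port 53 traffic.

```python
import re
from typing import NamedTuple, Optional

# Matches the one-line summary tcpdump prints for a DNS packet, e.g.
#   07:05:49.101 IP 192.168.0.92.54011 > 192.168.0.1.53: 64299+ A? www.google.com. (32)
#   07:05:49.121 IP 192.168.0.1.53 > 192.168.0.92.54011: 64299 5/0/0 A 74.125.225.49 (123)
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<txid>\d+)(?P<flags>[+*$|-]*) (?P<rest>.*)$"
)


class DnsRecord(NamedTuple):
    txid: int
    client: str       # the side that asked (the pfSense WAN address when captured there)
    client_port: int
    server: str
    is_query: bool
    qname: Optional[str]


def parse_line(line: str) -> Optional[DnsRecord]:
    """Turn one tcpdump summary line into a DnsRecord, or None if it is not DNS."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    d = m.groupdict()
    # A query summary carries the question type with a "?" (A?, AAAA?, ...);
    # a response summary carries the section counts instead (e.g. 5/0/0).
    if "?" in d["rest"]:
        qname = d["rest"].split("?", 1)[1].split()[0]
        return DnsRecord(int(d["txid"]), d["src"], int(d["sport"]), d["dst"], True, qname)
    return DnsRecord(int(d["txid"]), d["dst"], int(d["dport"]), d["src"], False, None)


def analyze(capture_text: str) -> dict:
    """Pair queries with responses by (txid, client, client port, server).

    Returns the answered and unanswered (server, name) pairs plus the number of
    retransmitted queries. An empty result means no DNS traffic crossed this
    interface at all; on the WAN side that points at the LAN rules, not upstream.
    """
    pending = {}          # flow key -> qname, for queries still waiting on an answer
    answered = set()
    retransmits = 0
    for line in capture_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec.txid, rec.client, rec.client_port, rec.server)
        if rec.is_query:
            if key in pending:
                retransmits += 1      # same txid and ports again: the client gave up waiting
            pending[key] = rec.qname
        elif key in pending:
            answered.add((rec.server, pending.pop(key)))
        # a response with no matching query (stale or spoofed) is ignored here
    unanswered = sorted({(k[3], name) for k, name in pending.items()})
    return {"answered": sorted(answered), "unanswered": unanswered, "retransmits": retransmits}


# Constructed sample, as "tcpdump -ni <wan> udp port 53" might print it on the WAN;
# addresses follow the thread's layout (pfSense WAN 192.168.0.92, upstream DNS 192.168.0.1).
SAMPLE_CAPTURE = """\
07:05:49.101 IP 192.168.0.92.54011 > 192.168.0.1.53: 64299+ A? www.google.com. (32)
07:05:49.121 IP 192.168.0.1.53 > 192.168.0.92.54011: 64299 5/0/0 A 74.125.225.49 (123)
07:05:50.300 IP 192.168.0.92.54012 > 8.8.8.8.53: 17+ A? example.com. (29)
07:05:55.300 IP 192.168.0.92.54012 > 8.8.8.8.53: 17+ A? example.com. (29)
"""

if __name__ == "__main__":
    print(analyze(SAMPLE_CAPTURE))
```

Read the three outcomes the way johnpoz does: a query with an answer means the path works; a query with only retransmits and no answer means the upstream (or the NAT in front of pfSense) is not replying to the WAN address; and a capture with no queries at all means the packets never made it through pfSense, so the problem is on the LAN side.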

I did sniff the WAN; there was no response. After this I checked if 192.168.0.1 would actually get a request, which it did not.

I did not include a picture of my WAN capture because it was empty, and no request was forwarded to 192.168.0.1 to return back to the WAN.

johnpoz, LAYER 8 Global Moderator

Your wording is what is confusing - saying there is no response would mean the query went out but there was no "response" to your query.  You say pfSense "does receive the requests".  I would take that to mean you saw the answer come back from the DNS server and hit the pfSense WAN.

Dude, your problem is that your firewall rule is NOT default or any any - it's TCP only..  DNS is mostly UDP, some TCP sure, with things like a zone transfer, etc.  But your LAN rule is only TCP..  This is not the default rule set, which is any any..  That is why nothing gets sent past pfSense for DNS.

You have UDP/TCP on the WAN - but again that rule is pointless.  So I didn't catch that it was only TCP on the LAN the first time..


Layers
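Why a TCP-only LAN rule breaks name resolution while browsing by IP still works is easy to see with a small model of the rule evaluation. This is an added example, not johnpoz's or pfSense's code: it models pfSense interface rules as first-match with an implicit default deny, and a stub resolver that sends over UDP first and retries over TCP only when the server answers with the TC (truncated) bit set. The 4096-byte UDP buffer is the EDNS size dig advertises; the third ruleset, which pins DNS to the upstream resolver only, goes beyond the thread and is an assumption of the example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    proto: str                   # "any", "tcp", "udp" or "tcp/udp"
    dst: str = "any"             # destination host, or "any"
    dport: Optional[int] = None  # destination port, None = any


@dataclass(frozen=True)
class Packet:
    proto: str
    dst: str
    dport: int


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto == "any" or pkt.proto in rule.proto.split("/"))
            and rule.dst in ("any", pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins (pfSense interface rules are 'quick');
    anything no pass rule matches is dropped by the implicit default deny."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "block"


# Three LAN rulesets to compare. The first mirrors the rule from the thread.
LAN_TCP_ONLY = [Rule("pass", "tcp")]
LAN_DEFAULT = [Rule("pass", "any")]                              # stock "Default allow LAN to any"
LAN_DNS_PINNED = [Rule("pass", "tcp/udp", "192.168.0.1", 53),   # assumed tightened set: DNS only to upstream
                  Rule("pass", "tcp", "any", 80),
                  Rule("pass", "tcp", "any", 443)]

UDP_PAYLOAD_MAX = 4096   # EDNS0 buffer a stub resolver advertises (dig prints "udp: 4096")


def resolve(rules: List[Rule], server: str, answer_size: int) -> Optional[str]:
    """Simulated stub resolver behind `rules`, asking `server` for an answer of `answer_size` bytes.

    Returns the transport that delivered the answer ("udp" or "tcp"), or None on failure.
    The resolver always starts with UDP and only retries over TCP after the server
    sets TC=1 because the answer would not fit in the advertised UDP buffer.
    """
    if evaluate(rules, Packet("udp", server, 53)) != "pass":
        # The UDP query never leaves the firewall: no reply, no TC bit, so no TCP attempt.
        return None
    if answer_size <= UDP_PAYLOAD_MAX:
        return "udp"
    # Truncated reply: the resolver repeats the same question over TCP port 53.
    if evaluate(rules, Packet("tcp", server, 53)) == "pass":
        return "tcp"
    return None


if __name__ == "__main__":
    for name, rules in [("tcp only", LAN_TCP_ONLY), ("default", LAN_DEFAULT), ("dns pinned", LAN_DNS_PINNED)]:
        web = evaluate(rules, Packet("tcp", "74.125.225.49", 80))
        print(f"{name:10s} web by IP: {web:5s}  "
              f"dns 192.168.0.1: {resolve(rules, '192.168.0.1', 123)}  "
              f"dns 8.8.8.8: {resolve(rules, '8.8.8.8', 123)}  "
              f"big answer: {resolve(rules, '192.168.0.1', 6000)}")
```

The TCP-only ruleset passes the web connection by IP, which is exactly the symptom in the thread, yet every lookup fails, and it fails silently: the client sees a timeout rather than a refusal, because the UDP query is dropped and nothing ever tells the resolver to try TCP. The reverse mistake, a UDP-only rule, fails only for large answers, which is the "some TCP sure" case johnpoz mentions.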

Well, now I feel stupid.

I was convinced my rule allowed both TCP and UDP.
I have corrected this and it works now.

Thanks for your help!

johnpoz, LAYER 8 Global Moderator

                            No problem - sorry I missed it the first time I looked at the rules ;)

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.