Netgate Discussion Forum

    Dns Forwarder Issues

    DHCP and DNS
    29 Posts 4 Posters 8.4k Views

    • johnpoz LAYER 8 Global Moderator

      So show me in pfsense it not working.. Let's see your host command to the IP and the query..

      Let's see the actual capture in wireshark to see if there is a problem with the packet..

      So you're saying I do a host record server like this to that IP it fails
      [2.2-RC][root@pfSense.local.lan]/root: host www.google.com 4.2.2.2
      Using domain server:
      Name: 4.2.2.2
      Address: 4.2.2.2#53
      Aliases:

      www.google.com has address 64.233.181.147
      www.google.com has address 64.233.181.106
      www.google.com has address 64.233.181.99
      www.google.com has address 64.233.181.103
      www.google.com has address 64.233.181.105
      www.google.com has address 64.233.181.104
      www.google.com has IPv6 address 2607:f8b0:4001:c08::67

      So when you do to one server it works, and the other server it fails even though clearly from the sniff the query returned traffic.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      • spies

        @johnpoz:

        So when you do to one server it works, and other server it fails even though clearly from the sniff the query returned traffic.

        Exactly, I will work on getting a wireshark output later this week and post back here.

        • johnpoz LAYER 8 Global Moderator

          You can just download the capture you do on pfsense diag, it opens in Wireshark just fine.

          • spies

            In the packet capture after the failed nslookup, it actually shows a standard query response.

            When I capture the LAN interface it is responding with 0x0005 no such name.

            Still none the wiser as to why pfsense isn't passing the result on.

            [attachments: putty.png, nslookup.png]

            • johnpoz LAYER 8 Global Moderator

              So sounds like pfsense is answering the client with NX??

              Can we see the actual wireshark on both the interface the client is asking from, and then any other interfaces pfsense has that it might send out a query for this request.  So we can follow what is happening.

              Do you have sequential dns on, or is the forwarding asking all the dns servers and the first one to answer is saying sorry NX..

              In the dns forwarder section.  Seems like you have some sort of issue with your first query, it did not even respond..  So it's busy or network issues?

              Query DNS servers sequentially
              If this option is set, pfSense DNS Forwarder (dnsmasq) will query the DNS servers sequentially in the order specified (System - General Setup - DNS Servers), rather than all at once in parallel.

                • spies

                If sequential is ticked, the request doesn't make it over the VWG interface, presumably because it gets a response from the 8.8.8.8 NS and just gives up (Surely that isn't correct behavior?)

                I've taken several captures, these are all done with parallel.

                https://www.dropbox.com/s/isw2fv3ale6vsts/Packet_Captures.zip?dl=0

                I personally can't see anything wrong apart from the LAN interface responding with Not found when it clearly is.

                • johnpoz LAYER 8 Global Moderator

                  yes it is – if your dns server says NX, ie that domain does not exist.. Why should you go ask another one??

                  Normal practice, if you have non public domains you need to resolve is to POINT to that dns only!!!  And let it forward your requests or ask roots for public domains, etc..

                  You can not point to multiple dns and ask for something that doesn't exist on some of them and expect it to work..  Because one out of the list knows about that domain.

                  If you want to ask sequentially, put the owner of the vwg domain first - but you have a problem if it doesn't answer fast enough: you move on to the next one and get nx, and not good.

                  So whatever dns you ask needs to know about this vwg domain.  Or you need whoever you ask to have a conditional forwarder to go and ask the owning dns of your .vwg domain.

                  We used to have to resolve that same domain in a company I used to work for, in our AD.  So our AD dns, that all users used, had conditional forwarders to the owning ns of that domain down a vpn connection.  User asks dns for something.vwg, the dns went and asked the ns of vwg..  If not .vwg and it did not know the request, it forwarded it up and got forwarded to public dns, etc..

                  I don't think there is anything wrong with pfsense - you just need to design your dns correctly.

                    • spies

                    Thank you very much John, that's some food for thought.

                      • cmb

                      @johnpoz:

                      I don't think there is anything wrong with pfsense - you just need to design your dns correctly.

                      Exactly. What's shown here is the correct behavior and how any DNS server will behave in the circumstance. When it gets the NXDOMAIN reply first, it uses that. If it got no reply at all, or a SERVFAIL, it'd continue on and use another option.

                        • spies

                        Ok, so it makes sense that if a public DNS replies with 'not found' it's not then going to try the other DNS servers to see if it's on those, however why then, when the DNS server (which runs on the AD) is added to the config, does the .vwg domain then resolve?

                        The public DNS is still giving the same answer 'not found' but for some reason pfsense is taking note of the response it gets from the DNS running on the AD and forwarding that to the client.

                        Doesn't matter what order they're in either and it works in parallel mode too! Is the AD DNS doing something special?

                          • KOM

                          I suspect that if you run DNS queries in parallel, an NXDOMAIN response won't stop the search before it asks the other servers since it's asking them all at once.

                            • spies

                            Actually, thinking about it, response time must have something to do with it as the DNS running on the AD, is obviously local…

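The rule cmb states (an NXDOMAIN reply is taken as final, only a timeout or SERVFAIL moves the forwarder on), the sequential-versus-parallel behaviour quoted from the DNS Forwarder help, and the conditional-forwarder design johnpoz recommends, as a toy model added to this thread. This is not pfSense or dnsmasq code; the server names, latencies and the .vwg records are constructed.

```python
"""Toy model of the two DNS Forwarder modes discussed in this thread.
Added example, not pfSense or dnsmasq code; server names, latencies and
the .vwg records below are constructed for illustration only."""
from dataclasses import dataclass

NXDOMAIN, SERVFAIL, TIMEOUT = "NXDOMAIN", "SERVFAIL", "TIMEOUT"
NOT_DEFINITIVE = {SERVFAIL, TIMEOUT}  # replies that let the forwarder keep looking


@dataclass
class Upstream:
    name: str
    records: dict        # qname -> address this server knows about
    latency_ms: int      # how quickly its reply comes back
    reachable: bool = True

    def query(self, qname):
        if not self.reachable:
            return TIMEOUT
        # A server that does not know the name answers NXDOMAIN: a real answer.
        return self.records.get(qname, NXDOMAIN)


def resolve_sequential(servers, qname):
    """Strict order: the first definitive reply wins, NXDOMAIN included.
    Only a timeout or SERVFAIL moves on to the next server."""
    for s in servers:
        reply = s.query(qname)
        if reply not in NOT_DEFINITIVE:
            return reply, s.name
    return SERVFAIL, None


def resolve_parallel(servers, qname):
    """All servers asked at once: the first definitive reply to arrive wins,
    so whichever server answers fastest decides the outcome."""
    return resolve_sequential(sorted(servers, key=lambda s: s.latency_ms), qname)


def resolve_conditional(forwards, default, qname):
    """Conditional forwarding: names under a listed domain go only to the server
    that owns that domain; everything else goes to the default upstreams."""
    for suffix, owner in forwards.items():
        if qname == suffix or qname.endswith("." + suffix):
            return resolve_sequential([owner], qname)
    return resolve_sequential(default, qname)


# Constructed upstreams: a public resolver and the local AD DNS that owns .vwg.
PUBLIC = Upstream("8.8.8.8", {"www.google.com": "64.233.181.147"}, latency_ms=30)
AD_DNS = Upstream("ad-dns", {"files.vwg": "10.0.0.20"}, latency_ms=1)
```

In this model the public server's NXDOMAIN ends a sequential lookup of files.vwg, a parallel lookup depends entirely on which server replies first, and only the conditional forwarder gives the same answer regardless of order or latency.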
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.