Cannot get the correct DNS server from DHCP Static Mappings.
-
I didn't set any dns servers on clients.
So I sniffed on the pfsense host, port 67. I found that there is another ACK packet with the wrong dns servers 10.209.2.1/2.
Is this a bug?
I have updated my pfsense to v2.2.5 (amd64). Nothing changed.
-
I don't read Japanese. You need to release the old lease. That's all. If you are unable to figure out the MS crap, then simply nuke the leases file on pfSense.
rm -f /var/dhcpd/var/db/dhcpd.leases*
-
"I find that there is another ack pack"
Why don't you post up this sniff so we can see.. Are you saying multiple offers are being sent? Or it sounds like the client asked for its OLD lease that was not deleted off pfsense.. So yeah pfsense will send that..
I tested this multiple ways when you first posted, and everything is working as it should from my testing.. Yes if the OLD lease is still on the server you could get that sent to you.. Please post up your sniff in pcap so we can open it in wireshark and look. So we can help you!! I am running 2.2.4 and then again tested this with 2.2.5 and as long as there is NO old lease on pfsense, it gets the correct info…
-
I have posted the snap pictures.
Here's the sniff packages.
http://pan.baidu.com/s/1mgB2JzU
I have done the command "rm -f /var/dhcpd/var/db/dhcpd.leases*" in the ssh shell and rebooted the pfsense. Nothing changed. The client still got the wrong dns servers.
[2.2.5-RELEASE][root@pfsense]/var/dhcpd/var/db: ls -l
total 72
-rw-r--r--  1 dhcpd  _dhcp  32860 Nov  7 09:10 dhcpd.leases
-rw-r--r--  1 dhcpd  _dhcp  36305 Nov  7 08:38 dhcpd.leases~
-rw-r--r--  1 dhcpd  _dhcp      0 Oct 27 05:01 dhcpd6.leases
[2.2.5-RELEASE][root@pfsense]/var/dhcpd/var/db: rm -f /var/dhcpd/var/db/dhcpd.leases*
[2.2.5-RELEASE][root@pfsense]/var/dhcpd/var/db: ls
dhcpd6.leases
[2.2.5-RELEASE][root@pfsense]/var/dhcpd/var/db: reboot

*** Welcome to pfSense 2.2.5-RELEASE-pfSense (amd64) on pf ***

 WAN (wan)       -> em0        -> v4: 218.90.165.218/29
 LAN (lan)       -> em1        -> v4: 192.168.108.241/24
 NAT303 (opt1)   -> em2        -> v4: 10.209.3.241/24
 NAT302 (opt2)   -> em3        -> v4: 10.209.2.241/24

 0) Logout (SSH only)                  9) pfTop
 1) Assign Interfaces                 10) Filter Logs
 2) Set interface(s) IP address       11) Restart webConfigurator
 3) Reset webConfigurator password    12) pfSense Developer Shell
 4) Reset to factory defaults         13) Upgrade from console
 5) Reboot system                     14) Disable Secure Shell (sshd)
 6) Halt system                       15) Restore recent configuration
 7) Ping host                         16) Restart PHP-FPM
 8) Shell

Enter an option: 8

[2.2.5-RELEASE][root@pfsense]/root:
[2.2.5-RELEASE][root@pfsense]/root: cd /var/dhcpd/var/db/
[2.2.5-RELEASE][root@pfsense]/var/dhcpd/var/db: ls -l
total 4
-rw-r--r--  1 root   _dhcp   1094 Nov  7 09:28 dhcpd.leases
-rw-r--r--  1 root   _dhcp      0 Nov  7 09:27 dhcpd.leases~
-rw-r--r--  1 dhcpd  _dhcp      0 Oct 27 05:01 dhcpd6.leases
If I empty the dns servers 10.209.2.1/2 on pfsense and just leave the static dhcp mapping dns server 10.209.3.241, then my client can get the right dns server 10.209.3.241.
Thanks for your help!
-
Dude, I see a release from your client.
Where is the REQUEST… Do you have a relay in the mix..
You would not send ACK without request.. There is no request in that sniff..
-
I don't have any dhcp relay in my network.
I changed the capture filter to "port 67". There is a REQUEST now:
http://pan.baidu.com/s/1eQ15ABC
In this sniff I found "dhcp inform" from my client. So I googled it. Maybe this explains why the client always got the wrong dns servers.
https://readme.phys.ethz.ch/windows/what_to_do_if_windows_vista_gets_the_wrong_dns_servers_via_dhcpinform_answers/
https://lists.isc.org/pipermail/dhcp-users/2013-May/016729.html
I have two win7 clients in my test. One of them is 10.209.3.82, which never got the right dns server; another is 10.209.2.87, which sometimes got the right dns server. The difference between them is that 10.209.3.82 is joined to AD and 10.209.3.87 is not.
According to https://lists.isc.org/pipermail/dhcp-users/2013-May/016729.html, I ran cat /var/etc/dhcpd/dhcpd.conf and found "authoritative" in the conf.
How can I delete "authoritative" in the conf?
I think that maybe I can block "dhcp inform" by firewall, but how?
Any help?
-
There is nothing wrong with an inform.. It is asking for info.. This is common practice..
Can you post up this sniff so I can open it in wireshark.
Ok – you're running AD??? Why would you not be using AD dns and dhcp?? Really if you have AD set up, there is really little point to running dhcp and dns services off pfsense.. AD clients should ONLY point to AD for dns.. And it makes it much easier for AD name resolution when the dhcp server that is in AD is doing the dhcp..
While you do have something weird going on.. I have been in IT for 25+ some years and have been working with MS since before it was even a thing.. First windows server we set up was NT3.51 and we used to use 3.11 etc.. so I've been around MS for a lot of years and here is the thing.. if you're running AD there is really NO POINT to trying to run dhcp and dns services off pfsense.. There just isn't.. Do yourself a favor and just use your AD setup..
-
Sorry for the sniff package url. I pasted the wrong url and corrected it now.
http://pan.baidu.com/s/1eQ15ABC
Yes, I'm running AD. The pfsense is the only dhcp server in AD.
Most of ad users visit internet by proxy. The ad dns server can't analyze internet domains.
Some users have to visit the internet by NAT. They need a different dns server. So pfsense is set to another dns server and gateway. I forward the AD domain to the AD dns server. It looks to work well.
I'm the IT of the company, but not the AD admin. The AD admin is in the parent company.
-
"The ad dns server can't analyze internet domains."
Well forward that to pfsense dns then… How do your clients find your AD if they are not pointing to AD dns... If you use a proxy - they don't even do dns..
Do yourself a freaking favor and FIX what sounds like a mess... To be honest I can not think of a reason why you would have to hand out different dns if you're set up correctly.. dhcp and dns from your AD as MS wants it.. Have your MS dns forward to pfsense to look up stuff like www.pfsense.org. But then again if your clients are using a proxy the proxy does the dns..
edit.. Well yup the inform is clearly what is getting answered with the wrong stuff via that ack.. The mac is the same.. But you can tell from the transaction id what is the answer to what.. So need to figure out why dhcp is sending your default stuff to the inform request even when mac is listed.. Seems more like a bug with dnsmasq dhcp vs something in pfsense. But now you have some details to work with in that sniff.
But again - all of that is pointless if you would just set up your network in a better fashion..
Here is a pretty OLD thread talking about your exact issue:
http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2011q4/005409.html
"However, we've noticed some Windows PCs also request DHCP INFORM, and it appears dnsmasq replies to those requests and provides DNS server information - those PCs then start to use the DNS servers supplied by dnsmasq instead of the DNS servers supplied by the primary DHCP server."
-
I'm running AD and the DC is not under my control, same as the dns (10.209.2.1/2).
I have had pfsense 2.0 for a while. I just forward my AD domain TO the AD dns server. It has worked well for years.
Most AD users use the normal dhcp settings. They visit the internet by proxy. Their dns is 10.209.2.1/2, which can't analyze internet domains like www.pfsense.org.
Some AD users have to visit the internet by NAT. So they need another dns server which can analyze domains like www.pfsense.org.
"However, we've noticed some Windows PCs also request DHCP INFORM, and it appears dnsmasq replies to those requests and provides DNS server information"
Dnsmasq replies to dhcp requests? I don't think so. I have disabled the dns forwarder and dns resolver. Still got the normal dns servers.
If I empty the normal dns servers in the dhcp settings, then the client gets the right dns server.
I think the dhcp server replies to the "dns inform", not dnsmasq.
I commented out this line $dhcpdconf .= "authoritative;\n" in /etc/inc/services.inc. It's working now.
Thank you johnpoz for your patience, and sorry for my English.
-
You're right, pfsense runs isc dhcpd, not the dnsmasq dhcp server, my bad, but it's the same problem - your problem is still that your dhcpinform is getting your configured default settings vs what you set up via a static; this is by dhcp design it seems, not a pfsense issue.
Here, this is your exact problem.. When windows clients send out the dhcpinform they get the standard dns vs what was set up in the reservation.
https://readme.phys.ethz.ch/windows/what_to_do_if_windows_vista_gets_the_wrong_dns_servers_via_dhcpinform_answers/
"According to the most current DHCP standard, DHCP servers are not allowed to look up any lease data about the requesting MAC address if they answer to a DHCPINFORM packet. In ISC's interpretation of this rule this even includes group membership which belongs to the configured static (and not dynamic) lease data."
Setting to non-authoritative it now just doesn't answer dhcpinform requests I would take it, so no, you don't get any dhcpinform info for anything.. The problem is mostly related to windows asking for wpad.. This sends out a dhcp inform..
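The two points johnpoz makes above, that the transaction id tells you which ACK answers which client message, and that an ACK to a DHCPINFORM carries the pool defaults rather than the static-mapping values, can be checked mechanically instead of by eye in Wireshark. The script below is an added example written for this thread, not code from pfSense or ISC dhcpd. It decodes raw BOOTP/DHCP payloads (the UDP data of a port 67/68 capture), pairs each REQUEST or INFORM with the ACK sharing its xid, and flags any ACK whose option 6 DNS list differs from what the static mapping should hand out. The four packets it runs on are constructed to mirror the symptom in the thread: the client MAC, the xids and the option 55 list (6 = DNS, 252 = WPAD) are made up; the addresses 10.209.3.82, 10.209.3.241 and 10.209.2.1/2 are the ones posted above.

```python
import struct
from ipaddress import IPv4Address

MAGIC = b"\x63\x82\x53\x63"                   # DHCP magic cookie that ends the BOOTP header
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"         # op, htype, hlen, hops, xid, secs, flags,
                                              # ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK",
             6: "NAK", 7: "RELEASE", 8: "INFORM"}

def ip_str(raw):
    return str(IPv4Address(raw))

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_dhcp(op, xid, mac, ciaddr, yiaddr, options):
    """Assemble a raw DHCP payload (used only to construct the sample capture)."""
    hdr = struct.pack(HEADER, op, 1, 6, 0, xid, 0, 0,
                      IPv4Address(ciaddr).packed, IPv4Address(yiaddr).packed,
                      b"\0" * 4, b"\0" * 4, bytes.fromhex(mac.replace(":", "")),
                      b"", b"")                # struct pads chaddr/sname/file with NULs
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return hdr + MAGIC + body + b"\xff"       # 0xff = end-of-options

def parse_dhcp(payload):
    """Decode the fields this audit needs: xid, client MAC, message type, DNS list."""
    f = struct.unpack(HEADER, payload[:236])
    if payload[236:240] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:
        if payload[i] == 0:                   # pad option has no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    dns = opts.get(6, b"")                    # option 6: list of 4-byte DNS server addresses
    return {
        "xid": f[4],
        "ciaddr": ip_str(f[7]),
        "yiaddr": ip_str(f[8]),
        "mac": mac_str(f[11][:f[2]]),         # chaddr truncated to hlen
        "msgtype": MSG_TYPES.get(opts[53][0], "UNKNOWN") if 53 in opts else "BOOTP",
        "dns": [ip_str(dns[j:j + 4]) for j in range(0, len(dns), 4)],
    }

def audit(packets, expected):
    """Match ACKs to the client message with the same xid and compare the DNS
    servers handed out against the static-mapping values in `expected`."""
    pending, findings = {}, []
    for raw in packets:
        p = parse_dhcp(raw)
        if p["msgtype"] in ("REQUEST", "INFORM"):
            pending[p["xid"]] = p["msgtype"]
        elif p["msgtype"] == "ACK":
            answered = pending.pop(p["xid"], "UNMATCHED")
            want = expected.get(p["mac"])     # None: no static mapping for this MAC
            findings.append({"answers": answered, "xid": p["xid"], "mac": p["mac"],
                             "dns": p["dns"], "matches_static": want is None or want == p["dns"]})
    return findings

# ---- constructed sample capture (not the poster's pcap) ----
CLIENT_MAC = "00:11:22:33:44:55"              # made-up MAC for the 10.209.3.82 client
STATIC_DNS = {CLIENT_MAC: ["10.209.3.241"]}   # DNS the static mapping is meant to hand out

def dns_opt(*addrs):
    return b"".join(IPv4Address(a).packed for a in addrs)

SAMPLE_CAPTURE = [
    # REQUEST (xid 0x1111): the ACK honours the static mapping
    build_dhcp(1, 0x1111, CLIENT_MAC, "0.0.0.0", "0.0.0.0",
               [(53, b"\x03"), (50, IPv4Address("10.209.3.82").packed)]),
    build_dhcp(2, 0x1111, CLIENT_MAC, "0.0.0.0", "10.209.3.82",
               [(53, b"\x05"), (6, dns_opt("10.209.3.241"))]),
    # INFORM (xid 0x2222) from the already-addressed client asking for DNS and WPAD:
    # the ACK carries the pool defaults, which is the mismatch reported in the thread
    build_dhcp(1, 0x2222, CLIENT_MAC, "10.209.3.82", "0.0.0.0",
               [(53, b"\x08"), (55, b"\x06\xfc")]),
    build_dhcp(2, 0x2222, CLIENT_MAC, "10.209.3.82", "0.0.0.0",
               [(53, b"\x05"), (6, dns_opt("10.209.2.1", "10.209.2.2"))]),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_CAPTURE, STATIC_DNS):
        flag = "ok" if f["matches_static"] else "MISMATCH"
        print(f"ACK xid={f['xid']:#06x} answers {f['answers']:8} dns={f['dns']} {flag}")
```

To run it against a real capture, feed `audit()` the UDP payloads of the port 67/68 packets in order (any pcap reader that yields raw bytes will do) and fill `STATIC_DNS` from the static mappings; an ACK that answers an INFORM with a different DNS list than the REQUEST for the same MAC is exactly the DHCPINFORM behaviour described in the ETH Zurich page linked above.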