Netgate Discussion Forum

    DNS queries | resolver, host overrides, dhcp & external dns

    DHCP and DNS
    mfr

      Hi
      My DNS resolution does not seem to be working correctly. What could be the problem? I have already tried different scenarios, but can't get it to work.

      I have set up pfSense with a site-to-site VPN. I'm trying to get the name resolution of Site1 to work.
      In Site1 I'm using

      • resolver

      • and host overrides in resolver to resolve some hostnames with static IPs

      • in System / General Setup I have 2 wan dns hosts of my ISP

      • If I connect a client with DHCP it gets the IP of pfsense as DNS and no other DNS servers.

      • DNS lookups from client for hostnames in host overrides are working

      But DNS lookups to external hosts are not working until I enter the DNS servers under Services / DHCP Server / DNS servers.
      But if I do that, the DNS lookups from the client for hostnames in host overrides go to the ISP DNS servers.

      How can I resolve the internal hostnames AND the external ones?
      What could be the problem?

      Derelict (Netgate)

        Your resolver isn't set up right. Post the settings for the resolver and make sure pfSense itself can make queries to outside addresses:

        What does this show:

        Diagnostics > Command prompt

        Command: drill @8.8.8.8 www.google.com Execute

        Leave your DHCP server giving pfSense as the DNS server to inside hosts and fix your resolver.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        mfr

          pfSense shell (before and after removing the ISP DNS from Services / DHCP DNS Servers)

          # drill @8.8.8.8 www.google.com Execute
          ;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 1084
          ;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
          ;; QUESTION SECTION:
          ;; Execute.     IN      A
          
          ;; ANSWER SECTION:
          
          ;; AUTHORITY SECTION:
          .       1091    IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2015112401 1800 900 604800 86400
          
          ;; ADDITIONAL SECTION:
          
          ;; Query time: 8 msec
          ;; SERVER: 8.8.8.8
          ;; WHEN: Tue Nov 24 23:01:31 2015
          ;; MSG SIZE  rcvd: 100
          #

          after removing the ISP DNS from Services / DHCP DNS Servers

          nslookup 8.8.8.8
          returns "Server failed" (Win10)

          Derelict (Netgate)

            The Execute was for the GUI.

            Run this: drill @8.8.8.8 www.google.com

            mfr

              Oh, thanks

              
              # drill @8.8.8.8 www.google.com
              ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 17594
              ;; flags: qr rd ra ; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0
              ;; QUESTION SECTION:
              ;; www.google.com.      IN      A
              
              ;; ANSWER SECTION:
              www.google.com. 18      IN      A       173.194.116.48
              www.google.com. 18      IN      A       173.194.116.51
              www.google.com. 18      IN      A       173.194.116.52
              www.google.com. 18      IN      A       173.194.116.50
              www.google.com. 18      IN      A       173.194.116.49
              
              ;; AUTHORITY SECTION:
              
              ;; ADDITIONAL SECTION:
              
              ;; Query time: 7 msec
              ;; SERVER: 8.8.8.8
              ;; WHEN: Wed Nov 25 06:46:58 2015
              ;; MSG SIZE  rcvd: 112
              Derelict (Netgate)

                Do your firewall rules prevent LAN hosts from querying the LAN address for DNS?

                This just works out-of-the-box. Have to figure out what, specifically, you've done to make it not work.

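As an added example (not code from this thread or from pfSense itself): a dependency-free Python probe a LAN client can run against the pfSense LAN address to repeat the two checks discussed above, one internal host-override name and one external name, and show the rcode and addresses each query gets back. The server address 192.168.1.1 and the name nas.site1.lan in the comments are assumed placeholders.

```python
import random
import socket
import struct
# Added example, not the thread's code: raw DNS A probe so a LAN client can ask the
# pfSense LAN address (assumed 192.168.1.1) for an internal and an external name.
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qid):
    # Standard header: id, flags RD=1, QDCOUNT=1; then QNAME, QTYPE=A, QCLASS=IN
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(msg, off):
    # Advance past a label sequence; a 0xC0 compression pointer ends the name in 2 bytes
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += length + 1

def parse_response(msg, qid):
    # Returns (rcode name, list of A addresses); rejects replies carrying the wrong id
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != qid:
        raise ValueError("transaction id mismatch: stray or spoofed reply")
    rcode = RCODES.get(flags & 0xF, "RCODE%d" % (flags & 0xF))
    off = 12
    for _ in range(qd):            # skip echoed question: name + QTYPE + QCLASS
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return rcode, addrs

def query_a(server, name, timeout=2.0):
    # One UDP query to server:53, e.g. query_a("192.168.1.1", "nas.site1.lan")
    qid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (server, 53))
        data, _ = sock.recvfrom(512)
    return parse_response(data, qid)
```

NXDOMAIN for the override name means the reply came from a server that has no host overrides (for example an ISP server handed out by DHCP), while SERVFAIL is what Windows nslookup reports as "Server failed".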