Netgate Discussion Forum

    PfSense cannot resolve hostnames in local network

    DHCP and DNS
    18 Posts 3 Posters 24.2k Views
    • johnpoz LAYER 8 Global Moderator

      "Forwarding mode is enabled. Under "network interfaces""

      What is the freaking point of using the resolver if you're just going to have it forward?

      What do you have pfsense pointing to for dns??  Itself?

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      • fraglord

        According to the official unbound documentation forwarding mode must be enabled for multi-WAN configurations, which is the case for me.
        I only use unbound for the reason to be able to take advantage of pfblockerng and its DNSBL feature.
        First DNS server for pfsense is localhost followed by some others I have set up under system -> general setup.
        But I guess all that is not related to DNS lookup problems with my LAN hosts.

        pfSense 2.4.0 (amd64) running on IGEL H710C | 1G RAM | 8G SSD | INTEL PRO/1000 PT Dual NIC

        • johnpoz LAYER 8 Global Moderator

          "enabled for multi-WAN configurations"

          That makes no sense at all… I will have to look into who put that info in the wiki..  It makes NO sense that would be a requirement..

          Well what you tell pfsense to use is directly related to looking up your lan hosts, since your lan clients point to your AD dns directly anyway.. So you just want pfsense to use your AD dns as well when you look up a host name or a ptr on pfsense.

          So I created a zone on my 2k8r2 box called example.com, with a reverse for 1.2.3, created a host.example.com with 1.2.3.4 as its IP and it created the reverse record in the reverse zone... I then enabled unbound to use my lan interface, since normally it's just using wan for queries.  I then created the overrides..  As you can see if I query the local dns, it is working... And then also if I have pfsense look it up it works as well both in the gui and from cmd line...  But if you have pfsense forward somewhere, and that somewhere doesn't know about your local zones... Then how would it ever look them up?

          (attached image: unbounddomainoverride.png)


          • fraglord

            Thanks for your detailed answer. That is also the way I have set it up. But the good news is that it "seems" to work now. The only thing I did - because I forgot to do it earlier - was signing the forward and reverse lookup zones on my AD DNS. Not sure if it's related though.
            From the webui reverse lookups are working flawlessly but forward lookups do not work! If I log in to the console and ping a host by the hostname or FQDN it resolves properly, or if I simply resolve with the host command. Reverse and forward lookups from the console are reliable!
            Also I noticed the domain overrides do not seem to be applied when I use the DNS Lookup via the webui. It still shows me the query times from the servers set under system -> general setup. How come DNS Lookup still queries the "wrong" DNS servers (except localhost) and ignores my domain override in unbound?!
            BTW: forwarding mode enabled or not does not change anything.


            • johnpoz LAYER 8 Global Moderator

              Forwarding mode would change a lot… When Not in forward mode there is NO way dns could ask the wrong server... Since the "resolver" would query roots and work its way down to owning ns for the domain trying to query.

              What exactly is not working in webui ??  Where does it show it asked, only 127.0.0.1 that is set to resolver mode..  Or does it list asking other servers?

              If not working why don't you just sniff and validate where it sent a query to, and why there is no answer if your AD got asked..


              • doktornotor Banned

                @fraglord:

                It still shows me the query times from the servers set under system -> general setup.

                You should have no servers set up there.

                • johnpoz LAYER 8 Global Moderator

                  When using the resolver as actual resolver.. You have no need to put anything there.

                  If they are going to allow forwarder mode in the resolver, then they really should allow the user in the resolver section, either with a text box or using the advanced box, to set where it is forwarded, vs using the stuff from the general settings which is how it's done I think??

                  Not 100% sure why anyone would use forwarder mode ;)

                  You can just check with unbound on what ns it would use to lookup something…

                  [2.2.5-RELEASE][root@pfSense.local.lan]/root: unbound-control -c /var/unbound/unbound.conf lookup 4.3.2.1.in-addr.arpa
                  The following name servers are used for lookup of 4.3.2.1.in-addr.arpa.
                  The noprime stub servers are used:
                  Delegation with 0 names, of which 0 can be examined to query further addresses.
                  It provides 1 IP addresses.
                  192.168.9.19            not in infra cache.
                  [2.2.5-RELEASE][root@pfSense.local.lan]/root: unbound-control -c /var/unbound/unbound.conf lookup www.example.com
                  The following name servers are used for lookup of www.example.com.
                  The noprime stub servers are used:
                  Delegation with 0 names, of which 0 can be examined to query further addresses.
                  It provides 1 IP addresses.
                  192.168.9.19            not in infra cache.

                  (attached image: dnsservers.png)


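The `unbound-control lookup` output quoted above is the check this whole thread turns on: if the answer lists the AD server under a stub entry, the domain override is in effect for that name; if unbound instead reports that it goes to the configured roots, no override matched and the query will never reach the internal zone. The script below is an added example, not code from the thread or from the pfSense project. It builds the reverse zone name and the `stub-zone:` stanza a domain override corresponds to (expressing the override as an unbound stub-zone is an assumption about how the GUI setting is rendered), parses `unbound-control lookup` output so the resolution path can be checked by a script instead of by eye, and treats the "goes to configured roots" line as the failure case. `SAMPLE_STUB` and `SAMPLE_ROOTS` are constructed to match the shape of the output shown in the thread, `live_lookup` runs the real command with the config path used above, and the function names are this example's own.

```python
"""
Check whether an unbound domain override (stub zone) is really in effect.

Added example for this thread; not code from the forum posts or from pfSense.
The sample outputs are constructed to match the shape of `unbound-control
lookup` output; 192.168.9.19 stands in for the internal AD DNS server.
"""
import ipaddress
import re
import shutil
import subprocess


def reverse_zone(network: str) -> str:
    """Return the in-addr.arpa zone covering an IPv4 /8, /16 or /24 prefix.

    1.2.3.0/24 -> 3.2.1.in-addr.arpa, which is the name the reverse domain
    override for that subnet has to carry.
    """
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("only IPv4 /8, /16 and /24 map to one in-addr.arpa zone")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def stub_zone_config(zone: str, server: str) -> str:
    """Render the unbound stub-zone stanza equivalent to one domain override.

    Assumption: the GUI override is expressed as a stub-zone (name + stub-addr).
    """
    ipaddress.ip_address(server)  # raises ValueError if not an IP literal
    return f'stub-zone:\n    name: "{zone.rstrip(".")}"\n    stub-addr: {server}\n'


_QNAME_RE = re.compile(r"lookup of (\S+?)\.?$")


def parse_lookup(output: str) -> dict:
    """Parse `unbound-control lookup <name>` output.

    Returns qname, mode and the server list. mode is "stub" (a stub zone /
    domain override applies), "forward" (a forward zone applies), "roots"
    (nothing matched, unbound would start at the root hints) or "unknown".
    """
    result = {"qname": None, "mode": "unknown", "servers": []}
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _QNAME_RE.search(line)
        if line.startswith("The following name servers") and m:
            result["qname"] = m.group(1)
        elif "stub servers are used" in line:
            result["mode"] = "stub"
        elif line.startswith("forwarding request"):
            result["mode"] = "forward"
        elif line.startswith("no delegation from cache"):
            result["mode"] = "roots"
        else:
            # Server lines start with the address: "192.168.9.19   not in infra cache."
            token = line.split()[0]
            try:
                ipaddress.ip_address(token)
            except ValueError:
                continue
            result["servers"].append(token)
    return result


def override_in_effect(output: str, expected_server: str) -> bool:
    """True if unbound would hand the query to expected_server via a stub/forward zone."""
    parsed = parse_lookup(output)
    return parsed["mode"] in ("stub", "forward") and expected_server in parsed["servers"]


def live_lookup(name: str, conf: str = "/var/unbound/unbound.conf") -> dict:
    """Run unbound-control on the firewall itself (config path from the thread)."""
    if shutil.which("unbound-control") is None:
        raise FileNotFoundError("unbound-control not found; run this on the firewall")
    proc = subprocess.run(["unbound-control", "-c", conf, "lookup", name],
                          check=True, capture_output=True, text=True)
    return parse_lookup(proc.stdout)


# Constructed sample: the working case, a stub zone (domain override) applies.
SAMPLE_STUB = """\
The following name servers are used for lookup of www.example.com.
The noprime stub servers are used:
Delegation with 0 names, of which 0 can be examined to query further addresses.
It provides 1 IP addresses.
192.168.9.19            not in infra cache.
"""

# Constructed sample: the failure case, no override matched the name.
SAMPLE_ROOTS = "no delegation from cache; goes to configured roots\n"

if __name__ == "__main__":
    print(reverse_zone("1.2.3.0/24"))
    print(stub_zone_config("example.com", "192.168.9.19"))
    print(parse_lookup(SAMPLE_STUB))
    print(override_in_effect(SAMPLE_STUB, "192.168.9.19"),
          override_in_effect(SAMPLE_ROOTS, "192.168.9.19"))
```

Run as-is to see the constructed samples classified; on the firewall, `live_lookup("host.example.com")` and `live_lookup("4.3.2.1.in-addr.arpa")` return the parsed path for the real resolver, so both the forward and the reverse override can be verified in one go, and a "roots" result pinpoints which override is missing or misnamed.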
                  • fraglord

                    Well I let you know why I use forwarding mode in the other thread already  ;)

                    As you instructed, on the console I checked forward and reverse lookup with unbound-control and it is working reliably. And there is, just like it is supposed to be, only the IP of my AD DNS  :D
                    Also darkstat is able to properly display the hostnames via reverse lookup.

                    The DNS lookup via webui is still not working properly. Reverse lookups are working but forward lookups fail or only show a result if I push the DNS lookup button multiple times in a row; sometimes just not at all. And like I told you already, I still do not get why all the DNS servers set under system -> general setup are queried ALTHOUGH proper domain overrides (forward & reverse) are set up?!


                    • johnpoz LAYER 8 Global Moderator

                      so unbound knows that it's supposed to ask your server…  But is pfsense set to only ask unbound?  That is the problem with forwarding..


                      • fraglord

                        What do you mean by that? dnsmasq is disabled of course.
                        I do not see why this behaviour is related to forwarding mode. If there is a domain override set, I expect it to override whatever the settings are and query the server specified for this domain override. Or am I wrong?
                        Even more surprising is the fact that unbound actually does query the server with respect to the domain override but the DNS lookup from the webinterface does not.


                        • johnpoz LAYER 8 Global Moderator

                          Dude what part do you not understand if you have pfsense set to ask other servers???  What do you have in the general setup?  Its fine if it asks your server for your local stuff, but if pfsense happens to ask say googledns then NO its not going to get an answer..

                          What does your output of the webgui look like? IF it's not doing a query to loopback (unbound) that will then ask your AD, then no it would never find your stuff..


                          • fraglord

                            Today I upgraded to pfsense version 2.2.6 and noticed something very odd. With "unbound-control -c /var/unbound/unbound.conf lookup" I am not able to look up (forward and reverse) any local hostnames / IP addresses anymore:

                            no delegation from cache; goes to configured roots

                            Lookups for local hostnames via the webui still do not work and seem to ignore the domain overrides I have set.  :P


                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.