Netgate Discussion Forum
    Nslookup failed on some pcs while works on other pcs

    Off-Topic & Non-Support Discussion | 14 Posts, 4 Posters, 5.9k Views
    • John Tiota

      I configured pfSense 2.0.3 to allow internet access for some PCs while others are blocked from internet access. When I do nslookup on PCs with internet access, nslookup works as expected; however nslookup fails on PCs with no internet access.

      What confuses me is why nslookup fails to resolve my local domain PCs when I run nslookup on PCs with no internet access, when it should only fail to resolve external domains?

      I would appreciate your explanation and assistance.

      • podilarius

        It really depends on where the block is occurring and what you are blocking. If you are blocking at the LAN from any to any, then if your computer has to route through pfSense it will get blocked. Or if the DNS server is pfSense, then you also block it if you block all traffic at LAN. You could set the rule up so that it blocks !<locallanips>, where that is an alias pointing to the internal networks.
        If you could give more details on how you are blocking internet from some.

        • johnpoz LAYER 8 Global Moderator

          Need to know how you're blocking, and where you're pointing to for dns.

          "when it should only fail to resolve external domains ? "

          How do you expect this to happen exactly?  Where are you pointing your clients for dns?

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          • John Tiota

            Thanks for the prompt replies, I really appreciate it. See below my pfSense firewall configuration for those PCs with no internet access:

            Action : Block
            Interface : LAN
            Protocol : any
            Source : Type->Single host or alias
                                  Address->192.168.0.132

            Destination : Type ->any
                                  Address -> empty

            • johnpoz LAYER 8 Global Moderator

              Well that shows how they are blocked.. But where are they supposed to get dns from? Where it would resolve internal but not external sites.

              • John Tiota

                In the pfSense General Setup I put the IP address of my pfSense and Windows Server 2008, and 8.8.8.8 and 8.8.4.4.

                Is that what you mean?

                • johnpoz LAYER 8 Global Moderator

                  And where does your 2k8 get its dns from?  Roots or forward..

                  And HINT you NEVER point AD clients to anything other than AD dns – so why would you have your 2k8 box listed along with googledns?  Does googledns know about your AD?

                  How do you know which one of those 3 your client is going to ask?

                  If you don't want your client to be able to look up anything other than local then you need to control that at your dns with views.

                  • podilarius

                    Yeah, your DHCP server should hand out your Win2k8 server IP as the DNS. Otherwise you are going to have lots of problems with AD.
                    Otherwise, you would need to add a DNS forward in pfSense to forward your AD domain requests to the AD DNS server (your win2k8).
                    The rule you have set blocks any attempt at access to the pfSense box.
                    If you still want pfSense to do your DNS, then the rule should be more like:

                    Action : Block
                    Interface : LAN
                    Protocol : any
                    Source : Type->Single host or alias
                                          Address->192.168.0.132

                    Destination : Type ->any
                                          Address -> !192.168.0.0/24

                    This will block any attempt to go to any other network besides your local private network.

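As an added illustration (not code from the thread or from pfSense), this Python model evaluates the original rule (destination any) and the corrected rule (destination !192.168.0.0/24) against the three DNS servers DHCP hands out, and shows which of them the blocked PC can still reach. The LAN, hosts and rules come from the thread; the dict representation of a rule is a constructed simplification of the pfSense GUI fields.

```python
from ipaddress import ip_address, ip_network

# Constructed for this example: the thread's LAN, the pfSense LAN address, and the
# two block rules (original: destination any; corrected: destination !192.168.0.0/24).
# "dst_negate" stands in for the "not" checkbox on the pfSense destination field.
LAN = ip_network("192.168.0.0/24")
PFSENSE = ip_address("192.168.0.3")
ORIGINAL_RULE = {"src": "192.168.0.132", "dst": "any", "dst_negate": False}
CORRECTED_RULE = {"src": "192.168.0.132", "dst": "192.168.0.0/24", "dst_negate": True}
DHCP_DNS_SERVERS = ["192.168.0.2", "192.168.0.3", "8.8.8.8"]  # as handed out in the thread


def traverses_pfsense(dst):
    """A LAN rule is only evaluated on packets that reach pfSense: traffic to the
    firewall itself and traffic leaving the subnet. Host-to-host traffic inside
    192.168.0.0/24 (e.g. to the AD DNS at .2) is switched locally and never seen."""
    dst = ip_address(dst)
    return dst == PFSENSE or dst not in LAN


def rule_matches(rule, src, dst):
    """Evaluate a single-host source / any-protocol block rule, honouring '!'."""
    if ip_address(src) != ip_address(rule["src"]):
        return False
    in_dst = rule["dst"] == "any" or ip_address(dst) in ip_network(rule["dst"])
    return in_dst != rule["dst_negate"]


def dns_query_blocked(rule, client, server):
    """Would the client's UDP/53 query to this server be dropped by the rule?"""
    return traverses_pfsense(server) and rule_matches(rule, client, server)


def reachable_dns_servers(rule, client, servers=DHCP_DNS_SERVERS):
    """The subset of configured DNS servers the client can actually reach."""
    return [s for s in servers if not dns_query_blocked(rule, client, s)]


if __name__ == "__main__":
    for label, rule in (("original", ORIGINAL_RULE), ("corrected", CORRECTED_RULE)):
        print(f"{label:9} rule: 192.168.0.132 can query",
              reachable_dns_servers(rule, "192.168.0.132"))
    # original  rule: 192.168.0.132 can query ['192.168.0.2']
    # corrected rule: 192.168.0.132 can query ['192.168.0.2', '192.168.0.3']
```

With either rule the blocked host still cannot reach 8.8.8.8; the corrected rule only restores access to pfSense itself, so the DHCP-supplied list no longer contains a server the client can never reach.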
                    • John Tiota

                      Hi guys, I really appreciate your responses. Below are my responses to you regarding my current pfSense setup:

                      1. Where does your 2k8 get its dns from? --> Roots
                      2. So why is the wk8 box listed along with googledns? Does googledns know about your AD?
                        --> I was thinking clients would ask one of those dns servers for dns queries for local and external,
                            listed in the general setup.
                            -> 192.168.0.2 (wk8) -- would serve queries for my local network
                            -> 192.168.0.3 (pfsense) -- serve local & external queries by forwarding to googledns
                            -> 8.8.8.8 and 8.8.4.4 -- for external queries

                      3. What do you mean by controlling dns with views?

                      4. pfSense (dhcp) is also configured to hand out 192.168.0.2 (wk8) and pfsense (192.168.0.3) as dns

                      • johnpoz LAYER 8 Global Moderator

                        Well in your block - the clients you block can not even ask pfsense for anything.

                        AD clients should ONLY be configured for your AD dns.

                        Here is the thing: if you ask, say, googledns for your AD domain, you get back NX.. which you will.. example

                        ; <<>> DiG 9.9.3-rpz2+rl.13214.22-P2-Ubuntu-1:9.9.3.dfsg.P2-4ubuntu1 <<>> @8.8.8.8 host.local.lan
                        ; (1 server found)
                        ;; global options: +cmd
                        ;; Got answer:
                        ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 32535
                        ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

                        Your client will say - oh ok, that host is not valid, and will just stop asking even if it had 40 other dns servers in its list.

                        AD clients should ONLY point to your AD for dns, your AD server will serve up your local records, and if not local will either ask its forwarder or roots for answers for stuff like www.cnn.com, www.yahoo.com, etc.

                        If you don't want your local clients to be able to look up www.cnn.com - then in isc bind dns it is called VIEWS, and it would not allow clients from your local network 192.168.0.0/24 to ask for anything other than your local domains.  I don't believe 2k8 dns can do this - but I do believe the ms dns in 2012 server has this sort of feature now.

                        I would suggest you only hand out your AD as dns on your network, and then control what can and can not be looked up there.  But it's not normally an issue if a client you don't allow to use the internet can look up something - since even though they know the IP, your block rule on your gateway (pfsense) will not allow them to go there anyway.

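The resolver behaviour johnpoz describes, as an added simplified model (not from the thread, Windows or pfSense): a stub resolver walks its configured server list, moves on only when a server times out, and treats the first real response, including an NXDOMAIN from a public resolver, as final. All addresses, zone contents and the name host.local.lan are constructed for this example.

```python
# Simplified model of a stub resolver walking its DNS server list, written as an
# added illustration of the NXDOMAIN behaviour described in the post above.
# All addresses, names and zone contents are constructed for this example.

AD_DNS = "192.168.0.2"       # Windows 2008 AD DNS, authoritative for local.lan
PFSENSE_DNS = "192.168.0.3"  # pfSense forwarder (no domain override for local.lan)
GOOGLE_DNS = "8.8.8.8"

# What each server can answer. Only the AD DNS knows the AD zone; the AD DNS also
# resolves public names via roots or forwarders. TEST-NET addresses stand in for
# real public IPs.
ZONES = {
    AD_DNS: {"host.local.lan": "192.168.0.20", "www.cnn.com": "203.0.113.10"},
    PFSENSE_DNS: {"www.cnn.com": "203.0.113.10"},
    GOOGLE_DNS: {"www.cnn.com": "203.0.113.10"},
}
ALL_REACHABLE = frozenset(ZONES)


def ask(server, name, reachable):
    """One query to one server: ('timeout', None), ('answer', ip) or ('nxdomain', None)."""
    if server not in reachable:          # e.g. dropped by the LAN block rule
        return "timeout", None
    ip = ZONES[server].get(name)
    return ("answer", ip) if ip else ("nxdomain", None)


def resolve(name, server_list, reachable=ALL_REACHABLE):
    """Walk the configured servers in order. A timeout moves on to the next
    server, but any actual response ends the search: an NXDOMAIN from a public
    resolver is taken as 'this name does not exist', and the client never asks
    the AD DNS that would have answered. Returns (status, ip, server)."""
    for server in server_list:
        status, ip = ask(server, name, reachable)
        if status != "timeout":
            return status, ip, server
    return "timeout", None, None


if __name__ == "__main__":
    # Mixed list: whichever server is tried first decides the outcome.
    print(resolve("host.local.lan", [GOOGLE_DNS, AD_DNS]))   # nxdomain from 8.8.8.8
    print(resolve("host.local.lan", [AD_DNS, GOOGLE_DNS]))   # answer from the AD DNS
    # AD-only list (the thread's fix): local and public names both resolve.
    print(resolve("host.local.lan", [AD_DNS]))
    print(resolve("www.cnn.com", [AD_DNS]))
```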
                        • John Tiota

                          Thanks very much for all your responses.. I did manually configure the DNS settings of one of my clients (whose internet access is denied), added only the IP of the wk8 server, and did the nslookup successfully… nslookup resolved internal network names and external ones which were already cached.

                          As you said, I have to point my network clients to AD DNS, which is exactly what my dhcp is currently set up to do: hand out the IP of my AD DNS along with the IP of my pfSense. Do I need to hand out only the IP of my AD DNS?

                          • phil.davis

                            1. For clients that are in the AD domain, it is best for DHCP to give out only the AD DNS IP address. Then the clients will always work directly with the AD DNS - I think this is especially needed if the clients are auto-registering themselves in AD DNS.
                            2. For standalone clients, you can give out the pfSense LAN address, where the pfSense DNS is running. Then put a domain override in pfSense DNS to send requests for names in your AD domain to the AD DNS.
                              If you do it these 2 different ways for different classes of clients, then DHCP has to know which client is which - so sometimes it is easier to use (1) for all the clients. The disadvantage of that is if the AD DNS is down/offline then standalone clients have no working DNS, even though there is internet through pfSense.
                              If you static-map all the AD domain clients (usually quite easy as they are known PCs in the domain anyway) then you can give out the AD DNS to those clients. Then give the pfSense DNS to the rest of the general DHCP pool.

                            As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                            If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

                            • johnpoz LAYER 8 Global Moderator

                              " Do I need to hand out only the ip of my AD DNS ?"

                              Yes!!

                              You don't even allow 53 (dns) to your pfsense box - so what is the point in handing it out for dns?

                              Let me repeat yet again - AD clients should ONLY Point to AD dns - nothing else!!

                              • John Tiota

                                Thanks very much to you all…

                                I have configured my pfSense dhcp to hand out only the IP of my AD DNS... nslookup now works as it should.

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.