Netgate Discussion Forum

    DNS query won't work

    DHCP and DNS
    • Jacopx

      Good evening everyone! ;)

      I just set up my pfSense to query my Pi-hole running on my Raspberry… I have been using these settings for more than 10 hours and everything works great; I can query my hosts by name and query the web.
      While trying to find something, I noticed that when querying the website:

      raspberrypi.org
      

      something goes wrong… My Raspberry resolves the query correctly:

      dig @172.16.0.2 www.raspberrypi.org
      
      ; <<>> DiG 9.8.3-P1 <<>> @172.16.0.2 www.raspberrypi.org
      ; (1 server found)
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31916
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 0
      
      ;; QUESTION SECTION:
      ;www.raspberrypi.org.		IN	A
      
      ;; ANSWER SECTION:
      www.raspberrypi.org.	228	IN	CNAME	lb.raspberrypi.org.
      lb.raspberrypi.org.	229	IN	A	46.235.227.11
      lb.raspberrypi.org.	229	IN	A	93.93.128.230
      lb.raspberrypi.org.	229	IN	A	93.93.130.39
      lb.raspberrypi.org.	229	IN	A	93.93.128.211
      lb.raspberrypi.org.	229	IN	A	93.93.135.188
      lb.raspberrypi.org.	229	IN	A	93.93.128.133
      lb.raspberrypi.org.	229	IN	A	93.93.130.214
      lb.raspberrypi.org.	229	IN	A	93.93.130.104
      
      ;; Query time: 3 msec
      ;; SERVER: 172.16.0.2#53(172.16.0.2)
      ;; WHEN: Wed Jul 19 21:24:03 2017
      ;; MSG SIZE  rcvd: 197
      

      But if I try to dig against my pfSense box, the result is:

      $ dig www.raspberrypi.org
      
      ; <<>> DiG 9.8.3-P1 <<>> www.raspberrypi.org
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 18813
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
      
      ;; QUESTION SECTION:
      ;www.raspberrypi.org.		IN	A
      
      ;; Query time: 1 msec
      ;; SERVER: 172.16.0.1#53(172.16.0.1)
      ;; WHEN: Wed Jul 19 21:23:46 2017
      ;; MSG SIZE  rcvd: 37
      

      Of course, if I replace the URL with one of these IPs, I can reach the website perfectly.

      I can't understand why… Can someone help me?

      Great Wall (pfSense 2.4.3)
      Asrock H110M-ITX || Intel® Pentium G4400T || Crucial 4GB DDR4 || HP NC360T || CoolerMaster Elite 110
      Bunker (FreeNAS 11.1-U4)
      Supermicro X9SRA || Intel® Xeon® E5-2670 SR0KX 2.60GHz || Kingston DDR3-16GB ECC || Antec One

      WAN: Vodafone FTTH (D:934mbps - U:195mbps) ~ Ping: 7ms

      • johnpoz LAYER 8 Global Moderator

        "I just setup my pfSense to query my Pi-Hole run on my raspberry"

        You did that via dnsmasq (the forwarder) or unbound (resolver in forwarder mode)?

        Why would you not just set your clients to query your pihole directly, and then send pihole to pfsense where pfsense is in resolver mode?

        You are getting SERVFAIL. That could mean quite a few things - look at your logs on pfsense, up the logging level of whatever you're using, forwarder or resolver.  For all we know you installed the bind package and are using that?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

        • Jacopx

          @johnpoz:

          "I just setup my pfSense to query my Pi-Hole run on my raspberry"

          You did that via dnsmasq (the forwarder) or unbound (resolver in forwarder mode)?

          Why would you not just set your clients to query your pihole directly, and then send pihole to pfsense where pfsense is in resolver mode?

          You are getting SERVFAIL. That could mean quite a few things - look at your logs on pfsense, up the logging level of whatever you're using, forwarder or resolver.  For all we know you installed the bind package and are using that?

          I did that because I had some problems with the VPN and the DNS. But I have changed my settings as you suggested.

          LAN --> Pi-Hole --> (OpenDNS1, OpenDNS2, pfSense fwm)
          pfSense --> (OpenDNS1, OpenDNS2)

          Or are you suggesting removing the OpenDNS entry from the Pi-Hole and leaving all the querying to pfSense?

          • johnpoz LAYER 8 Global Moderator

            If your pihole queries opendns, how would you resolve local stuff?  I.e. any override you have set in pfsense, any dhcp clients you have registering in pfsense, etc.

            Make sure you uncheck to forward reverse for rfc1918, on your pihole under advanced dns as well.  Or it will not forward PTR queries for rfc1918 addresses.

            You should not set up anything to query multiple dns that do not resolve the same thing. You can never be sure which one will be asked or return an answer first, etc.  So if I ask some public dns for local shit you will get back nx, etc.  And not resolve your local stuff, so if you set up something that resolves local and something that does not.. Maybe when you're looking for something local your public gets asked and now your query fails.

            So if you want to resolve local, then ALWAYS and only ask your local - let it forward or resolve stuff that is not local.

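
An added example, not part of any post in this thread: a small checker that parses dig output captured from each configured server and reports the names on which they disagree, which is the situation the advice above warns about. The first two captures are abbreviated from the thread's own dig output; the other two are constructed, with `nas.home.lan` as a hypothetical local host and `192.0.2.53` as a documentation-range placeholder for a public resolver.

```python
import re
from collections import defaultdict

# Captures 1-2: abbreviated from the thread. Captures 3-4: constructed samples
# (hypothetical local name, placeholder address for a public resolver).
DIG_CAPTURES = [
    """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31916
;www.raspberrypi.org.    IN  A
www.raspberrypi.org. 228 IN CNAME lb.raspberrypi.org.
lb.raspberrypi.org.  229 IN A 46.235.227.11
;; SERVER: 172.16.0.2#53(172.16.0.2)""",
    """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 18813
;www.raspberrypi.org.    IN  A
;; SERVER: 172.16.0.1#53(172.16.0.1)""",
    """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;nas.home.lan.           IN  A
nas.home.lan.       3600 IN A 172.16.0.10
;; SERVER: 172.16.0.1#53(172.16.0.1)""",
    """;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2
;nas.home.lan.           IN  A
;; SERVER: 192.0.2.53#53(192.0.2.53)""",
]

def parse_dig(text):
    """Extract server, question name, rcode and address records from dig output."""
    status = re.search(r"status: (\w+)", text).group(1)
    server = re.search(r"^;; SERVER: ([^#\s]+)", text, re.M).group(1)
    qname = re.search(r"^;(\S+)\s+IN\s+\S+", text, re.M).group(1).lower()
    rows = (line.split() for line in text.splitlines() if not line.startswith(";"))
    answers = {p[4] for p in rows if len(p) == 5 and p[3] in ("A", "AAAA")}
    return {"server": server, "qname": qname, "status": status, "answers": answers}

def find_divergent(captures):
    """Return (name, [(server, rcode), ...]) for names the servers disagree on."""
    by_name = defaultdict(list)
    for text in captures:
        result = parse_dig(text)
        by_name[result["qname"]].append(result)
    findings = []
    for qname, results in by_name.items():
        # Compare rcode and "returned an address", not the exact address set:
        # load-balanced names legitimately return different A records.
        outcomes = {(r["status"], bool(r["answers"])) for r in results}
        if len(outcomes) > 1:
            findings.append((qname, sorted((r["server"], r["status"]) for r in results)))
    return sorted(findings)

if __name__ == "__main__":
    for name, servers in find_divergent(DIG_CAPTURES):
        print(name, servers)
```
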
            • Jacopx

              @johnpoz:

              Make sure you uncheck to forward reverse for rfc1918, on your pihole under advanced dns as well.  Or it will not forward PTR queries for rfc1918 addresses.

              Does this checkbox need to be checked or not? This double negation left me in doubt…

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.