No DNS resolution on LAN
-
Hi,
I have some troubles with DNS resolution on the pfSense LAN.
I've added a PASS ALL rule in the firewall. I can access a web site by IP address, but there is no DNS resolution. I can ping 8.8.8.8, and if I launch dig @8.8.8.8 google.com it works. However, if I launch dig google.com it doesn't work. Ping google.com returns unknown host google.com, and Firefox can't resolve domains.
DNS queries can pass the firewall, so it's not a firewall issue, but I have no idea why there is no DNS resolution. If you have any idea!
Thanks in advance.
Kind regards;
Alexis
-
So obviously the DNS server you use on the client can't resolve public names or is not reachable.
Do you provide DNS server by DHCP? Which DNS is used on the client?
-
Yes, I have configured DHCP for LAN, I made two tests, one with the DNS servers from my ISP and one with Google public DNS (8.8.8.8 / 8.8.4.4).
I think the DNS resolver of the client is working, because when I plug the client directly into the WAN network the resolution is working. (The client is a Debian Jessie.)
-
So what DNS is requested by the client if you don't state a server? A public one or the pfSense DNS Resolver / Forwarder?
The dig output will reveal which server is requested.
Is the access to the DNS server permitted by firewall rules?
-
The DHCP configuration provides 8.8.8.8 and 8.8.4.4 as DNS servers. Confirmed with nmcli dev show.
I ran a tcpdump to monitor dig requests, and if I don't state a server dig doesn't send a request. It's weird behaviour, because when I plug the client into the pfSense I can see that the client is sending a request to 8.8.8.8 for A detectportal.firefox.com, so if the client is using 8.8.8.8 then the DHCP configuration is correct. I have no idea what is wrong.
The firewall is allowing access to DNS, because when I state a server the resolution is working.
-
That's very strange.
I guess there is something wrong with your client. Have you tried another one? Are you sure it uses Network Manager?
-
I have tried with another client (Windows) and it works perfectly! There is an issue with my first client, but my solution is designed to work with Windows clients, so I will not investigate further for now.
Thank you for your time and your answers!
Have a nice day.
-
@alexis-girardi said in No DNS resolution on LAN:
if I don’t state a server dig doesn’t send a request
What version of dig are you using? I have seen this on 9.12 versions if DNS is not in the resolv.conf file, etc., on Windows. I have not tried 9.12 on other OSes. So you have to place a default NS in this file.
If you want to validate client DNS resolution, you should use its built-in client. Something as simple as a ping, for example, to validate it can resolve.
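The two checks the replies point at (does resolv.conf actually name a server, and which server does dig report in its ";; SERVER:" line) can be scripted so the comparison is mechanical. This is an added example and not code posted by anyone in the thread; the resolv.conf contents and the dig output below are constructed samples, not captures from the poster's Debian client, and the 203.0.113.10 answer is a documentation address.

```shell
#!/bin/sh
# Added example (not from the thread): compare the nameservers a client
# has configured with the server dig says it actually queried.

# Print the nameserver entries from resolv.conf-style text on stdin,
# skipping comments, "search"/"options" lines and blank lines.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }'
}

# Extract the server from dig's ";; SERVER: 8.8.8.8#53(8.8.8.8)" line.
# Prints nothing when dig never sent a query (no SERVER line at all).
dig_server() {
    sed -n 's/^;; SERVER: \([^#]*\)#.*/\1/p'
}

# Constructed sample inputs.
RESOLV_OK='# Generated by NetworkManager
nameserver 8.8.8.8
nameserver 8.8.4.4'

# A resolv.conf with no nameserver at all: dig without @server has
# nowhere to send the query, which matches the "no request" symptom.
RESOLV_EMPTY='# Generated by NetworkManager
search lan'

DIG_OUT=';; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             299     IN      A       203.0.113.10

;; Query time: 12 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)'

# Verdict: NO_NAMESERVER if resolv.conf names none, NO_SERVER_LINE if dig
# reported no server, MISMATCH if dig used a server resolv.conf does not
# list, otherwise "OK <server>". Non-zero exit on anything but OK.
diagnose() {
    ns=$(printf '%s\n' "$1" | resolv_nameservers)
    if [ -z "$ns" ]; then
        echo "NO_NAMESERVER"
        return 1
    fi
    used=$(printf '%s\n' "$2" | dig_server)
    if [ -z "$used" ]; then
        echo "NO_SERVER_LINE"
        return 1
    fi
    if printf '%s\n' "$ns" | grep -qx "$used"; then
        echo "OK $used"
    else
        echo "MISMATCH $used"
        return 1
    fi
}

# Stand-alone usage against the constructed samples:
diagnose "$RESOLV_OK" "$DIG_OUT"
diagnose "$RESOLV_EMPTY" "$DIG_OUT" || true
```

On a real client you would feed it `cat /etc/resolv.conf` and `dig google.com` instead of the samples; a NO_NAMESERVER verdict while nmcli shows DHCP-supplied servers points at the resolver configuration (resolv.conf not being written by NetworkManager), not at pfSense or the firewall rules.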