Netgate Discussion Forum
    pfSense fails to provide a DNS response.

    DHCP and DNS
    6 Posts 2 Posters 958 Views
    TomT

      Hi
      I've got an application running on a Linux server that looks at an email address, splits it down to the domain name, then sends a DNS query out to find the relevant MX records for the domain.

      With pfSense acting as my DNS server (resolver, not forwarder) I get no response back so no MX records are found.

      However, if I download and enable Simple DNS Plus (https://simpledns.com) on a PC on the network then I get a response from this and MX results.

      I've run a Wireshark trace on the Linux server capturing what is sent out and what is replied to by Simple DNS Plus.

      192.168.1.2 is the Linux Server
      192.168.1.5 is the PC on the LAN.

      597	2018-07-18 11:00:18.125994	192.168.1.2	57231	255.255.255.255	53	DNS	Standard query 0x0001 MX domain.co.uk	73
      598	2018-07-18 11:00:18.126844	192.168.1.5	53	192.168.1.2	57231	DNS	Standard query response 0x0001 MX domain.co.uk MX 10 mail2.domain.co.uk MX 5 mail.domain.co.uk A 195.61.28.1 A 195.61.28.1	148
      599	2018-07-18 11:00:18.128494	192.168.1.2	25846	255.255.255.255	53	DNS	Standard query 0x0001 A mail2.domain.co.uk	79
      600	2018-07-18 11:00:18.128945	192.168.1.5	53	192.168.1.2	25846	DNS	Standard query response 0x0001 A mail2.domain.co.uk A 195.61.28.1	95

      Is it possible to have pfSense respond to these requests?
      Thanks

      jimp (Rebel Alliance Developer, Netgate)

        I get MX responses from the DNS Resolver just fine here. There may be something else about the queries making them fail. Anything in the resolver log? Any special options changed in the DNS resolver (is it checking DNSSEC, for example)?

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        TomT

          Thanks for replying.

          From my Linux box 192.168.1.2

          I've run nslookup and confirmed the DNS server config, then run an MX lookup.

          nslookup

          > server
          Default server: 192.168.1.1
          Address: 192.168.1.1#53
          Default server: 8.8.8.8
          Address: 8.8.8.8#53
          Default server: 127.0.0.1
          Address: 127.0.0.1#53
          
          > set q=MX
          
          > domain.co.uk
          Server:         192.168.1.1
          Address:        192.168.1.1#53
          
          Non-authoritative answer:
          domain.co.uk   mail exchanger = 5 mail.domain.co.uk.
          domain.co.uk   mail exchanger = 10 mail2.domain.co.uk.
          
          Authoritative answers can be found from:
          mail2.domain.co.uk     internet address = 195.61.28.1
          mail.domain.co.uk      internet address = 195.61.28.1
          

          To me that suggests that 192.168.1.1 (pfSense) has replied, but I don't see any reference to domain.co.uk in the logs.

          I think the issue is how the application does the DNS lookup. It starts by sending a broadcast out, and Simple DNS Plus will respond to that, but pfSense doesn't.

          17:49:13.577 [mailer] DNSEntry::Lookup - '255.255.255.255' adding...
          17:49:13.577 [mailer] DNS: 845874dbg3 DnsLookup - send
          17:49:13.577 [845874dbg3] DNSEntry::Thread - '255.255.255.255' requesting...
          17:49:13.577 [845874dbg3] DNSEntry::Thread - '255.255.255.255' address 255.255.255.255 found
          17:49:13.578 [mailer] 0000  00 01 01 00 00 01 00 00 00 00 00 00 07 64 6f 6d  .............dom
          17:49:13.578 [mailer] 0010  61 69 6e 2e 63 6f 2e 75 6b 00 00 0f 00 01     	ain.co.uk.....
          17:49:13.578 [845874dbg3] 12 AsyncSocket::DNSResult - address for 255.255.255.255 is 255.255.255.255
          
          This is what is shown when Simple DNS Plus replies:
          
          17:55:28.740 [mailer] DNS: 845874dbg3 DnsLookup - send
          17:55:28.740 [mailer] Buf: buf 0xf6ff2560, data=0xf6ff2c79, size 1740, len 31, age 0s, ptr (nil)
          17:49:13.578 [mailer] 0000  00 01 01 00 00 01 00 00 00 00 00 00 07 64 6f 6d  .............dom
          17:49:13.578 [mailer] 0010  61 69 6e 2e 63 6f 2e 75 6b 00 00 0f 00 01     	ain.co.uk.....
          17:55:29.085 [mailer] DNS: 845874dbg3 DnsLookup - receive
          17:55:29.085 [mailer] Buf: buf 0xf6f95414, data=0xf6f9566e, size 600, len 106, age 0s, ptr 0x80f12a8 ((null)) [0.0.0.0:55212,192.168.1.5:53]
          

          Once the IP Address for the DNS server is known, the application queries it as normal.

          Any ideas how to do this?
          Thanks

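As an added example (this is not code from the thread, from the mailer application, or from pfSense), the following Python script builds and parses a DNS query in the wire format the application's hex dump shows: a 12-byte header with ID 0x0001 and flags 0x0100 (recursion desired, QDCOUNT 1), a QNAME made of length-prefixed labels ending in a zero byte, then QTYPE 0x000f (MX) and QCLASS 0x0001 (IN). The name example.co.uk is a placeholder, not the poster's domain; because its first label is 7 characters, the encoded query is 31 bytes, the same length the application's buffer log reports. The function names are this example's own.

```python
import struct

QTYPE_MX = 15      # 0x000f, the "00 0f" at the end of the dump
QCLASS_IN = 1      # 0x0001
FLAG_QR = 0x8000   # set in responses, clear in queries
FLAG_RD = 0x0100   # recursion desired; the dump's flags word is 0x0100

# Placeholder name (an assumption, not the poster's real domain). Its first
# label is 7 characters, so the whole query comes to 31 bytes.
SAMPLE_NAME = "example.co.uk"


def encode_name(name):
    """Encode a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=QTYPE_MX, txid=1, rd=True):
    """Header (ID, flags, QDCOUNT=1, AN/NS/ARCOUNT=0) followed by one question."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD if rd else 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def decode_name(buf, offset):
    """Read labels starting at offset; returns (dotted name, offset after the name)."""
    labels = []
    while True:
        if offset >= len(buf):
            raise ValueError("truncated name")
        length = buf[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0:
            raise ValueError("compression pointer where a plain label was expected")
        labels.append(buf[offset:offset + length].decode("ascii"))
        offset += length


def parse_query(buf):
    """Validate a query packet and return its header bits and question."""
    if len(buf) < 12:
        raise ValueError("shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    if flags & FLAG_QR:
        raise ValueError("QR bit set: this is a response, not a query")
    if qd != 1:
        raise ValueError(f"expected one question, got {qd}")
    name, off = decode_name(buf, 12)
    if len(buf) < off + 4:
        raise ValueError("truncated question section")
    qtype, qclass = struct.unpack("!HH", buf[off:off + 4])
    return {"id": txid, "rd": bool(flags & FLAG_RD), "qname": name,
            "qtype": qtype, "qclass": qclass, "length": len(buf)}


def hexdump(buf):
    """Render bytes in the same "offset  hex  ascii" layout as the application log."""
    lines = []
    for off in range(0, len(buf), 16):
        chunk = buf[off:off + 16]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hexpart:<47}  {text}")
    return "\n".join(lines)


if __name__ == "__main__":
    q = build_query(SAMPLE_NAME)
    print(hexdump(q))
    print(parse_query(q))
```

Running it prints a dump whose first twelve bytes match the application's header (00 01 01 00 00 01 00 00 00 00 00 00) and parses back to an MX/IN question; nothing in the packet itself says where it should be sent, which is why a query like this only gets an answer if the destination address is one a resolver actually listens on.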
          TomT

            I've run a packet capture on the LAN interface of pfSense with the host as 255.255.255.255.

            18:04:08.974522 IP 192.168.1.2.52232 > 255.255.255.255.53: UDP, length 31
            18:04:13.978787 IP 192.168.1.2.50050 > 255.255.255.255.53: UDP, length 31
            

            So it does look like the request is getting to pfSense... so why is DNS not responding?

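A capture like the one above is exactly where this class of problem shows up: DNS queries arriving on the LAN interface addressed to a broadcast address rather than to the resolver. The following Python script (an added example, not part of the thread or of pfSense) parses tcpdump-style lines of that shape and flags UDP/53 traffic sent to the limited broadcast address 255.255.255.255 or to the LAN's directed broadcast address. It goes slightly beyond the thread by also catching the directed-broadcast case. The two capture lines from the post are reused as sample input; the two further lines, the LAN prefix 192.168.1.0/24 and the function names are constructed assumptions.

```python
import ipaddress
import re

# Sample input. The first two lines are the poster's capture lines from this
# thread; the third (unicast to the pfSense LAN address) and fourth (directed
# broadcast from another host) are constructed for contrast.
SAMPLE_CAPTURE = """\
18:04:08.974522 IP 192.168.1.2.52232 > 255.255.255.255.53: UDP, length 31
18:04:13.978787 IP 192.168.1.2.50050 > 255.255.255.255.53: UDP, length 31
18:04:20.101010 IP 192.168.1.2.41000 > 192.168.1.1.53: UDP, length 31
18:04:25.000000 IP 192.168.1.7.40001 > 192.168.1.255.53: UDP, length 31
"""

# "<time> IP <src>.<sport> > <dst>.<dport>: UDP, length <n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)"
)


def parse_line(line):
    """Return the fields of one capture line, or None if it is not a UDP line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "len"):
        rec[key] = int(rec[key])
    return rec


def is_broadcast(dst, lan):
    """True for the limited broadcast address or the LAN's directed broadcast."""
    addr = ipaddress.ip_address(dst)
    return addr == ipaddress.ip_address("255.255.255.255") or addr == lan.broadcast_address


def find_broadcast_dns(capture_text, lan_cidr="192.168.1.0/24"):
    """Return the records of DNS (UDP/53) queries sent to a broadcast address."""
    lan = ipaddress.ip_network(lan_cidr)
    findings = []
    for line in capture_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] != 53:
            continue
        if is_broadcast(rec["dst"], lan):
            findings.append(rec)
    return findings


def summarize(findings):
    """Count flagged queries per source host, which is what you need to chase."""
    counts = {}
    for rec in findings:
        counts[rec["src"]] = counts.get(rec["src"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_broadcast_dns(SAMPLE_CAPTURE)
    for rec in hits:
        print(f'{rec["ts"]} {rec["src"]} -> {rec["dst"]}:53 broadcast DNS query')
    print(summarize(hits))
```

On the sample input the unicast query to 192.168.1.1 is left alone and the three broadcast queries are reported per source host; the hosts it names are the clients whose resolver configuration (or application) needs looking at, since a unicast resolver will never answer them.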
            jimp (Rebel Alliance Developer, Netgate)

              pfSense doesn't listen for broadcast DNS requests like that. The application must actually send the DNS request to the pfSense IP address in that segment. The application is broken if it isn't, or something in the host OS isn't respecting the DNS configuration. It's 100% a client issue.

              The other DNS server only works because it supports broadcast DNS, so it's enabling the broken behavior.


              TomT

                Thanks
                I'll try to get in touch with the app devs and see why it's configured this way.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.