DNS Resolver Host Override not working
-
I have configured host overridde, the thing is if I start the computer it doesnt work but If I go to pfsense and edit the host override without doing any change and click on save and apply, suddently it works. Then for now reason It stops working.
Apparently while it doesnt work I get a DNS rebinding error, and it looks like is trying to use pfsense cert to access to this website, and a nslookop resolvers the pfsense IP.
When It works I get this
I'm trying to access to an nginx webserver
I'm using pfblockerng in case it means something, I think it restarts the DNS service everytime it updates
-
When it doesn't work it resolves the public IP despite it is configure to resolve a local IP.
This is the config
-
Some words have already been posted about xxxx.duckdns.org (or any DDNS for that matter).
I wouldn't make a host over ride like this :
=> No host ???????
Your Resolver has become a 'no-brain' forwader (thenn why not using the dnsmasq forwarder ?):
What happens is :
Your xxx.duckdns.org resolver requests are forwarded ... (send away, upstream)
The upstream request "wins" and your answer will be wrong.The answer will be cached - and your local host override, coming in later in the list will always "loose".
Start by using the resolver as a resolver and you'll be ok.
Repair also your host override - it really looks strange to me. -
also, use localhost or all interfaces for outgoing traffic.
-
@gertjan
now it's like this
I use resolver because I can configure DNSSEC
@bahsig what do you mean exactly?
-
your outgoing network interface in dns resolver shows wan only. change this to “all“ or “localhost“. and disable forwarding mode.
-
@bahsig said in DNS Resolver Host Override not working:
an only. change this to “all“ or “localhost“. and
Now outgoing network interfaces is set in ALL but still doesnt work.
My question is, can this work without disabling the fordwarding mode? This configuration worked for me in the past but I don't know why now is failing
I guess that my DNS request will be faster in forwarding mode using 1.1.1.1 than in resolver. -
@l0rdraiden said in DNS Resolver Host Override not working:
I guess that my DNS request will be faster in forwarding mode using 1.1.1.1 than in resolver.
Impossible.
Check the file /etc/hosts
There is your host override - so it's already in the resolver cache.And if you try to resolve nxxxx.duckdns.org upstream you wind up having the wrong IP - of course.
Btw : Forwarding ok, but forget about DNSSEC then, as discussed many times already.
-
Now I am using DNS resolver as you said with forwarding disable, still the host override works for a while and then it starts to resolve the public IP instead the local IP. What is causing this?
The thing is if I change any settings in the DNS resolver and then I apply changes the host override works, and then it stops working. So I think something else is causing this.
When I try to resolve the domain in a browser in pfsense logs appears this (i have added the ***)
Jan 29 08:18:32 pfsense.homelocal nginx: 2019/01/29 08:18:32 [error] 83403#100162: 262 open() "/usr/local/www/index.php/204" failed (20: Not a directory), client: 192.168.1.30, server: , request: "GET /index.php/204 HTTP/1.1", host: "ne*********.duckdns.org"
Jan 29 08:03:07 pfsense.homelocal nginx: 2019/01/29 08:03:07 [error] 83100#100167: 260 open() "/usr/local/www/ocs/v1.php/cloud/user" failed (2: No such file or directory), client: 192.168.1.30, server: , request: "GET /ocs/v1.php/cloud/user?format=json HTTP/1.1", host: "tc***s.duckdns.org"
-
@l0rdraiden said in DNS Resolver Host Override not working:
I use resolver because I can configure DNSSEC
But if your forwarding you throw that out anyway... The resolver is where dnssec happens, if your forwarding its pointless to ask for dnssec info, etc. Your adding extra traffic for no reason.
Are you using proxy? Or HA proxy?
What do you have pfsense pointing to for dns? It should only post to loopback if you want it to use your overrides.@bahsig said in DNS Resolver Host Override not working:
your outgoing network interface in dns resolver shows wan only. change this to “all“ or “localhost“. and disable forwarding mode.
There is no reason to change his outgoing to ALL.. And unless he is using multiple wan, he could for sure just use wan and not have to have localhost selected for outgoing. What is your reasoning behind having to have localhost selected for the outgoing interface?
-
@johnpoz said in DNS Resolver Host Override not working:
@l0rdraiden said in DNS Resolver Host Override not working:
I use resolver because I can configure DNSSEC
But if your forwarding you throw that out anyway... The resolver is where dnssec happens, if your forwarding its pointless to ask for dnssec info, etc. Your adding extra traffic for no reason.
Are you using proxy? Or HA proxy?
What do you have pfsense pointing to for dns? It should only post to loopback if you want it to use your overrides.
But when I use forwarding to a server like 1.1.1.1 DNSSEC works.
I'm using nginx with letsencrypt, right now the DNS is working as a resolver and the host override is pointing to the nginx server.
I am using suricata and pfblockerng in case this matters.The funny thing is that If I edit the host override or a setting in the DNS resolver it works for a while, it resolves 192.168.1.220 and then after 15-20 mins or so it resolves again the public IP.
This was working well in the past but I can't remember what I have changed in order to break it, I will try to disable pfblockerng to see if it changes the behavior.
-
@l0rdraiden said in DNS Resolver Host Override not working:
But when I use forwarding to a server like 1.1.1.1 DNSSEC works.
If where you forward to does dnssec - then yeah you get dnssec, you don't have to have it checked.. The resolver is what does dnssec.. You asking for it or not asking for it has nothing to do with it the resolver does it or not.
-
But do you know why the host override works for a while and then stops working?
-
Not off the top... Trying to figure out what that error is you posted. That is pfsense trying to get something with nginx?
Do you have pfsense pointing to anything other than localhost for dns?
In your system widget what does it show for dns?
-
- Yes but I don't know what is trying to get
- No, DNS general settings is empty and the DNS in the clients is the pfsense IP
- enable up and running.
BTW I have disable pfblockerng and now it works fine... so I guess is some kind of incompatibility. I will try to report it to see if I get the dev to read this thread.
-
@johnpoz said in DNS Resolver Host Override not working:
That is pfsense trying to get something with nginx?
Yeah, what is this :
@l0rdraiden said in DNS Resolver Host Override not working:
...... open() "/usr/local/www/index.php/204" failed (20: Not a directory), client: 192.168.1.30, server: , request: "GET /index.php/204 HTTP/1.1", host: "ne*********.duckdns.org"
.... open() "/usr/local/www/ocs/v1.php/cloud/user" failed (2: No such file or directory), client: 192.168.1.30, server: , request: "GET /ocs/v1.php/cloud/user?format=json HTTP/1.1", host: "tc***s.duckdns.org"/index.php/204 => this doesn't exists on pfSense (the web server / files ).
//ocs/v1.php/cloud/user => same thing.Just the browser who 'thinks' it's connected to some site, but redirected to the pfSense webroot, and obtaining a "non - not here".
-
@Gertjan you think that is something to do with his host override trying to ask pfsense for something... I can not really tell what that error is without more context.
-
Realy, .... dono.
I guess @l0rdraiden want to reach a local server (coming from local), the server he exposes on the Internet using a duckdns.org DDNS domain name.
Local host overrides always worked for me, using the default Resolver. -
yup zero issue with them.. But I don't see how an error on pfsense for nginx has anything to do with unbound?
-
IMHO, the errors are cached URL's in a browser, that thinks it's connected to a webserer (dsame URL) but it is connected to the GUI (or portal web server).
It's hitting the server (nginx) with the stored URL's and nginx is complaining about it.
I see this all the time on my own web servers : the most strange page requests are popping up - and errored out by the web server.