Netgate Discussion Forum
All domains resolve to pfSense GUI

DHCP and DNS
23 Posts 3 Posters 1.6k Views
    Halfhidden
    last edited by Jun 25, 2021, 3:21 PM

    I've taken advice from this forum and, after weeks of chasing my tail, I set up pfSense with a simple setup:

    ESXi 6.7 (host)
    pfSense running as DHCP server
    I'd already configured the LAN and WAN and group
    and this is connected through a switch to all of the NICs on the server.
    Internet access is through an ONC and pfSense is running this through PPPoE as a router.

    Right, pfSense binds with the local LAN and gives it an address from the local DHCP pool. Also ESXi is given an IP from the same pool. There are no other DHCP servers involved other than pfSense.
    The WAN port is recognised and shows the correct static IP address from the ONC.
    Internet access is live and working well.

    I've just punched a hole through the firewall just to get all traffic through for now.
    I've also set pfSense to use external DNS and set that to 8.8.8.8 and 8.8.4.4.

    My issue is that when I set up either a subdomain demo.foo.co.uk through the DNS Resolver, it resolves to the pfSense web GUI. The same happens if I set up a domain (foo.com); that too resolves to the pfSense web GUI.

    I'm guessing that DNS can't reach the local IP and therefore can't resolve to the VPN client I've pointed the resolver to.

    As far as I can see the DNS is set up correctly for those domains with freedns.

    What have I done wrong please?

      KOM @Halfhidden
      last edited by Jun 25, 2021, 5:28 PM

      @halfhidden said in All domains resolve to pfSense GUI:

      I've just punched a hole through the firewall just to get all traffic through for now.

      You shouldn't have had to do that. Initial LAN rules allow all access by default.

      I'm guessing that DNS can't reach the local IP and therefore can't resolve to the VPN client I've pointed the resolver to.

      DNS doesn't care if the system is up or not. It just translates FQDNs to IP addresses.

      What have I done wrong please?

      Post a screenshot of your DNS Resolver Host Overrides.

        Halfhidden
        last edited by Jun 25, 2021, 6:16 PM

        The firewall was blocking traffic from WAN through. I know I have to configure it correctly.

        Here is a screenshot of the only resolvers I've added (override1.jpg). At the moment I've only set this up as a test.

        Thanks for the reply :)

          KOM @Halfhidden
          last edited by Jun 25, 2021, 7:23 PM

          @halfhidden You're saying that if you use a LAN client to do a lookup of esxi.blerg.co.uk, it returns 192.168.1.1?

            Halfhidden
            last edited by Jun 25, 2021, 7:49 PM

            No, if I do it at LAN level it resolves correctly to the FQDN, but if I try to do this from outside the LAN (another computer on the internet) it resolves back to the GUI of pfSense.

              johnpoz LAYER 8 Global Moderator @Halfhidden
              Jun 25, 2021, 7:52 PM (last edited by johnpoz Jun 25, 2021, 7:54 PM)

              @halfhidden said in All domains resolve to pfSense GUI:

              (another computer from the internet) it resolves back to the GUI of

              Well normally, yeah, FQDNs that are publicly resolving resolve to a public IP..

              but esxi.blerg.co.uk does not resolve on the public internet.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

                KOM @Halfhidden
                last edited by Jun 25, 2021, 7:55 PM

                @halfhidden What is the authoritative DNS for your blerg.co.uk domain? That is where you make your DNS changes. Why are you trying to resolve that host to a LAN IP? Clients on the Internet won't be able to route to it.

                  johnpoz LAYER 8 Global Moderator @KOM
                  last edited by Jun 25, 2021, 8:02 PM

                  SOA for that is ns2.mythic-beasts.com

                    KOM @johnpoz
                    last edited by Jun 25, 2021, 8:06 PM

                    @johnpoz I was only using blerg.co.uk as a made-up placeholder for his obscured domain.

                      johnpoz LAYER 8 Global Moderator @Halfhidden
                      Jun 25, 2021, 8:06 PM (last edited by johnpoz Jun 25, 2021, 8:06 PM)

                      @halfhidden said in All domains resolve to pfSense GUI:

                      I'm guessing that DNS can't reach the local IP and therefore can't resolve to the VPN client I've pointed the resolver to.

                      Where are you pointing the VPN client to? If it's the IP pfSense's unbound is listening on, you will have to adjust your ACLs in unbound to allow the tunnel IP your VPN client is using to be able to query it.

                      edit: where did you come up with blerg? ;) foo is a common obfuscation sort of name ;) hehehe

                        KOM @johnpoz
                        last edited by Jun 25, 2021, 8:09 PM

                        @johnpoz To each their own. foo didn't occur to me even though I've seen it a zillion times.

                          johnpoz LAYER 8 Global Moderator @KOM
                          last edited by Jun 25, 2021, 8:17 PM

                          blerg? hehee - we could see if we could get that added to the wiki page ;)

                          https://en.wikipedia.org/wiki/Metasyntactic_variable

                            KOM @johnpoz
                            last edited by Jun 25, 2021, 8:24 PM

                            @johnpoz I think it's funny that there just happens to be a blerg.co.uk.

                              Halfhidden
                              last edited by Jun 25, 2021, 9:11 PM

                              @johnpoz said in All domains resolve to pfSense GUI:

                              Where are you pointing the VPN client to? If it's the IP pfSense's unbound is listening on, you will have to adjust your ACLs in unbound to allow the tunnel IP your VPN client is using to be able to query it.

                              This is what I've done. I've not altered the ACLs at all.
                              Thanks both of you.
                              Really appreciate your help.

                                KOM @Halfhidden
                                last edited by Jun 25, 2021, 9:47 PM

                                @halfhidden Well, I don't know what exactly you're trying to accomplish and you didn't answer any of my last questions so I'm not sure how much more helpful I can be. Maybe if you start from the beginning and explain what you want to do.

                                  johnpoz LAYER 8 Global Moderator @KOM
                                  last edited by Jun 25, 2021, 9:48 PM

                                  @kom I took his last reply to mean that he fixed his ACLs and it is now working how he wants.

                                    KOM @johnpoz
                                    last edited by Jun 25, 2021, 10:03 PM

                                    @johnpoz If so then good. As long as it works.

                                      Halfhidden
                                      Jun 26, 2021, 12:06 PM (last edited by Halfhidden Jun 26, 2021, 12:11 PM)

                                      OK, I apologise for this. I honestly thought I'd fixed this. Clearly I've made no change to the situation.
                                      After reaching for the Jack Daniel's to celebrate a small victory, I realised I was actually testing the domains from a laptop that was connected to the internal DHCP of pfSense, and yes, the domains resolved, but from external requests they don't.

                                      "What is the authoritative DNS"
                                      The DNS is set with http://freedns.centos-webpanel.com/
                                      I've only set the @ "A" record to the static IP from my ISP and www "CNAME" to @ (and basic settings for FTP, MX and so on).
                                      I'm trying to resolve the domain cloud.lescudjack.co.uk to an internal IP of 192.168.1.108, which is a Nextcloud VPN on ESXi 6.7.
                                      I'm also trying to resolve the domain lescudjack.co.uk to an internal IP 192.168.1.101, which is the internal IP for ESXi.

                                      Right now, if I connect to the network that pfSense issues DHCP from, I can type in those domains and they resolve to the correct domain name and are completely accessible. If I try the same from a computer not connected to the internal pfSense network, then the same domain names do resolve to the domain, but instead of seeing the VPN as expected, I get this:

                                      As an example, cloud.lescudjack.co.uk should resolve to the Nextcloud VPN; it resolves to the main GUI of pfSense instead.

                                      In DNS Resolver/Access Lists I added the subdomain for cloud.lescudjack.co.uk and then put in the local IP and allowed the rule.

                                      I know the domain and IPs shouldn't be posted on open forums, but if this is resolved then the domain will be used elsewhere (change DNS) and the internal IPs changed to a different subnet.

                                        KOM @Halfhidden
                                        last edited by Jun 26, 2021, 12:17 PM

                                        @halfhidden Clients from the Internet can't route to private IP addresses. Even if you set your external DNS to reply to those queries with 192.168.x.y, clients won't be able to go there.

                                        What are you trying to do?

                                        For example, if you're trying to get Internet clients to be able to reach a server on your LAN, you do that via a NAT port-forward.

                                          Halfhidden
                                          last edited by Jun 26, 2021, 12:22 PM

                                          @kom said in All domains resolve to pfSense GUI:

                                          What are you trying to do?
                                          For example, if you're trying to get Internet clients to be able to reach a server on your LAN, you do that via a NAT port-forward.

                                          Yes, that is what I'm trying to achieve, but I'm keen not to have to do this by way of ports, where the user (internet-side user) has to add a port to the end of the domain.
                                          Example: cloud.lescudjack.co.uk:2003

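As an added illustration of the point KOM makes (this is not code from the thread or from pfSense), the Python model below traces where a connection to cloud.lescudjack.co.uk ends up from the LAN versus from the Internet, with and without a NAT port-forward. It assumes the documentation address 203.0.113.10 in place of the real ISP static IP, that the public subdomain also points at that WAN IP, and that the pfSense WebGUI listens on 443; the host override IPs are the ones posted in the thread.

```python
import ipaddress

# Constructed model of the thread's setup; nothing here is read from a live system.
# Host overrides that pfSense's Unbound serves only to LAN clients (from the thread).
LAN_HOST_OVERRIDES = {
    "cloud.lescudjack.co.uk": "192.168.1.108",  # Nextcloud on ESXi
    "lescudjack.co.uk": "192.168.1.101",        # ESXi host
}
# Public zone at the authoritative DNS. 203.0.113.10 is a documentation address
# standing in for the ISP static IP ("@" A record); the subdomain entry is assumed.
WAN_IP = "203.0.113.10"
PUBLIC_ZONE = {
    "lescudjack.co.uk": WAN_IP,
    "cloud.lescudjack.co.uk": WAN_IP,
    "bad.lescudjack.co.uk": "192.168.1.108",  # the mistake KOM warns against
}
WEBGUI_PORTS = {443}  # assumed: pfSense WebGUI on HTTPS
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def resolve(hostname, from_lan):
    """The answer a client sees: LAN clients get the override, everyone else the public zone."""
    if from_lan and hostname in LAN_HOST_OVERRIDES:
        return LAN_HOST_OVERRIDES[hostname]
    return PUBLIC_ZONE.get(hostname)


def destination(hostname, port, from_lan, port_forwards):
    """Where a TCP connection to hostname:port terminates, as (ip, port, outcome).

    port_forwards maps a WAN port to (lan_ip, lan_port), i.e. a NAT port-forward rule.
    """
    ip = resolve(hostname, from_lan)
    if ip is None:
        return (None, None, "nxdomain")
    if from_lan:
        return (ip, port, "lan-direct")
    if any(ipaddress.ip_address(ip) in net for net in RFC1918):
        # An RFC 1918 answer handed to Internet clients is useless: they cannot route to it.
        return (ip, port, "private-unroutable")
    if ip == WAN_IP:
        if port in port_forwards:
            lan_ip, lan_port = port_forwards[port]
            return (lan_ip, lan_port, "port-forward")
        if port in WEBGUI_PORTS:
            # No forward: the permissive WAN rule lets the client land on pfSense's own GUI.
            return (ip, port, "firewall-webgui")
        return (ip, port, "firewall-no-listener")
    return (ip, port, "public-host")
```

With a forward of WAN port 443 to 192.168.1.108:443 in place, Internet users reach Nextcloud on the default HTTPS port and need no port suffix on the domain; the broad allow-all WAN rule from the first post is then unnecessary.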