DNS Resolver not overriding host



  • Hello everyone,

    In DHCP I have the following DNS Servers released to my LAN clients:
    10.65.1.182 (PFSense)
    10.65.1.1    (windows DNS server)
    10.65.1.10  (windows DNS server)

    While trying to resolve internet addresses and internal addresses everything works. I've put an override for wpad.mydomain.loc in PFSense DNS Resolver (resolver is enabled of course) but I can't resolve the address on my LAN PCs… Testing from pfsense console is working though.

    Any idea what I'm missing?

    Thanks,
    James


  • Rebel Alliance Global Moderator

    You're missing that you're handing out multiple dns to your clients.  You can never be sure which one the client will query.  Do your windows DNS have the exact same records as pfsense?

    It is a BAD idea to hand your clients name servers that do not resolve the exact same things, since you cannot control which ns your client actually asks.  If you are running AD, I would suggest that all members of your AD only point to AD dns..

    So your clients ask your pfsense for AD, what does pfsense do?  Your clients ask windows ns, do they have this same record for wpad?



    I also tried overriding DHCP on a network client pointing the DNS only to PFSense as I myself was doubting which DNS server the query was going to (even if I had set the PFSense IP as the first DNS, theoretically it should query in order).

    PFsense has no DNS records except for wpad. The reason is that I'm testing PFSense and I don't want all the rest of my network to suddenly resolve wpad and overwrite the current proxy settings so I avoided adding the wpad record to my windows network DNSs.

    Pointing to just pfsense manually should make it work, correct?


  • Rebel Alliance Global Moderator

    "theoretically it should query in order"

    No not really.. That is not how windows figures out which name server to query after it has been running and doing queries for a bit..  Here is the most important piece of the puzzle

    https://technet.microsoft.com/en-us/library/cc961411.aspx
    Name Resolution
    "The resolver keeps track of which servers answer queries more quickly, and it might move servers up or down on the list based on how quickly they reply to queries."

    This is a dated article..  What I can tell just from experience is you can never be sure which dns is going to be queried and become the go-to name server for the client.  And then depending on what sort of responses you get, NX or just timeout or Refused, etc. for different queries this all comes into play as well.

    Yes, if all you query is pfsense, and you put in an override, that is what will be returned for that query..  That is very simple to test via a simple query using your fav tool, nslookup, dig, drill, host, etc.  Or just simple ping even.



    Unfortunately that's not working though. I overrode but I'm still not resolving the only host PFSense should know.


  • Rebel Alliance Global Moderator

    What are you running on pfsense, forwarder or resolver?  A common mistake is to put the override in the wrong one ;)

    So I have an override for wpad.local.lan, the network I use, that points to loopback.. Just to stop all the noise for queries for wpad… I don't use a proxy in my network

    So attached you can see a box of mine doing a query to pfsense on 192.168.9.253 for wpad.local.lan and getting back the override I put in.




    Here is a screenshot of one of the LAN clients. As you can see PFSense is configured to override (I only have the DNS Resolver enabled, not the forwarder). In one of the command prompts you can see that the only DNS is PFSense. In the other command prompt you can see I attempt to ping to resolve a test address (I also flushed the DNS records in between just in case).
    Obviously the LAN client reaches PFSense otherwise the configuration page wouldn't be opened (in the address bar you can see that the IP is the same as the configured DNS).



  • Rebel Alliance Global Moderator

    Well, you cannot tell from just a ping what is going on..  Do a simple query with dig, or drill or nslookup for gosh sake.  Does nslookup say could not talk to ns or did you get back NX or Refused?

    nslookup
    Default Server:  pfSense.local.lan
    Address:  192.168.9.253

    wpad.local.lan
    Server:  pfSense.local.lan
    Address:  192.168.9.253

    Name:    wpad.local.lan
    Address:  127.0.0.1

    set debug in nslookup if you need to get the details.. Notice here it added my suffix local.lan because I didn't put . on the end

    wpad.local.lan
    Server:  pfSense.local.lan
    Address:  192.168.9.253

    Name:    wpad.local.lan
    Address:  127.0.0.1

    set debug
    wpad.local.lan
    Server:  pfSense.local.lan
    Address:  192.168.9.253

    ------------
    Got answer:
        HEADER:
            opcode = QUERY, id = 6, rcode = NXDOMAIN
            header flags:  response, auth. answer, want recursion, recursion avail.
            questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
            wpad.local.lan.local.lan, type = A, class = IN
        AUTHORITY RECORDS:
        ->  local.lan
            ttl = 10800 (3 hours)
            primary name server = pfsense.local.lan
            responsible mail addr = root.local.lan
            serial  = 1
            refresh = 3600 (1 hour)
            retry  = 1200 (20 mins)
            expire  = 604800 (7 days)
            default TTL = 10800 (3 hours)



    Got answer:
        HEADER:
            opcode = QUERY, id = 7, rcode = NXDOMAIN
            header flags:  response, auth. answer, want recursion, recursion avail.
            questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
            wpad.local.lan.local.lan, type = AAAA, class = IN
        AUTHORITY RECORDS:
        ->  local.lan
            ttl = 10800 (3 hours)
            primary name server = pfsense.local.lan
            responsible mail addr = root.local.lan
            serial  = 1
            refresh = 3600 (1 hour)
            retry  = 1200 (20 mins)
            expire  = 604800 (7 days)
            default TTL = 10800 (3 hours)



    Got answer:
        HEADER:
            opcode = QUERY, id = 8, rcode = NOERROR
            header flags:  response, auth. answer, want recursion, recursion avail.
            questions = 1,  answers = 1,  authority records = 0,  additional = 0

    QUESTIONS:
            wpad.local.lan, type = A, class = IN
        ANSWERS:
        ->  wpad.local.lan
            internet address = 127.0.0.1
            ttl = 3600 (1 hour)



    Got answer:
        HEADER:
            opcode = QUERY, id = 9, rcode = NOERROR
            header flags:  response, auth. answer, want recursion, recursion avail.
            questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
            wpad.local.lan, type = AAAA, class = IN
        AUTHORITY RECORDS:
        ->  local.lan
            ttl = 10800 (3 hours)
            primary name server = pfsense.local.lan
            responsible mail addr = root.local.lan
            serial  = 1
            refresh = 3600 (1 hour)
            retry  = 1200 (20 mins)
            expire  = 604800 (7 days)
            default TTL = 10800 (3 hours)


    Name:    wpad.local.lan
    Address:  127.0.0.1
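
To make the "NX or Refused" question concrete, here is an added Python example, not code from the thread or from pfSense/unbound: it builds the A query nslookup sends, constructs sample replies in place of a real resolver (a live check would send the query over UDP instead), and reads them the way the debug output above is read, including the case where the search suffix was appended because the name had no trailing dot. The name wpad.local.lan and the 127.0.0.1 override are taken from the post; the response bytes are constructed.

```python
import struct

# RCODE names (RFC 1035): the low 4 bits of the flags word; nslookup's debug mode prints them
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def build_query(name, qtype=1, txid=8):  # minimal recursive (RD=1) query; qtype 1 = A, class IN
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack(">HH", qtype, 1)

def make_response(query, rcode, addrs=()):  # constructed reply: flags 0x8580 = QR/AA/RD/RA, question echoed
    hdr = struct.pack(">HHHHHH", struct.unpack(">H", query[:2])[0], 0x8580 | rcode, 1, len(addrs), 0, 0)
    body = query[12:]
    for a in addrs:  # A record whose owner name is a compression pointer (0xC00C) to the question name
        body += b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 3600, 4) + bytes(int(x) for x in a.split("."))
    return hdr + body

def parse_name(msg, off):  # decode an owner name at `off`; returns (name, offset just past it)
    labels = []
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:  # compression pointer (a malformed pointer loop hits the recursion limit)
            target, _ = parse_name(msg, struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF)
            return ".".join(labels + [target]), off + 2
        if n == 0:
            return ".".join(labels), off + 1
        labels.append(msg[off + 1:off + 1 + n].decode())
        off += 1 + n

def summarize(resp):  # rcode, question name and A answers: the parts of the debug output that matter here
    txid, flags, _, an, _, _ = struct.unpack(">HHHHHH", resp[:12])
    qname, off = parse_name(resp, 12)
    addrs, off = [], off + 4  # skip QTYPE and QCLASS
    for _ in range(an):
        _, off = parse_name(resp, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    return {"id": txid, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)), "qname": qname, "addresses": addrs}

def diagnose(asked, resp):  # map a reply onto the thread's checklist
    s = summarize(resp)
    if s["qname"] != asked.rstrip("."):
        return f"suffix appended: asked {asked}, server saw {s['qname']}; repeat the query with a trailing dot"
    if s["rcode"] == "REFUSED":
        return "REFUSED: the resolver answered, but its access lists reject this client"
    if s["rcode"] == "NXDOMAIN":
        return "NXDOMAIN: the resolver answered, but it has no record or override for this name"
    return f"{s['rcode']}: {', '.join(s['addresses']) or 'no A records'}"
```

A timeout (no bytes at all) is the one outcome this parser never sees, and it is the case that points at the firewall rather than at the resolver's configuration.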



  • Oh, sorry, I didn't even know debug mode existed. I'm getting a refused answer; is this likely to be firewall related?




  • Figured it out, bloody access lists… Thanks for all your help.

    James