Netgate Discussion Forum

DNS Resolver not overriding host

DHCP and DNS
10 Posts 2 Posters 1.4k Views
scarja

      Hello everyone,

In DHCP I have the following DNS servers released to my LAN clients:
10.65.1.182 (PFSense)
10.65.1.1    (Windows DNS server)
10.65.1.10  (Windows DNS server)

While trying to resolve internet addresses and internal addresses everything works. I've put an override for wpad.mydomain.loc in PFSense DNS Resolver (resolver is enabled of course) but I can't resolve the address on my LAN PCs… Testing from the pfsense console is working though.

      Any idea what I'm missing?

      Thanks,
      James

johnpoz LAYER 8 Global Moderator

You're missing that you're handing out multiple DNS servers to your clients.  You can never be sure which one the client will query.  Do your Windows DNS servers have the exact same records as pfsense?

It is a BAD idea to hand your clients name servers that do not resolve the exact same things, since you cannot control which ns your client actually asks.  If you are running AD, I would suggest that all members of your AD only point to AD dns..

        So your clients ask your pfsense for AD, what does pfsense do?  Your clients ask windows ns, do they have this same record for wpad?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

scarja

I also tried overriding DHCP on a network client, pointing the DNS only to PFSense, as I myself was doubting which DNS server the query was going to (even if I had set the PFSense IP as the first DNS, theoretically it should query in order).

          PFsense has no DNS records except for wpad. The reason is that I'm testing PFSense and I don't want all the rest of my network to suddenly resolve wpad and overwrite the current proxy settings so I avoided adding the wpad record to my windows network DNSs.

          Pointing to just pfsense manually should make it work, correct?

johnpoz

"theoretically it should query in order"

            No not really.. That is not how windows figures out which name server to query after it has been running and doing queries for a bit..  Here is the most important piece of the puzzle

            https://technet.microsoft.com/en-us/library/cc961411.aspx
            Name Resolution
            "The resolver keeps track of which servers answer queries more quickly, and it might move servers up or down on the list based on how quickly they reply to queries."

            This is a dated article..  What I can tell just from experience is you can never be sure which dns is going to be queried and become the go to name server for the client.  And then depending on what sort of responses you get, NX or just timeout or Refused, etc. for different queries this all comes into play as well.

Yes, if all you query is pfsense, and you put in an override, that is what will be returned for that query..  That is very simple to test via a simple query using your fav tool, nslookup, dig, drill, host, etc.  Or just simple ping even.

scarja

Unfortunately that's not working though. I overrode but I'm still not resolving the only host PFSense should know.

johnpoz

What are you running on pfsense, forwarder or resolver?  Common mistake is to put the override in the wrong one ;)

So I have an override for wpad.local.lan, the network I use, that points to loopback.. Just to stop all the noise from queries for wpad… I don't use a proxy in my network

                so attached you can see a box of mine doing a query to pfsense on 192.168.9.253 for wpad.local.lan and getting back the override I put in.

wpadoverride.jpg

scarja

Here is a screenshot of one of the LAN clients. As you can see PFSense is configured to override (I only have the DNS Resolver enabled, not the forwarder). In one of the command prompts you can see that the only DNS is PFSense. In the other command prompt you can see I attempt to ping to resolve a test address (I also flushed the DNS records in between just in case).
                  Obviously the LAN client reaches PFSense otherwise the configuration page wouldn't be opened (in the address bar you can see that the IP is the same as the configured DNS).

screenshot.png

johnpoz

Well, you cannot tell from just a ping what is going on..  Do a simple query with dig, or drill, or nslookup for gosh sake.  Does nslookup say could not talk to ns, or did you get back NX or Refused?

                    nslookup
                    Default Server:  pfSense.local.lan
                    Address:  192.168.9.253

                    wpad.local.lan
                    Server:  pfSense.local.lan
                    Address:  192.168.9.253

                    Name:    wpad.local.lan
                    Address:  127.0.0.1

set debug in nslookup if you need to get the details.. Notice here it added my suffix local.lan because I didn't put . on the end

                    wpad.local.lan
                    Server:  pfSense.local.lan
                    Address:  192.168.9.253

                    Name:    wpad.local.lan
                    Address:  127.0.0.1

                    set debug
                    wpad.local.lan
                    Server:  pfSense.local.lan
                    Address:  192.168.9.253

-----------
                    Got answer:
                        HEADER:
                            opcode = QUERY, id = 6, rcode = NXDOMAIN
                            header flags:  response, auth. answer, want recursion, recursion avail.
                            questions = 1,  answers = 0,  authority records = 1,  additional = 0

                    QUESTIONS:
                            wpad.local.lan.local.lan, type = A, class = IN
                        AUTHORITY RECORDS:
                        ->  local.lan
                            ttl = 10800 (3 hours)
                            primary name server = pfsense.local.lan
                            responsible mail addr = root.local.lan
                            serial  = 1
                            refresh = 3600 (1 hour)
                            retry  = 1200 (20 mins)
                            expire  = 604800 (7 days)
                            default TTL = 10800 (3 hours)



                    Got answer:
                        HEADER:
                            opcode = QUERY, id = 7, rcode = NXDOMAIN
                            header flags:  response, auth. answer, want recursion, recursion avail.
                            questions = 1,  answers = 0,  authority records = 1,  additional = 0

                    QUESTIONS:
                            wpad.local.lan.local.lan, type = AAAA, class = IN
                        AUTHORITY RECORDS:
                        ->  local.lan
                            ttl = 10800 (3 hours)
                            primary name server = pfsense.local.lan
                            responsible mail addr = root.local.lan
                            serial  = 1
                            refresh = 3600 (1 hour)
                            retry  = 1200 (20 mins)
                            expire  = 604800 (7 days)
                            default TTL = 10800 (3 hours)



                    Got answer:
                        HEADER:
                            opcode = QUERY, id = 8, rcode = NOERROR
                            header flags:  response, auth. answer, want recursion, recursion avail.
                            questions = 1,  answers = 1,  authority records = 0,  additional = 0

                    QUESTIONS:
                            wpad.local.lan, type = A, class = IN
                        ANSWERS:
                        ->  wpad.local.lan
                            internet address = 127.0.0.1
                            ttl = 3600 (1 hour)



                    Got answer:
                        HEADER:
                            opcode = QUERY, id = 9, rcode = NOERROR
                            header flags:  response, auth. answer, want recursion, recursion avail.
                            questions = 1,  answers = 0,  authority records = 1,  additional = 0

                    QUESTIONS:
                            wpad.local.lan, type = AAAA, class = IN
                        AUTHORITY RECORDS:
                        ->  local.lan
                            ttl = 10800 (3 hours)
                            primary name server = pfsense.local.lan
                            responsible mail addr = root.local.lan
                            serial  = 1
                            refresh = 3600 (1 hour)
                            retry  = 1200 (20 mins)
                            expire  = 604800 (7 days)
                            default TTL = 10800 (3 hours)


                    Name:    wpad.local.lan
                    Address:  127.0.0.1

scarja
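Two points in this thread are worth turning into a repeatable check: johnpoz's advice to look at the actual rcode (NOERROR, NXDOMAIN, REFUSED, or no answer at all) instead of relying on ping, and his earlier warning that every name server handed out by DHCP must return the same answers. The following Python script is an added example, not code from the thread or from pfSense. It builds a wire-format A query, parses a reply into rcode and answers, can send the query over UDP to any server, and compares what several servers return. The server addresses in the demo are the ones from the first post; `build_response` exists only to fabricate sample replies so the script runs offline.

```python
import socket
import struct

# rcode values from the DNS header, the same names nslookup prints in debug mode
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
A_RECORD = 1


def _encode_name(name: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels. The name is sent
    exactly as given (trailing dot stripped); no search suffix is appended."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, txid: int = 1, qtype: int = A_RECORD) -> bytes:
    """Standard query with the RD (recursion desired) bit set, one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(txid: int, rcode: int, name: str, addresses=(), aa=True) -> bytes:
    """Construct a reply message (only used here to fabricate sample replies)."""
    flags = 0x8180 | (0x0400 if aa else 0) | rcode      # QR, RD, RA, optional AA
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(addresses), 0, 0)
    msg += _encode_name(name) + struct.pack("!HH", A_RECORD, 1)
    for addr in addresses:
        # 0xC00C is a compression pointer back to the question name at offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", A_RECORD, 1, 3600, 4) + socket.inet_aton(addr)
    return msg


def _read_name(msg: bytes, off: int):
    """Decode a possibly-compressed name; return (name, offset after the name)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_response(msg: bytes) -> dict:
    """Pull out what matters for troubleshooting: rcode, AA flag, question, A answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, addresses = 12, [], []
    for _ in range(qd):
        qname, off = _read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((qname, qtype))
    for _ in range(an):
        _owner, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == A_RECORD and rdlen == 4:
            addresses.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return {"id": txid, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "aa": bool(flags & 0x0400), "questions": questions, "addresses": addresses}


def query(server: str, name: str, timeout: float = 2.0) -> dict:
    """Live lookup over UDP/53. A server that never replies is reported as
    TIMEOUT, which is a different failure from NXDOMAIN or REFUSED."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name), (server, 53))
            data, _peer = sock.recvfrom(4096)
        except OSError:
            return {"id": None, "rcode": "TIMEOUT", "aa": False, "questions": [], "addresses": []}
    return parse_response(data)


def check_consistency(results: dict) -> list:
    """results maps server -> parsed reply. Returns one line per server whose
    (rcode, addresses) differ from the first server's; empty means they agree."""
    items = list(results.items())
    ref_server, ref = items[0]
    key = lambda r: (r["rcode"], sorted(r["addresses"]))
    return [f"{srv}: {r['rcode']} {r['addresses']} differs from {ref_server}"
            for srv, r in items[1:] if key(r) != key(ref)]


if __name__ == "__main__":
    # Constructed replies modelled on the thread: pfsense answers the override,
    # a Windows DNS server without the record answers NXDOMAIN.
    demo = {"10.65.1.182": parse_response(build_response(8, 0, "wpad.local.lan", ["127.0.0.1"])),
            "10.65.1.1": parse_response(build_response(9, 3, "wpad.local.lan"))}
    print("\n".join(check_consistency(demo)) or "all servers agree")
```

For a live check, replace the constructed replies with `query(server, "wpad.local.lan.")` for each address DHCP hands out; the trailing dot matters, since a client resolver appends its search suffix (the nslookup debug output above shows `wpad.local.lan.local.lan` being tried first) while this client sends exactly the name it is given.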

Oh, sorry, didn't even know debug mode existed. I'm getting a refused answer, is this likely to be firewall related?

screenshot.png

scarja

                        Figured it out, bloody access lists… Thanks for all your help.

                        James

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.