DNS Forwarder on Routed Subnets



  • I’m trying to use the DNS forwarder in pfsense for subnets that are routed behind my firewall. When I restart the DNS Forwarder I see the following message.

    " dnsmasq  47903  DNS service limited to local subnets”

    How can I allow other subnets besides just the locally connected ones?

    pfsense 2.3.2 AMD64



  • Would this be related to this new situation (for me) where pfSense's DNS forwarder won't respond to DNS queries over an OpenVPN tunnel? I know the traffic is coming across, I can see it in the firewall log, but I get no response. I can successfully get a response from another DNS server behind pfSense, but not from pfSense itself.



  • I would think so, it looks like DNS Forwarder is setup to only respond to subnets that are directly connected to pfsense. Here is what i found in the config, i'm sure i could comment this out but it would break again when i upgrade. Would be best if it was a option in the webgui.

    Accept DNS queries only from hosts whose address is on a local

    subnet, ie a subnet for which an interface exists on the server.

    This option only has effect if there are no –interface

    --except-interface, --listen-address or --auth-server options.

    local-service


  • LAYER 8 Global Moderator

    curious why your using the forwarder vs the resolver, the resolver has been default in pfsense since 2.2 and you can have it answer anyone you want as long s you create the correct acl to allow it.  For example my openvpn clients use it.

    I have not used the forwarder since unbound became available.  But could fire up the forwarder and check, there should be a simple way to allow your vpn users to query the forwarder.



  • I'll check on using the resolver instead, I've been using forwarder because it has been working fine for me, and have been using it since 1.2.X. The configs have been in place just upgrades to the software.



  • I just switched over to the resolver; no change for me, still won't respond to DNS queries over OpenVPN.


  • LAYER 8 Global Moderator

    And what is your openvpn client IP and what are you acls? What IP are you doing the query too.. Is unbound listening on that interface.  It defaults to all, but I have mine setup to only the interfaces I want it to listen on, etc. 192.168.9.253 is the lan interface IP.

    Did you set any odd firewall rules on your vpn, like tcp only or something?

    So I am on the vpn now.. And can query just fine.

    C:>dig pfsense.local.lan

    ; <<>> DiG 9.10.4-P1 <<>> pfsense.local.lan                             
    ;; global options: +cmd                                                 
    ;; Got answer:                                                         
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 139                 
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:                                                   
    ; EDNS: version: 0, flags:; udp: 4096                                   
    ;; QUESTION SECTION:                                                   
    ;pfsense.local.lan.            IN      A

    ;; ANSWER SECTION:                                                     
    pfsense.local.lan.      3600    IN      A      192.168.9.253

    ;; Query time: 103 msec                                                 
    ;; SERVER: 192.168.9.253#53(192.168.9.253)                             
    ;; WHEN: Wed Aug 03 15:36:35 Central Daylight Time 2016                 
    ;; MSG SIZE  rcvd: 62

    C:>

    My vpn networks are 10.0.8 and 10.0.200, I just put in a wide open acl of 10.0/16, my local networks are various 192.168 segments so same thing wide open acl for 192.168/16 and then my ipv6 networks from HE.

    Here you can see my vpn connection info,

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix  . : local.lan
      Description . . . . . . . . . . . : TAP-Windows Adapter V9
      Physical Address. . . . . . . . . : 00-FF-EE-16-B9-3C
      DHCP Enabled. . . . . . . . . . . : Yes
      Autoconfiguration Enabled . . . . : Yes
      Link-local IPv6 Address . . . . . : fe80::fd9b:6799:7fc9:2969%23(Preferred)
      IPv4 Address. . . . . . . . . . . : 10.0.8.100(Preferred)
      Subnet Mask . . . . . . . . . . . : 255.255.255.0
      Lease Obtained. . . . . . . . . . : Wednesday, August 03, 2016 9:25:07 AM
      Lease Expires . . . . . . . . . . : Thursday, August 03, 2017 9:25:07 AM
      Default Gateway . . . . . . . . . :
      DHCP Server . . . . . . . . . . . : 10.0.8.254
      DHCPv6 IAID . . . . . . . . . . . : 369164270
      DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-4C-CA-26-3C-97-0E-99-DF-75
      DNS Servers . . . . . . . . . . . : 192.168.9.253
      NetBIOS over Tcpip. . . . . . . . : Enabled




  • Both of my "Interfaces" settings in the resolver configuration are "All". My tunnel network is 10.56.235.0/24 and my resolver ACL has two networks in it, 192.168.10.0/24 and 10.56.235.0/24.

    From the pfSense command line, I can successfully resolve:

    > dig gateway @192.168.10.254
    
    ; <<>> DiG 9.10.4-P2 <<>> gateway @192.168.10.254
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52322
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;gateway.			IN	A
    
    ;; ANSWER SECTION:
    gateway.		1	IN	A	192.168.10.254
    
    ;; Query time: 0 msec
    ;; SERVER: 192.168.10.254#53(192.168.10.254)
    ;; WHEN: Wed Aug 03 14:19:33 MST 2016
    ;; MSG SIZE  rcvd: 52
    

    Doing the same from over the VPN, however, times out:

    > dig gateway @192.168.10.254
    
    ; <<>> DiG 9.9.2-P2 <<>> gateway @192.168.10.254
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached
    

    I can query a different DNS server over the VPN, however:

    > dig gateway @192.168.10.241
    
    ; <<>> DiG 9.9.2-P2 <<>> gateway @192.168.10.241
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58311
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;gateway.                       IN      A
    
    ;; ANSWER SECTION:
    gateway.                1       IN      A       192.168.10.254
    
    ;; Query time: 56 msec
    ;; SERVER: 192.168.10.241#53(192.168.10.241)
    ;; WHEN: Wed Aug 03 13:36:41 2016
    ;; MSG SIZE  rcvd: 52
    

    I can see the states in the diagnostics/states page; the query that goes to .241 results in two states, one on the ovpns2 interface and one on the LAN. The query to .254 results only in the ovpns2 interface state.


Log in to reply