Netgate Discussion Forum
    DNS Forwarder on Routed Subnets

    DHCP and DNS
    8 Posts 3 Posters 3.1k Views
    • djamp42

      I’m trying to use the DNS forwarder in pfsense for subnets that are routed behind my firewall. When I restart the DNS Forwarder I see the following message.

      "dnsmasq 47903 DNS service limited to local subnets"

      How can I allow other subnets besides just the locally connected ones?

      pfsense 2.3.2 AMD64

      • godefroi

        Would this be related to this new situation (for me) where pfSense's DNS forwarder won't respond to DNS queries over an OpenVPN tunnel? I know the traffic is coming across, I can see it in the firewall log, but I get no response. I can successfully get a response from another DNS server behind pfSense, but not from pfSense itself.

        • djamp42

          I would think so, it looks like DNS Forwarder is set up to only respond to subnets that are directly connected to pfsense. Here is what I found in the config; I'm sure I could comment this out, but it would break again when I upgrade. It would be best if it was an option in the webgui.

          Accept DNS queries only from hosts whose address is on a local subnet, ie a subnet for which an interface exists on the server. This option only has effect if there are no --interface, --except-interface, --listen-address or --auth-server options.

          local-service

          • johnpoz LAYER 8 Global Moderator

            Curious why you're using the forwarder vs the resolver; the resolver has been default in pfSense since 2.2 and you can have it answer anyone you want as long as you create the correct ACL to allow it. For example my openvpn clients use it.

            I have not used the forwarder since unbound became available.  But could fire up the forwarder and check, there should be a simple way to allow your vpn users to query the forwarder.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            • djamp42

              I'll check on using the resolver instead. I've been using the forwarder because it has been working fine for me, and have been using it since 1.2.X. The configs have been in place, just upgrades to the software.

              • godefroi

                I just switched over to the resolver; no change for me, still won't respond to DNS queries over OpenVPN.

                • johnpoz LAYER 8 Global Moderator

                  And what is your openvpn client IP and what are your ACLs? What IP are you doing the query to? Is unbound listening on that interface? It defaults to all, but I have mine set up to only the interfaces I want it to listen on, etc. 192.168.9.253 is the LAN interface IP.

                  Did you set any odd firewall rules on your vpn, like tcp only or something?

                  So I am on the vpn now.. And can query just fine.

                  C:>dig pfsense.local.lan

                  ; <<>> DiG 9.10.4-P1 <<>> pfsense.local.lan                             
                  ;; global options: +cmd                                                 
                  ;; Got answer:                                                         
                  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 139                 
                  ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

                  ;; OPT PSEUDOSECTION:                                                   
                  ; EDNS: version: 0, flags:; udp: 4096                                   
                  ;; QUESTION SECTION:                                                   
                  ;pfsense.local.lan.            IN      A

                  ;; ANSWER SECTION:                                                     
                  pfsense.local.lan.      3600    IN      A      192.168.9.253

                  ;; Query time: 103 msec                                                 
                  ;; SERVER: 192.168.9.253#53(192.168.9.253)                             
                  ;; WHEN: Wed Aug 03 15:36:35 Central Daylight Time 2016                 
                  ;; MSG SIZE  rcvd: 62

                  C:>

                  My vpn networks are 10.0.8 and 10.0.200, I just put in a wide open acl of 10.0/16, my local networks are various 192.168 segments so same thing wide open acl for 192.168/16 and then my ipv6 networks from HE.

                  Here you can see my vpn connection info,

                  Ethernet adapter Local Area Connection:

                    Connection-specific DNS Suffix  . : local.lan
                    Description . . . . . . . . . . . : TAP-Windows Adapter V9
                    Physical Address. . . . . . . . . : 00-FF-EE-16-B9-3C
                    DHCP Enabled. . . . . . . . . . . : Yes
                    Autoconfiguration Enabled . . . . : Yes
                    Link-local IPv6 Address . . . . . : fe80::fd9b:6799:7fc9:2969%23(Preferred)
                    IPv4 Address. . . . . . . . . . . : 10.0.8.100(Preferred)
                    Subnet Mask . . . . . . . . . . . : 255.255.255.0
                    Lease Obtained. . . . . . . . . . : Wednesday, August 03, 2016 9:25:07 AM
                    Lease Expires . . . . . . . . . . : Thursday, August 03, 2017 9:25:07 AM
                    Default Gateway . . . . . . . . . :
                    DHCP Server . . . . . . . . . . . : 10.0.8.254
                    DHCPv6 IAID . . . . . . . . . . . : 369164270
                    DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-4C-CA-26-3C-97-0E-99-DF-75
                    DNS Servers . . . . . . . . . . . : 192.168.9.253
                    NetBIOS over Tcpip. . . . . . . . : Enabled

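As an added illustration (not code from any poster in this thread), here is a small Python model of the two admission policies discussed above: the dnsmasq `local-service` rule quoted by djamp42, which only answers sources inside a subnet that has an interface on the server, and the unbound access-control list johnpoz describes, which admits routed or VPN subnets explicitly. The interface addresses, the routed subnet 10.20.30.0/24 and the ACL entries are constructed assumptions.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Constructed topology (assumption, not the posters' exact setups): pfSense has a
# LAN interface in 192.168.9.0/24 and an OpenVPN tunnel interface in 10.0.8.0/24.
# 10.20.30.0/24 sits behind a downstream router, so no pfSense interface is in it.
LOCAL_INTERFACES = [ip_interface("192.168.9.253/24"), ip_interface("10.0.8.1/24")]

# Constructed unbound access-control list: johnpoz's wide-open 10.0/16 and
# 192.168/16 entries, the routed subnet admitted explicitly, and one refused
# sub-range to show that the most specific netblock wins.
UNBOUND_ACL = [
    (ip_network("10.0.0.0/16"), "allow"),
    (ip_network("192.168.0.0/16"), "allow"),
    (ip_network("192.168.99.0/24"), "refuse"),
    (ip_network("10.20.30.0/24"), "allow"),
]


def dnsmasq_local_service_allows(client, interfaces=LOCAL_INTERFACES):
    """dnsmasq --local-service: answer only if the client address lies in a
    subnet for which an interface exists on the server. Routed subnets fail
    this test even though the packets reach the server."""
    src = ip_address(client)
    return any(src.version == iface.version and src in iface.network
               for iface in interfaces)


def unbound_acl_action(client, acl=UNBOUND_ACL):
    """unbound access-control: the most specific matching netblock decides;
    with no match the built-in default for non-localhost sources is refuse."""
    src = ip_address(client)
    best = None
    for net, action in acl:
        if src.version != net.version or src not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, action)
    return best[1] if best else "refuse"


if __name__ == "__main__":
    for host in ("192.168.9.50", "10.0.8.100", "10.20.30.7", "192.168.99.5"):
        print(host, "dnsmasq:", dnsmasq_local_service_allows(host),
              "unbound:", unbound_acl_action(host))
```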
                    • godefroi

                    Both of my "Interfaces" settings in the resolver configuration are "All". My tunnel network is 10.56.235.0/24 and my resolver ACL has two networks in it, 192.168.10.0/24 and 10.56.235.0/24.

                    From the pfSense command line, I can successfully resolve:

                    > dig gateway @192.168.10.254
                    
                    ; <<>> DiG 9.10.4-P2 <<>> gateway @192.168.10.254
                    ;; global options: +cmd
                    ;; Got answer:
                    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52322
                    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
                    
                    ;; OPT PSEUDOSECTION:
                    ; EDNS: version: 0, flags:; udp: 4096
                    ;; QUESTION SECTION:
                    ;gateway.			IN	A
                    
                    ;; ANSWER SECTION:
                    gateway.		1	IN	A	192.168.10.254
                    
                    ;; Query time: 0 msec
                    ;; SERVER: 192.168.10.254#53(192.168.10.254)
                    ;; WHEN: Wed Aug 03 14:19:33 MST 2016
                    ;; MSG SIZE  rcvd: 52
                    

                    Doing the same from over the VPN, however, times out:

                    > dig gateway @192.168.10.254
                    
                    ; <<>> DiG 9.9.2-P2 <<>> gateway @192.168.10.254
                    ;; global options: +cmd
                    ;; connection timed out; no servers could be reached
                    

                    I can query a different DNS server over the VPN, however:

                    > dig gateway @192.168.10.241
                    
                    ; <<>> DiG 9.9.2-P2 <<>> gateway @192.168.10.241
                    ;; global options: +cmd
                    ;; Got answer:
                    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58311
                    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
                    
                    ;; OPT PSEUDOSECTION:
                    ; EDNS: version: 0, flags:; udp: 4096
                    ;; QUESTION SECTION:
                    ;gateway.                       IN      A
                    
                    ;; ANSWER SECTION:
                    gateway.                1       IN      A       192.168.10.254
                    
                    ;; Query time: 56 msec
                    ;; SERVER: 192.168.10.241#53(192.168.10.241)
                    ;; WHEN: Wed Aug 03 13:36:41 2016
                    ;; MSG SIZE  rcvd: 52
                    

                    I can see the states in the diagnostics/states page; the query that goes to .241 results in two states, one on the ovpns2 interface and one on the LAN. The query to .254 results only in the ovpns2 interface state.
