Netgate Discussion Forum

Strange DNS queries on wrong WAN.

DHCP and DNS
4 Posts 2 Posters 988 Views
    mrzaz
    last edited by Sep 18, 2016, 9:08 AM

    Hello,
    I have a strange behaviour and I can't figure out where it originates from.

    I have 3 WAN, where WAN3 is going through a mobile broadband dongle.

    WAN1 is the main outgoing, but WAN2 is used, by rules, for outgoing from some machines. (outgoing loadbalancing)
    WAN3 is not set as default and does not have any rules pointing traffic to this interface. (at the moment)

    I have DNS Forwarder setup and 2 DNS IPs defined pointing to WAN1 under general.
    I have checked and only dnsmasq and NOT unbound is enabled. (unbound is not even in the service table as it is switched off)

    I also have the following:
    DNS Query Forwarding
    Query DNS servers sequentially = TRUE
    (If this option is set, pfSense DNS Forwarder (dnsmasq) will query the DNS servers sequentially in the order specified (System - General Setup - DNS Servers), rather than all at once in parallel.)

    According to this, only the DNS servers defined should be queried and NOT root server 8.8.8.8

    BUT, what I see when doing packet capture is that something still generates DNS traffic from the pfSense WAN3 IP to google root DNS 8.8.8.8
    and I cannot figure out what, and also HOW, as it should not be possible given how pfSense is configured.

    Anyone that has any idea on HOW and WHY these requests go out and from WHAT?

    I run pfSense 2.3.2

    Dan Lundqvist
    Stockholm, Sweden

      Derelict LAYER 8 Netgate
      last edited by Sep 18, 2016, 9:47 AM

      Is 8.8.8.8 set as the monitor IP address for the WAN3 gateway?

      What is the output from this in Diagnostics > Command prompt

      netstat -rn | grep 8.8.8.8

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

        mrzaz
        last edited by Sep 18, 2016, 12:10 PM

        @Derelict:

        Is 8.8.8.8 set as the monitor IP address for the WAN3 gateway?

        What is the output from this in Diagnostics > Command prompt

        netstat -rn | grep 8.8.8.8

        Yes.

        8.8.8.8            192.168.95.1      UGHS        ue0

        Don't mind the private address.  Just a workaround to circumvent the HiLink router in the dongle.
        I have it setup to Disable firewall and enabled DMZ between dongle and pfsense. (.1 = dongle and .2 = pfSense interface.)

        The DNS lookups that I see look very much like traffic originating from a Windows machine on the LAN (not anything from pfSense itself):
        to various URLs and also PTR reverse lookups and stuff.

        And as said, I do not have any DNS defined in general pointing to WAN3.

        I have normal ARPs and also some SSDP, but these are normal and local and can be ignored (and filtered out, at least SSDP).
        But the DNS will go out through the mobile connection = eat on MaxAggregatedBandwidth/month for the subscription.

        I could find that there is one machine on the LAN that does direct 8.8.8.8 lookups (and also looks to have similar kinds of lookups as seen on WAN3).
        HOWEVER, as WAN3 is not the default GW, it should not route that DNS traffic out on WAN3 but on WAN1, as this is the default GW.
        Strange.

        //Danne

          Derelict LAYER 8 Netgate
          last edited by Sep 18, 2016, 8:24 PM

          That will send everything for 8.8.8.8 out that specific interface. It is probably the result of network clients being hard-set to use that for DNS.

          I don't think there's anything you can do besides:

          1. Not use it as a monitoring IP address

          2. Block DNS queries to that address from that LAN.

          3. Forward DNS queries to that address to your preferred DNS.


Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
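Added example, not from this thread and not pfSense code: it reproduces the forwarding decision Derelict describes by parsing a `netstat -rn` table and doing a longest-prefix-match lookup, so you can check which DNS destinations seen in a LAN capture will leave on the metered interface, and what the same lookup gives once the monitor-IP host route is gone (remedy 1). The route table, interface names (em0 = WAN1, em1 = LAN, ue0 = WAN3), addresses and the query list are constructed for the example; the `UGHS` host route for 8.8.8.8 via ue0 mirrors the one posted above.

```python
"""Route-table lookup for the 'DNS leaks out WAN3' case.

Constructed example (not from the thread): a pfSense 2.3.x / FreeBSD 10
'netstat -rn' IPv4 table in which the WAN3 gateway monitor IP (8.8.8.8)
has a host route via the dongle, plus a few DNS queries as a LAN-side
capture would show them. Addresses and interface names are assumptions.
"""
import ipaddress

# Constructed 'netstat -rn' output. em0 = WAN1 (default route),
# em1 = LAN, ue0 = WAN3 (mobile dongle behind the HiLink router).
NETSTAT_RN = """\
Routing tables

Internet:
Destination        Gateway            Flags      Netif Expire
default            203.0.113.1        UGS         em0
8.8.8.8            192.168.95.1       UGHS        ue0
127.0.0.1          link#3             UH          lo0
192.168.1.0/24     link#2             U           em1
192.168.1.1        link#2             UHS         lo0
192.168.95.0/24    link#5             U           ue0
192.168.95.2       link#5             UHS         lo0
203.0.113.0/24     link#1             U           em0
203.0.113.10       link#1             UHS         lo0
"""

# Constructed LAN capture: (client, DNS server it queried).
DNS_QUERIES = [
    ("192.168.1.20", "198.51.100.53"),  # resolver handed out by pfSense (assumed)
    ("192.168.1.31", "8.8.8.8"),        # client hard-set to Google DNS
    ("192.168.1.31", "8.8.4.4"),
]


def parse_destination(dest):
    """Turn a netstat Destination column into an IPv4Network.

    'default' is 0.0.0.0/0; a bare address is a /32 host route; abbreviated
    classful forms such as '10/8' or '192.168.1/24' are padded to four octets.
    """
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(addr + "/" + (plen or "32"), strict=False)


def parse_routes(text):
    """Parse the IPv4 section of 'netstat -rn' into (network, gateway, flags, netif)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # headers and blank lines
        try:
            net = parse_destination(parts[0])
        except ValueError:
            continue  # column header line or an IPv6 route
        routes.append((net, parts[1], parts[2], parts[3]))
    return routes


def lookup(routes, dst):
    """Longest-prefix match over the table, as the kernel forwards a packet."""
    dst = ipaddress.ip_address(dst)
    best = None
    for route in routes:
        if dst in route[0] and (best is None or route[0].prefixlen > best[0].prefixlen):
            best = route
    return best


def egress_interface(routes, dst):
    """Interface a packet to dst leaves on (None if nothing matches, not even default)."""
    route = lookup(routes, dst)
    return route[3] if route else None


def leaking_queries(routes, queries, metered_if):
    """Captured queries whose destination the table sends out the metered interface."""
    return [(src, dst) for src, dst in queries
            if egress_interface(routes, dst) == metered_if]


def without_host_route(routes, dst):
    """Table as it looks after the monitor IP is changed: the /32 for dst disappears."""
    dst = ipaddress.ip_address(dst)
    return [r for r in routes if not (r[0].prefixlen == 32 and dst in r[0])]


if __name__ == "__main__":
    routes = parse_routes(NETSTAT_RN)
    for src, dst in DNS_QUERIES:
        print(f"{src} -> {dst}: leaves via {egress_interface(routes, dst)}")
    print("leaking via ue0:", leaking_queries(routes, DNS_QUERIES, "ue0"))
    fixed = without_host_route(routes, "8.8.8.8")
    print("without the monitor host route, 8.8.8.8 leaves via",
          egress_interface(fixed, "8.8.8.8"))
```

Only 8.8.8.8 is caught: 8.8.4.4 from the same client matches nothing more specific than `default` and goes out em0, which is why the capture on WAN3 shows just the one resolver. The lookup reflects the system routing table only; a pf `route-to` rule with a gateway set on the LAN rule overrides it, which is how pfSense policy routing steers WAN2 traffic, and is also why remedy 2 (block) or remedy 3 (a LAN port-forward of destination port 53 to the firewall's own forwarder) fixes clients whose DNS you do not control.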