DNS Resolution issue



  • Hello all. I've been banging my head against a wall for awhile now trying to figure this out. I have a offense sg 2440, running pfsense 2.3.2-RELEASE-p1. I have my LAN interface, and OPT1 is setup with an untagged interface and 2 tagged vLANS. Any devices that I connect to OPT1, I can not get out to the internet. If I do an nslookup for google.com it returns this:

    ** server can't find google.com.example.com: SERVFAIL

    Why is it appending my domain to the end of the lookup? It seems to do this on my wife's MacBook, my android phone and tablet, by my MacBook Pro is able to resolve just fine. It's really messing with my head. I'm guessing it has to do with the DNS resolver, but I can't figure it out. Help please? I'm sure I've left out some important info so please tell me what else you need to know.

    Thank you!



  • If I run  dig @8.8.8.8 google.com from my wife MacBook, it returns the IP for google.com

    dig @8.8.8.8 www.google.com
    
    ; <<>> DiG 9.8.3-P1 <<>> @8.8.8.8 www.google.com
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57030
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;www.google.com.			IN	A
    
    ;; ANSWER SECTION:
    www.google.com.		300	IN	A	216.58.216.196
    
    ;; Query time: 64 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8)
    ;; WHEN: Fri Nov 25 21:11:28 2016
    ;; MSG SIZE  rcvd: 48
    

  • Rebel Alliance Global Moderator

    Has nothing to do with the resolver, the resolve doesn't add stuff.  Your clients are appending the domain.

    If you want to do nslookup without appending then put a . on the end of your query.

    DNS client on the OS will normally append the local domain as search domain, but when it gets no answer it will start dropping those off..

    If you set debug in your nslookup you will see its asking for my local domain local.lan in my case and getting nxback.  Are you using some local search domain that is actual public.. example.com??  That is not going to comeback nx because there really is a example.com

    Notice here it asks for www.google.com.example.com, but then it continues on and gets an answer for just www.google.com

    
    > nslookup
    Default Server:  pfsense.local.lan
    Address:  192.168.9.253
    
    > set debug
    > www.google.com
    Server:  pfsense.local.lan
    Address:  192.168.9.253
    
    ------------
    Got answer:
        HEADER:
            opcode = QUERY, id = 2, rcode = NXDOMAIN
            header flags:  response, auth. answer, want recursion, recursion avail.
            questions = 1,  answers = 0,  authority records = 1,  additional = 0
    
        QUESTIONS:
            www.google.com.local.lan, type = A, class = IN
        AUTHORITY RECORDS:
        ->  local.lan
            ttl = 10800 (3 hours)
            primary name server = pfsense.local.lan
            responsible mail addr = root.local.lan
            serial  = 1
            refresh = 3600 (1 hour)
            retry   = 1200 (20 mins)
            expire  = 604800 (7 days)
            default TTL = 10800 (3 hours)
    
    
    
    ;; QUESTION SECTION:
    ;example.com.                   IN      A
    
    ;; ANSWER SECTION:
    example.com.            86400   IN      A       93.184.216.34
    
    ;; AUTHORITY SECTION:
    example.com.            86383   IN      NS      a.iana-servers.net.
    example.com.            86383   IN      NS      b.iana-servers.net.
    
    


  • @johnpoz

    Thank you for your response. You at helped me to know what it wasn't, which made me start looking elsewhere and found out my problem. Boy do I feel like a dummy. I had my PF box connected to my home router, not directly to my modem. My DNS requests were getting dropped in my router. I connected to my modem directly and boom it started working as expected. I also figured why i was working on my MBP, i had name servers listed in my /etc/resolv.conf from another project I was working on and forgot they were there.

    Thank again, I owe you!


  • Rebel Alliance Global Moderator

    Not exactly sure how had your pfsense setup?

    but yeah

    internet - modem - router/wifirouter - pfsense - wired clients

    not the optimal setup.

    Normally you would want

    internet - modem - pfsense - switch/AP/etc..

    So that all your devices are on networks behind pfsense be wired or wireless this way you don't double nat and you don't have issues with stuff on wifi or connected to your router in front of pfsense having to go through a port forward, etc. etc.

    Glad you got it sorted.. Don't really owe me anything ;)  Just pay it forward if you can by helping someone on the board that you know the answer to their question.