Netgate Discussion Forum
    DNS Resolution issue

    DHCP and DNS

    scuba.steve

      Hello all. I've been banging my head against a wall for a while now trying to figure this out. I have an SG-2440, running pfSense 2.3.2-RELEASE-p1. I have my LAN interface, and OPT1 is set up with an untagged interface and 2 tagged VLANs. Any devices that I connect to OPT1 cannot get out to the internet. If I do an nslookup for google.com it returns this:

      ** server can't find google.com.example.com: SERVFAIL

      Why is it appending my domain to the end of the lookup? It seems to do this on my wife's MacBook and my Android phone and tablet, but my MacBook Pro is able to resolve just fine. It's really messing with my head. I'm guessing it has to do with the DNS Resolver, but I can't figure it out. Help please? I'm sure I've left out some important info, so please tell me what else you need to know.

      Thank you!

        scuba.steve

        If I run dig @8.8.8.8 google.com from my wife's MacBook, it returns the IP for google.com:

        dig @8.8.8.8 www.google.com
        
        ; <<>> DiG 9.8.3-P1 <<>> @8.8.8.8 www.google.com
        ; (1 server found)
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57030
        ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
        
        ;; QUESTION SECTION:
        ;www.google.com.			IN	A
        
        ;; ANSWER SECTION:
        www.google.com.		300	IN	A	216.58.216.196
        
        ;; Query time: 64 msec
        ;; SERVER: 8.8.8.8#53(8.8.8.8)
        ;; WHEN: Fri Nov 25 21:11:28 2016
        ;; MSG SIZE  rcvd: 48
        
          johnpoz (Global Moderator)

          Has nothing to do with the Resolver; the resolver doesn't add stuff. Your clients are appending the domain.

          If you want to do nslookup without appending then put a . on the end of your query.

          The DNS client on the OS will normally append the local domain as a search domain, but when it gets no answer it will start dropping those off.

          If you set debug in your nslookup you will see it's asking for my local domain, local.lan in my case, and getting NX back. Are you using some local search domain that is actually public, example.com?? That is not going to come back NX because there really is an example.com.

          Notice here it asks for www.google.com.example.com, but then it continues on and gets an answer for just www.google.com

          
          > nslookup
          Default Server:  pfsense.local.lan
          Address:  192.168.9.253
          
          > set debug
          > www.google.com
          Server:  pfsense.local.lan
          Address:  192.168.9.253
          
          ------------
          Got answer:
              HEADER:
                  opcode = QUERY, id = 2, rcode = NXDOMAIN
                  header flags:  response, auth. answer, want recursion, recursion avail.
                  questions = 1,  answers = 0,  authority records = 1,  additional = 0
          
              QUESTIONS:
                  www.google.com.local.lan, type = A, class = IN
              AUTHORITY RECORDS:
              ->  local.lan
                  ttl = 10800 (3 hours)
                  primary name server = pfsense.local.lan
                  responsible mail addr = root.local.lan
                  serial  = 1
                  refresh = 3600 (1 hour)
                  retry   = 1200 (20 mins)
                  expire  = 604800 (7 days)
                  default TTL = 10800 (3 hours)
          ;; QUESTION SECTION:
          ;example.com.                   IN      A
          
          ;; ANSWER SECTION:
          example.com.            86400   IN      A       93.184.216.34
          
          ;; AUTHORITY SECTION:
          example.com.            86383   IN      NS      a.iana-servers.net.
          example.com.            86383   IN      NS      b.iana-servers.net.
          
          

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1
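          The search-list behaviour johnpoz describes (client appends the search domain, gets NXDOMAIN, then retries the bare name; a trailing dot makes the name absolute) and his warning about using a real public domain as the search domain, worked through as an added example. This is not code from the thread or from pfSense: it models the candidate ordering of a glibc-style stub resolver with an `ndots` rule (the suffix-first ordering the Windows nslookup in the post shows is reproduced with a high `ndots`), and it stops on SERVFAIL on the assumption that a broken upstream cannot be fixed by trying another suffix. The `FakeResolver`, its zone data, the wildcard under example.com and the 203.0.113.10 address are constructed for the demonstration; the other two addresses are the ones in the thread's dig output.

```python
"""Search-list expansion the way a stub resolver does it, run against a constructed
fake resolver. Added example; not code from the thread. Zone data and wildcard are made up."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Answer:
    rcode: str                       # "NOERROR", "NXDOMAIN" or "SERVFAIL"
    address: Optional[str] = None    # A record when rcode == "NOERROR"


class FakeResolver:
    """Stand-in for the recursive resolver the client talks to (constructed, not real DNS).

    records:     {fqdn: address} for names that exist.
    wildcards:   {zone: address}; any name below zone that is not in records gets this
                 address, a simplified model of a '*.zone' A record.
    unreachable: if True every query returns SERVFAIL, like a resolver whose upstream
                 path is blocked (the first post's symptom).
    """

    def __init__(self, records, wildcards=None, unreachable=False):
        self.records = {k.rstrip(".").lower(): v for k, v in records.items()}
        self.wildcards = {k.rstrip(".").lower(): v for k, v in (wildcards or {}).items()}
        self.unreachable = unreachable

    def query(self, name: str) -> Answer:
        if self.unreachable:
            return Answer("SERVFAIL")
        fqdn = name.rstrip(".").lower()
        if fqdn in self.records:
            return Answer("NOERROR", self.records[fqdn])
        for zone, addr in self.wildcards.items():
            if fqdn.endswith("." + zone):
                return Answer("NOERROR", addr)
        return Answer("NXDOMAIN")


def candidates(name: str, search: list, ndots: int = 1) -> list:
    """Names to try, in order, for a glibc-style stub resolver (assumed ordering).

    A trailing dot marks the name as absolute: nothing is appended. Otherwise a name
    with fewer than `ndots` dots is tried with each search domain first and bare last;
    a name with at least `ndots` dots is tried bare first. The Windows nslookup in the
    thread tried the suffixed form first for www.google.com; ndots=3 reproduces that.
    """
    if name.endswith("."):
        return [name]
    bare = name + "."
    suffixed = [f"{name}.{d.strip('.')}." for d in search]
    if name.count(".") >= ndots:
        return [bare] + suffixed
    return suffixed + [bare]


def resolve(name: str, search: list, resolver: FakeResolver, ndots: int = 1):
    """Walk the candidate list. Returns (answered_name, Answer, trace).

    Stops at the first NOERROR. Also stops on SERVFAIL (assumption: the resolver itself
    is broken, so another suffix cannot help). Continues past NXDOMAIN, which is the
    'start dropping those off' behaviour described in the thread.
    """
    trace = []
    answer = Answer("NXDOMAIN")
    for cand in candidates(name, search, ndots):
        answer = resolver.query(cand)
        trace.append((cand, answer.rcode))
        if answer.rcode in ("NOERROR", "SERVFAIL"):
            return (cand if answer.rcode == "NOERROR" else None), answer, trace
    return None, answer, trace


# Constructed data: the two addresses below appear in the thread's dig output; the
# wildcard address (TEST-NET-3) and the wildcard under example.com are made up.
RECORDS = {"www.google.com": "216.58.216.196", "example.com": "93.184.216.34"}
PRIVATE_SEARCH = ["local.lan"]     # johnpoz's private search domain
PUBLIC_SEARCH = ["example.com"]    # a real, public domain used as search domain


def private_search_falls_through():
    """Suffixed name is NXDOMAIN, client retries the bare name and gets Google's address."""
    return resolve("www.google.com", PRIVATE_SEARCH, FakeResolver(RECORDS), ndots=3)


def public_wildcard_hijacks():
    """With a wildcard under the public search domain the suffixed name answers first."""
    r = FakeResolver(RECORDS, wildcards={"example.com": "203.0.113.10"})
    return resolve("www.google.com", PUBLIC_SEARCH, r, ndots=3)


def trailing_dot_is_immune():
    """An absolute name skips the search list, wildcard or not."""
    r = FakeResolver(RECORDS, wildcards={"example.com": "203.0.113.10"})
    return resolve("www.google.com.", PUBLIC_SEARCH, r, ndots=3)


def broken_upstream():
    """Upstream blocked: SERVFAIL on the first (suffixed) candidate, as in the first post."""
    return resolve("google.com", PUBLIC_SEARCH, FakeResolver(RECORDS, unreachable=True), ndots=3)


if __name__ == "__main__":
    for fn in (private_search_falls_through, public_wildcard_hijacks,
               trailing_dot_is_immune, broken_upstream):
        answered, ans, trace = fn()
        print(f"{fn.__name__}: {trace} -> {answered} {ans}")
```

          The second scenario is the practical reason for johnpoz's question: a search domain you do not control can answer for the suffixed name, and a client that tries the suffix first then never asks for the real name. The third shows why the trailing dot he suggests is the reliable way to rule that out; the fourth reproduces the SERVFAIL in the first post, where the rcode, not the appended suffix, was the real clue.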

            scuba.steve

            @johnpoz

            Thank you for your response. You helped me to know what it wasn't, which made me start looking elsewhere, and I found out my problem. Boy do I feel like a dummy. I had my PF box connected to my home router, not directly to my modem. My DNS requests were getting dropped in my router. I connected to my modem directly and boom, it started working as expected. I also figured out why it was working on my MBP: I had name servers listed in my /etc/resolv.conf from another project I was working on and forgot they were there.

            Thanks again, I owe you!

              johnpoz (Global Moderator)

              Not exactly sure how you had your pfSense set up?

              but yeah

              internet - modem - router/wifirouter - pfsense - wired clients

              not the optimal setup.

              Normally you would want

              internet - modem - pfsense - switch/AP/etc..

              So that all your devices are on networks behind pfSense, be they wired or wireless. This way you don't double NAT, and you don't have issues with stuff on wifi or connected to your router in front of pfSense having to go through a port forward, etc. etc.

              Glad you got it sorted.. Don't really owe me anything ;)  Just pay it forward if you can by helping someone on the board that you know the answer to their question.


              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.