    DNS Resolver does not respond to request on LAN IP

    • H
      highc last edited by

      Hi,

      DNS Resolver (with DNS forwarding activated) only responds to requests on 127.0.0.1, but refuses to respond to requests on the LAN IP (192.168.2.200), even when I try this from the pfSense machine itself:

      [2.3.4-RELEASE][root@pfSense.domain.com]/root: nslookup www.google.com 127.0.0.1
      Server:         127.0.0.1
      Address:        127.0.0.1#53
      
      Non-authoritative answer:
      Name:   www.google.com
      Address: 216.58.214.100
      Name:   www.google.com
      Address: 2a00:1450:4001:812::2004
      
      [2.3.4-RELEASE][root@pfSense.domain.com]/root: nslookup www.google.com 192.168.2.200
      Server:         192.168.2.200
      Address:        192.168.2.200#53
      
      ** server can't find www.google.com: REFUSED
      

      I found this out when I tried to set up other machines in my LAN to use pfSense as DNS, but got the refused error.

      As you can see from the attached screenshot, I have set up DNS Resolver to listen to all interfaces, and 192.168.2.200 is the address assigned to the LAN interface.

      My network setup: I have set up pfSense 2.3.4 in a KVM VM for testing purposes. WAN is detached, LAN is connected to a bridge on the VM host (192.168.2.30). To enable internet access, I have set up a gateway for LAN in pfSense. I know this is not necessarily the intended setup. Generally, it works, however: I can access the LAN and the Internet from the pfSense box, including downloading packages for pfSense, etc.

      What did I miss?

      Thanks!

      ![DNS Resolver Options.png](/public/imported_attachments/1/DNS Resolver Options.png)
      ![LAN Interface Settings.png](/public/imported_attachments/1/LAN Interface Settings.png)

      • G
        gjaltemba last edited by

        Dig might have more detail of the problem. What is the output of

        dig -x @192.168.2.200 www.google.com

        • H
          highc last edited by

          Thanks for looking into this!

          [2.3.4-RELEASE][root@pfSense.domain.com]/root: dig @192.168.2.200 -x www.google.com
          
          ; <<>> DiG 9.11.1 <<>> @192.168.2.200 -x www.google.com
          ; (1 server found)
          ;; global options: +cmd
          ;; Got answer:
          ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 6573
          ;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
          ;; WARNING: recursion requested but not available
          
          ;; Query time: 0 msec
          ;; SERVER: 192.168.2.200#53(192.168.2.200)
          ;; WHEN: Mon May 15 08:21:44 CEST 2017
          ;; MSG SIZE  rcvd: 12
          

          For purposes of comparison, the same request @127.0.0.1:

          [2.3.4-RELEASE][root@pfSense.domain.com]/root: dig @127.0.0.1 -x www.google.com
          
          ; <<>> DiG 9.11.1 <<>> @127.0.0.1 -x www.google.com
          ; (1 server found)
          ;; global options: +cmd
          ;; Got answer:
          ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36977
          ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
          
          ;; OPT PSEUDOSECTION:
          ; EDNS: version: 0, flags:; udp: 4096
          ;; QUESTION SECTION:
          ;com.google.www.in-addr.arpa.   IN      PTR
          
          ;; AUTHORITY SECTION:
          in-addr.arpa.           3469    IN      SOA     b.in-addr-servers.arpa. nstld.iana.org. 2017042619 1800 900 604800 3600
          
          ;; Query time: 305 msec
          ;; SERVER: 127.0.0.1#53(127.0.0.1)
          ;; WHEN: Mon May 15 08:21:12 CEST 2017
          ;; MSG SIZE  rcvd: 124
          
          • G
            gjaltemba last edited by

            dig @127.0.0.1 -x www.google.com works if you uncheck DNS Query Forwarding Enable Forwarding Mode?

            • H
              highc last edited by

              I don't think anything changes if I disable that:

              [2.3.4-RELEASE][root@pfSense.kruemel.org]/root: dig @127.0.0.1 -x www.google.com 
              
              ; <<>> DiG 9.11.1 <<>> @127.0.0.1 -x www.google.com
              ; (1 server found)
              ;; global options: +cmd
              ;; Got answer:
              ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 21799
              ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
              
              ;; OPT PSEUDOSECTION:
              ; EDNS: version: 0, flags:; udp: 4096
              ;; QUESTION SECTION:
              ;com.google.www.in-addr.arpa.	IN	PTR
              
              ;; AUTHORITY SECTION:
              in-addr.arpa.		3600	IN	SOA	b.in-addr-servers.arpa. nstld.iana.org. 2017042619 1800 900 604800 3600
              
              ;; Query time: 219 msec
              ;; SERVER: 127.0.0.1#53(127.0.0.1)
              ;; WHEN: Mon May 15 17:12:46 CEST 2017
              ;; MSG SIZE  rcvd: 124
              

              and

              [2.3.4-RELEASE][root@pfSense.kruemel.org]/root: dig @192.168.2.200 -x www.google.com
              
              ; <<>> DiG 9.11.1 <<>> @192.168.2.200 -x www.google.com
              ; (1 server found)
              ;; global options: +cmd
              ;; Got answer:
              ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 33417
              ;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
              ;; WARNING: recursion requested but not available
              
              ;; Query time: 0 msec
              ;; SERVER: 192.168.2.200#53(192.168.2.200)
              ;; WHEN: Mon May 15 17:13:18 CEST 2017
              ;; MSG SIZE  rcvd: 12
              
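The two dig results quoted in this thread differ in more than the status code. The sketch below is an added example, not code from any poster or from pfSense: it parses the header lines copied from the outputs above and reports that the reply from 192.168.2.200 is a bare 12-byte DNS header with no `ra` flag and no echoed question, while the reply from 127.0.0.1 is a fully processed answer. The function names and finding labels are made up for illustration.

```python
import re

# Header and trailer lines copied from the two dig runs quoted in this thread.
LAN_REPLY = """\
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 6573
;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; SERVER: 192.168.2.200#53(192.168.2.200)
;; MSG SIZE  rcvd: 12
"""
LOOPBACK_REPLY = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36977
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; MSG SIZE  rcvd: 124
"""

DNS_HEADER_BYTES = 12  # fixed DNS header size (RFC 1035, section 4.1.1)
SECTION_RE = r"(QUERY|ANSWER|AUTHORITY|ADDITIONAL): (\d+)"


def parse_dig(text):
    """Extract status, flags, section counts, server and size from dig output."""
    return {
        "status": re.search(r"status: (\w+)", text).group(1),
        "flags": re.search(r";; flags: ([a-z ]*);", text).group(1).split(),
        "counts": {k: int(v) for k, v in re.findall(SECTION_RE, text)},
        "server": re.search(r";; SERVER: ([^#\s]+)#", text).group(1),
        "size": int(re.search(r"MSG SIZE\s+rcvd: (\d+)", text).group(1)),
    }


def findings(reply):
    """Return the observations that separate a refusal from a resolved answer."""
    notes = []
    if reply["status"] == "REFUSED":
        notes.append("refused")
    if "rd" in reply["flags"] and "ra" not in reply["flags"]:
        notes.append("recursion-not-offered")  # matches dig's WARNING line
    if reply["counts"]["QUERY"] == 0:
        notes.append("question-not-echoed")
    if reply["size"] == DNS_HEADER_BYTES:
        notes.append("header-only")  # nothing follows the 12-byte header
    return notes


if __name__ == "__main__":
    for raw in (LAN_REPLY, LOOPBACK_REPLY):
        reply = parse_dig(raw)
        print(reply["server"], reply["status"], findings(reply))
```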