DNS Resolver does not respond to request on LAN IP



  • Hi,

    DNS Resolver (with DNS forwarding activated) only responds to requests on 127.0.0.1, but refuses to respond to requests on the LAN IP (192.168.2.200), even when I try this from the pfSense machine itself:

    [2.3.4-RELEASE][root@pfSense.domain.com]/root: nslookup www.google.com 127.0.0.1
    Server:         127.0.0.1
    Address:        127.0.0.1#53
    
    Non-authoritative answer:
    Name:   www.google.com
    Address: 216.58.214.100
    Name:   www.google.com
    Address: 2a00:1450:4001:812::2004
    
    [2.3.4-RELEASE][root@pfSense.domain.com]/root: nslookup www.google.com 192.168.2.200
    Server:         192.168.2.200
    Address:        192.168.2.200#53
    
    ** server can't find www.google.com: REFUSED
    

    I found this out when I tried to set up other machines in my LAN to use pfSense as DNS, but got the refused error.

    As you can see from the attached screenshot, I have set up the DNS Resolver to listen on all interfaces, and 192.168.2.200 is the address assigned to the LAN interface.

    My network setup: I have set up pfSense 2.3.4 in a KVM VM for testing purposes. WAN is detached, LAN is connected to a bridge on the VM host (192.168.2.30). To enable internet access, I have set up a gateway for LAN in pfSense. I know this is not necessarily the intended setup. Generally, it works, however: I can access the LAN and the Internet from the pfSense box, including downloading packages for pfSense, etc.

    What did I miss?

    Thanks!

    ![DNS Resolver Options.png](/public/imported_attachments/1/DNS Resolver Options.png)
    ![LAN Interface Settings.png](/public/imported_attachments/1/LAN Interface Settings.png)



  • Dig might give more detail on the problem. What is the output of

    dig -x @192.168.2.200 www.google.com



  • Thanks for looking into this!

    [2.3.4-RELEASE][root@pfSense.domain.com]/root: dig @192.168.2.200 -x www.google.com
    
    ; <<>> DiG 9.11.1 <<>> @192.168.2.200 -x www.google.com
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 6573
    ;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    ;; WARNING: recursion requested but not available
    
    ;; Query time: 0 msec
    ;; SERVER: 192.168.2.200#53(192.168.2.200)
    ;; WHEN: Mon May 15 08:21:44 CEST 2017
    ;; MSG SIZE  rcvd: 12
    

    For purposes of comparison, the same request @127.0.0.1:

    [2.3.4-RELEASE][root@pfSense.domain.com]/root: dig @127.0.0.1 -x www.google.com
    
    ; <<>> DiG 9.11.1 <<>> @127.0.0.1 -x www.google.com
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36977
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;com.google.www.in-addr.arpa.   IN      PTR
    
    ;; AUTHORITY SECTION:
    in-addr.arpa.           3469    IN      SOA     b.in-addr-servers.arpa. nstld.iana.org. 2017042619 1800 900 604800 3600
    
    ;; Query time: 305 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Mon May 15 08:21:12 CEST 2017
    ;; MSG SIZE  rcvd: 124
    


  • Does dig @127.0.0.1 -x www.google.com work if you uncheck "DNS Query Forwarding: Enable Forwarding Mode"?



  • I don't think anything changes if I disable that:

    [2.3.4-RELEASE][root@pfSense.kruemel.org]/root: dig @127.0.0.1 -x www.google.com
    
    ; <<>> DiG 9.11.1 <<>> @127.0.0.1 -x www.google.com
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 21799
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;com.google.www.in-addr.arpa.	IN	PTR
    
    ;; AUTHORITY SECTION:
    in-addr.arpa.		3600	IN	SOA	b.in-addr-servers.arpa. nstld.iana.org. 2017042619 1800 900 604800 3600
    
    ;; Query time: 219 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Mon May 15 17:12:46 CEST 2017
    ;; MSG SIZE  rcvd: 124
    

    and

    [2.3.4-RELEASE][root@pfSense.kruemel.org]/root: dig @192.168.2.200 -x www.google.com
    
    ; <<>> DiG 9.11.1 <<>> @192.168.2.200 -x www.google.com
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 33417
    ;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    ;; WARNING: recursion requested but not available
    
    ;; Query time: 0 msec
    ;; SERVER: 192.168.2.200#53(192.168.2.200)
    ;; WHEN: Mon May 15 17:13:18 CEST 2017
    ;; MSG SIZE  rcvd: 12
    

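The two dig outputs in this thread differ only in the DNS header: the reply from the LAN address is a bare 12-byte REFUSED with the question section stripped (QUERY: 0) and no RA flag, while the loopback reply is a normal NXDOMAIN with RA set. The script below is an added example, not code from the thread or from pfSense/Unbound: it builds a standard recursion-desired query, decodes the fixed DNS header the way dig prints it, and sends the query over UDP so the same check can be run against 127.0.0.1 and a LAN address side by side. The sample replies are constructed from the dig output above (header fields only; the NXDOMAIN body is zero padding to reproduce the size), and the hint text in diagnose() is the editor's interpretation, not a statement from the posters.

```python
"""DNS header decoder for comparing resolver replies (added example).

Assumptions: the resolver listens on UDP/53; the reply is at least the
12-byte fixed header. Flag bit positions and RCODE values follow RFC 1035
and RFC 4035 (AD flag).
"""
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}

# (bit, dig name) for the header flag bits, most significant first.
FLAG_BITS = ((15, "qr"), (10, "aa"), (9, "tc"), (8, "rd"),
             (7, "ra"), (5, "ad"), (4, "cd"))


def build_query(name: str, qtype: int = 1, qid: int = 0x1234) -> bytes:
    """Build a recursion-desired query (QTYPE 1 = A, 12 = PTR)."""
    flags = 0x0100  # RD set, everything else clear
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN


def decode_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into dig-style fields."""
    if len(msg) < 12:
        raise ValueError("message shorter than DNS header")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    names = [name for bit, name in FLAG_BITS if flags >> bit & 1]
    rcode = flags & 0xF
    return {
        "id": qid,
        "flags": names,
        "status": RCODES.get(rcode, str(rcode)),
        "query": qd, "answer": an, "authority": ns, "additional": ar,
        "recursion_available": bool(flags >> 7 & 1),
        "size": len(msg),
    }


def diagnose(hdr: dict) -> str:
    """Editor's hint for the patterns seen in the thread (assumption, not a fact from it)."""
    if hdr["status"] == "REFUSED" and hdr["query"] == 0 and hdr["size"] == 12:
        return ("bare REFUSED with the question stripped: the resolver received the packet "
                "but rejected it by policy; compare its access control for this source/listen address")
    if hdr["status"] == "REFUSED":
        return "REFUSED: server reached, query denied by policy"
    if not hdr["recursion_available"]:
        return "server answered but does not offer recursion"
    return "resolver answered normally (%s)" % hdr["status"]


def query(server: str, name: str, qtype: int = 1, timeout: float = 2.0) -> dict:
    """Send the query over UDP and decode the reply header (live use, not run offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        data, _ = s.recvfrom(4096)
    return decode_header(data)


# Constructed sample replies modelled on the thread's dig output (not captured bytes).
# 192.168.2.200: flags qr rd ad, status REFUSED, all counts 0, 12 bytes.
REFUSED_REPLY = struct.pack("!HHHHHH", 6573, 0x8000 | 0x0100 | 0x0020 | 5, 0, 0, 0, 0)
# 127.0.0.1: flags qr rd ra, status NXDOMAIN, QUERY 1 / AUTHORITY 1 / ADDITIONAL 1,
# padded with zero bytes to the 124-byte size dig reported.
NXDOMAIN_REPLY = (struct.pack("!HHHHHH", 36977, 0x8000 | 0x0100 | 0x0080 | 3, 1, 0, 1, 1)
                  + b"\x00" * 112)

if __name__ == "__main__":
    for label, raw in (("192.168.2.200", REFUSED_REPLY), ("127.0.0.1", NXDOMAIN_REPLY)):
        hdr = decode_header(raw)
        print(label, hdr["status"], " ".join(hdr["flags"]), "->", diagnose(hdr))
    # Live comparison on a pfSense box would be, for example:
    #   print(query("127.0.0.1", "www.google.com"))
    #   print(query("192.168.2.200", "www.google.com"))
```

Running it offline prints the two decoded headers from the constructed samples; calling query() against both addresses on the firewall gives the same comparison for a real resolver. The missing RA flag is what makes dig print "recursion requested but not available", and a REFUSED reply that is only 12 bytes long means the question was not echoed back, which is why dig shows QUERY: 0.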