DNS Resolver does not respond to request on LAN IP
-
Hi,
DNS Resolver (with DNS forwarding activated) only responds to requests on 127.0.0.1, but refuses to respond to requests on the LAN IP (192.168.2.200), even when I try this from the pfSense machine itself:
```
[2.3.4-RELEASE][root@pfSense.domain.com]/root: nslookup www.google.com 127.0.0.1
Server:		127.0.0.1
Address:	127.0.0.1#53

Non-authoritative answer:
Name:	www.google.com
Address: 216.58.214.100
Name:	www.google.com
Address: 2a00:1450:4001:812::2004

[2.3.4-RELEASE][root@pfSense.domain.com]/root: nslookup www.google.com 192.168.2.200
Server:		192.168.2.200
Address:	192.168.2.200#53

** server can't find www.google.com: REFUSED
```
I found this out when I tried to set up other machines in my LAN to use pfSense as DNS, but got the REFUSED error.
As you can see from the attached screenshots, I have set up DNS Resolver to listen on all interfaces, and 192.168.2.200 is the address assigned to the LAN interface.
My network setup: I have set up pfSense 2.3.4 in a KVM VM for testing purposes. WAN is detached, LAN is connected to a bridge on the VM host (192.168.2.30). To enable internet access, I have set up a gateway for LAN in pfSense. I know this is not necessarily the intended setup. Generally, it works, however: I can access the LAN and the Internet from the pfSense box, including downloading packages for pfSense, etc.
What did I miss?
Thanks!
![DNS Resolver Options.png](/public/imported_attachments/1/DNS Resolver Options.png)
![LAN Interface Settings.png](/public/imported_attachments/1/LAN Interface Settings.png)
-
Dig might have more detail of the problem. What is the output of
```
dig -x @192.168.2.200 www.google.com
```
-
Thanks for looking into this!
```
[2.3.4-RELEASE][root@pfSense.domain.com]/root: dig @192.168.2.200 -x www.google.com

; <<>> DiG 9.11.1 <<>> @192.168.2.200 -x www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 6573
;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; Query time: 0 msec
;; SERVER: 192.168.2.200#53(192.168.2.200)
;; WHEN: Mon May 15 08:21:44 CEST 2017
;; MSG SIZE  rcvd: 12
```
For purposes of comparison, the same request @127.0.0.1:
```
[2.3.4-RELEASE][root@pfSense.domain.com]/root: dig @127.0.0.1 -x www.google.com

; <<>> DiG 9.11.1 <<>> @127.0.0.1 -x www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36977
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;com.google.www.in-addr.arpa.	IN	PTR

;; AUTHORITY SECTION:
in-addr.arpa.		3469	IN	SOA	b.in-addr-servers.arpa. nstld.iana.org. 2017042619 1800 900 604800 3600

;; Query time: 305 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon May 15 08:21:12 CEST 2017
;; MSG SIZE  rcvd: 124
```
-
Does `dig @127.0.0.1 -x www.google.com` work if you uncheck DNS Query Forwarding / Enable Forwarding Mode?
-
I don't think anything changes if I disable that:
```
[2.3.4-RELEASE][root@pfSense.kruemel.org]/root: dig @127.0.0.1 -x www.google.com

; <<>> DiG 9.11.1 <<>> @127.0.0.1 -x www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 21799
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;com.google.www.in-addr.arpa.	IN	PTR

;; AUTHORITY SECTION:
in-addr.arpa.		3600	IN	SOA	b.in-addr-servers.arpa. nstld.iana.org. 2017042619 1800 900 604800 3600

;; Query time: 219 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon May 15 17:12:46 CEST 2017
;; MSG SIZE  rcvd: 124
```
and
```
[2.3.4-RELEASE][root@pfSense.kruemel.org]/root: dig @192.168.2.200 -x www.google.com

; <<>> DiG 9.11.1 <<>> @192.168.2.200 -x www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 33417
;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; Query time: 0 msec
;; SERVER: 192.168.2.200#53(192.168.2.200)
;; WHEN: Mon May 15 17:13:18 CEST 2017
;; MSG SIZE  rcvd: 12
```
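An added example, not part of the thread: a small Python checker that parses the dig header lines quoted above (embedded here as constructed sample input) and classifies each reply by how the resolver treated the client rather than by the rcode alone, so that a header-only REFUSED from one listening address stands out next to a normal answer from another.

```python
import re

# Constructed sample input: the two dig header blocks quoted in this thread,
# trimmed to the lines the checker needs (LAN address vs. loopback).
DIG_LAN = """\
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 6573
;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; SERVER: 192.168.2.200#53(192.168.2.200)
;; MSG SIZE  rcvd: 12
"""
DIG_LOOPBACK = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36977
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; MSG SIZE  rcvd: 124
"""

def parse_dig_header(text):
    """Pull the fields that matter for a 'who may query me' diagnosis out of dig output."""
    flags_match = re.search(r"^;; flags: ([a-z ]+);", text, re.M)  # skips the EDNS 'flags:;' line
    return {
        "server": re.search(r"SERVER: ([\d.]+)#", text).group(1),
        "status": re.search(r"status: ([A-Z]+)", text).group(1),
        "flags": flags_match.group(1).split() if flags_match else [],
        "qdcount": int(re.search(r"QUERY: (\d+)", text).group(1)),
        "size": int(re.search(r"MSG SIZE\s+rcvd: (\d+)", text).group(1)),
        "no_recursion_warning": "recursion requested but not available" in text,
    }

def diagnose(hdr):
    """Classify a reply by how the resolver treated the client, not by the name looked up."""
    # A 12-byte reply is a bare DNS header with no question echoed back (QUERY: 0):
    # the resolver refused the query before processing it, which is what a
    # per-source access restriction looks like from the client side.
    if hdr["status"] == "REFUSED" and hdr["qdcount"] == 0 and hdr["size"] == 12:
        return "refused-before-processing"
    # 'ra' set means recursion is offered to this client; the rcode (NXDOMAIN here,
    # because -x on a hostname asks for com.google.www.in-addr.arpa.) is about the
    # name, so the client is allowed and the server is resolving for it.
    if "ra" in hdr["flags"]:
        return "client-allowed"
    return "recursion-not-offered"

def compare(*outputs):
    """Report each server's verdict so differing listen addresses stand out side by side."""
    return {h["server"]: diagnose(h) for h in map(parse_dig_header, outputs)}

if __name__ == "__main__":
    for server, verdict in compare(DIG_LAN, DIG_LOOPBACK).items():
        print(f"{server}: {verdict}")
```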