Netgate Discussion Forum

    DNS Resolver does not respond to request on LAN IP

    DHCP and DNS

    • highc

      Hi,

      DNS Resolver (with DNS forwarding activated) only responds to requests on 127.0.0.1, but refuses to respond to requests on the LAN IP (192.168.2.200), even when I try this from the pfSense machine itself:

      ```
      [2.3.4-RELEASE][root@pfSense.domain.com]/root: nslookup www.google.com 127.0.0.1
      Server:         127.0.0.1
      Address:        127.0.0.1#53

      Non-authoritative answer:
      Name:   www.google.com
      Address: 216.58.214.100
      Name:   www.google.com
      Address: 2a00:1450:4001:812::2004

      [2.3.4-RELEASE][root@pfSense.domain.com]/root: nslookup www.google.com 192.168.2.200
      Server:         192.168.2.200
      Address:        192.168.2.200#53

      ** server can't find www.google.com: REFUSED
      ```

      I found this out when I tried to set up other machines in my LAN to use pfSense as DNS, but got the refused error.

      As you can see from the attached screenshot, I have set up DNS Resolver to listen to all interfaces, and 192.168.2.200 is the address assigned to the LAN interface.

      My network setup: I have set up pfSense 2.3.4 in a KVM VM for testing purposes. WAN is detached, LAN is connected to a bridge on the VM host (192.168.2.30). To enable internet access, I have set up a gateway for LAN in pfSense. I know this is not necessarily the intended setup. Generally, it works, however: I can access the LAN and the Internet from the pfSense box, including downloading packages for pfSense, etc.

      What did I miss?

      Thanks!

      ![DNS Resolver Options.png](/public/imported_attachments/1/DNS Resolver Options.png)
      ![LAN Interface Settings.png](/public/imported_attachments/1/LAN Interface Settings.png)

      pfSense+ 24.03 on Netgate SG-2100 (replaced SG-2440)
      pfSense 2.6 on Super Micro 5018D-FN4T (retired)

      • gjaltemba

        Dig might have more detail of the problem. What is the output of

        dig -x @192.168.2.200 www.google.com

        • highc

          Thanks for looking into this!

          ```
          [2.3.4-RELEASE][root@pfSense.domain.com]/root: dig @192.168.2.200 -x www.google.com

          ; <<>> DiG 9.11.1 <<>> @192.168.2.200 -x www.google.com
          ; (1 server found)
          ;; global options: +cmd
          ;; Got answer:
          ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 6573
          ;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
          ;; WARNING: recursion requested but not available

          ;; Query time: 0 msec
          ;; SERVER: 192.168.2.200#53(192.168.2.200)
          ;; WHEN: Mon May 15 08:21:44 CEST 2017
          ;; MSG SIZE  rcvd: 12
          ```

          For purposes of comparison, the same request @127.0.0.1:

          ```
          [2.3.4-RELEASE][root@pfSense.domain.com]/root: dig @127.0.0.1 -x www.google.com

          ; <<>> DiG 9.11.1 <<>> @127.0.0.1 -x www.google.com
          ; (1 server found)
          ;; global options: +cmd
          ;; Got answer:
          ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36977
          ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

          ;; OPT PSEUDOSECTION:
          ; EDNS: version: 0, flags:; udp: 4096
          ;; QUESTION SECTION:
          ;com.google.www.in-addr.arpa.   IN      PTR

          ;; AUTHORITY SECTION:
          in-addr.arpa.           3469    IN      SOA     b.in-addr-servers.arpa. nstld.iana.org. 2017042619 1800 900 604800 3600

          ;; Query time: 305 msec
          ;; SERVER: 127.0.0.1#53(127.0.0.1)
          ;; WHEN: Mon May 15 08:21:12 CEST 2017
          ;; MSG SIZE  rcvd: 124
          ```

          pfSense+ 24.03 on Netgate SG-2100 (replaced SG-2440)
          pfSense 2.6 on Super Micro 5018D-FN4T (retired)

          • gjaltemba

            dig @127.0.0.1 -x www.google.com works if you uncheck DNS Query Forwarding Enable Forwarding Mode?

            • highc

              I don't think anything changes if I disable that:

              ```
              [2.3.4-RELEASE][root@pfSense.kruemel.org]/root: dig @127.0.0.1 -x www.google.com

              ; <<>> DiG 9.11.1 <<>> @127.0.0.1 -x www.google.com
              ; (1 server found)
              ;; global options: +cmd
              ;; Got answer:
              ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 21799
              ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

              ;; OPT PSEUDOSECTION:
              ; EDNS: version: 0, flags:; udp: 4096
              ;; QUESTION SECTION:
              ;com.google.www.in-addr.arpa.	IN	PTR

              ;; AUTHORITY SECTION:
              in-addr.arpa.		3600	IN	SOA	b.in-addr-servers.arpa. nstld.iana.org. 2017042619 1800 900 604800 3600

              ;; Query time: 219 msec
              ;; SERVER: 127.0.0.1#53(127.0.0.1)
              ;; WHEN: Mon May 15 17:12:46 CEST 2017
              ;; MSG SIZE  rcvd: 124
              ```

              and

              ```
              [2.3.4-RELEASE][root@pfSense.kruemel.org]/root: dig @192.168.2.200 -x www.google.com

              ; <<>> DiG 9.11.1 <<>> @192.168.2.200 -x www.google.com
              ; (1 server found)
              ;; global options: +cmd
              ;; Got answer:
              ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 33417
              ;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
              ;; WARNING: recursion requested but not available

              ;; Query time: 0 msec
              ;; SERVER: 192.168.2.200#53(192.168.2.200)
              ;; WHEN: Mon May 15 17:13:18 CEST 2017
              ;; MSG SIZE  rcvd: 12
              ```

              pfSense+ 24.03 on Netgate SG-2100 (replaced SG-2440)
              pfSense 2.6 on Super Micro 5018D-FN4T (retired)
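
A way to compare the replies quoted in this thread side by side, as an added example that is not part of any post: `dig_summary` reads `dig` output on stdin and reports the response code, whether the `ra` (recursion available) flag is set, and the question/answer counts. The function names and the `verdict` labels are chosen for this example; the sample lines are the header lines from the dig runs quoted above.

```shell
# Added example: summarise the header of `dig` output read from stdin.
dig_summary() {
    awk '
        BEGIN { ra = "no"; q = a = "?" }
        /->>HEADER<<-/ {
            for (i = 1; i < NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
        }
        /^[ \t]*;; flags:/ {
            inflags = 0
            for (i = 1; i <= NF; i++) {
                tok = $i
                if (tok == "flags:") { inflags = 1; continue }
                if (inflags) {
                    # the flag list ends at the token that carries the ";"
                    if (tok ~ /;$/) { inflags = 0; sub(/;$/, "", tok) }
                    if (tok == "ra") ra = "yes"
                    continue
                }
                if (tok == "QUERY:")  { q = $(i + 1); sub(/,$/, "", q) }
                if (tok == "ANSWER:") { a = $(i + 1); sub(/,$/, "", a) }
            }
        }
        END {
            if (status == "") exit 1    # no header seen: no reply was parsed
            # REFUSED is a reply: the server was reached and declined the query
            if (status == "REFUSED") verdict = "refused-by-policy"
            else if (ra == "no")     verdict = "no-recursion"
            else                     verdict = "recursive-reply"
            printf "status=%s ra=%s question=%s answer=%s verdict=%s\n",
                   status, ra, q, a, verdict
        }
    '
}

# Header lines copied from the two dig runs quoted in the thread.
sample_lan() {
    printf '%s\n' ';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 6573' \
        ';; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'
}
sample_loopback() {
    printf '%s\n' ';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36977' \
        ';; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1'
}

sample_lan | dig_summary
sample_loopback | dig_summary
```

For a live query, `dig @192.168.2.200 www.google.com | dig_summary` produces the same one-line summary.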
