All LAN boxes resolve local hosts but the pfSense gateway

jeffboyce

Greetings -

I have a minor quirk in my network dns resolution process, that while I don't think it is causing any problems right now, I would like someone more knowledgeable to educate me and maybe I can fix it.

In short, the problem is that the pfSense gateway box itself can not resolve fully qualified host names of any of the LAN boxes on the network.

All the boxes on my LAN are getting DHCP and DNS settings from a dnsmasq server on the network that is separate from my pfSense router / gateway box.  The dnsmasq box has been present on the network for many years before the pfSense gateway box was installed.

A generic network diagram would be:

Windows LAN box:  192.168.112.101

dnsmasq server:  192.168.112.51

pfSense gateway:  192.168.112.11

A Windows box on the network has an internet connection and can resolve all host names.  The network settings provided to the Windows box by the dnsmasq server include the following:

C:\Users\jeffb>ipconfig /all
Windows IP Configuration
  Host Name . . . . . . . . . . . . : jab-prec3610
  Primary Dns Suffix  . . . . . . . :
  Node Type . . . . . . . . . . . . : Hybrid
  IP Routing Enabled. . . . . . . . : No
  WINS Proxy Enabled. . . . . . . . : No
  DNS Suffix Search List. . . . . . : mei.lan

Ethernet adapter Local Area Connection:
  Connection-specific DNS Suffix  . : mei.lan
  Description . . . . . . . . . . . : Intel(R) 82579LM Gigabit Network Connection
  Physical Address. . . . . . . . . : 98-90-96-A2-5F-02
  DHCP Enabled. . . . . . . . . . . : Yes
  Autoconfiguration Enabled . . . . : Yes
  Link-local IPv6 Address . . . . . : fe80::28f1:3c0b:c6a8:91ea%11(Preferred)
  IPv4 Address. . . . . . . . . . . : 192.168.112.101(Preferred)
  Subnet Mask . . . . . . . . . . . : 255.255.255.0
  Lease Obtained. . . . . . . . . . : Tuesday, June 20, 2017 2:32:03 PM
  Lease Expires . . . . . . . . . . : Thursday, June 22, 2017 7:31:41 AM
  Default Gateway . . . . . . . . . : 192.168.112.11
  DHCP Server . . . . . . . . . . . : 192.168.112.51
  DHCPv6 IAID . . . . . . . . . . . : 244879510
  DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1C-D4-D6-D5-98-90-96-A2-5F-02
  DNS Servers . . . . . . . . . . . : 192.168.112.51
  Primary WINS Server . . . . . . . : 192.168.112.50
  NetBIOS over Tcpip. . . . . . . . : Enabled

Applicable DNS settings on the dnsmasq server include the following:

domain-needed
  bogus-priv
  filterwin2k
  strict-order
  server=/pfgateway.mei.lan/192.168.112.11
  local=/mei.lan/

I am using the DNS Resolver on the pfSense box, and it includes the following settings:

DNS Resolver = enabled
  Network Interfaces = all
  Outgoing Network Interfaces = all
  System Domain Local Zone Type = transparent
  DNSSEC = not checked
  DNS Query Forwarding = not checked
  DHCP Registration = not checked
  Static DHCP = checked
  Domain Override = 112.168.192.in-addr.arpa  192.168.112.51  taxa.mei.lan

The dashboard on the pfSense box shows:
  DNS Servers = 127.0.0.1

The DNS Forwarder on the pfSense box is not enabled.

I am assuming that I have a minor configuration change that could be made on the pfSense box that would correct my issue, but didn't know what, and didn't want to randomly experiment with changing the settings.  I know that I could manually add the host names and IP addresses into the /etc/host file of the pfSense box, but don't know if that would be retained across upgrades.

So in summary, what change would I need to make to enable the pfSense box to resolve fully qualified host names of other boxes on the LAN?

Thanks.
Jeff

johnpoz

so pfsense domain is mei.lan

But then your dnsmasq box also thinks its authoritative for mei.lan

And your wondering why pfsense can not lookup host.mei.lan ?

I see your domain override for your PTR.  But where is your domain override telling pfsense to go check your dnsmasq when it wants to look up host.mei.lan

jeffboyce

so pfsense domain is mei.lan

Yes.

But then your dnsmasq box also thinks its authoritative for mei.lan

I believe so.  That shows my lack of knowledge regarding how this is integrated between the two boxes.  Any specific pointers to good reference documents that would educate me on this particular issue are welcome, as I haven't found the answer on my own over the last month or so.

And your wondering why pfsense can not lookup host.mei.lan ?

I can't tell if that is a rhetorical question, sarcasm, or otherwise.  But, yes, I believe that is the question I am asking.  If you are implying that the answer is the logical result of your first two statements, then I will of course need some more explanation to understand it.

I see your domain override for your PTR.  But where is your domain override telling pfsense to go check your dnsmasq when it wants to look up host.mei.lan

I don't recall the reason why the domain override is there, and my notes don't make it any clearer to me.  I have showed you all my configuration information, so if there is something missing that should be present to fix this I need to understand what that is.  I am not really clear on what a domain override is, or does.

My logical understanding of this is that the pfSense box only knows to look outward (to the internet) for name resolution, but doesn't know to look inward (LAN) to resolve my local domain.  That is what got me to the point of thinking that it is a minor configuration error on the pfSense box and not a problem on the dnsmaq box or elsewhere.  But I don't understand what I need to change on the pfSense box to fix it.

Further explanation, or pointers to good reference documentation is appreciated.

Thanks.
Jeff

gjaltemba

Have you tried adding

Domain Override = mei.lan    192.168.112.51    taxa.mei.lan

jeffboyce

Thanks gjaltemba,

After much research and reading about what domain override is and what it does, I did put that in my domain override yesterday afternoon before I saw your reply.  Upon testing it appears to solve my issue.  In hind site the simple description of what domain override does on the pfSense Unbound DNS Resolver help page https://doc.pfsense.org/index.php/Unbound_DNS_Resolver seems to describe my case.  However, I was getting stuck in my searches through the forum and other Google results that describe domain overrides used in combination with VPN tunnels and other situations that confused me more than helped.

Now I have to figure out whether I really need that first override that I had listed, as I don't understand what it should do.  I may remove it and see what the effects are.  Looking through my notes I put it there trying to solve a split DNS issue, which is still unsolved.  I have an OwnCloud site on my network that I would like to be able to access from within my LAN using the same domain name that is used from outside the LAN.  Right now I have to use cloudserver.mei.lan from within the LAN and cloudserver.companyname.com from outside the LAN.  When using the cloudserver.companyname.com from within the LAN, I get the pfSense page that identifies a potential DNS rebind attack detected, instead of the login page for the cloud server.

Jeff

gjaltemba

Domain Override = 112.168.192.in-addr.arpa    192.168.112.51    taxa.mei.lan

This one is for reverse lookup. Get name from ip.

nslookup 192.168.112.51

jeffboyce

Ahh, I see the usefulness of that now.  It will stay.