Netgate Discussion Forum

    All LAN boxes resolve local hosts but the pfSense gateway

    DHCP and DNS · 7 Posts, 3 Posters, 1.0k Views
    • jeffboyce

      Greetings -

      I have a minor quirk in my network DNS resolution process that, while I don't think it is causing any problems right now, I would like someone more knowledgeable to educate me about, and maybe I can fix it.

      In short, the problem is that the pfSense gateway box itself cannot resolve fully qualified host names of any of the LAN boxes on the network.

      All the boxes on my LAN are getting DHCP and DNS settings from a dnsmasq server on the network that is separate from my pfSense router / gateway box.  The dnsmasq box has been present on the network for many years before the pfSense gateway box was installed.

      A generic network diagram would be:

      Windows LAN box:  192.168.112.101

      dnsmasq server:  192.168.112.51

      pfSense gateway:  192.168.112.11

      A Windows box on the network has an internet connection and can resolve all host names.  The network settings provided to the Windows box by the dnsmasq server include the following:

      C:\Users\jeffb>ipconfig /all
      Windows IP Configuration
        Host Name . . . . . . . . . . . . : jab-prec3610
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : mei.lan

      Ethernet adapter Local Area Connection:
        Connection-specific DNS Suffix  . : mei.lan
        Description . . . . . . . . . . . : Intel(R) 82579LM Gigabit Network Connection
        Physical Address. . . . . . . . . : 98-90-96-A2-5F-02
        DHCP Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        Link-local IPv6 Address . . . . . : fe80::28f1:3c0b:c6a8:91ea%11(Preferred)
        IPv4 Address. . . . . . . . . . . : 192.168.112.101(Preferred)
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Lease Obtained. . . . . . . . . . : Tuesday, June 20, 2017 2:32:03 PM
        Lease Expires . . . . . . . . . . : Thursday, June 22, 2017 7:31:41 AM
        Default Gateway . . . . . . . . . : 192.168.112.11
        DHCP Server . . . . . . . . . . . : 192.168.112.51
        DHCPv6 IAID . . . . . . . . . . . : 244879510
        DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1C-D4-D6-D5-98-90-96-A2-5F-02
        DNS Servers . . . . . . . . . . . : 192.168.112.51
        Primary WINS Server . . . . . . . : 192.168.112.50
        NetBIOS over Tcpip. . . . . . . . : Enabled

      Applicable DNS settings on the dnsmasq server include the following:

        domain-needed
        bogus-priv
        filterwin2k
        strict-order
        server=/pfgateway.mei.lan/192.168.112.11
        local=/mei.lan/

      I am using the DNS Resolver on the pfSense box, and it includes the following settings:

        DNS Resolver = enabled
        Network Interfaces = all
        Outgoing Network Interfaces = all
        System Domain Local Zone Type = transparent
        DNSSEC = not checked
        DNS Query Forwarding = not checked
        DHCP Registration = not checked
        Static DHCP = checked
        Domain Override = 112.168.192.in-addr.arpa  192.168.112.51  taxa.mei.lan

      The dashboard on the pfSense box shows:
        DNS Servers = 127.0.0.1

      The DNS Forwarder on the pfSense box is not enabled.

      I am assuming that I have a minor configuration change that could be made on the pfSense box that would correct my issue, but didn't know what, and didn't want to randomly experiment with changing the settings.  I know that I could manually add the host names and IP addresses into the /etc/host file of the pfSense box, but don't know if that would be retained across upgrades.

      So in summary, what change would I need to make to enable the pfSense box to resolve fully qualified host names of other boxes on the LAN?

      Thanks.
      Jeff

      • johnpoz (LAYER 8 Global Moderator)

        So pfSense domain is mei.lan.

        But then your dnsmasq box also thinks it's authoritative for mei.lan.

        And you're wondering why pfSense cannot look up host.mei.lan?

        I see your domain override for your PTR.  But where is your domain override telling pfSense to go check your dnsmasq when it wants to look up host.mei.lan?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • jeffboyce

          So pfSense domain is mei.lan.

          Yes.

          But then your dnsmasq box also thinks it's authoritative for mei.lan.

          I believe so.  That shows my lack of knowledge regarding how this is integrated between the two boxes.  Any specific pointers to good reference documents that would educate me on this particular issue are welcome, as I haven't found the answer on my own over the last month or so.

          And you're wondering why pfSense cannot look up host.mei.lan?

          I can't tell if that is a rhetorical question, sarcasm, or otherwise.  But, yes, I believe that is the question I am asking.  If you are implying that the answer is the logical result of your first two statements, then I will of course need some more explanation to understand it.

          I see your domain override for your PTR.  But where is your domain override telling pfSense to go check your dnsmasq when it wants to look up host.mei.lan?

          I don't recall the reason why the domain override is there, and my notes don't make it any clearer to me.  I have shown you all my configuration information, so if there is something missing that should be present to fix this, I need to understand what that is.  I am not really clear on what a domain override is, or does.

          My logical understanding of this is that the pfSense box only knows to look outward (to the internet) for name resolution, but doesn't know to look inward (LAN) to resolve my local domain.  That is what got me to the point of thinking that it is a minor configuration error on the pfSense box and not a problem on the dnsmasq box or elsewhere.  But I don't understand what I need to change on the pfSense box to fix it.

          Further explanation, or pointers to good reference documentation, is appreciated.

          Thanks.
          Jeff

          • gjaltemba

            Have you tried adding:

            Domain Override = mei.lan    192.168.112.51    taxa.mei.lan

            • jeffboyce

              Thanks gjaltemba,

              After much research and reading about what domain override is and what it does, I did put that in my domain override yesterday afternoon before I saw your reply.  Upon testing, it appears to solve my issue.  In hindsight, the simple description of what domain override does on the pfSense Unbound DNS Resolver help page https://doc.pfsense.org/index.php/Unbound_DNS_Resolver seems to describe my case.  However, I was getting stuck in my searches through the forum and other Google results that describe domain overrides used in combination with VPN tunnels and other situations, which confused me more than helped.

              Now I have to figure out whether I really need that first override that I had listed, as I don't understand what it should do.  I may remove it and see what the effects are.  Looking through my notes, I put it there trying to solve a split DNS issue, which is still unsolved.  I have an OwnCloud site on my network that I would like to be able to access from within my LAN using the same domain name that is used from outside the LAN.  Right now I have to use cloudserver.mei.lan from within the LAN and cloudserver.companyname.com from outside the LAN.  When using cloudserver.companyname.com from within the LAN, I get the pfSense page saying a potential DNS rebind attack was detected, instead of the login page for the cloud server.

              Jeff

              • gjaltemba

                Domain Override = 112.168.192.in-addr.arpa    192.168.112.51    taxa.mei.lan

                This one is for reverse lookup.  Get name from IP.

                nslookup 192.168.112.51

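As an added illustration (not code from this thread, and not pfSense's or Unbound's own code), here is a small Python model of how Unbound picks a forward zone for a query, using the two domain overrides discussed above, together with the `forward-zone:` stanzas a pfSense domain override corresponds to in the generated Unbound configuration. The names and addresses are the ones from Jeff's posts; the function names are my own.

```python
# Added example: model Unbound's forward-zone selection for the two
# pfSense domain overrides from this thread, and render the equivalent
# unbound.conf stanzas. Function names are hypothetical; the zones and
# addresses are the ones quoted in the posts above.
import ipaddress

# pfSense "Domain Override" entries: (domain, server the query is sent to)
OVERRIDES = [
    ("112.168.192.in-addr.arpa", "192.168.112.51"),  # reverse zone, for PTR lookups
    ("mei.lan", "192.168.112.51"),                   # forward zone, the fix gjaltemba suggested
]

def match_override(qname, overrides=OVERRIDES):
    """Return (zone, server) for the most specific override covering qname,
    or None when no override applies. With no match Unbound recurses from
    the root servers, which is why host.mei.lan could not be resolved
    before the mei.lan override was added."""
    q = qname.rstrip(".").lower()
    best = None
    for zone, server in overrides:
        z = zone.rstrip(".").lower()
        if q == z or q.endswith("." + z):
            if best is None or len(z) > len(best[0]):
                best = (z, server)
    return best

def ptr_name(ip):
    """Reverse-lookup name for an IPv4 address, e.g. 192.168.112.51 ->
    51.112.168.192.in-addr.arpa, which falls under the PTR override."""
    return ipaddress.ip_address(ip).reverse_pointer

def forward_zone_config(overrides=OVERRIDES):
    """Render the unbound forward-zone stanzas equivalent to the overrides."""
    stanzas = [f'forward-zone:\n    name: "{zone}"\n    forward-addr: {server}'
               for zone, server in overrides]
    return "\n".join(stanzas)

if __name__ == "__main__":
    for name in ("cloudserver.mei.lan", ptr_name("192.168.112.51"), "www.example.com"):
        print(f"{name} -> {match_override(name)}")
    print(forward_zone_config())
```

Note that a query such as notmei.lan does not match the mei.lan override, because matching is on whole labels, not on a string suffix.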
                • jeffboyce

                  Ahh, I see the usefulness of that now.  It will stay.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.