All LAN boxes resolve local hosts but the pfSense gateway
-
Greetings -
I have a minor quirk in my network dns resolution process, that while I don't think it is causing any problems right now, I would like someone more knowledgeable to educate me and maybe I can fix it.
In short, the problem is that the pfSense gateway box itself can not resolve fully qualified host names of any of the LAN boxes on the network.
All the boxes on my LAN are getting DHCP and DNS settings from a dnsmasq server on the network that is separate from my pfSense router / gateway box. The dnsmasq box has been present on the network for many years before the pfSense gateway box was installed.
A generic network diagram would be:
Windows LAN box: 192.168.112.101
dnsmasq server: 192.168.112.51
pfSense gateway: 192.168.112.11
A Windows box on the network has an internet connection and can resolve all host names. The network settings provided to the Windows box by the dnsmasq server include the following:
C:\Users\jeffb>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : jab-prec3610
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : mei.lanEthernet adapter Local Area Connection:
Connection-specific DNS Suffix . : mei.lan
Description . . . . . . . . . . . : Intel(R) 82579LM Gigabit Network Connection
Physical Address. . . . . . . . . : 98-90-96-A2-5F-02
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::28f1:3c0b:c6a8:91ea%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.112.101(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Tuesday, June 20, 2017 2:32:03 PM
Lease Expires . . . . . . . . . . : Thursday, June 22, 2017 7:31:41 AM
Default Gateway . . . . . . . . . : 192.168.112.11
DHCP Server . . . . . . . . . . . : 192.168.112.51
DHCPv6 IAID . . . . . . . . . . . : 244879510
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1C-D4-D6-D5-98-90-96-A2-5F-02
DNS Servers . . . . . . . . . . . : 192.168.112.51
Primary WINS Server . . . . . . . : 192.168.112.50
NetBIOS over Tcpip. . . . . . . . : EnabledApplicable DNS settings on the dnsmasq server include the following:
domain-needed
bogus-priv
filterwin2k
strict-order
server=/pfgateway.mei.lan/192.168.112.11
local=/mei.lan/I am using the DNS Resolver on the pfSense box, and it includes the following settings:
DNS Resolver = enabled
Network Interfaces = all
Outgoing Network Interfaces = all
System Domain Local Zone Type = transparent
DNSSEC = not checked
DNS Query Forwarding = not checked
DHCP Registration = not checked
Static DHCP = checked
Domain Override = 112.168.192.in-addr.arpa 192.168.112.51 taxa.mei.lanThe dashboard on the pfSense box shows:
DNS Servers = 127.0.0.1The DNS Forwarder on the pfSense box is not enabled.
I am assuming that I have a minor configuration change that could be made on the pfSense box that would correct my issue, but didn't know what, and didn't want to randomly experiment with changing the settings. I know that I could manually add the host names and IP addresses into the /etc/host file of the pfSense box, but don't know if that would be retained across upgrades.
So in summary, what change would I need to make to enable the pfSense box to resolve fully qualified host names of other boxes on the LAN?
Thanks.
Jeff -
so pfsense domain is mei.lan
But then your dnsmasq box also thinks its authoritative for mei.lan
And your wondering why pfsense can not lookup host.mei.lan ?
I see your domain override for your PTR. But where is your domain override telling pfsense to go check your dnsmasq when it wants to look up host.mei.lan
-
so pfsense domain is mei.lan
Yes.
But then your dnsmasq box also thinks its authoritative for mei.lan
I believe so. That shows my lack of knowledge regarding how this is integrated between the two boxes. Any specific pointers to good reference documents that would educate me on this particular issue are welcome, as I haven't found the answer on my own over the last month or so.
And your wondering why pfsense can not lookup host.mei.lan ?
I can't tell if that is a rhetorical question, sarcasm, or otherwise. But, yes, I believe that is the question I am asking. If you are implying that the answer is the logical result of your first two statements, then I will of course need some more explanation to understand it.
I see your domain override for your PTR. But where is your domain override telling pfsense to go check your dnsmasq when it wants to look up host.mei.lan
I don't recall the reason why the domain override is there, and my notes don't make it any clearer to me. I have showed you all my configuration information, so if there is something missing that should be present to fix this I need to understand what that is. I am not really clear on what a domain override is, or does.
My logical understanding of this is that the pfSense box only knows to look outward (to the internet) for name resolution, but doesn't know to look inward (LAN) to resolve my local domain. That is what got me to the point of thinking that it is a minor configuration error on the pfSense box and not a problem on the dnsmaq box or elsewhere. But I don't understand what I need to change on the pfSense box to fix it.
Further explanation, or pointers to good reference documentation is appreciated.
Thanks.
Jeff -
Have you tried adding
Domain Override = mei.lan 192.168.112.51 taxa.mei.lan
-
Thanks gjaltemba,
After much research and reading about what domain override is and what it does, I did put that in my domain override yesterday afternoon before I saw your reply. Upon testing it appears to solve my issue. In hind site the simple description of what domain override does on the pfSense Unbound DNS Resolver help page https://doc.pfsense.org/index.php/Unbound_DNS_Resolver seems to describe my case. However, I was getting stuck in my searches through the forum and other Google results that describe domain overrides used in combination with VPN tunnels and other situations that confused me more than helped.
Now I have to figure out whether I really need that first override that I had listed, as I don't understand what it should do. I may remove it and see what the effects are. Looking through my notes I put it there trying to solve a split DNS issue, which is still unsolved. I have an OwnCloud site on my network that I would like to be able to access from within my LAN using the same domain name that is used from outside the LAN. Right now I have to use cloudserver.mei.lan from within the LAN and cloudserver.companyname.com from outside the LAN. When using the cloudserver.companyname.com from within the LAN, I get the pfSense page that identifies a potential DNS rebind attack detected, instead of the login page for the cloud server.
Jeff
-
Domain Override = 112.168.192.in-addr.arpa 192.168.112.51 taxa.mei.lan
This one is for reverse lookup. Get name from ip.
nslookup 192.168.112.51
-
Ahh, I see the usefulness of that now. It will stay.
