DNS Override Issue
-
I just moved from an ALIX machine to a J1900 both running the latest code.
I set up DNS Resolver this time and I installed my DNS Overrides. I created a real dyndns address override and a non-existent dyndns override. In pfsense (Diagnostics/DNS Lookup) when I query both of these overrides the result is as expected of my internal/private overrides.
When I do the query or nslookup from client machines (which have their DNS pointing to pfsense - I see pfsense as the server in the nslookup) the real dyndns address query returns the public IP. It will not return the override. The test/non-existent dyndns returns the override.
I have flushed dns many times and started/stopped DNS Resolver.
I'm at a loss as to what to check next. Any help or tips would be greatly appreciated. I tried DNS Forwarder as well (whose overrides worked fine on my ALIX machine) and had the same issues. I'm sure I'm just overlooking something.
Thanks!
-
Just to follow up. Just to verify, I disabled DNS Resolver again on the interface and re-enabled DNS Forwarder and rebuilt the overrides. The same behavior is happening with both DNS methods. I'm using one of the physical OPT interfaces for this particular LAN segment, don't know if that changes the behavior. I'm also having an issue with NAT reflection with port rules on this interface. Port forwards are fine from external networks, but not coming from OPT1. I'm not sure if there is a relationship. My old setup was WAN-DHCP and LAN+LAN(VLAN1010). This seems fairly basic.
WAN-DHCP
LAN - 192.168.1.x
OPT1 - 192.168.2.x
OPT1(VLAN1010) - 172.22.22.x
-
Why don't you actually post the overrides you're creating and your query for said override.
If you created a host override and you query for said override - that is what is going to be returned. So either you did not create the override correctly or it did not take. Did you restart unbound? Or you're not doing the query for what you think you're doing a query for.
-
Yeah, I agree a host override is not complicated but it is not cooperating on 2.3.4. I did a reboot and several restarts of unbound. I've switched back to DNS Forwarder for the time being for more testing.
Here are a couple of samples:

hs3.ursula.com -> host override 192.168.2.68
mytest.dyndns.org -> host override 192.168.2.33

From the pfSense GUI - Diag/DNS Lookup results for these two hosts:

DNS Lookup
Hostname: hs3.ursula.com
Result           Record type
192.168.2.68     A
Name server      Query time
127.0.0.1        13 msec
208.67.222.222   16 msec
208.67.220.220   133 msec
8.8.8.8          18 msec

Hostname: mytest.dyndns.org
Result           Record type
192.168.2.33     A
Name server      Query time
127.0.0.1        13 msec
208.67.222.222   13 msec
208.67.220.220   15 msec
8.8.8.8          15 msec

From the client side (same results on different machines and OS types). The clients' only DNS server is the pfSense interface 192.168.2.254:

Wireless LAN adapter Wi-Fi:
   Connection-specific DNS Suffix . : localdomain
   Description . . . . . . . . . . . : Intel(R) Dual Band Wireless-AC 8260
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.2.193(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Sunday, July 9, 2017 2:28:20 PM
   Lease Expires . . . . . . . . . . : Sunday, July 9, 2017 5:57:58 PM
   Default Gateway . . . . . . . . . : 192.168.2.254
   DHCP Server . . . . . . . . . . . : 192.168.2.254
   DNS Servers . . . . . . . . . . . : 192.168.2.254

C:\Users\xxxx>ipconfig /flushdns

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

C:\Users\xxxx>nslookup
254.2.168.192.in-addr.arpa
        primary name server = localhost
        responsible mail addr = nobody.invalid
        serial  = 1
        refresh = 600 (10 mins)
        retry   = 1200 (20 mins)
        expire  = 604800 (7 days)
        default TTL = 10800 (3 hours)
Default Server:  UnKnown
Address:  192.168.2.254

> mytest.dyndns.org
Server:  UnKnown
Address:  192.168.2.254

Name:    mytest.dyndns.org
Address:  192.168.2.33

> hs3.ursula.com
Server:  UnKnown
Address:  192.168.2.254

Non-authoritative answer:
Name:    hs3.ursula.com
Address:  72.18.128.8
-
To your point, the clients are somehow resolving hostnames. In DNS Forwarder mode, I removed all DNS servers in the General DNS Settings area. The DNS Override list is NOT checked.
From pfSense I try to resolve getvera.com and, as expected, it did not resolve. I go to an OS X client and verify that /etc/resolv.conf only lists the GW 192.168.2.254.
I do an nslookup and getvera.com resolves to 104.25.200.22.
-
Very odd, this is an issue on a couple of clients with corporate control. I kept on testing on other devices without GPO and the behavior is exactly as expected and overrides work. There must be some DNS servers installed before the DHCP-acquired ones.
Thanks for your help.
-
PLEASE use a real tool like dig or drill to diagnose DNS problems, not windows nslookup. Something is giving the answers you are receiving and I see no way that is unbound.
Having DNS overrides in place AND having DNS servers listed that do not contain said overrides is asking for trouble. You really have no control over which server is actually going to answer. If it's the public server, you'll get the public address. If it's the local server, you'll get the local address. That answer will likely be cached somewhere. Inconsistent results will ensue.
And instead of this:

Here are a couple of samples
hs3.ursula.com -> host override 192.168.2.68
mytest.dyndns.org -> host override 192.168.2.33

Please post screenshots so we can see what you have done, not what you think you have done.
-
Hi Derelict,
Thanks for your post. As you pointed out, it is not unbound or dnsmasq. It was the DNS search list on a couple of the clients that was the issue. With Wireshark you could see the DNS request from the client was appending the extra domain to the request. As an easy workaround I just created an alias in the host override section.
Thanks
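As an added example, not code from this thread, from pfSense or from unbound: a small Python diagnostic that does what the advice above asks for. It sends a raw A query straight to each resolver a client might actually be using and flags when their answers disagree (the "whichever server answers first gets cached" situation), and it expands a hostname against a DNS search list the way a glibc-style stub resolver does, which is the mechanism the last post identified with Wireshark. The resolver addresses, hostnames and the `localdomain` suffix are the ones quoted in the thread; the wire-format encoding and decoding are written here from RFC 1035, and the ndots ordering in `expand_search_list` is an assumption about glibc behaviour, not a description of the Windows DNS client's suffix logic.

```python
import random
import socket
import struct

def encode_name(name):
    """Encode a hostname as DNS wire-format labels (length byte + label, 0 terminator)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qid, qtype=1):
    """Standard recursive query (flags 0x0100 = RD) with one question; qtype 1 = A."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def decode_name(data, offset):
    """Decode a possibly compressed name; return (name, offset just past it in the stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier copy of the name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2  # the first pointer is where this name ends in the stream
            offset, hops = pointer, hops + 1
            if hops > 32:  # refuse looping pointers in a malformed/hostile response
                raise ValueError("compression pointer loop")
            continue
        if length == 0:
            offset += 1
            break
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (offset if end is None else end)

def parse_response(data):
    """Return (qid, rcode, answers) with answers as [(name, type, ttl, rdata_text)]."""
    qid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):  # skip the echoed question section (name + type + class)
        _, offset = decode_name(data, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = decode_name(data, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, "A", ttl, socket.inet_ntoa(rdata)))
        elif rtype == 5:
            answers.append((name, "CNAME", ttl, decode_name(data, offset - rdlen)[0]))
    return qid, flags & 0x0F, answers

def query_resolver(server, name, timeout=2.0):
    """Send one A query to `server` over UDP/53 and return (rcode, answers)."""
    qid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (server, 53))
        data, _ = s.recvfrom(4096)
    rqid, rcode, answers = parse_response(data)
    if rqid != qid:  # ignore replies that do not match the id we sent
        raise ValueError("response id does not match query")
    return rcode, answers

def diverging(results):
    """results: {server: set of A addresses}; True when the resolvers disagree."""
    return len({frozenset(v) for v in results.values()}) > 1

def compare_resolvers(name, servers):
    """Ask every resolver directly, collecting the A records each one returns."""
    results = {}
    for server in servers:
        try:
            _, answers = query_resolver(server, name)
            results[server] = {rd for (_, t, _, rd) in answers if t == "A"}
        except (OSError, ValueError) as exc:
            results[server] = {f"error: {exc}"}
    return results

def expand_search_list(name, search_list, ndots=1):
    """Assumed glibc order: >= ndots dots -> absolute name first, else suffixes first."""
    if name.endswith("."):  # trailing dot: absolute, never expanded
        return [name]
    suffixed = [f"{name}.{s.strip('.')}." for s in search_list]
    return [name + "."] + suffixed if name.count(".") >= ndots else suffixed + [name + "."]

if __name__ == "__main__":
    import sys
    host, servers = sys.argv[1], sys.argv[2:] or ["192.168.2.254", "8.8.8.8"]
    print("search-list candidates:", expand_search_list(host, ["localdomain"]))
    res = compare_resolvers(host, servers)
    print(res, "INCONSISTENT: clients may cache either answer" if diverging(res) else "consistent")
```

Run it as `python3 dnscheck.py hs3.ursula.com 192.168.2.254 8.8.8.8` from a client: if the override is only present on the pfSense resolver, the two address sets differ and the script reports the inconsistency. The search-list output shows which extra names a client will send when the first lookup fails, which is what to look for in a packet capture.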
-
So nothing to do with 2.3.4. OK.