    DNS Override Issue

    DHCP and DNS
tamu:

      I just moved from an ALIX machine to a J1900, both running the latest code.

      I set up DNS Resolver this time and installed my DNS overrides.  I created a real dyndns address override and a non-existent dyndns override.  In pfSense (Diagnostics/DNS Lookup), when I query both of these overrides the result is as expected for my internal/private overrides.

      When I do the query or nslookup from client machines (which have their DNS pointing to pfSense; I see pfSense as the server in the nslookup), the real dyndns address query returns the public IP.  It will not return the override.  The test/non-existent dyndns returns the override.

      I have flushed DNS many times and started/stopped DNS Resolver.

      I'm at a loss as to what to check next.  Any help or tips would be greatly appreciated.  I tried DNS Forwarder as well (its overrides worked fine on my ALIX machine) and had the same issues.  I'm sure I'm just overlooking something.

      Thanks!

      ---
      Just to follow up: to verify, I disabled DNS Resolver again on the interface, re-enabled DNS Forwarder and rebuilt the overrides.  The same behavior is happening with both DNS methods.

      I'm using one of the physical OPT interfaces for this particular LAN segment; I don't know if that changes the behavior.  I'm also having an issue with NAT reflection with port rules on this interface.  Port forwards are fine from external networks, but not coming from OPT1.  I'm not sure if there is a relationship.  My old setup was WAN-DHCP and LAN+LAN(VLAN1010).  This seems fairly basic.

      WAN-DHCP
      LAN - 192.168.1.x
      OPT1 - 192.168.2.x
      OPT1(VLAN1010) - 172.22.22.x

      johnpoz (LAYER 8 Global Moderator):

        Why don't you actually post the overrides you're creating and your query for said override.

        If you created a host override and you query for said override, that is what is going to be returned.  So either you did not create the override correctly or it did not take.  Did you restart unbound?  Or you're not doing the query you think you're doing.

        tamu:

          Yeah, I agree a host override is not complicated, but it is not cooperating on 2.3.4.  I did a reboot and several restarts of unbound.  I've switched back to DNS Forwarder for the time being for more testing.

          Here are a couple of samples

          hs3.ursula.com  -> host override 192.168.2.68
          mytest.dyndns.org -> host override 192.168.2.33

          From the pfSense GUI, Diag/DNS Lookup results for these two hosts:

          DNS Lookup
          Hostname  hs3.ursula.com

          Result Record type
          192.168.2.68 A

          Name server Query time
          127.0.0.1 13 msec
          208.67.222.222 16 msec
          208.67.220.220 133 msec
          8.8.8.8 18 msec

          Hostname mytest.dyndns.org

          Result Record type
          192.168.2.33 A

          Name server Query time
          127.0.0.1 13 msec
          208.67.222.222 13 msec
          208.67.220.220 15 msec
          8.8.8.8 15 msec

          From the client side (same results on different machines and OS types).
          The clients' only DNS server is the pfSense interface 192.168.2.254:

          Wireless LAN adapter Wi-Fi:

          Connection-specific DNS Suffix  . : localdomain
            Description . . . . . . . . . . . : Intel(R) Dual Band Wireless-AC 8260
            DHCP Enabled. . . . . . . . . . . : Yes
            IPv4 Address. . . . . . . . . . . : 192.168.2.193(Preferred)
            Subnet Mask . . . . . . . . . . . : 255.255.255.0
            Lease Obtained. . . . . . . . . . : Sunday, July 9, 2017 2:28:20 PM
            Lease Expires . . . . . . . . . . : Sunday, July 9, 2017 5:57:58 PM
            Default Gateway . . . . . . . . . : 192.168.2.254
            DHCP Server . . . . . . . . . . . : 192.168.2.254
            DNS Servers . . . . . . . . . . . : 192.168.2.254

          C:\Users\xxxx>ipconfig /flushdns

          Windows IP Configuration

          Successfully flushed the DNS Resolver Cache.

          C:\Users\xxxx>nslookup
          254.2.168.192.in-addr.arpa
                  primary name server = localhost
                  responsible mail addr = nobody.invalid
                  serial  = 1
                  refresh = 600 (10 mins)
                  retry  = 1200 (20 mins)
                  expire  = 604800 (7 days)
                  default TTL = 10800 (3 hours)
          Default Server:  UnKnown
          Address:  192.168.2.254

          mytest.dyndns.org
          Server:  UnKnown
          Address:  192.168.2.254

          Name:    mytest.dyndns.org
          Address:  192.168.2.33

          hs3.ursula.com
          Server:  UnKnown
          Address:  192.168.2.254

          Non-authoritative answer:
          Name:    hs3.ursula.com
          Address:  72.18.128.8

          tamu:

            To your point, the clients are somehow resolving hostnames.  In DNS Forwarder mode, I removed all DNS servers in the General DNS Settings area.  The DNS Override list is NOT checked.

            From pfSense I try to resolve getvera.com and, as expected, it did not resolve.  I go to an OS X client and verify that /etc/resolv.conf only lists the GW 192.168.2.254.

            I do an nslookup and getvera.com resolves to 104.25.200.22.

            ---

            Very odd: this is an issue on a couple of clients under corporate control.  I kept on testing on other devices without GPO and the behavior is exactly as expected and overrides work.  There must be some DNS servers installed before the DHCP-acquired ones.

            thanks for your help

            Derelict (LAYER 8 Netgate):

              PLEASE use a real tool like dig or drill to diagnose DNS problems, not windows nslookup. Something is giving the answers you are receiving and I see no way that is unbound.

              Having DNS overrides in place AND having DNS servers listed that do not contain said overrides is asking for trouble. You really have no control over which server is actually going to answer. If it's the public server, you'll get the public address. If it's the local server, you'll get the local address. That answer will likely be cached somewhere. Inconsistent results will ensue.

              And instead of this:

              Here are a couple of samples

              hs3.ursula.com  -> host override 192.168.2.68
              mytest.dyndns.org -> host override 192.168.2.33

              Please post screen shots so we can see what you have done not what you think you have done.

              tamu:

                Hi Derelict,

                Thanks for your post.  As you pointed out, it is not unbound or dnsmasq.  It was the DNS search list on a couple of the clients that was the issue.  With Wireshark you could see that the DNS request from the client was appending the extra domain to the request.  As an easy workaround I just created an alias in the host override section.

                Thanks

                Derelict (LAYER 8 Netgate):
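The mechanism tamu found (a client search list turning the query for hs3.ursula.com into a query for a different, suffixed name that the exact-name override never matches) and Derelict's warning about listing a second DNS server that lacks the overrides can both be seen in a small model. This is an added illustration, not pfSense, unbound or dnsmasq code. It assumes that host overrides match the exact query name only (which is how unbound local-data and dnsmasq host entries behave), that whether the stub resolver tries the suffixed name before or after the bare name is OS- and policy-dependent (so it is a parameter), and that the public addresses, the corporate suffix corp.example and the wildcard zone behind it are constructed sample data standing in for whatever answered the suffixed query in the real network. It also explains Derelict's tool advice: dig does not apply the search list unless given +search, whereas nslookup does, so dig shows you the override table's view of the name rather than the client's.

```python
"""Model of search-list expansion versus exact-name host overrides.

Added illustration for the thread above; not pfSense/unbound/dnsmasq code.
Assumptions: overrides match the exact QNAME only; candidate order
(suffix first or bare name first) is a parameter because it depends on the
client OS and policy; public answers and the corp.example zone are made up.
"""
from typing import Callable, Dict, List, Optional, Tuple

Resolver = Callable[[str], Optional[str]]  # None models NXDOMAIN

# Constructed data: overrides as tamu listed them; public side invented.
OVERRIDES: Dict[str, str] = {
    "hs3.ursula.com": "192.168.2.68",
    "mytest.dyndns.org": "192.168.2.33",
}
PUBLIC: Dict[str, str] = {
    "hs3.ursula.com": "72.18.128.8",
    "mytest.dyndns.org": "203.0.113.7",   # TEST-NET-3 placeholder
    "*.corp.example": "72.18.128.8",      # assumed wildcard corporate zone
}


def expand_search_list(name: str, search: List[str],
                       suffix_first: bool) -> List[str]:
    """QNAMEs the stub resolver will actually put on the wire, in order.

    A trailing dot marks the name absolute and disables the search list.
    """
    if name.endswith("."):
        return [name.rstrip(".")]
    suffixed = [f"{name}.{s.rstrip('.')}" for s in search]
    return suffixed + [name] if suffix_first else [name] + suffixed


def _lookup_public(qname: str) -> Optional[str]:
    """Upstream answer; wildcard matching is simplified for the model."""
    if qname in PUBLIC:
        return PUBLIC[qname]
    labels = qname.split(".")
    for i in range(1, len(labels)):
        wild = "*." + ".".join(labels[i:])
        if wild in PUBLIC:
            return PUBLIC[wild]
    return None


def pfsense_resolver(qname: str,
                     overrides: Dict[str, str] = OVERRIDES) -> Optional[str]:
    """Exact-name override first, otherwise forward upstream."""
    return overrides.get(qname) or _lookup_public(qname)


def public_resolver(qname: str) -> Optional[str]:
    """A public server that knows nothing about the overrides."""
    return _lookup_public(qname)


def client_lookup(name: str, search: List[str], suffix_first: bool,
                  resolver: Resolver) -> Tuple[Optional[str], Optional[str]]:
    """Walk the candidates; the first one that is not NXDOMAIN wins.

    Returns (QNAME that produced the answer, address)."""
    for qname in expand_search_list(name, search, suffix_first):
        addr = resolver(qname)
        if addr is not None:
            return qname, addr
    return None, None


def answers_by_server(name: str, search: List[str], suffix_first: bool,
                      servers: Dict[str, Resolver]) -> Dict[str, Optional[str]]:
    """What each configured DNS server would tell the same client.

    Differing values mean the result depends on which server happens to
    answer, which is the inconsistency Derelict describes."""
    return {label: client_lookup(name, search, suffix_first, r)[1]
            for label, r in servers.items()}


if __name__ == "__main__":
    corp = ["corp.example"]
    # Home client, no corporate suffix: the override answers.
    print(client_lookup("hs3.ursula.com", ["localdomain"], True, pfsense_resolver))
    # GPO client that appends the corporate suffix first: the public address
    # comes back, from a QNAME the override was never going to match.
    print(client_lookup("hs3.ursula.com", corp, True, pfsense_resolver))
    # tamu's workaround: add the suffixed form as an alias in the overrides.
    fixed = {**OVERRIDES, "hs3.ursula.com.corp.example": "192.168.2.68"}
    print(client_lookup("hs3.ursula.com", corp, True,
                        lambda q: pfsense_resolver(q, fixed)))
    # A second DNS server without the overrides gives a different answer.
    print(answers_by_server("mytest.dyndns.org", [], False,
                            {"pfsense": pfsense_resolver,
                             "public": public_resolver}))
```

The check a practitioner wants from this is the one Wireshark gave tamu: compare the QNAME in the packet the client sends with the name in the override table. If they differ by a suffix, either stop the client from applying the search list to that name (a trailing dot, or a policy change) or add the suffixed form as an alias, as tamu did; and keep only resolvers that carry the overrides in the clients' DNS server list.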

                  So nothing to do with 2.3.4. OK.
