DNS query won't work



  • Good evening everyone! ;)

    I just set up my pfSense to query my Pi-Hole running on my Raspberry… I have been using these settings for more than 10h and everything works great: I can query my hosts by name and query the web.
    Trying to find something, I noticed that when querying the website:

    raspberrypi.org
    

    something goes wrong… My Raspberry resolves the query correctly:

    dig @172.16.0.2 www.raspberrypi.org
    
    ; <<>> DiG 9.8.3-P1 <<>> @172.16.0.2 www.raspberrypi.org
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31916
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;www.raspberrypi.org.		IN	A
    
    ;; ANSWER SECTION:
    www.raspberrypi.org.	228	IN	CNAME	lb.raspberrypi.org.
    lb.raspberrypi.org.	229	IN	A	46.235.227.11
    lb.raspberrypi.org.	229	IN	A	93.93.128.230
    lb.raspberrypi.org.	229	IN	A	93.93.130.39
    lb.raspberrypi.org.	229	IN	A	93.93.128.211
    lb.raspberrypi.org.	229	IN	A	93.93.135.188
    lb.raspberrypi.org.	229	IN	A	93.93.128.133
    lb.raspberrypi.org.	229	IN	A	93.93.130.214
    lb.raspberrypi.org.	229	IN	A	93.93.130.104
    
    ;; Query time: 3 msec
    ;; SERVER: 172.16.0.2#53(172.16.0.2)
    ;; WHEN: Wed Jul 19 21:24:03 2017
    ;; MSG SIZE  rcvd: 197
    

    But if I dig my pfSense box the result is:

    $ dig www.raspberrypi.org
    
    ; <<>> DiG 9.8.3-P1 <<>> www.raspberrypi.org
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 18813
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;www.raspberrypi.org.		IN	A
    
    ;; Query time: 1 msec
    ;; SERVER: 172.16.0.1#53(172.16.0.1)
    ;; WHEN: Wed Jul 19 21:23:46 2017
    ;; MSG SIZE  rcvd: 37
    

    Of course, if I replace the URL with one of these IPs I can reach the website perfectly.

    I can't understand why… Can someone help me?


  • Rebel Alliance Global Moderator

    "I just setup my pfSense to query my Pi-Hole run on my raspberry"

    You did that via dnsmasq (the forwarder) or unbound (resolver in forwarder mode)?

    Why would you not just set your clients to query your pihole directly, and then send pihole to pfsense where pfsense is in resolver mode?

    You are getting SERVFAIL. That could mean quite a few things - look at your logs on pfsense, up the logging level of whatever you're using, forwarder or resolver. For all we know you installed the bind package and are using that?



  • @johnpoz:

    "I just setup my pfSense to query my Pi-Hole run on my raspberry"

    You did that via dnsmasq (the forwarder) or unbound (resolver in forwarder mode)?

    Why would you not just set your clients to query your pihole directly, and then send pihole to pfsense where pfsense is in resolver mode?

    You are getting SERVFAIL. That could mean quite a few things - look at your logs on pfsense, up the logging level of whatever you're using, forwarder or resolver. For all we know you installed the bind package and are using that?

    I did that because I had some problems with the VPN and the DNS. But I have changed my settings as you suggested:

    LAN –> Pi-Hole --> (OpenDNS1, OpenDNS2, pfSense fwm)
    pfSense --> (OpenDNS1, OpenDNS2)

    Or are you suggesting removing the OpenDNS entries from the Pi-Hole and leaving all the querying to the pfSense?


  • Rebel Alliance Global Moderator

    If your pihole queries opendns, how would you resolve local stuff? I.e. any override you have set in pfsense, any dhcp clients you have registering in pfsense, etc.

    Make sure you uncheck to forward reverse for rfc1918, on your pihole under advanced dns as well.  Or it will not forward PTR queries for rfc1918 addresses.

    You should not set up anything to query multiple DNS servers that do not resolve the same thing. You can never be sure which one will be asked or return an answer first, etc. So if I ask some public DNS for local shit you will get back NX, etc., and not resolve your local stuff. So if you set up something that resolves local and something that does not, maybe when you're looking for something local your public gets asked and now your query fails.

    So if you want to resolve local, then ALWAYS and only ask your local - let it forward or resolve stuff that is not local.



  • @johnpoz:

    Make sure you uncheck to forward reverse for rfc1918, on your pihole under advanced dns as well.  Or it will not forward PTR queries for rfc1918 addresses.

    Does this checkbox need to be checked or not? The double negation has me in doubt…
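Added example, not taken from any post in this thread and not pfSense, Pi-hole, dnsmasq or unbound code: a small Python model of the two layouts discussed above. It shows why a Pi-hole that lists OpenDNS and pfSense side by side as upstreams gets inconsistent answers for local names (the moderator's "you can never be sure which one will be asked"), what the Pi-hole advanced DNS option that refuses to forward reverse lookups for private IP ranges (dnsmasq's `bogus-priv`, the checkbox the last post asks about) does to a PTR query for an RFC 1918 address, and how a SERVFAIL from the far end of a forwarder chain reaches the client. The host `nas.home.lan`, its address 172.16.0.10 and the server names are constructed for the example; the `rotate` option is a stand-in for whatever upstream selection a real forwarder uses; the only real value is one www.raspberrypi.org A record from the dig output in the first post.

```python
"""Model of the resolver chain discussed in this thread.

Constructed for illustration: not pfSense, Pi-hole, dnsmasq or unbound code.
Hosts, zone data and addresses are made up, except one www.raspberrypi.org
A record copied from the dig output in the first post.
"""
import ipaddress

NOERROR, NXDOMAIN, SERVFAIL = "NOERROR", "NXDOMAIN", "SERVFAIL"

# The RFC 1918 blocks whose reverse lookups dnsmasq's bogus-priv (Pi-hole's
# "never forward reverse lookups for private IP ranges") answers locally.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def ptr_name(ip):
    """'172.16.0.10' -> '10.0.16.172.in-addr.arpa'"""
    return ipaddress.ip_address(ip).reverse_pointer


def is_private_ptr(qname):
    """True when qname is the reverse name of an RFC 1918 address."""
    suffix = ".in-addr.arpa"
    if not qname.endswith(suffix):
        return False
    octets = qname[: -len(suffix)].split(".")
    if len(octets) != 4:
        return False
    try:
        addr = ipaddress.ip_address(".".join(reversed(octets)))
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


class Resolver:
    """A nameserver: local data (host overrides, DHCP registrations, PTRs),
    forwarders to ask for everything else, and the bogus-priv switch."""

    def __init__(self, name, local=None, forwarders=(), bogus_priv=False, rotate=False, fail=False):
        self.name = name
        self.local = {k.lower(): tuple(v) for k, v in (local or {}).items()}
        self.forwarders = list(forwarders)
        self.bogus_priv = bogus_priv
        self.rotate = rotate      # assumption: start at a different forwarder each query
        self.fail = fail          # stand-in for a broken upstream
        self.calls = 0
        self.log = []             # every qname this server was asked

    def query(self, qname):
        qname = qname.rstrip(".").lower()
        self.log.append(qname)
        self.calls += 1
        if self.fail:
            return SERVFAIL, ()
        if qname in self.local:
            return NOERROR, self.local[qname]
        if self.bogus_priv and is_private_ptr(qname):
            return NXDOMAIN, ()   # answered here; the server that knows it is never asked
        if not self.forwarders:
            return NXDOMAIN, ()   # a public resolver has no record of a private name
        start = (self.calls - 1) % len(self.forwarders) if self.rotate else 0
        for fwd in self.forwarders[start:] + self.forwarders[:start]:
            status, rrs = fwd.query(qname)
            if status != SERVFAIL:
                return status, rrs   # NXDOMAIN from the first server asked is final
        return SERVFAIL, ()          # every upstream failed: relay the failure


PUBLIC_ZONE = {"www.raspberrypi.org": ["46.235.227.11"]}   # from the post's dig output
LOCAL_ZONE = {                                               # constructed local data
    "nas.home.lan": ["172.16.0.10"],
    ptr_name("172.16.0.10"): ["nas.home.lan"],
}


def build_upstreams():
    od1 = Resolver("opendns1", local=PUBLIC_ZONE)
    od2 = Resolver("opendns2", local=PUBLIC_ZONE)
    pfsense = Resolver("pfsense", local=LOCAL_ZONE, forwarders=[od1, od2])
    return od1, od2, pfsense


def mixed_config_results(n=3):
    """Poster's first layout: Pi-hole -> (OpenDNS1, OpenDNS2, pfSense).
    Returns the status of n successive lookups of a local name."""
    od1, od2, pfsense = build_upstreams()
    pihole = Resolver("pihole", forwarders=[od1, od2, pfsense], rotate=True)
    return [pihole.query("nas.home.lan")[0] for _ in range(n)]


def chained_results(bogus_priv):
    """Moderator's layout: LAN -> Pi-hole -> pfSense -> (OpenDNS1, OpenDNS2).
    Returns {qname: (status, records)} for a local name, a public name and a
    private PTR, with the bogus-priv box checked (True) or unchecked (False)."""
    _, _, pfsense = build_upstreams()
    pihole = Resolver("pihole", forwarders=[pfsense], bogus_priv=bogus_priv)
    names = ("nas.home.lan", "www.raspberrypi.org", ptr_name("172.16.0.10"))
    return {q: pihole.query(q) for q in names}


def servfail_propagates():
    """A SERVFAIL from the last hop comes back through every forwarder unchanged."""
    dead = Resolver("dead-upstream", fail=True)
    pfsense = Resolver("pfsense", forwarders=[dead])
    pihole = Resolver("pihole", forwarders=[pfsense])
    return pihole.query("www.raspberrypi.org")[0], pfsense.log, dead.log


if __name__ == "__main__":
    print("mixed:", mixed_config_results())
    for checked in (False, True):
        print("bogus-priv checked=%s:" % checked, chained_results(checked))
    print("servfail:", servfail_propagates())
```

In the mixed layout the same local name comes back NXDOMAIN twice and then NOERROR, depending only on which upstream the Pi-hole happened to ask first, which is the failure the moderator describes. In the chained layout every query goes to pfSense, so local names always resolve and public names are still forwarded on to OpenDNS. With `bogus_priv=False` (the box unchecked, as the moderator advises) the PTR query for 172.16.0.10 reaches pfSense and is answered; with it checked the Pi-hole returns NXDOMAIN itself and pfSense never sees the query. `servfail_propagates()` shows why "look at your logs on pfsense" is the right move: the SERVFAIL the client sees is relayed from the far end of the chain, so the status alone does not say which hop produced it; the per-server `log` lists show the query did reach each one.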