DNS Forwarder or Resolver doesn't resolve some names
-
hi,
I have set up two pfsense in failover, VLAN etc, all it works but i have some problems with DNS. There are some domains, that cannot be resolved.I will not use the real domains because they are owned by my customers.
DNS Forwarder is enabled.
Using "dig" I have this:
# dig @8.8.8.8 CUSTOMERDOMAINXXX.XXX ; <<>> DiG 9.11.2 <<>> @8.8.8.8 CUSTOMERDOMAINXXX.XXX ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18257 ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 512 ;; QUESTION SECTION: ;CUSTOMERDOMAINXXX.XXX IN A ;; ANSWER SECTION: CUSTOMERDOMAINXXX.XXX. 41 IN CNAME CUSTOMERDNS.XXX CUSTOMERDNS.XXX. 299 IN CNAME OTHERDNS.XXX OTHERDNS.XXX 59 IN A 172.20.33.212 OTHERDNS.XXX 59 IN A 172.20.121.27 ;; Query time: 66 msec ;; SERVER: 8.8.8.8#53(8.8.8.8) ;; WHEN: gio nov 16 14:58:31 CET 2017 ;; MSG SIZE rcvd: 211Using Google DNS all it's ok. The addresses are resolved with two private IPs.
Using DNS Resolver, (10.14.200.254 is the gateway):
# dig @10.14.200.254 CUSTOMERDOMAINXXX.XXX ; <<>> DiG 9.11.2 <<>> @10.14.200.254 CUSTOMERDOMAINXXX.XXX ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23373 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 512 ;; QUESTION SECTION: ;CUSTOMERDOMAINXXX.XXX. IN A ;; Query time: 35 msec ;; SERVER: 10.14.200.254#53(10.14.200.254) ;; WHEN: gio nov 16 14:58:23 CET 2017 ;; MSG SIZE rcvd: 56Nothing!
For test I changed the config, disabled DNS forwarder and enabled DNS Resolver:; <<>> DiG 9.11.2 <<>> @10.14.200.254 CUSTOMERDOMAINXXX.XXX ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 705 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;CUSTOMERDOMAINXXX.XXX. IN A ;; ANSWER SECTION: CUSTOMERDOMAINXXX.XXX. 299 IN CNAME CUSTOMERDNS.XXX. CUSTOMERDNS.XXX. 299 IN CNAME OTHERDNS.XXX ;; AUTHORITY SECTION: eu-west-1.elb.amazonaws.com. 1800 IN NS ns-1053.awsdns-03.org. eu-west-1.elb.amazonaws.com. 1800 IN NS ns-2023.awsdns-60.co.uk. eu-west-1.elb.amazonaws.com. 1800 IN NS ns-341.awsdns-42.com. eu-west-1.elb.amazonaws.com. 1800 IN NS ns-739.awsdns-28.net. ;; Query time: 1077 msec ;; SERVER: 10.14.200.254#53(10.14.200.254) ;; WHEN: Thu Nov 16 16:58:40 CET 2017 ;; MSG SIZE rcvd: 313Some DNS servers appared, but not IPs!
Other domain names are resolved:
For example:; <<>> DiG 9.11.2 <<>> google.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20451 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 65494 ;; QUESTION SECTION: ;google.com. IN A ;; ANSWER SECTION: google.com. 299 IN A 216.58.198.3 ;; Query time: 41 msec ;; SERVER: 10.14.200.254#53(10.14.200.254) ;; WHEN: Thu Nov 16 19:13:17 CET 2017 ;; MSG SIZE rcvd: 54Have you ever had this kind of issues?
Thanks
-
"The addresses are resolved with two private IPs."
That borked to be honest.. You do have public domains resolve to private IPs.. This is rebinding attack waiting to happen.. If you want the resolver to be able to resolve these domains then you would have to turn off rebinding protection for those domains, or turn it off completely.
Your best bet is to just set the domain as private in the custom box of unbound..
https://doc.pfsense.org/index.php/DNS_Rebinding_ProtectionsWhy would you customer public domains resolver to rfc1918 space in the first place?
