DNS Forwarder or Resolver doesn't resolve some names

bobby92

hi,
I have set up two pfsense in failover, VLAN etc, all it works but i have some problems with DNS. There are some domains, that cannot be resolved.

I will not use the real domains because they are owned by my customers.

DNS Forwarder is enabled.

Using "dig" I have this:

# dig @8.8.8.8 CUSTOMERDOMAINXXX.XXX

; <<>> DiG 9.11.2 <<>> @8.8.8.8 CUSTOMERDOMAINXXX.XXX
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18257
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;CUSTOMERDOMAINXXX.XXX   IN      A

;; ANSWER SECTION:
CUSTOMERDOMAINXXX.XXX. 41 IN      CNAME   CUSTOMERDNS.XXX
CUSTOMERDNS.XXX. 299 IN CNAME OTHERDNS.XXX
OTHERDNS.XXX 59 IN A 172.20.33.212
OTHERDNS.XXX 59 IN A 172.20.121.27

;; Query time: 66 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: gio nov 16 14:58:31 CET 2017
;; MSG SIZE  rcvd: 211

Using Google DNS all it's ok. The addresses are resolved with two private IPs.

Using DNS Resolver, (10.14.200.254 is the gateway):

# dig @10.14.200.254 CUSTOMERDOMAINXXX.XXX

; <<>> DiG 9.11.2 <<>> @10.14.200.254 CUSTOMERDOMAINXXX.XXX
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23373
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;CUSTOMERDOMAINXXX.XXX.   IN      A

;; Query time: 35 msec
;; SERVER: 10.14.200.254#53(10.14.200.254)
;; WHEN: gio nov 16 14:58:23 CET 2017
;; MSG SIZE  rcvd: 56

Nothing!
For test I changed the config, disabled DNS forwarder and enabled DNS Resolver:

; <<>> DiG 9.11.2 <<>> @10.14.200.254 CUSTOMERDOMAINXXX.XXX
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 705
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;CUSTOMERDOMAINXXX.XXX.   IN  A

;; ANSWER SECTION:
CUSTOMERDOMAINXXX.XXX. 299 IN CNAME   CUSTOMERDNS.XXX.
CUSTOMERDNS.XXX. 299 IN CNAME OTHERDNS.XXX

;; AUTHORITY SECTION:
eu-west-1.elb.amazonaws.com. 1800 IN    NS  ns-1053.awsdns-03.org.
eu-west-1.elb.amazonaws.com. 1800 IN    NS  ns-2023.awsdns-60.co.uk.
eu-west-1.elb.amazonaws.com. 1800 IN    NS  ns-341.awsdns-42.com.
eu-west-1.elb.amazonaws.com. 1800 IN    NS  ns-739.awsdns-28.net.

;; Query time: 1077 msec
;; SERVER: 10.14.200.254#53(10.14.200.254)
;; WHEN: Thu Nov 16 16:58:40 CET 2017
;; MSG SIZE  rcvd: 313

Some DNS servers appared, but not IPs!

Other domain names are resolved:
For example:

; <<>> DiG 9.11.2 <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20451
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;google.com.			IN	A

;; ANSWER SECTION:
google.com.		299	IN	A	216.58.198.3

;; Query time: 41 msec
;; SERVER: 10.14.200.254#53(10.14.200.254)
;; WHEN: Thu Nov 16 19:13:17 CET 2017
;; MSG SIZE  rcvd: 54

Have you ever had this kind of issues?

Thanks

johnpoz

"The addresses are resolved with two private IPs."

That borked to be honest.. You do have public domains resolve to private IPs.. This is rebinding attack waiting to happen.. If you want the resolver to be able to resolve these domains then you would have to turn off rebinding protection for those domains, or turn it off completely.

Your best bet is to just set the domain as private in the custom box of unbound..
https://doc.pfsense.org/index.php/DNS_Rebinding_Protections

Why would you customer public domains resolver to rfc1918 space in the first place?