Netgate Discussion Forum
    DNS Forwarder or Resolver doesn't resolve some names

      bobby92
      last edited by

      Hi,
      I have set up two pfSense in failover, VLAN etc. Everything works, but I have some problems with DNS. There are some domains that cannot be resolved.

      I will not use the real domains because they are owned by my customers.

      DNS Forwarder is enabled.

      Using "dig" I have this:

      
      # dig @8.8.8.8 CUSTOMERDOMAINXXX.XXX
      
      ; <<>> DiG 9.11.2 <<>> @8.8.8.8 CUSTOMERDOMAINXXX.XXX
      ; (1 server found)
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18257
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
      
      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 512
      ;; QUESTION SECTION:
      ;CUSTOMERDOMAINXXX.XXX   IN      A
      
      ;; ANSWER SECTION:
      CUSTOMERDOMAINXXX.XXX. 41 IN      CNAME   CUSTOMERDNS.XXX
      CUSTOMERDNS.XXX. 299 IN CNAME OTHERDNS.XXX
      OTHERDNS.XXX 59 IN A 172.20.33.212
      OTHERDNS.XXX 59 IN A 172.20.121.27
      
      ;; Query time: 66 msec
      ;; SERVER: 8.8.8.8#53(8.8.8.8)
      ;; WHEN: gio nov 16 14:58:31 CET 2017
      ;; MSG SIZE  rcvd: 211
      
      

      Using Google DNS, everything is OK. The addresses are resolved with two private IPs.

      Using DNS Resolver, (10.14.200.254 is the gateway):

      
      # dig @10.14.200.254 CUSTOMERDOMAINXXX.XXX
      
      ; <<>> DiG 9.11.2 <<>> @10.14.200.254 CUSTOMERDOMAINXXX.XXX
      ; (1 server found)
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23373
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
      
      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 512
      ;; QUESTION SECTION:
      ;CUSTOMERDOMAINXXX.XXX.   IN      A
      
      ;; Query time: 35 msec
      ;; SERVER: 10.14.200.254#53(10.14.200.254)
      ;; WHEN: gio nov 16 14:58:23 CET 2017
      ;; MSG SIZE  rcvd: 56
      
      

      Nothing!
      For a test I changed the config, disabled DNS Forwarder and enabled DNS Resolver:

      
      ; <<>> DiG 9.11.2 <<>> @10.14.200.254 CUSTOMERDOMAINXXX.XXX
      ; (1 server found)
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 705
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1
      
      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 4096
      ;; QUESTION SECTION:
      ;CUSTOMERDOMAINXXX.XXX.   IN  A
      
      ;; ANSWER SECTION:
      CUSTOMERDOMAINXXX.XXX. 299 IN CNAME   CUSTOMERDNS.XXX.
      CUSTOMERDNS.XXX. 299 IN CNAME OTHERDNS.XXX
      
      ;; AUTHORITY SECTION:
      eu-west-1.elb.amazonaws.com. 1800 IN    NS  ns-1053.awsdns-03.org.
      eu-west-1.elb.amazonaws.com. 1800 IN    NS  ns-2023.awsdns-60.co.uk.
      eu-west-1.elb.amazonaws.com. 1800 IN    NS  ns-341.awsdns-42.com.
      eu-west-1.elb.amazonaws.com. 1800 IN    NS  ns-739.awsdns-28.net.
      
      ;; Query time: 1077 msec
      ;; SERVER: 10.14.200.254#53(10.14.200.254)
      ;; WHEN: Thu Nov 16 16:58:40 CET 2017
      ;; MSG SIZE  rcvd: 313
      
      

      Some DNS servers appeared, but no IPs!

      Other domain names are resolved. For example:

      
      ; <<>> DiG 9.11.2 <<>> google.com
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20451
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
      
      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 65494
      ;; QUESTION SECTION:
      ;google.com.			IN	A
      
      ;; ANSWER SECTION:
      google.com.		299	IN	A	216.58.198.3
      
      ;; Query time: 41 msec
      ;; SERVER: 10.14.200.254#53(10.14.200.254)
      ;; WHEN: Thu Nov 16 19:13:17 CET 2017
      ;; MSG SIZE  rcvd: 54
      
      

      Have you ever had this kind of issue?

      Thanks

        johnpoz LAYER 8 Global Moderator
        last edited by

        "The addresses are resolved with two private IPs."

        That's borked, to be honest. You have public domains resolving to private IPs. This is a rebinding attack waiting to happen. If you want the resolver to be able to resolve these domains then you would have to turn off rebinding protection for those domains, or turn it off completely.

        Your best bet is to just set the domain as private in the custom box of unbound.
        https://doc.pfsense.org/index.php/DNS_Rebinding_Protections

        Why would your customer's public domains resolve to RFC 1918 space in the first place?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11
