Netgate Discussion Forum

    Strange NSLOOKUP Results on Windows Clients

    Category: DHCP and DNS
    8 Posts 3 Posters 1.1k Views
    AlientFrost

      Recently added a Let's Encrypt cert to my pfSense box. Using Acme Certificates "app" and a No-IP premium DDNS host - piece of cake. Set my pfSense domain to bounceme.net. Everything running smoothly. My pfSense box is now "pfsense.bounceme.net" and the cert works. (domain has been changed in this post)

      However, on my Windows clients using DHCP, I am having a weird thing happen when running nslookup. The reply is the same IP (I'm pretty sure it belongs to NO-IP.com) along with the NO-IP suffix added to every search. However, when I add the "mylocal" domain in the DHCP scope, everything works fine, but I cannot ping host names only, only FQDNs.

      Everything works: web browsing, Linux boxes, VPN, etc., but I've never seen nslookup do what it is doing. Tells me something is wrong, or misconfigured.

      Any ideas?

      With bounceme.net set as pfSense domain under System\General Setup:

      $ nslookup cnn.com
      Server:  pfSense.bounceme.net
      Address:  10.100.10.1

      Non-authoritative answer:
      Name:    cnn.com.bounceme.net
      Address:  81.82.9.141

      $ nslookup usatoday.com
      Server:  pfSense.bounceme.net
      Address:  10.100.10.1

      Non-authoritative answer:
      Name:    usatoday.com.bounceme.net
      Address:  81.82.9.141

      $ nslookup cnn.com. 10.100.10.1
      Server:  pfSense.bounceme.net
      Address:  10.100.10.1

      Non-authoritative answer:
      Name:    cnn.com
      Addresses:  2a04:4e42::323
                2a04:4e42:200::323
                2a04:4e42:600::323
                2a04:4e42:400::323
                151.101.65.67
                151.101.129.67
                151.101.1.67
                151.101.193.67

      With bounceme.net STILL set as domain, with Domain name: "mylocal" in DHCP scope:

      $ nslookup cnn.com
      Server:  pfSense.bounceme.net
      Address:  10.100.10.1

      Non-authoritative answer:
      Name:    cnn.com
      Addresses:  2a04:4e42:400::323
                2a04:4e42:600::323
                2a04:4e42:200::323
                2a04:4e42::323
                151.101.65.67
                151.101.129.67
                151.101.193.67
                151.101.1.67

      Derelict (LAYER 8, Netgate)

        It is simply appending the search domain to the queries.

        When you append a . that tells the resolver not to do that.

        That is not pfSense adding the domain. nslookup is just telling you what Windows is doing.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        johnpoz (LAYER 8, Global Moderator)

          So you do not control bounceme.net?  Then you shouldn't be using it internally, since you cannot control what is public on it.  Also, out of the box unbound is set to transparent zone.  So if you look for something that is not in your domain/zone - i.e. bounceme.net - it will try and resolve upstream.

          So if your client appends the search suffix to your query, i.e. your cnn.com.bounceme.net, since you have no local record of that it will resolve it upstream, and sure could return results since you do not control that domain - or you do and have set a wildcard?

          Use a client for such a query that does not append your search suffix - dig for example.. Use the . in nslookup as Derelict stated already to state "this is exactly the fqdn I want to query - don't append any search suffixes that might be set".  And I would also suggest setting your zone to static in unbound so it will not try and query upstream for stuff that is in the local zone (you set in general) but unbound has no record of.

          https://www.unbound.net/documentation/unbound.conf.html
          local-zone: <zone> <type>
                        Configure a local zone. The type determines the answer to give
                        if there is no match from local-data. The types are deny,
                        refuse, static, transparent, redirect, nodefault, typetransparent,
                        inform, inform_deny, always_transparent, always_refuse,
                        always_nxdomain, and are explained below. After that the default
                        settings are listed. Use local-data: to enter data into the
                        local zone. Answers for local zones are authoritative DNS
                        answers. By default the zones are class IN.

          static
                          If there is a match from local data, the query is answered.
                          Otherwise, the query is answered with nodata or nxdomain.
                          For a negative answer a SOA is included in the answer if
                          present as local-data for the zone apex domain.

          transparent
                          If there is a match from local data, the query is answered.
                          Otherwise if the query has a different name, the query is
                          resolved normally. If the query is for a name given in
                          localdata but no such type of data is given in localdata,
                          then a noerror nodata answer is returned. If no local-zone
                          is given local-data causes a transparent zone to be created
                          by default.


          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

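The two mechanisms explained in Derelict's and johnpoz's replies, as an added Python model (this is not code from the thread, from pfSense or from unbound): a stub resolver appending its search suffix unless the query ends in a dot, and unbound answering a name under its local zone either by resolving upstream (transparent, the pfSense default) or with nxdomain (static). The zone contents are constructed to mirror the output posted above; in particular the wildcard A record on bounceme.net is an assumption that reproduces the 81.82.9.141 answer, not No-IP's published configuration.

```python
"""Model of search-suffix expansion by a stub resolver and of unbound's
transparent vs static local-zone types.  Added illustration for this thread,
not code from the thread, pfSense or unbound."""

from __future__ import annotations

from dataclasses import dataclass, field


def fqdn(name: str) -> str:
    """Normalise a name to lower case with a trailing dot (absolute form)."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def candidate_names(query: str, search_list: list[str]) -> list[str]:
    """Names the stub resolver tries, in order.

    A trailing dot makes the query absolute, so nothing is appended; that is
    Derelict's point.  Otherwise every search suffix is appended first and the
    bare name is tried last, which matches the order the posted nslookup output
    shows (cnn.com answered as cnn.com.bounceme.net).  glibc's ndots rule can
    order these differently; this model follows the Windows behaviour.
    """
    if query.endswith("."):
        return [fqdn(query)]
    return [fqdn(f"{query}.{suffix}") for suffix in search_list] + [fqdn(query)]


def upstream_lookup(zones: dict[str, list[str]], name: str) -> list[str] | None:
    """Exact match first, then the closest enclosing wildcard (simplified)."""
    if name in zones:
        return zones[name]
    labels = name.split(".")
    for i in range(1, len(labels) - 1):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in zones:
            return zones[wildcard]
    return None


@dataclass
class Unbound:
    """Minimal model of the local-zone types quoted from the unbound manual."""

    local_zone: str
    zone_type: str  # "transparent" (pfSense default) or "static"
    local_data: dict[str, list[str]]
    upstream: dict[str, list[str]]
    upstream_queries: list[str] = field(default_factory=list)

    def lookup(self, name: str) -> list[str] | None:
        if self.zone_type not in ("transparent", "static"):
            raise ValueError(f"unsupported zone type {self.zone_type!r}")
        name = fqdn(name)
        if name in self.local_data:  # both types answer from local data first
            return self.local_data[name]
        zone = fqdn(self.local_zone)
        in_zone = name == zone or name.endswith("." + zone)
        if self.zone_type == "static" and in_zone:
            return None  # nxdomain: the name is ours, nothing goes upstream
        # transparent, or a name outside the local zone: resolve upstream
        self.upstream_queries.append(name)
        return upstream_lookup(self.upstream, name)


def client_resolve(query: str, search_list: list[str], resolver: Unbound):
    """Walk the candidate names like a stub resolver; the first answer wins."""
    for cand in candidate_names(query, search_list):
        answer = resolver.lookup(cand)
        if answer is not None:
            return cand, answer
    return None, None


# Constructed data.  The wildcard A record on bounceme.net is an assumption:
# it is what turns cnn.com.bounceme.net into the 81.82.9.141 answer seen in
# the first post; No-IP's real zone contents are not shown in the thread.
UPSTREAM = {
    "cnn.com.": ["151.101.65.67", "151.101.129.67", "151.101.1.67", "151.101.193.67"],
    "*.bounceme.net.": ["81.82.9.141"],
}
# Records unbound on the pfSense box knows about locally (constructed).
LOCAL_DATA = {"pfsense.bounceme.net.": ["10.100.10.1"]}


def make_resolver(zone_type: str) -> Unbound:
    return Unbound("bounceme.net", zone_type, LOCAL_DATA, UPSTREAM)


if __name__ == "__main__":
    for zone_type in ("transparent", "static"):
        r = make_resolver(zone_type)
        print(f"--- local-zone bounceme.net {zone_type}")
        for q in ("cnn.com", "cnn.com.", "pfsense"):
            print(f"{q:10} -> {client_resolve(q, ['bounceme.net'], r)}")
        print("sent upstream:", r.upstream_queries)
```

The list worth watching is `upstream_queries`. With the zone transparent, every suffixed lookup for a host unbound has no record of (cnn.com.bounceme.net, but also every mistyped or internal host name) leaves the network and is answered by whoever serves bounceme.net; with the zone static those names get nxdomain locally and only the bare name goes out. Handing out "mylocal" as the DHCP suffix instead, as in the first post's second run, only looks clean because nobody upstream answers for .mylocal; the suffixed query is still sent.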
            AlientFrost

            @Derelict:

            So, not a DNS Guru, there really is nothing wrong here?

              AlientFrost

              @johnpoz:

              I "sorta" have control of the bounceme.net domain. It is a premium DDNS host. I only did this to get the cert. Usually I would use .mylocal. at this point I am going to try the "static" setting. Thanks for the info!!

                johnpoz (LAYER 8, Global Moderator)

                From a dns guru point of view yes there is something wrong, since it seems you're using a domain locally that you do not control??  You clearly seem to have it set as a search suffix for some reason?  This bounceme.net

                ;; QUESTION SECTION:
                ;bounceme.net.                  IN      NS

                ;; ANSWER SECTION:
                bounceme.net.          86400  IN      NS      nf1.no-ip.com.
                bounceme.net.          86400  IN      NS      nf2.no-ip.com.
                bounceme.net.          86400  IN      NS      nf3.no-ip.com.
                bounceme.net.          86400  IN      NS      nf4.no-ip.com.
                bounceme.net.          86400  IN      NS      nf5.no-ip.com.

                Why are you using that domain on your pfsense?  You really should not be using that domain as a local domain - since clearly you do not control it.. It could reply with all kinds of stuff when you append it as suffix..

                I have queried their name servers for your examples and they do not respond with answers, only SOA… You got something more going on than what you're showing..

                dig usatoday.com.bounceme.net

                ; <<>> DiG 9.11.2 <<>> usatoday.com.bounceme.net
                ;; global options: +cmd
                ;; Got answer:
                ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5626
                ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

                ;; OPT PSEUDOSECTION:
                ; EDNS: version: 0, flags:; udp: 4096
                ;; QUESTION SECTION:
                ;usatoday.com.bounceme.net.    IN      A

                ;; AUTHORITY SECTION:
                bounceme.net.          3540    IN      SOA    nf1.no-ip.com. hostmaster.no-ip.com. 2011704497 90 120 604800 60

                ;; Query time: 17 msec
                ;; SERVER: 192.168.9.253#53(192.168.9.253)
                ;; WHEN: Tue Feb 06 11:21:09 Central Standard Time 2018
                ;; MSG SIZE  rcvd: 114


                  AlientFrost

                  @johnpoz:

                  Thank you for the helpful responses. As I mentioned, this all started trying to use a Let's Encrypt SSL cert for the site using ACME CERTIFICATES, which was a success. The bounceme.net domain is not "my" DDNS domain used - I changed it for security purposes for publishing to this forum. But I AM using a NOIP.com Premium account with one of their premium domains used with this host.

                  I've since set my DNS to "static" vs. "transparent" and all seems to be back to normal.

                  Bit more background. I use OpenDNS servers in DNS Server Settings. Also using network-wide PIA VPN, as well as a port 53 redirection rule prohibiting clients from using their own DNS. I have no port forwarding open other than the ACME CERTIFICATES NAT. Using various tests I see no DNS leaking whatsoever, however that is not the scope of this discussion.

                  I was only concerned about the nslookup answers I was receiving on Windows DHCP clients, and just wanted to know why, and if it was dangerous.

                  Given the additional information, in your opinion would this setup be wrong? And if so what would you recommend? Again, using a Let's Encrypt CERT is the scope.

                    johnpoz (LAYER 8, Global Moderator)

                    Do you have public users that hit your pfsense web gui?  If not I see no reason to use an acme cert for an admin-only interface - put a cert on there you signed with the pfsense CA and trust that CA… Done for 10+ years... Not renew every 90 days..

                    As to why you're getting back answers for usatoday.com.whatever - that should not happen on a domain you control, unless you have a wildcard set on it.. Which is normally bad practice..

                    If you're using unbound in resolver mode - your dns server settings are pretty pointless... Unbound would be resolving, not forwarding, out of the box..


                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.