Strange NSLOOKUP Results on Windows Clients
-
Recently added a Let's Encrypt cert to my pfSense box. Using Acme Certificates "app" and a No-IP premium DDNS host - piece of cake. Set my pfSense domain to bounceme.net. Everything running smoothly. My pfSense box is now "pfsense.bounceme.net" and the cert works. (domain has been changed in this post)
However, on my Windows clients using DHCP, something weird happens when I run nslookup. The reply is the same IP (I'm pretty sure it belongs to NO-IP.com) with the NO-IP suffix appended to every query. When I add the "mylocal" domain in the DHCP scope, everything works fine, but I cannot ping host names only, only FQDNs.
Everything works, web browsing, Linux boxes, VPN, etc., but I've never seen nslookup do what it is doing. It tells me something is wrong, or misconfigured.
Any ideas?
With bounceme.net set as pfSense domain under System\General Setup:

$ nslookup cnn.com
Server: pfSense.bounceme.net
Address: 10.100.10.1

Non-authoritative answer:
Name: cnn.com.bounceme.net
Address: 81.82.9.141

$ nslookup usatoday.com
Server: pfSense.bounceme.net
Address: 10.100.10.1

Non-authoritative answer:
Name: usatoday.com.bounceme.net
Address: 81.82.9.141

$ nslookup cnn.com. 10.100.10.1
Server: pfSense.bounceme.net
Address: 10.100.10.1

Non-authoritative answer:
Name: cnn.com
Addresses: 2a04:4e42::323
2a04:4e42:200::323
2a04:4e42:600::323
2a04:4e42:400::323
151.101.65.67
151.101.129.67
151.101.1.67
151.101.193.67

With bounceme.net STILL set as domain, with Domain name: "mylocal" in DHCP scope:

$ nslookup cnn.com
Server: pfSense.bounceme.net
Address: 10.100.10.1

Non-authoritative answer:
Name: cnn.com
Addresses: 2a04:4e42:400::323
2a04:4e42:600::323
2a04:4e42:200::323
2a04:4e42::323
151.101.65.67
151.101.129.67
151.101.193.67
151.101.1.67
-
It is simply appending the search domain to the queries.
When you append a . that tells the resolver not to do that.
That is not pfSense adding the domain. nslookup is just telling you what windows is doing.
-
So you do not control bounceme.net? Then you shouldn't be using it internally, since you cannot control what is public on it. Also, out of the box unbound is set to transparent zone. So if you look for something that is not in your domain/zone - ie bounceme.net - it will try and resolve upstream.
So if your client appends the search suffix to your query, ie your cnn.com.bounceme.net, since you have no local record of that it will resolve it upstream and sure could return results, since you do not control that domain, or you do and have set a wildcard?
Use a client for such a query that does not append your search suffix - dig for example. Use the . in nslookup as Derelict stated already to state "this is exactly the fqdn I want to query - don't append any search suffixes that might be set". And I would also suggest setting your zone to static in unbound so it will not try and query upstream for stuff that is in the local zone (you set in general) but unbound has no record of.
https://www.unbound.net/documentation/unbound.conf.html
local-zone: <zone> <type>
    Configure a local zone. The type determines the answer to give if there is no match from local-data. The types are deny, refuse, static, transparent, redirect, nodefault, typetransparent, inform, inform_deny, always_transparent, always_refuse, always_nxdomain, and are explained below. After that the default settings are listed. Use local-data: to enter data into the local zone. Answers for local zones are authoritative DNS answers. By default the zones are class IN.

static
    If there is a match from local data, the query is answered. Otherwise, the query is answered with nodata or nxdomain. For a negative answer a SOA is included in the answer if present as local-data for the zone apex domain.

transparent
    If there is a match from local data, the query is answered. Otherwise if the query has a different name, the query is resolved normally. If the query is for a name given in localdata but no such type of data is given in localdata, then a noerror nodata answer is returned. If no local-zone is given local-data causes a transparent zone to be created by default.
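As an added illustration (not code from the thread or from pfSense/unbound), this Python model reproduces the two mechanisms discussed above: the Windows stub resolver appending the DHCP search suffix before trying the name as typed, as the OP's nslookup output shows, and unbound answering for the system domain as a transparent versus a static local-zone. The wildcard upstream answer, the local record and the addresses are constructed from the values quoted in the thread.

```python
from typing import Optional

# Constructed local data: the one record unbound holds for the zone that was
# set as the system domain in General Setup (pfsense.bounceme.net).
LOCAL_DATA = {"pfsense.bounceme.net.": "10.100.10.1"}
ZONE = "bounceme.net."

def upstream_resolve(fqdn: str) -> Optional[str]:
    """Stand-in for the public Internet (constructed): the DDNS provider is
    modelled as a wildcard that answers any name under the suffix, which is
    what the OP's nslookup output shows; cnn.com gets one of its addresses."""
    if fqdn.endswith("." + ZONE):
        return "81.82.9.141"
    if fqdn == "cnn.com.":
        return "151.101.65.67"
    return None

def client_queries(name: str, suffix: str) -> list:
    """Names a suffix-appending stub resolver sends, in the order the thread's
    nslookup output shows: suffixed name first, then the name as typed.
    A trailing dot marks the name as an FQDN and disables suffix search."""
    if name.endswith("."):
        return [name]
    return [f"{name}.{suffix}", f"{name}."]

def unbound_answer(qname: str, zone_type: str):
    """Decide like unbound's local-zone types: local-data wins; in a 'static'
    zone any other in-zone name is NXDOMAIN and never sent upstream; in a
    'transparent' zone it is resolved normally (i.e. leaks to the provider)."""
    if qname in LOCAL_DATA:
        return "NOERROR", LOCAL_DATA[qname]
    in_zone = qname == ZONE or qname.endswith("." + ZONE)
    if in_zone and zone_type == "static":
        return "NXDOMAIN", None
    addr = upstream_resolve(qname)
    return ("NOERROR", addr) if addr else ("NXDOMAIN", None)

def lookup(name: str, zone_type: str, suffix: str = ZONE):
    """Emulate the client: the first candidate that gets an answer wins.
    Returns (name actually answered, address or 'NXDOMAIN')."""
    for q in client_queries(name, suffix):
        rcode, addr = unbound_answer(q, zone_type)
        if rcode == "NOERROR":
            return q, addr
    return name, "NXDOMAIN"

if __name__ == "__main__":
    for n, zt in [("cnn.com", "transparent"), ("cnn.com.", "transparent"),
                  ("cnn.com", "static"), ("pfsense", "static")]:
        print(f"{n:10} zone={zt:12} -> {lookup(n, zt)}")
```

With the zone transparent, the suffixed query wins and the client is handed the provider's wildcard address; with the zone static, or with a trailing dot on the name, the real cnn.com answer comes back.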
-
So, not a DNS Guru, there really is nothing wrong here?
-
I "sorta" have control of the bounceme.net domain. It is a premium DDNS host. I only did this to get the cert. Usually I would use .mylocal. At this point I am going to try the "static" setting. Thanks for the info!!
-
From a dns guru point of view yes there is something wrong, since it seems you're using a domain locally that you do not control?? You clearly seem to have it set as a search suffix for some reason? This bounceme.net:

;; QUESTION SECTION:
;bounceme.net. IN NS

;; ANSWER SECTION:
bounceme.net. 86400 IN NS nf1.no-ip.com.
bounceme.net. 86400 IN NS nf2.no-ip.com.
bounceme.net. 86400 IN NS nf3.no-ip.com.
bounceme.net. 86400 IN NS nf4.no-ip.com.
bounceme.net. 86400 IN NS nf5.no-ip.com.

Why are you using that domain on your pfsense? You really should not be using that domain as a local domain - since clearly you do not control it.. It could reply with all kinds of stuff when you append it as suffix..
I have queried their name servers for your examples and they do not respond with answers, only SOA… You got something more going on than what you're showing..

dig usatoday.com.bounceme.net

; <<>> DiG 9.11.2 <<>> usatoday.com.bounceme.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5626
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;usatoday.com.bounceme.net. IN A

;; AUTHORITY SECTION:
bounceme.net. 3540 IN SOA nf1.no-ip.com. hostmaster.no-ip.com. 2011704497 90 120 604800 60

;; Query time: 17 msec
;; SERVER: 192.168.9.253#53(192.168.9.253)
;; WHEN: Tue Feb 06 11:21:09 Central Standard Time 2018
;; MSG SIZE rcvd: 114
-
Thank you for the helpful responses. As I mentioned, this all started trying to use a Let's Encrypt SSL cert for the site using ACME CERTIFICATES, which was a success. The bounceme.net domain is not "my" DDNS domain used - I changed it for security purposes for publishing to this forum. But I AM using a NOIP.com Premium account with one of their premium domains used with this host.
I've since set my DNS to "static" vs. "transparent" and all seems to be back to normal.
Bit more background. I use OpenDNS servers in DNS Server Settings. Also using network-wide PIA VPN, as well as a port 53 redirection rule prohibiting clients from using their own DNS. I have no port forwarding open other than the ACME CERTIFICATES NAT. Using various tests I see no DNS leaking whatsoever, however that is not the scope of this discussion.
I was only concerned about the nslookup answers I was receiving on Windows DHCP clients, and just wanted to know why, and if it was dangerous.
Given the additional information, in your opinion would this setup be wrong? And if so what would you recommend? Again, using a Let's Encrypt CERT is the scope.
-
Do you have public users that hit your pfsense web gui? If not, I see no reason to use an acme cert for an admin-only interface - put a cert on there you signed with the pfsense CA and trust that CA… Done for 10+ years... No renewing every 90 days..
As to why you're getting back answers for usatoday.com.whatever - that should not happen on a domain you control, unless you have a wildcard set on it.. Which is normally bad practice..
If you're using unbound in resolver mode - your dns server settings are pretty pointless... Unbound would be resolving, not forwarding, out of the box..