Strange NSLOOKUP Results on Windows Clients



  • Recently added a Let's Encrypt cert to my pfSense box. Using Acme Certificates "app" and a No-IP premium DDNS host - piece of cake. Set my pfSense domain to bounceme.net. Everything running smoothly. My pfSense box is now "pfsense.bounceme.net" and the cert works. (domain has been changed in this post)

    However, on my Windows clients using DHCP, I am having a weird thing happen when running nslookup. The reply is the same IP (I'm pretty sure it belongs to NO-IP.com) along with the NO-IP suffix added to every search. However, when I add the "mylocal" domain in the DHCP scope, everything works fine, but I cannot ping host names only, only FQDNs.

    Everything works, web browsing, Linux boxes, VPN, etc. but I've never seen nslookup do what it is doing. Tells me something is wrong, or mis-configured.

    Any ideas?

    With bounceme.net set as pfSense domain under System\General Setup:

    $ nslookup cnn.com
    Server:  pfSense.bounceme.net
    Address:  10.100.10.1

    Non-authoritative answer:
    Name:    cnn.com.bounceme.net
    Address:  81.82.9.141

    $ nslookup usatoday.com
    Server:  pfSense.bounceme.net
    Address:  10.100.10.1

    Non-authoritative answer:
    Name:    usatoday.com.bounceme.net
    Address:  81.82.9.141

    $ nslookup cnn.com. 10.100.10.1
    Server:  pfSense.bounceme.net
    Address:  10.100.10.1

    Non-authoritative answer:
    Name:    cnn.com
    Addresses:  2a04:4e42::323
              2a04:4e42:200::323
              2a04:4e42:600::323
              2a04:4e42:400::323
              151.101.65.67
              151.101.129.67
              151.101.1.67
              151.101.193.67

    With bounceme.net STILL set as domain, and Domain name "mylocal" in the DHCP scope:

    $ nslookup cnn.com
    Server:  pfSense.bounceme.net
    Address:  10.100.10.1

    Non-authoritative answer:
    Name:    cnn.com
    Addresses:  2a04:4e42:400::323
              2a04:4e42:600::323
              2a04:4e42:200::323
              2a04:4e42::323
              151.101.65.67
              151.101.129.67
              151.101.193.67
              151.101.1.67


  • LAYER 8 Netgate

    It is simply appending the search domain to the queries.

    When you append a . that tells the resolver not to do that.

    That is not pfSense adding the domain. nslookup is just telling you what windows is doing.


  • LAYER 8 Global Moderator

    So you do not control bounceme.net? Then you shouldn't be using it internally, since you cannot control what is public on it. Also, out of the box unbound is set to a transparent zone. So if you look for something that is not in your domain/zone, i.e. bounceme.net, it will try and resolve upstream.

    So if your client appends the search suffix to your query, i.e. cnn.com.bounceme.net, since you have no local record of that it will resolve it upstream, and sure could return results since you do not control that domain, or you do and have set a wildcard?

    Use a client for such a query that does not append your search suffix, dig for example. Use the . in nslookup as Derelict stated already to state "this is exactly the FQDN I want to query, don't append any search suffixes that might be set". And I would also suggest setting your zone to static in unbound so it will not try and query upstream for stuff that is in the local zone (that you set in General) but unbound has no record of.

    https://www.unbound.net/documentation/unbound.conf.html
    local-zone: <zone> <type>
                  Configure a local zone. The type determines the answer to give
                  if there is no match from local-data. The types are deny,
                  refuse, static, transparent, redirect, nodefault, typetransparent,
                  inform, inform_deny, always_transparent, always_refuse,
                  always_nxdomain, and are explained below. After that the default
                  settings are listed. Use local-data: to enter data into the
                  local zone. Answers for local zones are authoritative DNS
                  answers. By default the zones are class IN.

    static
                    If there is a match from local data, the query is answered.
                    Otherwise, the query is answered with nodata or nxdomain.
                    For a negative answer a SOA is included in the answer if
                    present as local-data for the zone apex domain.

    transparent
                    If there is a match from local data, the query is answered.
                    Otherwise if the query has a different name, the query is
                    resolved normally. If the query is for a name given in
                    localdata but no such type of data is given in localdata,
                    then a noerror nodata answer is returned. If no local-zone
                    is given local-data causes a transparent zone to be created
                    by default.
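
    An added example, not code from the thread or from pfSense/Unbound, that models the three parties discussed above in Python so the nslookup results can be reproduced offline: a stub resolver that applies a DNS search list the way Derelict describes (suffix appended unless the name ends in a dot), an Unbound-style local-zone in the two types johnpoz quotes (transparent and static), and a constructed upstream in which every name under bounceme.net answers with the single address from the post, standing in for the wildcard johnpoz suspects. The search-list order (suffixed names first, bare name last), the wildcard, and all function and class names are assumptions made for the illustration, not Windows or Unbound source behaviour.

```python
"""Toy model of the post's DNS setup (added example, constructed data).

Parties:  a Windows-style stub resolver with a search list,
          a pfSense/Unbound resolver with one local-zone,
          an upstream view of public DNS where the DDNS provider's
          domain answers every name under it (assumed wildcard).
"""

NXDOMAIN = "NXDOMAIN"

# Upstream / public DNS as the local resolver sees it (constructed).
# 'cnn.com.' gets one of the addresses from the post; anything under
# bounceme.net. gets the single IP the OP saw, i.e. an assumed wildcard.
PUBLIC_DNS = {"cnn.com.": "151.101.65.67"}
WILDCARD_ZONE = "bounceme.net."
WILDCARD_ADDR = "81.82.9.141"


def upstream_resolve(qname):
    """Answer a fully qualified name from the constructed public tree."""
    if qname in PUBLIC_DNS:
        return PUBLIC_DNS[qname]
    if qname == WILDCARD_ZONE or qname.endswith("." + WILDCARD_ZONE):
        return WILDCARD_ADDR
    return NXDOMAIN


def search_candidates(name, search_list):
    """Query names a stub resolver tries, in order, for a user-typed name.

    A trailing dot marks the name as fully qualified: it is queried as-is
    and no suffix is appended (Derelict's fix). Otherwise each search
    suffix is appended first and the bare name is tried last, which is
    the order that reproduces the post (cnn.com -> cnn.com.bounceme.net).
    """
    if name.endswith("."):
        return [name]
    suffixed = [f"{name}.{suffix.rstrip('.')}." for suffix in search_list]
    return suffixed + [name + "."]


class LocalZoneResolver:
    """Unbound-style resolver with one local-zone (simplified semantics).

    'transparent': answer from local-data, otherwise resolve upstream.
    'static':      answer from local-data, otherwise return a negative
                   answer for names in the zone without asking upstream.
    """

    def __init__(self, zone, zone_type, local_data, upstream=upstream_resolve):
        if zone_type not in ("transparent", "static"):
            raise ValueError("only transparent and static are modelled here")
        self.zone = zone.rstrip(".") + "."
        self.zone_type = zone_type
        self.local_data = local_data
        self.upstream = upstream

    def in_zone(self, qname):
        return qname == self.zone or qname.endswith("." + self.zone)

    def resolve(self, qname):
        if qname in self.local_data:
            return self.local_data[qname]
        if self.zone_type == "static" and self.in_zone(qname):
            return NXDOMAIN  # authoritative negative answer, never forwarded
        return self.upstream(qname)  # transparent, or a name outside the zone


def client_lookup(name, search_list, resolver):
    """What the user sees: (name that was answered, address) or NXDOMAIN."""
    for candidate in search_candidates(name, search_list):
        answer = resolver.resolve(candidate)
        if answer != NXDOMAIN:
            return candidate, answer
    return None, NXDOMAIN


def scenarios():
    """Reproduce the thread's cases; values are (answered qname, address)."""
    hosts = {"pfsense.bounceme.net.": "10.100.10.1"}  # Unbound's local-data
    transparent = LocalZoneResolver("bounceme.net", "transparent", hosts)
    static = LocalZoneResolver("bounceme.net", "static", hosts)
    search = ["bounceme.net"]  # the suffix the Windows client appends
    return {
        # OP's first output: suffix appended, wildcard answers upstream
        "transparent, search bounceme.net": client_lookup("cnn.com", search, transparent),
        # Derelict's fix: trailing dot, nothing appended
        "transparent, trailing dot": client_lookup("cnn.com.", search, transparent),
        # johnpoz's fix: static zone, suffixed name is NXDOMAIN locally
        "static, search bounceme.net": client_lookup("cnn.com", search, static),
        # a host Unbound knows still resolves under static
        "static, local host": client_lookup("pfsense", search, static),
        # transparent leaks an unknown internal name to the public domain
        "transparent, unknown local host": client_lookup("nas", search, transparent),
        "static, unknown local host": client_lookup("nas", search, static),
    }


if __name__ == "__main__":
    for label, (qname, addr) in scenarios().items():
        print(f"{label:34} -> {str(qname):24} {addr}")
```

    The "transparent, unknown local host" case shows the second risk johnpoz raises: with a transparent zone, any internal hostname Unbound has no record for is sent to whoever runs the public domain's name servers, and their answer (here the assumed wildcard) is what the client gets. The static case returns NXDOMAIN for the suffixed name locally, so the client falls through to the bare name and only public names ever leave the network.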



  • @Derelict:

    It is simply appending the search domain to the queries.

    When you append a . that tells the resolver not to do that.

    That is not pfSense adding the domain. nslookup is just telling you what windows is doing.

    So, not a DNS Guru, there really is nothing wrong here?



  • @johnpoz:

    So you do not control bounceme.net? Then you shouldn't be using it internally, since you cannot control what is public on it. Also, out of the box unbound is set to a transparent zone. So if you look for something that is not in your domain/zone, i.e. bounceme.net, it will try and resolve upstream.

    So if your client appends the search suffix to your query, i.e. cnn.com.bounceme.net, since you have no local record of that it will resolve it upstream, and sure could return results since you do not control that domain, or you do and have set a wildcard?

    Use a client for such a query that does not append your search suffix, dig for example. Use the . in nslookup as Derelict stated already to state "this is exactly the FQDN I want to query, don't append any search suffixes that might be set". And I would also suggest setting your zone to static in unbound so it will not try and query upstream for stuff that is in the local zone (that you set in General) but unbound has no record of.


    I "sorta" have control of the bounceme.net domain. It is a premium DDNS host. I only did this to get the cert. Usually I would use .mylocal. At this point I am going to try the "static" setting. Thanks for the info!!


  • LAYER 8 Global Moderator

    From a DNS guru point of view, yes, there is something wrong, since it seems you're using a domain locally that you do not control. You clearly seem to have it set as a search suffix for some reason? This bounceme.net:

    ;; QUESTION SECTION:
    ;bounceme.net.                  IN      NS

    ;; ANSWER SECTION:
    bounceme.net.          86400  IN      NS      nf1.no-ip.com.
    bounceme.net.          86400  IN      NS      nf2.no-ip.com.
    bounceme.net.          86400  IN      NS      nf3.no-ip.com.
    bounceme.net.          86400  IN      NS      nf4.no-ip.com.
    bounceme.net.          86400  IN      NS      nf5.no-ip.com.

    Why are you using that domain on your pfSense? You really should not be using that domain as a local domain, since clearly you do not control it. It could reply with all kinds of stuff when you append it as a suffix.

    I have queried their name servers for your examples and they do not respond with answers, only SOA. You've got something more going on than what you're showing.

    dig usatoday.com.bounceme.net

    ; <<>> DiG 9.11.2 <<>> usatoday.com.bounceme.net
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5626
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;usatoday.com.bounceme.net.    IN      A

    ;; AUTHORITY SECTION:
    bounceme.net.          3540    IN      SOA    nf1.no-ip.com. hostmaster.no-ip.com. 2011704497 90 120 604800 60

    ;; Query time: 17 msec
    ;; SERVER: 192.168.9.253#53(192.168.9.253)
    ;; WHEN: Tue Feb 06 11:21:09 Central Standard Time 2018
    ;; MSG SIZE  rcvd: 114



  • @johnpoz:

    From a DNS guru point of view, yes, there is something wrong, since it seems you're using a domain locally that you do not control. You clearly seem to have it set as a search suffix for some reason? This bounceme.net:

    ;; QUESTION SECTION:
    ;bounceme.net.                  IN      NS

    ;; ANSWER SECTION:
    bounceme.net.          86400  IN      NS      nf1.no-ip.com.
    bounceme.net.          86400  IN      NS      nf2.no-ip.com.
    bounceme.net.          86400  IN      NS      nf3.no-ip.com.
    bounceme.net.          86400  IN      NS      nf4.no-ip.com.
    bounceme.net.          86400  IN      NS      nf5.no-ip.com.

    Why are you using that domain on your pfSense? You really should not be using that domain as a local domain, since clearly you do not control it. It could reply with all kinds of stuff when you append it as a suffix.

    I have queried their name servers for your examples and they do not respond with answers, only SOA. You've got something more going on than what you're showing.

    Thank you for the helpful responses. As I mentioned, this all started trying to use a Let's Encrypt SSL cert for the site using ACME CERTIFICATES, which was a success. The bounceme.net domain is not "my" DDNS domain used; I changed it for security purposes for publishing to this forum. But I AM using a NOIP.com Premium account with one of their premium domains used with this host.

    I've since set my DNS to "static" vs. "transparent" and all seems to be back to normal.

    Bit more background. I use OpenDNS servers in DNS Server Settings. Also using a network-wide PIA VPN, as well as a port 53 redirection rule prohibiting clients from using their own DNS. I have no port forwarding open other than the ACME CERTIFICATES NAT. Using various tests I see no DNS leaking whatsoever; however, that is not the scope of this discussion.

    I was only concerned about the nslookup answers I was receiving on Windows DHCP clients, and just wanted to know why, and if it was dangerous.

    Given the additional information, in your opinion would this setup be wrong? And if so what would you recommend? Again, using a Let's Encrypt CERT is the scope.


  • LAYER 8 Global Moderator

    Do you have public users that hit your pfSense web GUI? If not, I see no reason to use an ACME cert for an admin-only interface; put a cert on there you signed with the pfSense CA and trust that CA. Done for 10+ years, not renewed every 90 days.

    As to why you're getting back answers for usatoday.com.whatever: that should not happen on a domain you control, unless you have a wildcard set on it, which is normally bad practice.

    If you're using unbound in resolver mode, your DNS server settings are pretty pointless. Unbound would be resolving, not forwarding, out of the box.

