DNS query to WAN port doesn't resolve against DNS Resolver

  • I hope this isn't going to be too confusing… here we go :)

    I have a pfsense micro-server installed between various LANs; it's used to segment off a couple of lab environments. I have a working DNS Resolver installed and configured which properly resolves queries from the LAN and OPT1 interfaces. If I try to query against the WAN side, the DNS is refused. Since this is a lab within labs, every interface is wide open. Maybe this will help...


    Within the 192 network, its gateway is with a static route to for networks 172.16.1/10.

    Inside the LAN 172 network, I can test DNS like so...

    shaker@replica2:~$ dig @ ucp1.domain.ee

    ; <<>> DiG 9.10.3-P4-Ubuntu <<>> @ ucp1.domain.ee
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43613
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ; EDNS: version: 0, flags:; udp: 4096
    ;ucp1.domain.ee. IN A

    ucp1.domain.ee. 3600 IN A

    ;; Query time: 0 msec
    ;; SERVER:
    ;; WHEN: Fri May 18 20:42:36 EDT 2018
    ;; MSG SIZE  rcvd: 59

    Now let's test against the WAN side...

    DevMac2:~ $ dig @ ucp1.domain.ee

    ; <<>> DiG 9.10.6 <<>> @ ucp1.domain.ee
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 16265
    ;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    ;; WARNING: recursion requested but not available

    ;; Query time: 37 msec
    ;; SERVER:
    ;; WHEN: Fri May 18 20:44:40 EDT 2018
    ;; MSG SIZE  rcvd: 12


  • LAYER 8 Global Moderator

    And your ACL settings in unbound are what exactly?  See the ACL tab..

  • I left the access list empty, but your question prompted me to review the doc https://doc.pfsense.org/index.php/Unbound_DNS_Resolver and apparently, in some cases you do have to explicitly permit access by various networks. I then created an access list for the 192 network and tested it. Appears to have resolved the issue. Appreciate the tip!

  • LAYER 8 Global Moderator

    Unless you disable all auto-added ACLs, only internal interface networks are added. So yeah, on a WAN interface you would need to add the ACL to allow the query.

    "By default, IPv4 and IPv6 networks residing on internal interfaces of this system are permitted. Allowed networks must be manually configured on the Access Lists tab if the auto-added entries are disabled."
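
The moderator's explanation above comes down to how Unbound's access-control list is evaluated: the most specific netblock that matches the client's source address decides the action, and when nothing matches the query is refused. The following Python is an added illustration of that rule and of why the empty Access Lists tab still produced REFUSED on the WAN side; it is not code from the thread, from pfSense or from Unbound. The addresses are assumptions chosen to fit the thread (172.16.1.0/24 for LAN, 172.16.2.0/24 for OPT1, 192.168.1.0/24 for the network behind the WAN port), the default entries are the ones Unbound documents as its built-in defaults, and the tie-break for a netblock listed twice is an assumption of the model.

```python
"""Model of Unbound access-control matching as used by the pfSense DNS Resolver.

Added example; the netblocks below are assumptions, not values from the thread.
"""
import ipaddress

# Unbound's documented built-in defaults: refuse everything, allow loopback.
DEFAULT_ACL = [
    ("0.0.0.0/0", "refuse"),
    ("127.0.0.0/8", "allow"),
    ("::0/0", "refuse"),
    ("::1", "allow"),
]

# What the pfSense "auto-added" entries amount to: one allow per internal
# interface network. Assumed LAN and OPT1 netblocks; the WAN-side network is
# deliberately absent, which is the situation in the first post.
INTERNAL_NETWORKS = ["172.16.1.0/24", "172.16.2.0/24"]

# Assumed network behind the WAN port (the "192 network" of the thread).
WAN_SIDE_NETWORK = "192.168.1.0/24"

# Action -> what dig reports in the header (or, for deny, no answer at all).
ACTION_TO_RCODE = {
    "allow": "NOERROR",
    "allow_snoop": "NOERROR",
    "allow_setrd": "NOERROR",
    "refuse": "REFUSED",
    "deny": "TIMEOUT",  # 'deny' silently drops the packet
}


def build_acl(internal_networks, manual_entries=()):
    """Defaults + auto-added internal networks + the Access Lists tab entries."""
    acl = list(DEFAULT_ACL)
    acl += [(net, "allow") for net in internal_networks]
    acl += list(manual_entries)
    return acl


def decide(acl, client_ip):
    """Return the action for a client: most specific matching netblock wins;
    no match means refuse. A netblock listed twice is resolved last-wins here
    (an assumption of this model, not a statement about Unbound)."""
    ip = ipaddress.ip_address(client_ip)
    best = None
    for net_str, action in acl:
        net = ipaddress.ip_network(net_str, strict=False)
        if ip.version != net.version or ip not in net:
            continue
        if best is None or net.prefixlen >= best[0].prefixlen:
            best = (net, action)
    return best[1] if best else "refuse"


def rcode(acl, client_ip):
    """Translate the action into the status line a `dig` on that client sees."""
    action = decide(acl, client_ip)
    if action not in ACTION_TO_RCODE:
        raise ValueError("action not modelled: %s" % action)
    return ACTION_TO_RCODE[action]


def open_resolver_entries(acl):
    """Flag allow actions on a catch-all netblock (prefix length 0): that is an
    open recursive resolver, the thing you do not want on a real WAN."""
    return [
        (net, action)
        for net, action in acl
        if action.startswith("allow")
        and ipaddress.ip_network(net, strict=False).prefixlen == 0
    ]


if __name__ == "__main__":
    before = build_acl(INTERNAL_NETWORKS)
    after = build_acl(INTERNAL_NETWORKS, [(WAN_SIDE_NETWORK, "allow")])
    for label, acl in (("empty Access Lists tab", before), ("192 network allowed", after)):
        print(label)
        for client in ("172.16.1.50", "192.168.1.20", "203.0.113.9"):
            print("  %-14s -> %s" % (client, rcode(acl, client)))
    careless = build_acl(INTERNAL_NETWORKS, [("0.0.0.0/0", "allow")])
    print("open-resolver entries:", open_resolver_entries(careless))
```

The `before` list reproduces the thread: a LAN client gets NOERROR, the client behind the WAN port falls through to the `0.0.0.0/0 refuse` default and gets REFUSED. Adding one allow entry for that specific netblock, as the original poster did, flips it to NOERROR while any other source stays refused. The `open_resolver_entries` check is the caveat to keep in mind when repeating this outside a lab: on an internet-facing WAN, allowing a catch-all netblock turns the firewall into an open recursive resolver that can be used for DNS reflection and amplification, so allow only the netblocks that need recursion and re-run the `dig` test from an address outside them.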
