DNS query to WAN port doesn't resolve against DNS Resolver



  • I hope this isn’t going to be too confusing… here we go 🙂

    I have a pfsense micro-server installed between various lans, it’s use to segment off a couple lab environments. I have a working DNS Resolver installed and configured which properly resolves queries from the LAN and OPT1 interfaces. If I try to query against the WAN side, the DNS is refused. Since this is a lab within labs, every interface is wide open. Maybe this will help…

    WAN_IP=192.168.1.254
    LAN_IP=172.16.1.1
    OPT1_IP=172.16.10.1

    Within the 192 network, it’s gateway is 192.168.1.1 with a static route to 192.168.1.254 for networks 172.16.1/10.

    Inside the LAN 172 network, I can test dns like so…

    shaker@replica2:~$ dig @172.16.1.1 ucp1.domain.ee

    ; <<>> DiG 9.10.3-P4-Ubuntu <<>> @172.16.1.1 ucp1.domain.ee
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43613
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;ucp1.domain.ee. IN A

    ;; ANSWER SECTION:
    ucp1.domain.ee. 3600 IN A 172.16.1.101

    ;; Query time: 0 msec
    ;; SERVER: 172.16.1.1#53(172.16.1.1)
    ;; WHEN: Fri May 18 20:42:36 EDT 2018
    ;; MSG SIZE  rcvd: 59

    Now let’s test against the WAN side…

    DevMac2:~ $ dig @192.168.1.254 ucp1.domain.ee

    ; <<>> DiG 9.10.6 <<>> @192.168.1.254 ucp1.domain.ee
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 16265
    ;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    ;; WARNING: recursion requested but not available

    ;; Query time: 37 msec
    ;; SERVER: 192.168.1.254#53(192.168.1.254)
    ;; WHEN: Fri May 18 20:44:40 EDT 2018
    ;; MSG SIZE  rcvd: 12

    Thoughts?





  • Rebel Alliance

    And your ACL settings in unbound are what exactly?  See the ACL tab…



  • I left the access list empty, but your question prompted me to review the doc https://doc.pfsense.org/index.php/Unbound_DNS_Resolver and apparently, in some cases you do have to explicitly permit access by various networks. I then created a access list for the 192 network and tested it. Appears to have resolved the issue. Appreciate the tip!


  • Rebel Alliance

    Unless you disable all auto added ACLs, only internal interface networks are added.  So yeah on a wan interface you would need to add the acl to allow query.

    By default, IPv4 and IPv6 networks residing on internal interfaces of this system are permitted. Allowed networks must be manually configured on the Access Lists tab if the auto-added entries are disabled."


 

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy