Netgate Discussion Forum

Nslookup command not working on second LAN

General pfSense Questions

    emammadov
    last edited by emammadov May 30, 2018, 6:05 AM May 22, 2018, 11:01 AM

    Hi,

    We have WAN, LAN (192.168.2.0/24), LAN2 (192.168.4.0/24) and OPT1 (for switches). Everything is okay on LAN. When I run the nslookup command in cmd on LAN, it shows pfsense: Default Server: pfsense.smart.az Address: 192.168.2.1.

    But on LAN2, when I run nslookup command it shows: Default Server: UnKnown
    Address: fe80::1.
    And beside this, for example, nslookup google.com
    Server:  UnKnown
    Address:  fe80::1

    *** No internal type for both IPv4 and IPv6 Addresses (A+AAAA) records available for google.com

    What is the problem related with it?

    Elvin

      stephenw10 Netgate Administrator
      last edited by May 22, 2018, 2:56 PM

      Is that host getting an IP address via DHCP? From pfSense? Are you handing it DNS addresses? By default it will hand clients the interface address.

      Do you have a firewall rule on the OPT1 interface to allow DNS?

      Steve

        emammadov
        last edited by May 30, 2018, 6:12 AM

        Yes, hosts are getting IP addresses via DHCP from pfSense. DNS of hosts on the LAN network is 192.168.2.1, and DNS of hosts on the LAN2 network is 192.168.4.1. I am submitting screenshots of the rules as an attachment.
        2_1527660709267_3.jpg 1_1527660709267_2.jpg 0_1527660709267_1.jpg

        Elvin

          Gertjan
          last edited by Gertjan May 30, 2018, 9:45 AM May 30, 2018, 9:39 AM

          Can you run a

          ipconfig /all
          

          on that Win10 PC ?

          edit : check rule number 4 on LAN2 : if the device is not a pfSense admins device, and destination is the alias "pfSense Login" (the pfSense LAN IP or LAN2 IP ?) then traffic will be blocked.

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

            emammadov
            last edited by emammadov May 30, 2018, 11:09 AM May 30, 2018, 11:02 AM

            My PC is Win10 OS, but this issue happens on Win7 machines as well. But why are devices on the LAN network working well? There are no problems with them. The only problem on the LAN2 network is the nslookup command. Should I only block the https port to the pfSense login page (https://192.168.2.1 & 192.168.4.1)?

            Microsoft Windows [Version 10.0.16299.371]
            (c) 2017 Microsoft Corporation. All rights reserved.

            C:\Users\Elvin>ipconfig /all

            Windows IP Configuration

            Host Name . . . . . . . . . . . . : Elvin-PC
            Primary Dns Suffix . . . . . . . :
            Node Type . . . . . . . . . . . . : Hybrid
            IP Routing Enabled. . . . . . . . : No
            WINS Proxy Enabled. . . . . . . . : No
            DNS Suffix Search List. . . . . . : smart.az

            Ethernet adapter Ethernet:

            Connection-specific DNS Suffix . : smart.az
            Description . . . . . . . . . . . : Intel(R) Ethernet Connection I217-LM
            Physical Address. . . . . . . . . : 2C-44-FD-39-2E-C2
            DHCP Enabled. . . . . . . . . . . : Yes
            Autoconfiguration Enabled . . . . : Yes
            IPv6 Address. . . . . . . . . . . : fd0c:96bf:c956:b00:71a2:729d:2148:1718(Preferred)
            Temporary IPv6 Address. . . . . . : fd0c:96bf:c956:b00:7067:f052:fb88:dcc2(Preferred)
            Link-local IPv6 Address . . . . . : fe80::71a2:729d:2148:1718%15(Preferred)
            IPv4 Address. . . . . . . . . . . : 192.168.4.10(Preferred)
            Subnet Mask . . . . . . . . . . . : 255.255.255.0
            Lease Obtained. . . . . . . . . . : Wednesday, May 30, 2018 1:11:03 PM
            Lease Expires . . . . . . . . . . : Wednesday, May 30, 2018 3:11:03 PM
            Default Gateway . . . . . . . . . : 192.168.4.1
            DHCP Server . . . . . . . . . . . : 192.168.4.1
            DHCPv6 IAID . . . . . . . . . . . : 53232893
            DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-20-EB-85-64-2C-44-FD-39-2E-C2
            DNS Servers . . . . . . . . . . . : fe80::1%15
            192.168.4.1
            95.86.129.42
            95.86.129.43
            NetBIOS over Tcpip. . . . . . . . : Enabled

            Elvin

              JeGr LAYER 8 Moderator @emammadov
              last edited by JeGr May 30, 2018, 12:40 PM May 30, 2018, 12:39 PM

              @emammadov said in Nslookup command not working on second LAN:

              Yes, hosts are getting IP addresses via DHCP from pfSense. DNS of hosts on the LAN network is 192.168.2.1, and DNS of hosts on the LAN2 network is 192.168.4.1. I am submitting screenshots of the rules as an attachment.
              2_1527660709267_3.jpg 1_1527660709267_2.jpg 0_1527660709267_1.jpg

              Your screenshot is showing fe80::1 as Address for the DNS and in your ipconfig /all one can see you have IPv6 (fd0c:: addresses) on that computer, yet your firewall rules only allow IPv4 access to anywhere, no IPv6 at all. Windows 10 is preferring IPv6 over IPv4 when it has access so I'd say that is at least one if not the root cause of your problem. And why do you use fd00:: addresses and no public IP6 space?

              Greets,
              Jens

              Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

              If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

                emammadov
                last edited by May 30, 2018, 1:36 PM

                I disabled all rules that block traffic, but we still have the same problem. This problem is not only on Windows 10 machines, it also exists on Windows 7 machines. I wonder why there is no problem with it on the LAN network? I don't know how to use public IPv6 space.

                Elvin

                  Gertjan
                  last edited by May 30, 2018, 1:43 PM

                  Strange.

                  "Windows" has a list of DNS servers : 2 local (1 IPv4 and some sort of IPv6) and 2 remote.
                  Still, it looks like it persists in using IPv6 only - hitting the firewall on pfsense.

                  What are your LAN2 settings ?

                  No "help me" PM's please. Use the forum, the community will thank you.
                  Edit : and where are the logs ??

                    johnpoz LAYER 8 Global Moderator
                    last edited by May 30, 2018, 2:47 PM

                    @emammadov said in Nslookup command not working on second LAN:

                    fd0c:96bf:c956:b00:71a2:729d:2148:1718(Preferred)

                    Why are you using ULA?

                    Here is what I would suggest, disable IPv6 - does that fix your problem.. Is unbound listening on ipv6?

                    When you're ready to correctly setup IPv6, then enable it.

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                      JeGr LAYER 8 Moderator @johnpoz
                      last edited by May 30, 2018, 2:50 PM

                      @johnpoz My exact thoughts. Makes no sense to use ULA without specific reason that way and then blocking it on the gateway :)

                      Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

                      If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

                        johnpoz LAYER 8 Global Moderator
                        last edited by May 30, 2018, 3:00 PM

                        Just at a loss myself as to why you would setup ULA and then block ipv6.. So yeah dns is not going to work on ipv6 when you don't allow it to even talk to pfsense to query anything on ipv6.

                        I am a fan of ipv6, and run it on a few of my segments. But if you do not take the time to correctly set it up, then yeah you're going to have a bad day.

                        Until you're ready to take the time, you will reduce the grief level by just turning it off.. windows makes it easy with a simple reg entry.

                        So either he did not show full output of ipconfig /all or he did take the time to disable the transition interfaces teredo, isatap and 6to4 since out of the box those are going to be there on windows machine but he is not showing them.

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                          emammadov
                          last edited by May 31, 2018, 8:46 AM

                          I disabled blocking IPV6 in the firewall rules, but we are still having the same issue. Actually in our organization and also in our country we prefer to use IPV4. We have the same rules in the LAN2 network as in the LAN network. The LAN network is working okay. If I uncheck IPV6 in the network adapter settings, then it begins to work.

                          My ipconfig /all

                          Microsoft Windows [Version 10.0.16299.371]
                          (c) 2017 Microsoft Corporation. All rights reserved.

                          C:\Users\Elvin>ipconfig /all

                          Windows IP Configuration

                          Host Name . . . . . . . . . . . . : Elvin-PC
                          Primary Dns Suffix . . . . . . . :
                          Node Type . . . . . . . . . . . . : Hybrid
                          IP Routing Enabled. . . . . . . . : No
                          WINS Proxy Enabled. . . . . . . . : No
                          DNS Suffix Search List. . . . . . : smart.az

                          Ethernet adapter Ethernet:

                          Connection-specific DNS Suffix . : smart.az
                          Description . . . . . . . . . . . : Intel(R) Ethernet Connection I217-LM
                          Physical Address. . . . . . . . . : 2C-44-FD-39-2E-C2
                          DHCP Enabled. . . . . . . . . . . : Yes
                          Autoconfiguration Enabled . . . . : Yes
                          IPv6 Address. . . . . . . . . . . : fd0c:96bf:c956:b00:71a2:729d:2148:1718(Preferred)
                          Temporary IPv6 Address. . . . . . : fd0c:96bf:c956:b00:1dd3:ecb7:b782:60fd(Preferred)
                          Link-local IPv6 Address . . . . . : fe80::71a2:729d:2148:1718%15(Preferred)
                          IPv4 Address. . . . . . . . . . . : 192.168.4.10(Preferred)
                          Subnet Mask . . . . . . . . . . . : 255.255.255.0
                          Lease Obtained. . . . . . . . . . : Thursday, May 31, 2018 11:41:00 AM
                          Lease Expires . . . . . . . . . . : Thursday, May 31, 2018 2:41:34 PM
                          Default Gateway . . . . . . . . . : 192.168.4.1
                          DHCP Server . . . . . . . . . . . : 192.168.4.1
                          DHCPv6 IAID . . . . . . . . . . . : 53232893
                          DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-20-EB-85-64-2C-44-FD-39-2E-C2
                          DNS Servers . . . . . . . . . . . : fe80::1%15
                          192.168.4.1
                          95.86.129.42
                          95.86.129.43
                          NetBIOS over Tcpip. . . . . . . . : Enabled

                          Ethernet adapter VMware Network Adapter VMnet1:

                          Connection-specific DNS Suffix . :
                          Description . . . . . . . . . . . : VMware Virtual Ethernet Adapter for VMnet1
                          Physical Address. . . . . . . . . : 00-50-56-C0-00-01
                          DHCP Enabled. . . . . . . . . . . : Yes
                          Autoconfiguration Enabled . . . . : Yes
                          Link-local IPv6 Address . . . . . : fe80::dd17:9eb1:aac2:f90a%6(Preferred)
                          IPv4 Address. . . . . . . . . . . : 192.168.229.1(Preferred)
                          Subnet Mask . . . . . . . . . . . : 255.255.255.0
                          Lease Obtained. . . . . . . . . . : Thursday, May 31, 2018 11:41:09 AM
                          Lease Expires . . . . . . . . . . : Thursday, May 31, 2018 12:58:37 PM
                          Default Gateway . . . . . . . . . :
                          DHCP Server . . . . . . . . . . . : 192.168.229.254
                          DHCPv6 IAID . . . . . . . . . . . : 268456022
                          DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-20-EB-85-64-2C-44-FD-39-2E-C2
                          DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                          fec0:0:0:ffff::2%1
                          fec0:0:0:ffff::3%1
                          NetBIOS over Tcpip. . . . . . . . : Enabled

                          Ethernet adapter VMware Network Adapter VMnet8:

                          Connection-specific DNS Suffix . :
                          Description . . . . . . . . . . . : VMware Virtual Ethernet Adapter for VMnet8
                          Physical Address. . . . . . . . . : 00-50-56-C0-00-08
                          DHCP Enabled. . . . . . . . . . . : Yes
                          Autoconfiguration Enabled . . . . : Yes
                          Link-local IPv6 Address . . . . . : fe80::3853:e235:64ca:2359%14(Preferred)
                          IPv4 Address. . . . . . . . . . . : 192.168.92.1(Preferred)
                          Subnet Mask . . . . . . . . . . . : 255.255.255.0
                          Lease Obtained. . . . . . . . . . : Thursday, May 31, 2018 11:41:12 AM
                          Lease Expires . . . . . . . . . . : Thursday, May 31, 2018 12:58:41 PM
                          Default Gateway . . . . . . . . . :
                          DHCP Server . . . . . . . . . . . : 192.168.92.254
                          DHCPv6 IAID . . . . . . . . . . . : 285233238
                          DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-20-EB-85-64-2C-44-FD-39-2E-C2
                          DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                          fec0:0:0:ffff::2%1
                          fec0:0:0:ffff::3%1
                          Primary WINS Server . . . . . . . : 192.168.92.2
                          NetBIOS over Tcpip. . . . . . . . : Enabled

                          Ethernet adapter Ethernet 3:

                          Media State . . . . . . . . . . . : Media disconnected
                          Connection-specific DNS Suffix . :
                          Description . . . . . . . . . . . : TAP-Windows Adapter V9
                          Physical Address. . . . . . . . . : 00-FF-A0-DD-AC-8B
                          DHCP Enabled. . . . . . . . . . . : Yes
                          Autoconfiguration Enabled . . . . : Yes

                          Tunnel adapter Teredo Tunneling Pseudo-Interface:

                          Connection-specific DNS Suffix . :
                          Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
                          Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
                          DHCP Enabled. . . . . . . . . . . : No
                          Autoconfiguration Enabled . . . . : Yes
                          IPv6 Address. . . . . . . . . . . : 2001:0:9d38:6abd:37:fbd9:a0a9:7ff1(Preferred)
                          Link-local IPv6 Address . . . . . : fe80::37:fbd9:a0a9:7ff1%5(Preferred)
                          Default Gateway . . . . . . . . . :
                          DHCPv6 IAID . . . . . . . . . . . : 218103808
                          DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-20-EB-85-64-2C-44-FD-39-2E-C2
                          NetBIOS over Tcpip. . . . . . . . : Disabled

                          Elvin

                            Gertjan @emammadov
                            last edited by May 31, 2018, 9:00 AM

                            @emammadov said in Nslookup command not working on second LAN:

                            Actually in our organization and also in our country we prefer to use IPV4

                            I advise you to look up how to inform your "Win 10 K" stations about this (very conservative) strategy ;)
                            Recent OS's do prefer IPv6 above IPv4.

                            But, I agree, there is a real problem. Your "Win 10 K" are not showing the default behavior : if IPv6 (DNS access) doesn't work, try the IPv4 (DNS access).
                            Your PCs insist on using IPv6 for resolving and that's it.
                            Why this only happens on interface OPT1 and not LAN .... beats me.

                            No "help me" PM's please. Use the forum, the community will thank you.
                            Edit : and where are the logs ??

                              johnpoz LAYER 8 Global Moderator @emammadov
                              last edited by May 31, 2018, 10:26 AM

                              @emammadov said in Nslookup command not working on second LAN:

                              we prefer to use IPV4

                              Then just turn off IPv6 at the machine level = problem solved. There are zero resources that are only available on ipv6 on the internet. And those would only be darkweb and p0rn sort of sites. When google and amazon, netflix, etc. become ipv6 only then yeah you're going to need to run ipv6. Till then there is nothing saying you have to have it on.

                              A simple reg entry you can push out with group policy if you want turns it pretty much off and gets rid of all the nonsense interfaces as well, teredo - which you show an address on. So that can be a security concern if you're trying to block outbound access since it can tunnel out via that.

                              reg add hklm\system\currentcontrolset\services\tcpip6\parameters /v DisabledComponents /t REG_DWORD /d 255

                              An intelligent man is sometimes forced to be drunk to spend time with his fools
                              If you get confused: Listen to the Music Play
                              Please don't Chat/PM me for help, unless mod related
                              SG-4860 24.11 | Lab VMs 2.8, 24.11
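
An added example (not code from the thread or from pfSense) that checks captured `ipconfig /all` text for the conditions the replies above point out: an IPv6 resolver listed ahead of the IPv4 one, ULA-only addressing, and a Teredo tunnel address. The sample input is trimmed from the output posted in this thread; the function names and finding codes are made up for illustration.

```python
import ipaddress
import re

# Sample input: trimmed from the `ipconfig /all` output posted in this thread.
SAMPLE = """\
Ethernet adapter Ethernet:

   IPv6 Address. . . . . . . . . . . : fd0c:96bf:c956:b00:71a2:729d:2148:1718(Preferred)
   Link-local IPv6 Address . . . . . : fe80::71a2:729d:2148:1718%15(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.4.10(Preferred)
   DNS Servers . . . . . . . . . . . : fe80::1%15
                                       192.168.4.1
                                       95.86.129.42
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:6abd:37:fbd9:a0a9:7ff1(Preferred)
   Link-local IPv6 Address . . . . . : fe80::37:fbd9:a0a9:7ff1%5(Preferred)
"""

ULA = ipaddress.ip_network("fc00::/7")  # unique local addresses (fd0c:... above)


def parse_ip(token):
    """Parse an ipconfig value into an address; drops %zone and (Preferred)."""
    try:
        return ipaddress.ip_address(re.sub(r"[%(].*$", "", token.strip()))
    except ValueError:
        return None


def parse_ipconfig(text):
    """Map adapter name -> {'addrs': [...], 'dns': [...]}, keeping DNS order."""
    adapters, current, last_key = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":") and " adapter " in line:  # section header
            current = adapters.setdefault(line[:-1], {"addrs": [], "dns": []})
            last_key = None
            continue
        if current is None:
            continue
        key, sep, value = line.partition(" :")
        if sep:
            last_key = key.rstrip(" .")
        else:
            value = line  # continuation line, e.g. the second DNS server
        ip = parse_ip(value)
        if ip is None:
            continue
        if last_key == "DNS Servers":
            current["dns"].append(ip)
        elif sep and last_key.endswith("Address"):
            current["addrs"].append(ip)
    return adapters


def audit(text):
    """Return (adapter, code, address) findings; the codes are hypothetical."""
    findings = []
    for name, a in parse_ipconfig(text).items():
        dns = a["dns"]
        # First resolver is IPv6 although an IPv4 one is available: the
        # firewall must pass IPv6 DNS to it, or the client will query a
        # resolver it cannot reach, as nslookup did in this thread.
        if dns and dns[0].version == 6 and any(d.version == 4 for d in dns):
            findings.append((name, "V6_DNS_FIRST", str(dns[0])))
        v6 = [x for x in a["addrs"] if x.version == 6 and not x.is_link_local]
        for x in v6:
            if x.teredo is not None:  # 2001::/32, tunnels IPv6 over IPv4 UDP
                findings.append((name, "TEREDO", str(x)))
        if v6 and all(x in ULA for x in v6):
            findings.append((name, "ULA_ONLY", str(v6[0])))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```

The parser also accepts output whose indentation was lost in copy and paste, since continuation lines are recognised by parsing as an address rather than by column.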

                                emammadov
                                last edited by Jun 1, 2018, 6:06 AM

                                Thank you very much for your help. I turned off IPV6 on my Windows machine, now it is working. But when I enter the nslookup command in cmd on the LAN network, it returns:

                                C:\Users\e.mammadov>nslookup microsoft.com
                                Server: pfsense.smart.az
                                Address: 192.168.2.1

                                Non-authoritative answer:
                                Name: microsoft.com
                                Addresses: 104.40.211.35
                                104.43.195.251

                                nslookup on LAN2 network:
                                C:\Users\Elvin>nslookup microsoft.com
                                Server: UnKnown
                                Address: 192.168.4.1

                                Non-authoritative answer:
                                Name: microsoft.com
                                Addresses: 104.40.211.35
                                104.43.195.251
                                23.100.122.175

                                Is it normal? On the LAN network the nslookup command returns the FQDN of pfSense (Server: pfsense.smart.az), but on the LAN2 network it is unknown (Server: UnKnown).

                                Elvin

                                  johnpoz LAYER 8 Global Moderator
                                  last edited by Jun 1, 2018, 8:01 AM

                                  You would need to create a host override for that IP of pfsense if you want it to return a ptr.

                                  What I do is setup subdomain telling me which vlan a different IP is.

                                  example.

                                  server 192.168.2.253
                                  Default Server: sg4860.wlan.local.lan
                                  Address: 192.168.2.253

                                  server 192.168.3.253
                                  Default Server: sg4860.dmz.local.lan
                                  Address: 192.168.3.253

                                  server 192.168.9.253
                                  Default Server: sg4860.local.lan
                                  Address: 192.168.9.253

                                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                                  If you get confused: Listen to the Music Play
                                  Please don't Chat/PM me for help, unless mod related
                                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                                    emammadov
                                    last edited by Jun 1, 2018, 8:26 AM

                                    Thank you very much for your help.

                                    Elvin
