No DNS resolution on LAN
I have some troubles with DNS resolution on the pfSense LAN.
I've added a PASS ALL rule in the firewall. I can access web sites by IP address, but there is no DNS resolution.
I can ping 22.214.171.124, and if I launch dig @126.96.36.199 google.com it works. However, if I launch dig google.com it doesn't work. Ping google.com returns unknown host google.com, and Firefox can't resolve domains.
DNS queries can pass the firewall, so it's not a firewall issue, but I have no idea why there is no DNS resolution.
If you have any idea!
Thanks in advance.
So obviously the DNS server you use on the client can't resolve public names or is not reachable.
Do you provide DNS server by DHCP? Which DNS is used on the client?
Yes, I have configured DHCP for LAN. I made two tests, one with the DNS servers from my ISP and one with Google public DNS (188.8.131.52 / 184.108.40.206).
I think the DNS resolver of the client is working, because when I plug the client directly into the WAN network the resolution works. (The client is a Debian Jessie.)
So what DNS is requested by the client if you don't state a server? A public one or the pfSense DNS Resolver / Forwarder?
The dig output will reveal which server is requested.
Is the access to the DNS server permitted by firewall rules?
The DHCP configuration provides 220.127.116.11 and 18.104.22.168 as DNS servers. Confirmed with nmcli dev show.
I have made a tcpdump to monitor dig requests, and if I don't state a server, dig doesn't send a request. It's a weird behaviour, because when I plug the client into the pfSense I can see that the client is sending a request to 22.214.171.124 for A detectportal.firefox.com, so if the client is using 126.96.36.199, the DHCP configuration must be correct. I have no idea what is wrong.
The firewall is allowing access to DNS because when I state a server the resolution is working.
That's very strange.
I guess there is something wrong with your client. Have you tried another one? Are you sure it uses Network Manager?
I have tried with another client (Windows) and it works perfectly! There is an issue on my first client, but my solution is designed to work with Windows clients, so I will not investigate further this time.
Thank you for your time and your answers!
Have a nice day.
"if I don't state a server dig doesn't send a request"
What version of dig are you using? I have seen this on 9.12 versions if a DNS server is not in the resolv.conf file, etc. On Windows I have not tried 9.12, nor on other OSes. So you have to place a default NS in this file.
If you want to validate client DNS resolution, you should use its built-in client. Something as simple as a ping, for example, to validate it can resolve.
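As an added troubleshooting example (not from any poster in this thread), the shell script below performs the two checks the replies point at: whether the client's resolv.conf actually carries a nameserver line, and which server dig reports in its ";; SERVER:" footer when a query does go out. The resolv.conf contents, the dig output and the 192.0.2.1 address are constructed samples; the script also runs the same check against the live /etc/resolv.conf when one is readable.

```shell
#!/bin/sh
# Added example: client-side DNS configuration checks for a "dig without
# @server sends nothing" situation. All sample data here is constructed.

# Print the nameserver addresses found in resolv.conf-style text on stdin.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }'
}

# Succeed (exit 0) only if the resolv.conf text on stdin names a server;
# without one, dig has no default server and never sends a query.
has_default_ns() {
    [ -n "$(resolv_nameservers)" ]
}

# Extract the address from dig's ";; SERVER: a.b.c.d#53(a.b.c.d)" footer,
# which shows the server the client really asked.
dig_server() {
    awk '/^;; SERVER:/ { sub(/#.*/, "", $3); print $3 }'
}

# Constructed sample: resolv.conf as NetworkManager writes it from a DHCP lease.
SAMPLE_RESOLV_OK='# Generated by NetworkManager
search lan
nameserver 192.0.2.1'

# Constructed sample: a resolv.conf carrying a search domain but no nameserver,
# the condition described in the last reply above.
SAMPLE_RESOLV_EMPTY='# Generated by NetworkManager
search lan'

# Constructed sample: the tail of "dig @192.0.2.1 google.com" output.
SAMPLE_DIG=';; Query time: 12 msec
;; SERVER: 192.0.2.1#53(192.0.2.1)
;; WHEN: Mon Jan 01 00:00:00 UTC 2018
;; MSG SIZE  rcvd: 55'

# Report on the live client configuration, if /etc/resolv.conf is readable.
check_live() {
    [ -r /etc/resolv.conf ] || return 0
    if has_default_ns < /etc/resolv.conf; then
        echo "resolv.conf nameservers: $(resolv_nameservers < /etc/resolv.conf | tr '\n' ' ')"
    else
        echo "no nameserver in /etc/resolv.conf: dig without @server has nothing to query"
    fi
}

check_live
```

Run it on the Debian client after the DHCP lease is applied: if it prints the "no nameserver" line, the DHCP-provided servers never reached resolv.conf, which matches the symptom that dig @server works while dig without a server sends nothing.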