pfSense fails to provide a DNS response.
-
Hi
I've got an application running on a Linux server that looks at an email address, splits it down to the domain name, then sends a DNS query out to find the relevant MX records for the domain. With pfSense acting as my DNS server (resolver, not forwarder) I get no response back, so no MX records are found.
However if I download and enable Simple DNS Plus (https://simpledns.com) on a PC on the network then I get a response from this and MX results.
I've run a wireshark trace on the Linux server capturing what is sent out and what is replied to by Simple DNS Plus.
192.168.1.2 is the Linux Server
192.168.1.5 is the PC on the LAN.

No.  Time                        Source       SrcPort  Destination      DstPort  Proto  Info  Length
597  2018-07-18 11:00:18.125994  192.168.1.2  57231    255.255.255.255  53       DNS    Standard query 0x0001 MX domain.co.uk  73
598  2018-07-18 11:00:18.126844  192.168.1.5  53       192.168.1.2      57231    DNS    Standard query response 0x0001 MX domain.co.uk MX 10 mail2.domain.co.uk MX 5 mail.domain.co.uk A 195.61.28.1 A 195.61.28.1  148
599  2018-07-18 11:00:18.128494  192.168.1.2  25846    255.255.255.255  53       DNS    Standard query 0x0001 A mail2.domain.co.uk  79
600  2018-07-18 11:00:18.128945  192.168.1.5  53       192.168.1.2      25846    DNS    Standard query response 0x0001 A mail2.domain.co.uk A 195.61.28.1  95
Is it possible to have pfSense respond to these requests?
Thanks
-
I get MX responses from the DNS Resolver just fine here. There may be something else about the queries making them fail. Anything in the resolver log? Any special options changed in the DNS resolver (is it checking DNSSEC, for example)?
-
Thanks for replying.
From my Linux box 192.168.1.2
I've run nslookup and confirmed the DNS server config, then run an MX lookup.

nslookup
> server
Default server: 192.168.1.1
Address: 192.168.1.1#53
Default server: 8.8.8.8
Address: 8.8.8.8#53
Default server: 127.0.0.1
Address: 127.0.0.1#53
> set q=MX
> domain.co.uk
Server:         192.168.1.1
Address:        192.168.1.1#53

Non-authoritative answer:
domain.co.uk    mail exchanger = 5 mail.domain.co.uk.
domain.co.uk    mail exchanger = 10 mail2.domain.co.uk.

Authoritative answers can be found from:
mail2.domain.co.uk      internet address = 195.61.28.1
mail.domain.co.uk       internet address = 195.61.28.1
To me that suggests that 192.168.1.1 (pfSense) has replied, but I don't see any reference to domain.co.uk in the logs.
I think the issue is how the application does the DNS lookup. It starts by sending a broadcast out, and Simple DNS Plus will respond to that, but pfSense doesn't.

17:49:13.577 [mailer] DNSEntry::Lookup - '255.255.255.255' adding...
17:49:13.577 [mailer] DNS: 845874dbg3 DnsLookup - send
17:49:13.577 [845874dbg3] DNSEntry::Thread - '255.255.255.255' requesting...
17:49:13.577 [845874dbg3] DNSEntry::Thread - '255.255.255.255' address 255.255.255.255 found
17:49:13.578 [mailer] 0000 00 01 01 00 00 01 00 00 00 00 00 00 07 64 6f 6d .............dom
17:49:13.578 [mailer] 0010 61 69 6e 2e 63 6f 2e 75 6b 00 00 0f 00 01 ain.co.uk.....
17:49:13.578 [845874dbg3] 12 AsyncSocket::DNSResult - address for 255.255.255.255 is 255.255.255.255

This is what is shown when Simple DNS Plus replies:

17:55:28.740 [mailer] DNS: 845874dbg3 DnsLookup - send
17:55:28.740 [mailer] Buf: buf 0xf6ff2560, data=0xf6ff2c79, size 1740, len 31, age 0s, ptr (nil)
17:49:13.578 [mailer] 0000 00 01 01 00 00 01 00 00 00 00 00 00 07 64 6f 6d .............dom
17:49:13.578 [mailer] 0010 61 69 6e 2e 63 6f 2e 75 6b 00 00 0f 00 01 ain.co.uk.....
17:55:29.085 [mailer] DNS: 845874dbg3 DnsLookup - receive
17:55:29.085 [mailer] Buf: buf 0xf6f95414, data=0xf6f9566e, size 600, len 106, age 0s, ptr 0x80f12a8 ((null)) [0.0.0.0:55212,192.168.1.5:53]
Once the IP address for the DNS server is known, the application queries it as normal.
Any ideas how to do this?
Thanks
-
I've run a packet capture on the LAN interface of pfSense with the host as 255.255.255.255.

18:04:08.974522 IP 192.168.1.2.52232 > 255.255.255.255.53: UDP, length 31
18:04:13.978787 IP 192.168.1.2.50050 > 255.255.255.255.53: UDP, length 31

So it does look like the request is getting to pfSense... so why is DNS not responding?
-
pfSense doesn't listen for broadcast DNS requests like that. The application must actually send the DNS request to the pfSense IP address in that segment. The application is broken if it isn't, or something in the host OS isn't respecting the DNS configuration. It's 100% a client issue.
The other DNS server only works because it supports broadcast DNS, so it's enabling the broken behavior.
-
Thanks
I'll try to get in touch with the app devs and see why it's configured this way.
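As an added example, not code from this thread, from the application in question or from pfSense, here is a minimal Python DNS client that builds the same kind of MX query the application log hex-dumps above and parses a reply of the shape the Wireshark lines show. For transaction ID 1 the query's first twelve bytes are 00 01 01 00 00 01 00 00 00 00 00 00 (ID, flags with only RD set, QDCOUNT 1) and its last four are 00 0f 00 01 (QTYPE MX, QCLASS IN), the same fields visible in the log. The reply bytes are constructed inline, modelled on the capture (two MX answers, the exchanges' A records in the additional section; the TTL of 3600 is an assumption), so the parsing runs offline. The only part that touches the network is send_query(), which is where the two servers differ: it has to be given the resolver's unicast address (192.168.1.1 in this thread); pointing it at 255.255.255.255 needs SO_BROADCAST and, as the pfSense capture shows, gets no answer from the pfSense resolver.

```python
import socket
import struct

TYPE_A, TYPE_MX, CLASS_IN = 1, 15, 1


def encode_name(name):
    """domain.co.uk -> b'\\x06domain\\x02co\\x02uk\\x00' (RFC 1035 labels)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_mx_query(name, txid=1):
    """Header: ID, flags 0x0100 (RD only), QDCOUNT 1; question: name, MX, IN.
    With txid=1 the header is 00 01 01 00 00 01 00 00 00 00 00 00 and the
    question ends in 00 0f 00 01, as in the application's hex dump."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_MX, CLASS_IN)


def decode_name(msg, offset):
    """Read a possibly compressed name; return (name, offset just after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:  # 11xxxxxx: pointer to an earlier name
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2  # a name ends at its first pointer
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_response(msg):
    """Return (txid, records); MX records are (owner, 'MX', pref, exchange),
    A records are (owner, 'A', ip). Other types are skipped."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if not (flags & 0x8000):
        raise ValueError("QR bit clear: this is a query, not a response")
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = decode_name(msg, offset)
        offset += 4
    records = []
    for _ in range(an + ns + ar):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == TYPE_MX:
            pref = struct.unpack("!H", msg[offset:offset + 2])[0]
            exchange, _ = decode_name(msg, offset + 2)  # may point back into msg
            records.append((name, "MX", pref, exchange))
        elif rtype == TYPE_A:
            records.append((name, "A", socket.inet_ntoa(msg[offset:offset + 4])))
        offset += rdlen
    return txid, records


def mx_by_preference(records):
    """Lowest preference first: the order a mailer should try the exchanges."""
    return sorted((r[2], r[3]) for r in records if r[1] == "MX")


def build_mx_response(query, mx_records, a_records, ttl=3600):
    """Constructed reply (not captured bytes) in the shape of the capture:
    echoed question, MX answers whose owner is a pointer (c0 0c) to the
    question name at offset 12, and the exchanges' A records as additionals."""
    txid = struct.unpack("!H", query[:2])[0]
    msg = bytearray(struct.pack("!HHHHHH", txid, 0x8180, 1, len(mx_records), 0, len(a_records)))
    msg += query[12:]
    for pref, exchange in mx_records:
        rdata = struct.pack("!H", pref) + encode_name(exchange)
        msg += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_MX, CLASS_IN, ttl, len(rdata)) + rdata
    for host, ip in a_records:
        msg += encode_name(host) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4) + socket.inet_aton(ip)
    return bytes(msg)


def send_query(query, server, port=53, timeout=2.0):
    """One UDP round trip; None on timeout. 255.255.255.255 needs SO_BROADCAST,
    and a resolver that listens only on its own address (pfSense here) never
    answers it, so callers must pass the configured resolver's unicast IP."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        if server == "255.255.255.255":
            s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.settimeout(timeout)
        s.sendto(query, (server, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return data


if __name__ == "__main__":
    q = build_mx_query("domain.co.uk")
    print(q.hex(" "))
    reply = build_mx_response(q, [(10, "mail2.domain.co.uk"), (5, "mail.domain.co.uk")],
                              [("mail2.domain.co.uk", "195.61.28.1"), ("mail.domain.co.uk", "195.61.28.1")])
    print(mx_by_preference(parse_response(reply)[1]))
    for server in ("192.168.1.1", "255.255.255.255"):  # unicast answers; broadcast does not on pfSense
        print(server, "->", "no reply" if send_query(q, server) is None else "reply")
```

Run stand-alone it prints the query bytes, the exchanges in preference order from the constructed reply, and then tries the real network with both destinations; the last two lines are what separates the working Simple DNS Plus case from the pfSense case, and a fixed application would only ever use the first form.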