Netgate Discussion Forum

    No Answer when querying public servers and answer is a private IP

    Category: DHCP and DNS
    peterwood:

      Hi,

      The best explanation I can give is that there is no "Answer Section" when the query is sent to a public DNS server and the answer is a private IP.

      I created an A type DNS entry privateip.switchvox.com with IP 10.12.1.251.

      This is resolvable from anywhere (that I have tried) except when my DNS server is pfSense.

      I have two different pfSense installations: pfSense-2.4.4-Release-p1; pfSense-2.3-Release.

      I tried with two different domains on two different DNS service providers: dotster.com and aws/route53.

      I get the same result, i.e. if the answer is a private IP the "Answer Section" is missing.

      The answer actually shows in the dig +trace but pfSense never serves it:

      [2.4.4-RELEASE][admin@pfstemp.switchvox.com]/root: dig privateip.switchvox.com +trace +all
      
      ; <<>> DiG 9.12.2-P1 <<>> privateip.switchvox.com +trace +all
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25317
      ;; flags: qr ra ad; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 1
      
      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags: do; udp: 4096
      ;; QUESTION SECTION:
      ;.                              IN      NS
      
      ;; ANSWER SECTION:
      .                       85734   IN      NS      m.root-servers.net.
      .                       85734   IN      NS      b.root-servers.net.
      .                       85734   IN      NS      c.root-servers.net.
      .                       85734   IN      NS      d.root-servers.net.
      .                       85734   IN      NS      e.root-servers.net.
      .                       85734   IN      NS      f.root-servers.net.
      .                       85734   IN      NS      g.root-servers.net.
      .                       85734   IN      NS      h.root-servers.net.
      .                       85734   IN      NS      a.root-servers.net.
      .                       85734   IN      NS      i.root-servers.net.
      .                       85734   IN      NS      j.root-servers.net.
      .                       85734   IN      NS      k.root-servers.net.
      .                       85734   IN      NS      l.root-servers.net.
      .                       85734   IN      RRSIG   NS 8 0 518400 20190509170000 20190426160000 25266 . nTgVx3qc4/Xqml7i43n802u2pyDFOAEE1p/1Fw7dXclYkan3DY0U12YK Qjn6gVqaPZunsVr1jOaTiUN7qF7YvRTiyMUJpx+Zbis1kePb98yciCXJ Of5TyFzEjkdAOqnV1L8dfAuSkkK5wf3dx4itaRKEGdgRtMDYB2T9xZOp 5w51bzEIDNvT0nF/q+xk6AjeWh/jGiQDD8sIKuYC2nZNt2UFBchrBt/k kpt/4vjVf41vH915SUI9XURpIpI/vDqbegnjgUVV7EptrM37Qp+kxwa9 ETPThVrfNzryTX5OyRjWvle/xjvqHVDWzlZm+r8dRSufHyF06ge1ifNp x3otwQ==
      
      ;; Query time: 0 msec
      ;; SERVER: 127.0.0.1#53(127.0.0.1)
      ;; WHEN: Fri Apr 26 15:40:23 PDT 2019
      ;; MSG SIZE  rcvd: 525
      
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43062
      ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 27
      
      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags: do; udp: 1472
      ;; QUESTION SECTION:
      ;privateip.switchvox.com.       IN      A
      
      ;; AUTHORITY SECTION:
      com.                    172800  IN      NS      a.gtld-servers.net.
      com.                    172800  IN      NS      b.gtld-servers.net.
      com.                    172800  IN      NS      c.gtld-servers.net.
      com.                    172800  IN      NS      d.gtld-servers.net.
      com.                    172800  IN      NS      e.gtld-servers.net.
      com.                    172800  IN      NS      f.gtld-servers.net.
      com.                    172800  IN      NS      g.gtld-servers.net.
      com.                    172800  IN      NS      h.gtld-servers.net.
      com.                    172800  IN      NS      i.gtld-servers.net.
      com.                    172800  IN      NS      j.gtld-servers.net.
      com.                    172800  IN      NS      k.gtld-servers.net.
      com.                    172800  IN      NS      l.gtld-servers.net.
      com.                    172800  IN      NS      m.gtld-servers.net.
      com.                    86400   IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
      com.                    86400   IN      RRSIG   DS 8 1 86400 20190509170000 20190426160000 25266 . jHLMjZJae2wFGYycipQUDyn3+2QiUP25yOZ1R61c2+JLEXsxvZhGpel4 F3eJK7PhUkeMthvBWopXG6RCK9apcOhxFR7HxB2ieQoGz0KPcuAKxpbq CfUChNiGk6dYUVH+vDTfEnBnKicx+HtgbGzQXEIFEgdNW8ANrjJJMbv+ 5nXJKgSNJIX9YbQDEduNtJckffxuG5rdTgUDJZgfFkg0ZMoQV4hMG8I9 gqmFbRn4XnG3mUnxeLpsG3aYwkX0+PfXBcMoDc/Nil7U0bFm4pLGttcq C60rc1tzjEtLCxecWlIXEqzh49aV5duNWnvEBtR+RX04M4iMTWow6tWZ 5zg/CQ==
      
      ;; ADDITIONAL SECTION:
      a.gtld-servers.net.     172800  IN      A       192.5.6.30
      b.gtld-servers.net.     172800  IN      A       192.33.14.30
      c.gtld-servers.net.     172800  IN      A       192.26.92.30
      d.gtld-servers.net.     172800  IN      A       192.31.80.30
      e.gtld-servers.net.     172800  IN      A       192.12.94.30
      f.gtld-servers.net.     172800  IN      A       192.35.51.30
      g.gtld-servers.net.     172800  IN      A       192.42.93.30
      h.gtld-servers.net.     172800  IN      A       192.54.112.30
      i.gtld-servers.net.     172800  IN      A       192.43.172.30
      j.gtld-servers.net.     172800  IN      A       192.48.79.30
      k.gtld-servers.net.     172800  IN      A       192.52.178.30
      l.gtld-servers.net.     172800  IN      A       192.41.162.30
      m.gtld-servers.net.     172800  IN      A       192.55.83.30
      a.gtld-servers.net.     172800  IN      AAAA    2001:503:a83e::2:30
      b.gtld-servers.net.     172800  IN      AAAA    2001:503:231d::2:30
      c.gtld-servers.net.     172800  IN      AAAA    2001:503:83eb::30
      d.gtld-servers.net.     172800  IN      AAAA    2001:500:856e::30
      e.gtld-servers.net.     172800  IN      AAAA    2001:502:1ca1::30
      f.gtld-servers.net.     172800  IN      AAAA    2001:503:d414::30
      g.gtld-servers.net.     172800  IN      AAAA    2001:503:eea3::30
      h.gtld-servers.net.     172800  IN      AAAA    2001:502:8cc::30
      i.gtld-servers.net.     172800  IN      AAAA    2001:503:39c1::30
      j.gtld-servers.net.     172800  IN      AAAA    2001:502:7094::30
      k.gtld-servers.net.     172800  IN      AAAA    2001:503:d2d::30
      l.gtld-servers.net.     172800  IN      AAAA    2001:500:d937::30
      m.gtld-servers.net.     172800  IN      AAAA    2001:501:b1f9::30
      
      ;; Query time: 73 msec
      ;; SERVER: 192.58.128.30#53(192.58.128.30)
      ;; WHEN: Fri Apr 26 15:40:26 PDT 2019
      ;; MSG SIZE  rcvd: 1183
      
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29227
      ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 5
      
      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags: do; udp: 4096
      ;; QUESTION SECTION:
      ;privateip.switchvox.com.       IN      A
      
      ;; AUTHORITY SECTION:
      switchvox.com.          172800  IN      NS      ns1.nameresolve.com.
      switchvox.com.          172800  IN      NS      ns2.nameresolve.com.
      switchvox.com.          172800  IN      NS      ns3.nameresolve.com.
      switchvox.com.          172800  IN      NS      ns4.nameresolve.com.
      CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
      CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20190503044426 20190426033426 3800 com. F93eyh7LoSe/qEEfNCYLGLM32BxFcqw+zM2hbjPuIMXi2GnWrjDmN3Nt JiaoJzf6IXKOA21Vjlr3HMDZZoV6CoK5V4GQscusO5V4sCfjJRj72cnV wThZnBOEU/uOtAwkv8jkO2IX/zeMU6GQl4fFvLSiA63hd9zdObQ1kes6 d6I=
      LMB0UFPOFRCBQ4E567NHUGMKFVMEB8AU.com. 86400 IN NSEC3 1 1 0 - LMB45BHF58HOKQ965AABRTSBLUEUKU22 NS DS RRSIG
      LMB0UFPOFRCBQ4E567NHUGMKFVMEB8AU.com. 86400 IN RRSIG NSEC3 8 2 86400 20190430043607 20190423032607 3800 com. Xmvq5PuVAAmXCCeLTqkL6HF+qboVWuVrUrWELj7ZvCZ8tu1KyrwSet/H H93s/DsY9ZHC9EAK/geg4ZzmAiT/MScKEUmDfOoA82CahbiWPFUMelSD A2luCFYyMIYMpi+UpJ5qy0GniEgwoZQIk/WjEn6CPQhiff5u1D2e0Uik +D8=
      
      ;; ADDITIONAL SECTION:
      ns1.nameresolve.com.    172800  IN      A       66.96.142.146
      ns2.nameresolve.com.    172800  IN      A       65.254.254.170
      ns3.nameresolve.com.    172800  IN      A       66.96.142.148
      ns4.nameresolve.com.    172800  IN      A       65.254.254.172
      
      ;; Query time: 6 msec
      ;; SERVER: 192.41.162.30#53(192.41.162.30)
      ;; WHEN: Fri Apr 26 15:40:28 PDT 2019
      ;; MSG SIZE  rcvd: 685
      
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61805
      ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
      
      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags: do; udp: 1680
      ;; QUESTION SECTION:
      ;privateip.switchvox.com.       IN      A
      
      ;; ANSWER SECTION:
      privateip.switchvox.com. 1800   IN      A       10.12.1.251
      
      ;; Query time: 98 msec
      ;; SERVER: 66.96.142.146#53(66.96.142.146)
      ;; WHEN: Fri Apr 26 15:40:28 PDT 2019
      ;; MSG SIZE  rcvd: 68
      
      [2.4.4-RELEASE][admin@pfstemp.switchvox.com]/root: dig privateip.switchvox.com
      
      ; <<>> DiG 9.12.2-P1 <<>> privateip.switchvox.com
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26138
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
      
      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 4096
      ;; QUESTION SECTION:
      ;privateip.switchvox.com.       IN      A
      
      ;; Query time: 99 msec
      ;; SERVER: 127.0.0.1#53(127.0.0.1)
      ;; WHEN: Fri Apr 26 15:40:49 PDT 2019
      ;; MSG SIZE  rcvd: 52
      
      

      On pfSense if I query the DNS servers configured in "General Setup" I get a response:

      [2.4.4-RELEASE][admin@pfstemp.switchvox.com]/root: dig privateip.switchvox.com @208.67.222.222
      
      ; <<>> DiG 9.12.2-P1 <<>> privateip.switchvox.com @208.67.222.222
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61798
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
      
      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 4096
      ;; QUESTION SECTION:
      ;privateip.switchvox.com.       IN      A
      
      ;; ANSWER SECTION:
      privateip.switchvox.com. 1800   IN      A       10.12.1.251
      
      ;; Query time: 278 msec
      ;; SERVER: 208.67.222.222#53(208.67.222.222)
      ;; WHEN: Fri Apr 26 15:47:40 PDT 2019
      ;; MSG SIZE  rcvd: 68
      
      [2.4.4-RELEASE][admin@pfstemp.switchvox.com]/root:
      
      

      If I log in to the pfSense Web UI and go to Diagnostics -> DNS Lookup and search for privateip.switchvox.com I get "Host privateip.switchox.com could not be resolved.".

      What is going on? Any help fixing this is greatly appreciated.

      Thank you,

      -- Peter

    Derelict (LAYER 8, Netgate):

        That is by design to protect users against DNS rebinding attacks.

        Public servers returning private addresses is an unsound practice.

        If you wish to enable those answers for a specific domain, put this in the DNS Resolver custom options:

        server:
            private-domain: "switchvox.com"



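As an added illustration (not pfSense or Unbound code) of the mechanism Derelict describes: Unbound's rebinding protection strips A/AAAA answers that fall inside a private-address range unless the queried name sits under a private-domain entry. The range list is an assumption meant to mirror pfSense's defaults; the model reproduces the empty ANSWER section seen in the first post and the effect of the custom option.

```python
"""Model of Unbound's private-address / private-domain filtering.

Added example, not pfSense or Unbound code. DEFAULT_PRIVATE_ADDRESS is an
assumption about what pfSense enables by default (RFC 1918, link-local, ULA).
Real Unbound drops the whole RRset; this model drops the offending records.
"""
import ipaddress
from dataclasses import dataclass, field

DEFAULT_PRIVATE_ADDRESS = [
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fd00::/8", "fe80::/10",
]


@dataclass
class RebindingFilter:
    private_address: list = field(
        default_factory=lambda: list(DEFAULT_PRIVATE_ADDRESS))
    private_domain: list = field(default_factory=list)  # "private-domain:" lines

    def _is_private(self, addr: str) -> bool:
        ip = ipaddress.ip_address(addr)
        return any(ip in ipaddress.ip_network(n) for n in self.private_address)

    def _is_allowed_name(self, qname: str) -> bool:
        # private-domain covers the domain itself and all of its subdomains,
        # but not look-alikes such as "evilswitchvox.com".
        name = qname.rstrip(".").lower()
        for d in self.private_domain:
            d = d.rstrip(".").lower()
            if name == d or name.endswith("." + d):
                return True
        return False

    def filter_answer(self, qname: str, rrs: list) -> list:
        """rrs: list of (owner, rtype, rdata) tuples forming the ANSWER section.

        Returns what the resolver hands to the client: A/AAAA records pointing
        into a private range are removed unless qname is under a private-domain,
        which is what turns "ANSWER: 1" into "ANSWER: 0" with status NOERROR.
        """
        if self._is_allowed_name(qname):
            return list(rrs)
        return [(o, t, r) for (o, t, r) in rrs
                if not (t in ("A", "AAAA") and self._is_private(r))]
```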
    peterwood @Derelict:

          @Derelict Thanks a lot. The custom options enabled the responses. Thanks again.
