No Answer when querying public servers and answer is a private IP
-
Hi,
The best explanation I can give is that there is no "Answer Section" when the query is sent to a public DNS server and the answer is a private IP.
I created an A type DNS entry privateip.switchvox.com with IP 10.12.1.251.
This is resolvable from anywhere (that I have tried) except when my DNS server is pfSense.
I have two different pfSense installations: pfSense-2.4.4-Release-p1; pfSense-2.3-Release.
I tried with two different domains on two different DNS service providers: dotster.com and aws/route53.
I get the same result, i.e. if the answer is a private IP, the "Answer Section" is missing.
The answer actually shows in the dig +trace but pfSense never serves it:
[2.4.4-RELEASE][admin@pfstemp.switchvox.com]/root: dig privateip.switchvox.com +trace +all

; <<>> DiG 9.12.2-P1 <<>> privateip.switchvox.com +trace +all
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25317
;; flags: qr ra ad; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;.                              IN      NS

;; ANSWER SECTION:
.                       85734   IN      NS      m.root-servers.net.
.                       85734   IN      NS      b.root-servers.net.
.                       85734   IN      NS      c.root-servers.net.
.                       85734   IN      NS      d.root-servers.net.
.                       85734   IN      NS      e.root-servers.net.
.                       85734   IN      NS      f.root-servers.net.
.                       85734   IN      NS      g.root-servers.net.
.                       85734   IN      NS      h.root-servers.net.
.                       85734   IN      NS      a.root-servers.net.
.                       85734   IN      NS      i.root-servers.net.
.                       85734   IN      NS      j.root-servers.net.
.                       85734   IN      NS      k.root-servers.net.
.                       85734   IN      NS      l.root-servers.net.
.                       85734   IN      RRSIG   NS 8 0 518400 20190509170000 20190426160000 25266 . nTgVx3qc4/Xqml7i43n802u2pyDFOAEE1p/1Fw7dXclYkan3DY0U12YK Qjn6gVqaPZunsVr1jOaTiUN7qF7YvRTiyMUJpx+Zbis1kePb98yciCXJ Of5TyFzEjkdAOqnV1L8dfAuSkkK5wf3dx4itaRKEGdgRtMDYB2T9xZOp 5w51bzEIDNvT0nF/q+xk6AjeWh/jGiQDD8sIKuYC2nZNt2UFBchrBt/k kpt/4vjVf41vH915SUI9XURpIpI/vDqbegnjgUVV7EptrM37Qp+kxwa9 ETPThVrfNzryTX5OyRjWvle/xjvqHVDWzlZm+r8dRSufHyF06ge1ifNp x3otwQ==

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Apr 26 15:40:23 PDT 2019
;; MSG SIZE rcvd: 525

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43062
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 27

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1472
;; QUESTION SECTION:
;privateip.switchvox.com.       IN      A

;; AUTHORITY SECTION:
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
com.                    86400   IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com.                    86400   IN      RRSIG   DS 8 1 86400 20190509170000 20190426160000 25266 . jHLMjZJae2wFGYycipQUDyn3+2QiUP25yOZ1R61c2+JLEXsxvZhGpel4 F3eJK7PhUkeMthvBWopXG6RCK9apcOhxFR7HxB2ieQoGz0KPcuAKxpbq CfUChNiGk6dYUVH+vDTfEnBnKicx+HtgbGzQXEIFEgdNW8ANrjJJMbv+ 5nXJKgSNJIX9YbQDEduNtJckffxuG5rdTgUDJZgfFkg0ZMoQV4hMG8I9 gqmFbRn4XnG3mUnxeLpsG3aYwkX0+PfXBcMoDc/Nil7U0bFm4pLGttcq C60rc1tzjEtLCxecWlIXEqzh49aV5duNWnvEBtR+RX04M4iMTWow6tWZ 5zg/CQ==

;; ADDITIONAL SECTION:
a.gtld-servers.net.     172800  IN      A       192.5.6.30
b.gtld-servers.net.     172800  IN      A       192.33.14.30
c.gtld-servers.net.     172800  IN      A       192.26.92.30
d.gtld-servers.net.     172800  IN      A       192.31.80.30
e.gtld-servers.net.     172800  IN      A       192.12.94.30
f.gtld-servers.net.     172800  IN      A       192.35.51.30
g.gtld-servers.net.     172800  IN      A       192.42.93.30
h.gtld-servers.net.     172800  IN      A       192.54.112.30
i.gtld-servers.net.     172800  IN      A       192.43.172.30
j.gtld-servers.net.     172800  IN      A       192.48.79.30
k.gtld-servers.net.     172800  IN      A       192.52.178.30
l.gtld-servers.net.     172800  IN      A       192.41.162.30
m.gtld-servers.net.     172800  IN      A       192.55.83.30
a.gtld-servers.net.     172800  IN      AAAA    2001:503:a83e::2:30
b.gtld-servers.net.     172800  IN      AAAA    2001:503:231d::2:30
c.gtld-servers.net.     172800  IN      AAAA    2001:503:83eb::30
d.gtld-servers.net.     172800  IN      AAAA    2001:500:856e::30
e.gtld-servers.net.     172800  IN      AAAA    2001:502:1ca1::30
f.gtld-servers.net.     172800  IN      AAAA    2001:503:d414::30
g.gtld-servers.net.     172800  IN      AAAA    2001:503:eea3::30
h.gtld-servers.net.     172800  IN      AAAA    2001:502:8cc::30
i.gtld-servers.net.     172800  IN      AAAA    2001:503:39c1::30
j.gtld-servers.net.     172800  IN      AAAA    2001:502:7094::30
k.gtld-servers.net.     172800  IN      AAAA    2001:503:d2d::30
l.gtld-servers.net.     172800  IN      AAAA    2001:500:d937::30
m.gtld-servers.net.     172800  IN      AAAA    2001:501:b1f9::30

;; Query time: 73 msec
;; SERVER: 192.58.128.30#53(192.58.128.30)
;; WHEN: Fri Apr 26 15:40:26 PDT 2019
;; MSG SIZE rcvd: 1183

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29227
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;privateip.switchvox.com.       IN      A

;; AUTHORITY SECTION:
switchvox.com.          172800  IN      NS      ns1.nameresolve.com.
switchvox.com.          172800  IN      NS      ns2.nameresolve.com.
switchvox.com.          172800  IN      NS      ns3.nameresolve.com.
switchvox.com.          172800  IN      NS      ns4.nameresolve.com.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20190503044426 20190426033426 3800 com. F93eyh7LoSe/qEEfNCYLGLM32BxFcqw+zM2hbjPuIMXi2GnWrjDmN3Nt JiaoJzf6IXKOA21Vjlr3HMDZZoV6CoK5V4GQscusO5V4sCfjJRj72cnV wThZnBOEU/uOtAwkv8jkO2IX/zeMU6GQl4fFvLSiA63hd9zdObQ1kes6 d6I=
LMB0UFPOFRCBQ4E567NHUGMKFVMEB8AU.com. 86400 IN NSEC3 1 1 0 - LMB45BHF58HOKQ965AABRTSBLUEUKU22 NS DS RRSIG
LMB0UFPOFRCBQ4E567NHUGMKFVMEB8AU.com. 86400 IN RRSIG NSEC3 8 2 86400 20190430043607 20190423032607 3800 com. Xmvq5PuVAAmXCCeLTqkL6HF+qboVWuVrUrWELj7ZvCZ8tu1KyrwSet/H H93s/DsY9ZHC9EAK/geg4ZzmAiT/MScKEUmDfOoA82CahbiWPFUMelSD A2luCFYyMIYMpi+UpJ5qy0GniEgwoZQIk/WjEn6CPQhiff5u1D2e0Uik +D8=

;; ADDITIONAL SECTION:
ns1.nameresolve.com.    172800  IN      A       66.96.142.146
ns2.nameresolve.com.    172800  IN      A       65.254.254.170
ns3.nameresolve.com.    172800  IN      A       66.96.142.148
ns4.nameresolve.com.    172800  IN      A       65.254.254.172

;; Query time: 6 msec
;; SERVER: 192.41.162.30#53(192.41.162.30)
;; WHEN: Fri Apr 26 15:40:28 PDT 2019
;; MSG SIZE rcvd: 685

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61805
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1680
;; QUESTION SECTION:
;privateip.switchvox.com.       IN      A

;; ANSWER SECTION:
privateip.switchvox.com. 1800   IN      A       10.12.1.251

;; Query time: 98 msec
;; SERVER: 66.96.142.146#53(66.96.142.146)
;; WHEN: Fri Apr 26 15:40:28 PDT 2019
;; MSG SIZE rcvd: 68
[2.4.4-RELEASE][admin@pfstemp.switchvox.com]/root: dig privateip.switchvox.com

; <<>> DiG 9.12.2-P1 <<>> privateip.switchvox.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26138
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;privateip.switchvox.com.       IN      A

;; Query time: 99 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Apr 26 15:40:49 PDT 2019
;; MSG SIZE rcvd: 52
On pfSense if I query the DNS servers configured in "General Setup" I get a response:
[2.4.4-RELEASE][admin@pfstemp.switchvox.com]/root: dig privateip.switchvox.com @208.67.222.222

; <<>> DiG 9.12.2-P1 <<>> privateip.switchvox.com @208.67.222.222
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61798
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;privateip.switchvox.com.       IN      A

;; ANSWER SECTION:
privateip.switchvox.com. 1800   IN      A       10.12.1.251

;; Query time: 278 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Fri Apr 26 15:47:40 PDT 2019
;; MSG SIZE rcvd: 68

[2.4.4-RELEASE][admin@pfstemp.switchvox.com]/root:
If I log in to the pfSense Web UI and go to Diagnostics -> DNS Lookup and search for privateip.switchvox.com I get "Host privateip.switchvox.com could not be resolved.".
What is going on? Any help fixing this is greatly appreciated.
Thank you,
-- Peter
-
That is by design to protect users against DNS rebinding attacks.
Public servers returning private addresses is an unsound practice.
If you wish to enable those answers for a specific domain, put this in the DNS Resolver custom options:
server:
private-domain: "switchvox.com"
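To make the behaviour in this answer concrete, here is an added example (not part of the original thread and not pfSense's or Unbound's own code) that models the rebinding filter a validating resolver applies: A/AAAA records pointing into private address space are stripped from the answer unless the owner name sits at or under an allowlisted private-domain, and an answer that loses every record comes back as NOERROR with an empty answer section, which is exactly what the dig against 127.0.0.1 above shows. The private address set, the record tuple layout and the sample records are assumptions made for this example; the sample records are constructed from the values quoted in the thread.

```python
import ipaddress
from typing import Dict, List, Tuple

# Assumed "private" ranges for this example; a resolver's real private-address
# list may differ (Unbound's is configurable via the private-address option).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "169.254.0.0/16", "127.0.0.0/8",                  # link-local, loopback
    "fd00::/8", "fe80::/10", "::1/128",               # ULA, v6 link-local, v6 loopback
)]

# A resource record for this model: (owner name, type, rdata).
RR = Tuple[str, str, str]

# Constructed sample answers, using addresses that appear in the thread.
PRIVATE_ANSWER: List[RR] = [("privateip.switchvox.com.", "A", "10.12.1.251")]
PUBLIC_ANSWER: List[RR] = [("ns1.nameresolve.com.", "A", "66.96.142.146")]


def is_private(addr: str) -> bool:
    """True if addr (v4 or v6 literal) falls inside any private range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def under_domain(name: str, domain: str) -> bool:
    """True if name equals domain or is a subdomain of it (trailing dot and case ignored)."""
    n = name.rstrip(".").lower()
    d = domain.rstrip(".").lower()
    return n == d or n.endswith("." + d)


def filter_answer(answer: List[RR], private_domains: List[str]) -> Dict:
    """Apply rebinding protection to an answer section.

    Address records that resolve a name to a private address are dropped unless
    the name is covered by an entry in private_domains (the allowlist the
    private-domain option expresses). Non-address records pass through.
    The result is still NOERROR: the name exists, the resolver just refuses
    to hand out the private address.
    """
    kept: List[RR] = []
    dropped: List[RR] = []
    for name, rtype, rdata in answer:
        if rtype in ("A", "AAAA") and is_private(rdata):
            if not any(under_domain(name, d) for d in private_domains):
                dropped.append((name, rtype, rdata))
                continue
        kept.append((name, rtype, rdata))
    return {"status": "NOERROR", "answer": kept, "dropped": dropped}


if __name__ == "__main__":
    # Default: the private answer is filtered, as the thread observed.
    print(filter_answer(PRIVATE_ANSWER, []))
    # With the domain allowlisted, as in the custom options fix, it is returned.
    print(filter_answer(PRIVATE_ANSWER, ["switchvox.com"]))
```

The allowlist is matched per domain and its subdomains, so keep it to zones you control; listing a domain you do not control reopens exactly the rebinding path the filter exists to close, because an attacker who can publish records under that name can point a browser at 10.x or 192.168.x hosts on your LAN.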
-
@Derelict Thanks a lot. The custom options enabled the responses. Thanks again.