No Answer when querying public servers and answer is a private IP



  • Hi,

    The best explanation I can give is that there is no "Answer Section" when the query is sent to a public DNS server and the answer is a private IP.

    I created an A type DNS entry privateip.switchvox.com with IP 10.12.1.251.

    This is resolvable from anywhere (that I have tried) except when my DNS server is pfSense.

    I have two different pfSense installations: pfSense-2.4.4-Release-p1; pfSense-2.3-Release.

    I tried with two different domains on two different DNS service providers: dotster.com and aws/route53.

    I get the same result i.e. if the answer is a private IP the "Answer Section" is missing.

    The answer actually shows in the dig +trace but pfSense never serves it:

    [2.4.4-RELEASE][admin@pfstemp.switchvox.com]/root: dig privateip.switchvox.com +trace +all
    
    ; <<>> DiG 9.12.2-P1 <<>> privateip.switchvox.com +trace +all
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25317
    ;; flags: qr ra ad; QUERY: 1, ANSWER: 14, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 4096
    ;; QUESTION SECTION:
    ;.                              IN      NS
    
    ;; ANSWER SECTION:
    .                       85734   IN      NS      m.root-servers.net.
    .                       85734   IN      NS      b.root-servers.net.
    .                       85734   IN      NS      c.root-servers.net.
    .                       85734   IN      NS      d.root-servers.net.
    .                       85734   IN      NS      e.root-servers.net.
    .                       85734   IN      NS      f.root-servers.net.
    .                       85734   IN      NS      g.root-servers.net.
    .                       85734   IN      NS      h.root-servers.net.
    .                       85734   IN      NS      a.root-servers.net.
    .                       85734   IN      NS      i.root-servers.net.
    .                       85734   IN      NS      j.root-servers.net.
    .                       85734   IN      NS      k.root-servers.net.
    .                       85734   IN      NS      l.root-servers.net.
    .                       85734   IN      RRSIG   NS 8 0 518400 20190509170000 20190426160000 25266 . nTgVx3qc4/Xqml7i43n802u2pyDFOAEE1p/1Fw7dXclYkan3DY0U12YK Qjn6gVqaPZunsVr1jOaTiUN7qF7YvRTiyMUJpx+Zbis1kePb98yciCXJ Of5TyFzEjkdAOqnV1L8dfAuSkkK5wf3dx4itaRKEGdgRtMDYB2T9xZOp 5w51bzEIDNvT0nF/q+xk6AjeWh/jGiQDD8sIKuYC2nZNt2UFBchrBt/k kpt/4vjVf41vH915SUI9XURpIpI/vDqbegnjgUVV7EptrM37Qp+kxwa9 ETPThVrfNzryTX5OyRjWvle/xjvqHVDWzlZm+r8dRSufHyF06ge1ifNp x3otwQ==
    
    ;; Query time: 0 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Fri Apr 26 15:40:23 PDT 2019
    ;; MSG SIZE  rcvd: 525
    
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43062
    ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 15, ADDITIONAL: 27
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 1472
    ;; QUESTION SECTION:
    ;privateip.switchvox.com.       IN      A
    
    ;; AUTHORITY SECTION:
    com.                    172800  IN      NS      a.gtld-servers.net.
    com.                    172800  IN      NS      b.gtld-servers.net.
    com.                    172800  IN      NS      c.gtld-servers.net.
    com.                    172800  IN      NS      d.gtld-servers.net.
    com.                    172800  IN      NS      e.gtld-servers.net.
    com.                    172800  IN      NS      f.gtld-servers.net.
    com.                    172800  IN      NS      g.gtld-servers.net.
    com.                    172800  IN      NS      h.gtld-servers.net.
    com.                    172800  IN      NS      i.gtld-servers.net.
    com.                    172800  IN      NS      j.gtld-servers.net.
    com.                    172800  IN      NS      k.gtld-servers.net.
    com.                    172800  IN      NS      l.gtld-servers.net.
    com.                    172800  IN      NS      m.gtld-servers.net.
    com.                    86400   IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
    com.                    86400   IN      RRSIG   DS 8 1 86400 20190509170000 20190426160000 25266 . jHLMjZJae2wFGYycipQUDyn3+2QiUP25yOZ1R61c2+JLEXsxvZhGpel4 F3eJK7PhUkeMthvBWopXG6RCK9apcOhxFR7HxB2ieQoGz0KPcuAKxpbq CfUChNiGk6dYUVH+vDTfEnBnKicx+HtgbGzQXEIFEgdNW8ANrjJJMbv+ 5nXJKgSNJIX9YbQDEduNtJckffxuG5rdTgUDJZgfFkg0ZMoQV4hMG8I9 gqmFbRn4XnG3mUnxeLpsG3aYwkX0+PfXBcMoDc/Nil7U0bFm4pLGttcq C60rc1tzjEtLCxecWlIXEqzh49aV5duNWnvEBtR+RX04M4iMTWow6tWZ 5zg/CQ==
    
    ;; ADDITIONAL SECTION:
    a.gtld-servers.net.     172800  IN      A       192.5.6.30
    b.gtld-servers.net.     172800  IN      A       192.33.14.30
    c.gtld-servers.net.     172800  IN      A       192.26.92.30
    d.gtld-servers.net.     172800  IN      A       192.31.80.30
    e.gtld-servers.net.     172800  IN      A       192.12.94.30
    f.gtld-servers.net.     172800  IN      A       192.35.51.30
    g.gtld-servers.net.     172800  IN      A       192.42.93.30
    h.gtld-servers.net.     172800  IN      A       192.54.112.30
    i.gtld-servers.net.     172800  IN      A       192.43.172.30
    j.gtld-servers.net.     172800  IN      A       192.48.79.30
    k.gtld-servers.net.     172800  IN      A       192.52.178.30
    l.gtld-servers.net.     172800  IN      A       192.41.162.30
    m.gtld-servers.net.     172800  IN      A       192.55.83.30
    a.gtld-servers.net.     172800  IN      AAAA    2001:503:a83e::2:30
    b.gtld-servers.net.     172800  IN      AAAA    2001:503:231d::2:30
    c.gtld-servers.net.     172800  IN      AAAA    2001:503:83eb::30
    d.gtld-servers.net.     172800  IN      AAAA    2001:500:856e::30
    e.gtld-servers.net.     172800  IN      AAAA    2001:502:1ca1::30
    f.gtld-servers.net.     172800  IN      AAAA    2001:503:d414::30
    g.gtld-servers.net.     172800  IN      AAAA    2001:503:eea3::30
    h.gtld-servers.net.     172800  IN      AAAA    2001:502:8cc::30
    i.gtld-servers.net.     172800  IN      AAAA    2001:503:39c1::30
    j.gtld-servers.net.     172800  IN      AAAA    2001:502:7094::30
    k.gtld-servers.net.     172800  IN      AAAA    2001:503:d2d::30
    l.gtld-servers.net.     172800  IN      AAAA    2001:500:d937::30
    m.gtld-servers.net.     172800  IN      AAAA    2001:501:b1f9::30
    
    ;; Query time: 73 msec
    ;; SERVER: 192.58.128.30#53(192.58.128.30)
    ;; WHEN: Fri Apr 26 15:40:26 PDT 2019
    ;; MSG SIZE  rcvd: 1183
    
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29227
    ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 5
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 4096
    ;; QUESTION SECTION:
    ;privateip.switchvox.com.       IN      A
    
    ;; AUTHORITY SECTION:
    switchvox.com.          172800  IN      NS      ns1.nameresolve.com.
    switchvox.com.          172800  IN      NS      ns2.nameresolve.com.
    switchvox.com.          172800  IN      NS      ns3.nameresolve.com.
    switchvox.com.          172800  IN      NS      ns4.nameresolve.com.
    CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
    CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20190503044426 20190426033426 3800 com. F93eyh7LoSe/qEEfNCYLGLM32BxFcqw+zM2hbjPuIMXi2GnWrjDmN3Nt JiaoJzf6IXKOA21Vjlr3HMDZZoV6CoK5V4GQscusO5V4sCfjJRj72cnV wThZnBOEU/uOtAwkv8jkO2IX/zeMU6GQl4fFvLSiA63hd9zdObQ1kes6 d6I=
    LMB0UFPOFRCBQ4E567NHUGMKFVMEB8AU.com. 86400 IN NSEC3 1 1 0 - LMB45BHF58HOKQ965AABRTSBLUEUKU22 NS DS RRSIG
    LMB0UFPOFRCBQ4E567NHUGMKFVMEB8AU.com. 86400 IN RRSIG NSEC3 8 2 86400 20190430043607 20190423032607 3800 com. Xmvq5PuVAAmXCCeLTqkL6HF+qboVWuVrUrWELj7ZvCZ8tu1KyrwSet/H H93s/DsY9ZHC9EAK/geg4ZzmAiT/MScKEUmDfOoA82CahbiWPFUMelSD A2luCFYyMIYMpi+UpJ5qy0GniEgwoZQIk/WjEn6CPQhiff5u1D2e0Uik +D8=
    
    ;; ADDITIONAL SECTION:
    ns1.nameresolve.com.    172800  IN      A       66.96.142.146
    ns2.nameresolve.com.    172800  IN      A       65.254.254.170
    ns3.nameresolve.com.    172800  IN      A       66.96.142.148
    ns4.nameresolve.com.    172800  IN      A       65.254.254.172
    
    ;; Query time: 6 msec
    ;; SERVER: 192.41.162.30#53(192.41.162.30)
    ;; WHEN: Fri Apr 26 15:40:28 PDT 2019
    ;; MSG SIZE  rcvd: 685
    
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61805
    ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 1680
    ;; QUESTION SECTION:
    ;privateip.switchvox.com.       IN      A
    
    ;; ANSWER SECTION:
    privateip.switchvox.com. 1800   IN      A       10.12.1.251
    
    ;; Query time: 98 msec
    ;; SERVER: 66.96.142.146#53(66.96.142.146)
    ;; WHEN: Fri Apr 26 15:40:28 PDT 2019
    ;; MSG SIZE  rcvd: 68
    
    [2.4.4-RELEASE][admin@pfstemp.switchvox.com]/root: dig privateip.switchvox.com
    
    ; <<>> DiG 9.12.2-P1 <<>> privateip.switchvox.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26138
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;privateip.switchvox.com.       IN      A
    
    ;; Query time: 99 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Fri Apr 26 15:40:49 PDT 2019
    ;; MSG SIZE  rcvd: 52
    
    

    On pfSense if I query the DNS servers configured in "General Setup" I get a response:

    [2.4.4-RELEASE][admin@pfstemp.switchvox.com]/root: dig privateip.switchvox.com @208.67.222.222
    
    ; <<>> DiG 9.12.2-P1 <<>> privateip.switchvox.com @208.67.222.222
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61798
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;privateip.switchvox.com.       IN      A
    
    ;; ANSWER SECTION:
    privateip.switchvox.com. 1800   IN      A       10.12.1.251
    
    ;; Query time: 278 msec
    ;; SERVER: 208.67.222.222#53(208.67.222.222)
    ;; WHEN: Fri Apr 26 15:47:40 PDT 2019
    ;; MSG SIZE  rcvd: 68
    
    [2.4.4-RELEASE][admin@pfstemp.switchvox.com]/root:
    
    

    If I login to pfSense Web UI and go to Diagnostics -> DNS Lookup and search for privateip.switchvox.com I get "Host privateip.switchox.com could not be resolved.".

    What is going on? Any help fixing this is greatly appreciated.

    Thank you,

    -- Peter


  • LAYER 8 Netgate

    That is by design to protect users against DNS rebinding attacks.

    Public servers returning private addresses is an unsound practice.

    If you wish to enable those answers for a specific domain, put this in the DNS Resolver custom options:

    server:
    private-domain: "switchvox.com"
    
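To make the behaviour in this thread concrete, here is an added Python model of the rebinding filter (not Unbound's or pfSense's own code): records pointing at private addresses are stripped from the answer section, so the response stays NOERROR but ANSWER drops to 0, unless the queried name falls under a configured private-domain. The private address list below is an assumption modelled on pfSense's default Unbound setup, not taken from the page.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumed default filter list (RFC 1918, link-local and ULA), modelled on
# pfSense's Unbound setup; not copied from the page.
PRIVATE_ADDRESS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fd00::/8", "fe80::/10")]

@dataclass
class Response:
    qname: str
    rcode: str = "NOERROR"
    answers: list = field(default_factory=list)   # (name, rtype, rdata)

def in_private_domain(qname, private_domains):
    """True if qname equals, or is a subdomain of, an allowed private-domain."""
    q = qname.rstrip(".").lower()
    for d in private_domains:
        d = d.rstrip(".").lower()
        if q == d or q.endswith("." + d):
            return True
    return False

def is_private_address(rdata):
    """True if rdata is an IP address inside one of the filtered ranges."""
    try:
        addr = ipaddress.ip_address(rdata)
    except ValueError:
        return False
    return any(addr in net for net in PRIVATE_ADDRESS)

def filter_rebinding(resp, private_domains=()):
    """Strip A/AAAA records with private addresses unless the queried name is
    covered by a private-domain entry; rcode is left untouched, matching the
    NOERROR / ANSWER: 0 reply seen in the thread."""
    if in_private_domain(resp.qname, private_domains):
        return resp
    kept = [rr for rr in resp.answers
            if not (rr[1] in ("A", "AAAA") and is_private_address(rr[2]))]
    return Response(resp.qname, resp.rcode, kept)

# Constructed sample: the authoritative answer shown in the thread's dig +trace.
UPSTREAM = Response("privateip.switchvox.com.",
                    answers=[("privateip.switchvox.com.", "A", "10.12.1.251")])

if __name__ == "__main__":
    print(filter_rebinding(UPSTREAM).answers)                     # []
    print(filter_rebinding(UPSTREAM, ["switchvox.com"]).answers)  # A record kept
```

Note that the allowlist is suffix-based on the queried name, so a lookalike such as switchvox.com.example.test is not covered by private-domain: "switchvox.com".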


  • @Derelict Thanks a lot. The custom options enabled the responses. Thanks again.

