Pfsense does not respond to dns requests from LAN Host's

Rafel S

----My Setup----

PC Test IP in LAN side == 192.168.145.11
LAN IP == 192.168.145.1
WAN IP == DHCP

DHCP on LAN == 192.168.145.0
DNS Servers on DHCP

1. 192.168.145.1
2. 8.8.8.8
3. 8.8.4.4

Rule Permit ANY in LAN

----General Setup----
DNS Server Settings

1. 192.168.145.1
2. 8.8.8.8
3. 8.8.4.4

----DNS Resolver----
General DNS Resolver Options

Enable == ✓
Porte == 53
SSL Certificate == Default
SSL Port == Default
Network Interfaces == ALL
Outgoing Interfaces == LAN
System Domain Local == Transperent
DNSSEC == ✓
DNS Query Forwarding == X
DHCP Registration == ✓
Static DHCP == ✓

HOST Overrides

Hostname / Domain / IP to Return Host
teste / localdomain / 192.168.145.11

Note: In Pfsense Shell I can resolve the DNS teste.localdomain. And I can ping from pc to pfsense

frazao

@Rafel-S said in Pfsense does not respond to dns requests from LAN Host's:

neral DNS Resolver Options
Enable == ✓

what DNS query are your trying to get in the LAN network PC?
can you resolve teste.localdomain in the PC?
or google.com?

frazao

@Rafel-S said in Pfsense does not respond to dns requests from LAN Host's:

C Test IP in LAN side == 192.168.145.11

why is the wireshark image have an IP 192.168.145.12... what is this?

Rafel S

Sorry the 192.168.145.12 is another computer in the lan and in the 192.168.145.11 pc i can resolve google but cant resolve the teste.localdomain == 192.168.145.11

frazao

look at the wireshark print.
The dns query has 2x localdomain.

It should be teste.localdomain.
And its showing teste.localdomain.localdomain.

Something must be wrong in DNS configurations. Is the PC configured to use localdomain domain?

Rafel S

PC 192.168.145.12
DNS
192.168.145.1
8.8.8.8
8.8.4.4

PC 192.168.145.11
DNS
192.168.145.1

the icmp i did is from 192.168.145.12 "ping teste.loocaldomain" in ubunto console

im gonna try to ping teste.localdomain.loocaldomain to see what happens

UPDATE: PC 192.168.145.11 recognize localdomain as domain and cant ping teste.localdomain

frazao

at the ubuntu console try:

nslookup
inside de nslookup console:
server 192.168.145.1
teste.localdomain

what is the result?

Rafel S

Result:

johnpoz

Well clearly you could not talk to 145.1 on 53 then... Or its not listening..

BTW having your clients point to both pfsense and some outside dns is just a borked config out of the gate... google sure and the hell not going to resolve anything.localdomain -- you can never be sure which NS a client will ask when it has more than 1 listed. So if your going to point a client to more than 1 NS, all of the NS need to be able to resolve the same stuff.

Validate your unbound is actually running..

And I can tell you this wrong more than likely

Outgoing Interfaces == LAN

So unbound is suppose to resolve say something.publicdomain.com via its lan interface? What would it be talking to on your lan that would allow it access to the internet to do that?

Vs you stating what you believe are the settings. Your host override there.. Is it actually in unbound, or do you have it maybe setup in the forwarder? But from your nslookup there you can not even ask unbound anything, or its not even running or you get back either a nx or servfail or resfused... not a timeout. Or unbound was trying to resolve something and it timed out looking for it - maybe because its trying to resolve via the lan interface? since you don't have your host override setup correctly?

Try resolving pfsense name for a test.. Post up your actual rules on the interface this client is on. Validate unbound is running and listening.. Validate your host override in the correct place..

[2.4.4-RELEASE][admin@sg4860.local.lan]/root: ps -ax | grep unbound
60328  -  Ss        0:51.70 /usr/local/sbin/unbound -c /var/unbound/unbound.conf

So you can see its running from above, and here is listening on my lan IP

[2.4.4-RELEASE][admin@sg4860.local.lan]/root: netstat -anl | grep 192.168.9.253.53
tcp4       0      0 192.168.9.253.53                              *.*                                           LISTEN
udp4       0      0 192.168.9.253.53                              *.*                                           

Here is host override and test of it

frazao

@Rafel-S clearly the service is not running... try to see if the DNS service is actualliy running on port 53.

Rafel S

frazao

@frazao said in Pfsense does not respond to dns requests from LAN Host's:

the DNS service is actualliy running on port 53.

i don't see service running. check the status menu.

Rafel S

I started already is disabled

Rafel S

doens't let me start it

Rafel S

This post is deleted!

frazao

check if dns forward is causing it to stop.

Rafel S

dns forwarrd is disable at all

johnpoz

And what is running on 53? Your not showing what pid is listing on 53..

Here do this.

sockstat | grep .53

example

[2.4.4-RELEASE][admin@sg4860.local.lan]/root: sockstat | grep .53
unbound unbound 33787 3 udp4 192.168.3.253:53 :
unbound unbound 33787 4 tcp4 192.168.3.253:53 :
<snipped rest for brevity>

frazao

@Rafel-S said in Pfsense does not respond to dns requests from LAN Host's:

ns't let me start it

Check log files. paste it to here.

Rafel S

@johnpoz said in Pfsense does not respond to dns requests from LAN Host's:

sockstat | grep .53