pfSense in HA and pfBlockerNG DNS queries

  • Hi all.
    I have configured two pfSense boxes in sync (HA) and added the pfBlockerNG package.

    Everything is working fine, but I am seeing strange behaviour. The DNS queries arrive both at the master and at the backup, although the destination IP of the queries is that of the master. (I notice this behaviour by checking the pfBlockerNG alerts.)

    The infrastructure expects clients to query a Microsoft DNS (AD) first.

    The Microsoft DNS server (AD) has the pfSense master's IP set as its forwarder.

    However, some DNS queries also arrive at the backup pfSense.

    Any ideas?

  • Too bad you did not get a reply; I think others might see this issue as well. I understand the Windows 10 IP stack will shotgun DNS queries to all servers under some conditions, and whoever responds to the client first wins. In a small LAN this might be OK, but I am betting that a large university like Georgia Tech might have some DNS administrators very upset.

  • Moderator

    @rodeo21 Are you using pfBlockerNG-devel?

  • @bbcan177

    I just did the update today to pfBlockerNG-devel 3.0.0_8

  • Hi @rodeo21, I would think this is more of an issue related to multicast and the CARP VIPs. This is the source of most HA IP issues. If DNS requests are hitting your backup node, the issue is occurring well before pfBlocker (or unbound) gets involved. Have you tried removing pfBlocker to see whether the DNS issue goes away (or still exists)? You'll probably have to look at different logs, but there should still be something to check.
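
One way to do the check suggested above, as an added example that is not from the thread or the pfBlockerNG project: capture DNS traffic on the backup node with `tcpdump -ni <iface> udp port 53` and classify every query by which address it was actually sent to. A query addressed to the CARP VIP is expected on whichever node currently holds MASTER state; a query addressed to the master's own interface IP should not show up on the backup at all unless the switch is flooding or mirroring it or ARP is confused; a query addressed to the backup's own interface IP means some client or forwarder is configured with that address. The capture lines and the addresses in `ROLES` below are constructed for the example and are assumptions, not values from the original post.

```python
import re
from collections import Counter

# Constructed sample in the format of `tcpdump -ni <iface> udp port 53`,
# as it might look when run on the BACKUP node. All addresses are assumptions.
SAMPLE_CAPTURE = """\
10:15:01.000001 IP 192.0.2.10.51234 > 192.0.2.1.53: 41234+ A? example.com. (29)
10:15:01.000201 IP 192.0.2.10.51235 > 192.0.2.2.53: 41235+ A? example.org. (29)
10:15:01.000301 IP 192.0.2.10.51236 > 192.0.2.3.53: 41236+ AAAA? example.net. (30)
10:15:01.000401 IP 192.0.2.1.53 > 192.0.2.10.51234: 41234 1/0/0 A 93.184.216.34 (45)
10:15:01.000501 IP 192.0.2.10.51237 > 192.0.2.1.53: 41237+ A? example.com. (29)
"""

# Which address plays which role in the HA pair (assumed for the example).
ROLES = {
    "192.0.2.1": "carp-vip",  # shared CARP VIP that clients/forwarders should use
    "192.0.2.2": "master",    # master node's own interface IP
    "192.0.2.3": "backup",    # backup node's own interface IP
}
NODE_ROLES = {"master", "backup"}

# Matches only queries (destination port 53); responses come FROM port 53
# and therefore never match.
QUERY_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.53: (?P<id>\d+)\+? "
    r"(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \(\d+\)$"
)


def parse_queries(capture_text):
    """Return one dict per DNS query line; non-query lines are ignored."""
    return [m.groupdict() for m in map(QUERY_RE.match, capture_text.splitlines()) if m]


def classify_by_destination(queries, roles):
    """Count queries by the role of the address they were sent to."""
    return Counter(roles.get(q["dst"], "other") for q in queries)


def queries_not_addressed_here(queries, roles, this_node):
    """Queries captured on this_node that were addressed to the OTHER node's
    own interface IP. Seeing these is a layer-2 delivery problem (flooding,
    port mirroring, stale ARP), not something a DNS package can cause."""
    return [
        q for q in queries
        if roles.get(q["dst"]) in NODE_ROLES and roles.get(q["dst"]) != this_node
    ]


def summarize(capture_text, roles, this_node):
    """Human-readable verdict for a capture taken on this_node."""
    queries = parse_queries(capture_text)
    counts = classify_by_destination(queries, roles)
    stray = queries_not_addressed_here(queries, roles, this_node)
    lines = [f"{len(queries)} queries captured on {this_node}"]
    for role, n in sorted(counts.items()):
        lines.append(f"  to {role:<9} {n}")
    for q in stray:
        lines.append(f"  STRAY: {q['src']} -> {q['dst']} {q['qtype']} {q['qname']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(SAMPLE_CAPTURE, ROLES, "backup"))
```

Run the same classification on a capture from the master for comparison; if queries to the master's own IP appear on the backup, look at the switch (port mirroring, unknown-unicast flooding, MAC table) and at ARP on the clients before touching pfBlockerNG or unbound.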

  • @talaverde
    HA is a complex animal: some interfaces use CARP VIPs, and packages use XMLRPC to sync. XMLRPC has issues where you can use a dedicated user, and some vendors (Snort/Cisco) did not think you could do that, so they force you to use root/admin to sync your data.