Cannot resolve RFC 1918 IPs

  • I've got a few remote pfSense instances running on remote locations and installed a new one over the weekend but I cannot understand what is going on:

    LAN clients resolve anything except a hostname that has an RFC 1918 IP. The same hostname resolves fine on pfSense itself (ssh access / nslookup).
    The RFC 1918 hostname is coming from a domain I set up on Route53/AWS; it has been running like this for >3 years.

    On a LAN client I can set as name server and then it resolves the same hostname to the RFC 1918 IP just fine. Switching back to the pfSense DNS Resolver (the LAN gateway IP basically) breaks RFC 1918 hostnames from resolving; hosts with a public IP resolve just fine on the LAN client.

    Is there a setting on either pfSense or the DNS Resolver somewhere that blocks LAN clients from resolving hostnames using a WAN name server that returns an RFC 1918 IP?

    I've got 3 other instances that are seemingly configured in the exact same way; LAN clients on those instances can resolve the hostname just fine.
    It's got me pretty much baffled. Perhaps I will just take a backup of one "working" pfSense instance and apply it to this new one, but I sure would like to know what I'm missing.

    Any help welcome!

  • Add its domain as private to the Resolver config. In Advanced Options enter:

    private-domain: "<the.hosts.domain>"

  • Thanks viragomann!! That fixed it straight away! You're faster than Enterprise TAC :p

    Next question is why the other pfSense instances resolve hosts without that entry in the Resolver - Advanced Options.

  • Possibly these pfSense are members of the requested domain?
    Or DNSSEC disabled?

  • No, the pfSense instances are all configured under the same domain, albeit a different one from the one I'm trying to resolve from the LAN clients. The only difference is that the 3 other pfSense instances are all installs from +- 3-4 years ago (2.3.x) and went over time through all the upgrades to 2.4.5p1. This last instance was a fresh 2.4.5p1 install. Can't figure it out, but I'm glad your suggestion worked!

  • pfSense does rebind protection: if you forward or resolve, it will not return RFC 1918 space.

    Clients like some Windows will not do this, doesn't care. But it's not good practice to have RFC 1918 in public domains. You saying that if you point the client to you can resolve some FQDN to RFC 1918 points to a bad idea!!

    As already mentioned, you can allow pfSense (unbound or even dnsmasq, different setting) to resolve RFC 1918 from something you forward to or resolve with, like the above private-domain setting.

    Or you could turn off rebind protection completely in pfSense.
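The behaviour described in the moderator's reply and the private-domain fix from the accepted answer, modelled as an added example (this is not pfSense or unbound code, and it only simulates the filter the resolver applies before handing an answer to a LAN client). The hostnames, the sample records and the resolve_for_lan helper are constructed for illustration; the three RFC 1918 ranges are the real ones from the RFC.

```python
"""Simulation of the DNS-rebinding protection pfSense enables in unbound.

Added example, not pfSense or unbound code. It models the behaviour the
thread describes: answers carrying RFC 1918 (private) addresses are
dropped unless the queried name falls under a configured private-domain,
or rebind protection is switched off entirely. The records below are
constructed sample data, not real DNS answers.
"""
import ipaddress
from typing import Iterable, List

# The three RFC 1918 ranges. (The real unbound private-address list that
# pfSense writes also covers other non-routable space; only RFC 1918 is
# modelled here, as that is what the thread is about.)
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(addr: str) -> bool:
    """True if addr lies inside one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def in_private_domain(qname: str, private_domains: Iterable[str]) -> bool:
    """True if qname equals or is a subdomain of any private-domain entry.

    The comparison is label-wise, so 'host.example.net' matches an entry
    of 'example.net' but 'notexample.net' does not.
    """
    labels = qname.rstrip(".").lower().split(".")
    for dom in private_domains:
        dl = dom.rstrip(".").lower().split(".")
        if len(dl) <= len(labels) and labels[-len(dl):] == dl:
            return True
    return False


def filter_answer(qname: str, addresses: Iterable[str],
                  private_domains: Iterable[str] = (),
                  rebind_protection: bool = True) -> List[str]:
    """Return the addresses the resolver would hand to a LAN client.

    With rebind protection on, RFC 1918 addresses are stripped unless the
    name is under a private-domain. The filtered answer may come back empty,
    which is what the LAN clients in the thread saw: the name appeared not
    to resolve at all, while names with public addresses were unaffected.
    """
    if not rebind_protection or in_private_domain(qname, private_domains):
        return list(addresses)
    return [a for a in addresses if not is_rfc1918(a)]


# Constructed sample answers standing in for records served from a public
# zone (as with the thread's Route53-hosted domain): one RFC 1918 host,
# one public host, and one name with both kinds of address.
SAMPLE_ANSWERS = {
    "nas.internal.example.net.": ["10.20.30.40"],
    "www.example.net.": ["203.0.113.10"],
    "dual.example.net.": ["192.168.1.5", "198.51.100.7"],
}


def resolve_for_lan(qname: str, private_domains: Iterable[str] = (),
                    rebind_protection: bool = True) -> List[str]:
    """Look up qname in the sample zone and apply the LAN-side filter.

    Hypothetical helper: it replaces the real upstream lookup with the
    constructed SAMPLE_ANSWERS table so the example runs offline.
    """
    return filter_answer(qname, SAMPLE_ANSWERS.get(qname, []),
                         private_domains, rebind_protection)


if __name__ == "__main__":
    for name in SAMPLE_ANSWERS:
        print(f"{name:28} default    -> {resolve_for_lan(name)}")
        print(f"{name:28} private    -> "
              f"{resolve_for_lan(name, private_domains=['example.net'])}")
        print(f"{name:28} no rebind  -> "
              f"{resolve_for_lan(name, rebind_protection=False)}")
```

Running it shows the three outcomes the thread walks through: with the default settings the RFC 1918 host gets an empty answer and the dual-address name keeps only its public address; adding the zone as a private-domain (the accepted fix) lets the private address through for that zone only; turning rebind protection off lets every private address through for every zone, which is why the narrower private-domain entry is the better choice.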
