DNS (dnsmasq) only replies with LAN IP
-
I have pfSense setup with two vlans (WAN)
10.34.89.10and (LAN)10.34.84.35. I'm only using pfSense for it's wonderful DNS Forwarder management interface for our helpdesk folks to use and not really doing any firewalling. The LAN interface is only intended as a mgmt. vlan so don't care about DNS there. If they need to use the IP to manage DNS, that's fine.DNS Forwarder is setup with overrides for servers sitting on the WAN subnet. DNS queries work fine for all servers but pfSense itself. When querying pfsense.dom.com from a server on the WAN subnet, I'm getting the LAN IP for pfSense, instead of it's WAN IP.
Not a big deal because servers are using the pfSense IP for DNS resolution anyway but it would be nice to have the correct IP returned for things like Nagios or Ansible facts. Any way to fix it?
-
@dave-r2 said in DNS (dnsmasq) only replies with LAN IP:
Any way to fix it?
It's not broken.
This :
is meant to be resolved to the pfSense IP or IPs if it has more then one LAN.
Why should a client on a LAN obtain the WAN IP ?
The 'real' WAN IPv4 can obtained by visiting http://checkip.dyndns.org/.
Why do your LAN clients need to know the 'WAN' IP of pfSense (which isn't necessarily the real WAN IP) ?
And just for my own curiosity : why the forwarder ? You have another local DNS solution, upstream for pfSense ?
-
@gertjan I'm just using pfSense for DNS. It's not firewalling. It's not connected to a modem. I have two network segments (VLANs) which pfSense is part of. In this case, the "WAN" interface means nothing. It's really just another network. Both WAN and LAN are RFC1918 networks. The WAN interface is where the servers live. The LAN interface is on a more restricted network for administration.
Hosts on VLAN1 (WAN) query pfSense for DNS. Yes, there is an upstream resolver. The DNS Forwarder in pfSense will forward queries upstream if it does not know the answer locally. I am putting all the hosts on VLAN1 (as overrides) in the DNS Forwarder settings. This allows non-technical staff easy access to a DNS interface for setting up new servers on VLAN1 without having to resort to training them on Vim, Bind9, forward zones, reverse zones, views, and sh/bash cli. I tried setting up PowerDNS and PowerDNS-Admin last week instead and the setup is soooooo complicated... if anything ever broke it would take a week just to figure out where the problem is. So, I came back to pfSense.
I don't understand your screenshot. I'm not using local.tld for anything and the hostname is not set to pfsense. I tried changing the hostname and domain to something arbitraty and it's still answering queries with the LAN IP address. Maybe this is not possible. Maybe it's just the way pfSense is setup to work and I'm trying to bend it into something it's not intended for.
It seems like it should be a simple setting somewhere to tell pfSense which interface to reply with when hit with a lookup on itself but maybe not.
-
You can use host overrides to 'name' your interfaces.
I'm not using the forwarder myself, but I presume you an declare your own overrides at the bottom of the settings page of the forwarder. -
@gertjan Yeah, it's not working that way though. I've added an override but still getting the IP for the LAN segment. Even tried enabling the DHCP server with MAC address for the WAN interface and ticking the box for "Resolve DHCP first" but no luck. If there's not something obvious I missed I'll have to dig into the custom options for dnsmasq
UPDATE: You were right about the hostname config in General Setup. I looked at /etc/hosts and noticed the pfSense short name was in there, which is what I queried from a LAN host. I thought the domain and search settings on the host (/etc/resolv.conf) were supposed to tack on the domain portion when a short name was queried but I dunno now.. I changed the hostname as well as domain name in General Setup and added an override for the full hostname of the pfSense box and it's returning the override now. Thanks.
