Name resolution issue with static IP, DHCP Static Mapping works
-
Hello community
My pfSense setup:
System: VMware Virtual Machine
Version: 2.5.1-Release (amd64)
I am facing the following DHCP / DNS problem:
To ensure that the internal hostnames are resolved correctly, I configured the DNS forwarder as follows:
Scenario 1:
- I have made a DHCP Static Mapping in the DHCP server for a Windows 2016 server, on the server itself I have not entered the IP address statically. The result is that I can ping any other client on the network and the name is resolved correctly:
Scenario 2:
- I enter the IP address on the server as static. The result is that the hostname of any client is no longer resolved on a ping, the ping only works if I enter the FQDN (It makes no difference if I leave DHCP Static Mapping enabled on the DHCP server or not).
My LAB configuration is very simple, the pfSense box is responsible for DHCP and DNS resolution, I have not configured an Active Directory or an internal DNS server. This behavior confuses me, my understanding is that the name resolution should be the same when entering the static IP as when setting DHCP Static Mapping?
Any help and / or explanation is very much appreciated.
Thank you.
-
And the winner would be :
Scenario 3: edit your DHCP Static Mapping and assign an IP like 172.20.1.101.
This IP should be outside of the DHCP pool on that interface, but in the network.
Done.
I also advise you to undo this :
unbound - the default settings - works best when using it as a resolver, not a dumb forwarder.
If you need to forward to some other internal DNS resolver/forwarder, then well, ok, keep this option.
Optional : Uncheck this :
If you don't know why, just do so - trust me.
Or look up one of the thousands of posts on this forum about the subject.
And true : I ask you to change something which is a default setting.
-
Thank you @Gertjan for your quick reply!
@gertjan said in Name resolution issue with static IP, DHCP Static Mapping works:
And the winner would be :
Scenario 3: edit your DHCP Static Mapping and assign an IP like 172.20.1.101.
This IP should be outside of the DHCP pool on that interface, but in the network.
Well, that is exactly what I've done so far:
- I have a DHCP Range from 172.20.1.2 to 172.20.1.20
- Added a Static Mapping for the Windows 2016 Server with an IP address outside of the DHCP Range: 172.20.1.101
Done.
I also advise you to undo this :
I've disabled DNS Forwarder as you recommended and enabled DNS Resolver instead (just default settings).
That did the trick! I am now able to resolve HOSTNAME Windows Server 2016 (DHCP Static Mapping) <> Windows 10 Client (DHCP).
However, on my Ubuntu 20.04 LTS Server (with DHCP Static Mapping 172.20.1.102), I am not able to resolve any Clients HOSTNAME except the pfSense Box itself:
unbound - the default settings - works best when using it as a resolver, not a dumb forwarder.
If you need to forward to some other internal DNS resolver/forwarder, then well, ok, keep this option.
Optional : Uncheck this :
If you don't know why, just do so - trust me.
Or look up one of the thousands of posts on this forum about the subject.
And true : I ask you to change something which is a default setting.
That's absolutely OK for me as long as it works reliably and safely.
-
@latency0ms said in Name resolution issue with static IP, DHCP Static Mapping works:
However, on my Ubuntu 20.04 LTS Server (with DHCP Static Mapping 172.20.1.102), I am not able to resolve any Clients HOSTNAME except the pfSense Box itself:
Is the search domain set on this machine and is it equal to the others and pfSense?
-
No, I have not set any specific search domain on the Ubuntu Server - my current /etc/netplan/00-installer-config.yaml looks like this:
I thought that didn't need to be defined locally since I applied a DHCP Static Mapping for this server.
-
??
These are set by default.
But you were not wrong : do not set the first one, as it might have consequences that you are not gonna like.
For each host that you need to be identified by a known host name in your network, make a Static DHCP MAC lease on the DHCP server page - and the second 'check' "Static DHCP" will take care of things.
-
@gertjan
Got that, so I removed DHCP Registration from DNS Resolver as you recommended:
When I remove the option DHCP Registration from DNS Resolver, I can only ping clients that have a DHCP Static Mapping, DHCP clients with a dynamic address are no longer pingable.
As soon as I enable DHCP Registration again, the clients with a dynamic DHCP address are reachable again.
This leads me to conclude that this function is needed anyway. What is the argument against enabling this function?
-
@latency0ms said in Name resolution issue with static IP, DHCP Static Mapping works:
DHCP clients with a dynamic address are no longer pingable.
ping works, just use the IP of these devices.
Or are you using ping as a dns test ?
Use nslookup.
Do you want to access the device with a known device name like
no name - or a name like host3745888g_uuuy or do you prefer : PC-in-bath-room ?
You probably prefer the last one, so set up a Static DHCP MAC lease for these devices once, and you'll be fine.
They will always have the same IP - always have a name YOU gave them and not some default strange name, and the DNS resolver will not get reset with every new DHCP lease.
Devices like phones etc from people that visit your network : you don't want to connect to them, so you don't need a DNS name, so you don't have to set up a static lease.
-
@gertjan
Still, can you please (even though there are quite a few posts on this) briefly explain why the feature Register DHCP leases in the DNS Resolver should be disabled according to your best practice?
Your answer will be very much appreciated.
-
@latency0ms said in Name resolution issue with static IP, DHCP Static Mapping works:
(even though there are quite a few posts on this)
Ok, a quicky :
The DHCP server maintains a file on disk with outstanding and outdated leases.
See it here : /var/dhcpd/var/db/dhcpd6.leases : a small file with an extremely readable content.
When you check this box :
It does not interact with unbound, the Resolver. Neither with the "dhcpd" daemon, the dhcp server for one or more LAN's.
Checking this box launches another program that keeps on running - another daemon.
I'll check the box for a minute so I can show it to you :
[2.5.1-RELEASE][admin@pfsense.my-networkl.net]/root: ps ax | grep leases
....
89854 - Ss 0:00.00 /usr/local/sbin/dhcpleases -l /var/dhcpd/var/db/dhcpd.leases -d my-network.net -p /var/run/unbound.pid -u /var/unbound/dhcpleases_entries.conf -h /etc/hosts
....
And to see what it does, well ..... here it is https://github.com/pfsense/FreeBSD-ports/blob/devel/sysutils/dhcpleases/files/dhcpleases.c
Look at the program - it's open source so a click opens the source and you can read it.
I'll recap :
It puts a 'watch' on the /var/dhcpd/var/db/dhcpd.leases file. When it changes (because a new lease came in, and the dhcpd server updates the file), the daemon dhcpleases reads it, reads the host file, and writes it to /var/unbound/dhcpleases_entries.conf. unbound reads this file when it starts. Open it to see what's in it ^^
Finally, the process dhcpleases restarts unbound.
Cool, right ?
Depends.
It restarts unbound on every new or renewed DHCP lease.
You have one PC ? => No big deal.
You have 8 LAN's and 6000 devices ? => unbound gets chain gunned.
Example : you bought this nice home automation thingy device on AliExpress - let's say : your new door bell with web cam. It asks a new lease every 60 seconds (because it loses its wifi radio signal, reconnects, launches a DHCP request and again and again). And unbound gets restarted every 60 seconds. People wind up posting here to ask "why".