• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

DNS Resolver reverse lookups question

Scheduled Pinned Locked Moved DHCP and DNS
5 Posts 2 Posters 686 Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • ?
    A Former User
    last edited by A Former User Jul 27, 2021, 5:42 PM Jul 27, 2021, 4:54 PM

    Hi all,

    Running pfSense 2.5.2, I have followed the following Netgate article to enable DNS over TLS:
    https://docs.netgate.com/pfsense/en/latest/recipes/dns-over-tls.html.

    All is well, except for the fact that local lookups are now quirky, as in returning the right name for the firewall in nslookup requests, observed when connected on VLANs (the .10 VLAN in this case is the 'trusted' VLAN in my situation):

    C:\Users\w10test>nslookup microsoft.com
    Server:  UnKnown
    Address:  192.168.10.1
    
    Non-authoritative answer:
    Name:    microsoft.com
    Addresses:  40.113.200.201
              40.76.4.15
              13.77.161.179
              40.112.72.205
              104.215.148.63
    

    This behavior happens on VLANs that are outside of the native VLAN where pfSense is located in. As soon as I plugin the laptop to the management VLAN, it nicely returns 'firewall.home.lan', which is the name I set under General Settings:

    C:\Users\w10test>nslookup microsoft.com
    Server:  firewall.home.lan
    Address:  192.168.1.1
    
    Non-authoritative answer:
    Name:    microsoft.com
    Addresses:  40.113.200.201
              40.76.4.15
              13.77.161.179
              40.112.72.205
              104.215.148.63
    

    I understand "server: UnKnown" is due to all DNS requests being forwarded to Quad9 (which I have selected as public resolver) because that's what the article prescribes, which of course subsequently fails to resolve names that are intended to be resolved locally.

    DNS Resolver is configured with following options:

    • Network Interfaces: all of my VLANs + localhost
    • Outgoing Network Interfaces: WAN
    • DNSSEC, query forwarding and SSL/TLS for forwarded queries is enabled
    • Static DHCP reservations checkbox is enabled

    When searching the forum, I found, among other posts (which not yet led to a solution) a post from @johnpoz here, talking about host overrides that are to be used to return the name of the pfSense system, fixing what I currently notice.

    My question is: Is this the right thing to do, or are there more elegant alternatives?
    Looking for advice. Thanks!

    J 1 Reply Last reply Jul 27, 2021, 6:00 PM Reply Quote 0
    • J
      johnpoz LAYER 8 Global Moderator @A Former User
      last edited by johnpoz Jul 27, 2021, 6:02 PM Jul 27, 2021, 6:00 PM

      @mg85 said in DNS Resolver reverse lookups question:

      https://docs.netgate.com/pfsense/en/latest/recipes/dns-over-tls.html.

      That should prob be updated to address the changes that were done for dns lookups..

      setting.png

      pfsense should always just ask itself for dns. Which then if the resource is not local - then sure it could use dot to whatever you want to forward too.

      There was an issue with the old way of putting dns in the general tab, where pfsense might ask something remote vs just asking the local unbound, which then in turn asks upstream..

      Your client asking pfsense for dns, should always return the local host name of pfsense. Or something is wrong with resolving your local stuff.

      If you see unknown like you did - then yeah something is not right.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      ? 1 Reply Last reply Jul 27, 2021, 6:17 PM Reply Quote 0
      • ?
        A Former User @johnpoz
        last edited by Jul 27, 2021, 6:17 PM

        @johnpoz thanks so much!
        I have just set that option to "Use local DNS (127.0.0.1), ignore remote DNS Servers".
        Hope the pfSense team is picking up on adapting the manual, as you indicate ;).

        The behavior that "unknown" is returned with nslookups is however not yet gone.
        In your post, you mentioned you created host overrides for your VLANs. I have applied this just to test, which indeed returns the DNS suffix I have set under the DHCP configuration for that VLAN.

        Do you recommend to implement the host overrides this way?
        This is by the way not a huge issue, as I can resolve local hosts by providing the full FQDN (e.g. "printer.iot.home.lan", which returns 192.168.20.5, which is my printers IP.

        Thanks again!

        J 1 Reply Last reply Jul 27, 2021, 6:24 PM Reply Quote 0
        • J
          johnpoz LAYER 8 Global Moderator @A Former User
          last edited by johnpoz Jul 27, 2021, 6:32 PM Jul 27, 2021, 6:24 PM

          if your goal is for say devices on 192.168.x/24 using 192.168.x.1 (pfsense) as their dns to return say pfsense.xdomain.tld and devices on say 192.168.y/24 using 192.168.y.1 (pfsense on this vlan) to return pfsense.ydomain.tld then yes a simple host override is the easy solution..

          example... my pfsense domain is local.lan, if I ask 192.168.9.253 (pfsense lan IP) it comes back with pfsense name..

          domain.png

          $ nslookup www.netgate.com 192.168.9.253
          Server:  sg4860.local.lan
          Address:  192.168.9.253
          
          Non-authoritative answer:
          Name:    group3.sites.hscoscdn00.net
          Addresses:  2606:2c40::c73c:671e
                    2606:2c40::c73c:67e2
                    199.60.103.226
                    199.60.103.30
          Aliases:  www.netgate.com
                    1826203.group3.sites.hubspot.net
          

          If I talk to one of its other IPs, 192.168.3.253 for example which is pfsense IP for my "dmz" vlan then it comes back as..

          $ nslookup www.netgate.com 192.168.3.253                      
          Server:  sg4860.dmz.local.lan                                 
          Address:  192.168.3.253                                       
                                                                        
          Non-authoritative answer:                                     
          Name:    group3.sites.hscoscdn00.net                          
          Addresses:  2606:2c40::c73c:67e2                              
                    2606:2c40::c73c:671e                                
                    199.60.103.30                                       
                    199.60.103.226                                      
          Aliases:  www.netgate.com                                     
                    1826203.group3.sites.hubspot.net                    
          

          You could prob get fancier today with views and such - but that is much more work to setup ;) then just a simple host override for what you want specific IPs to resolve to via PTR.

          here are my host overrides

          hostoverrides.png

          so if I query say the 4.253 address.

          $ nslookup www.netgate.com 192.168.4.253
          Server:  sg4860.wpsk.local.lan
          Address:  192.168.4.253
          

          Once setup its a easy way to know exactly what vlan your on ;) since the name is returned in the pfsense domain for its IP address on that vlan.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          ? 1 Reply Last reply Jul 27, 2021, 7:02 PM Reply Quote 0
          • ?
            A Former User @johnpoz
            last edited by Jul 27, 2021, 7:02 PM

            @johnpoz gotcha, much appreciated! Implementing this right away ;).

            1 Reply Last reply Reply Quote 0
            5 out of 5
            • First post
              5/5
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
              This community forum collects and processes your personal information.
              consent.not_received