Netgate Discussion Forum

    Not configured DNS ip in packet capture

    DHCP and DNS
    • Q
      Quartz

      When I do a packet capture and try to go to a website, inside the packet capture I don't see a DNS request to the DNS I configured (1.1.1.1) but to a different IP. If I do a packet capture with Wireshark on a computer that is configured with the same DNS, then I see the correct request. Why is this happening and how can it be fixed? Attached are screenshots of both captures: pfsense capture.png, wireshark capture.png

      • GertjanG
        Gertjan @Quartz

        @quartz

        Your first image:
        Can you tell which IP is who first?
        What was your filter setup?

        Edit: This one: 192.48.79.30 is "j.gtld-servers.net", so I tend to think device 192.168.73.45 is resolving.

        131.253.21.1 is "ns3.msedge.net", a domain name server; this is the one that can tell you what A, or MX, or AAA, or etc. belongs to a given domain name.

        204.79.197.1 is "ns1.msedge.net", a (I think) domain name server from Microsoft.

        A Microsoft device that does resolving? Hey, why not.
        Out of the box, a Microsoft device uses DHCP, and takes the DNS server from the obtained DHCP lease. That should be, by default, the upstream router that is often also the DHCP server. This router, pfSense, out of the box, does the resolving for the LAN devices.

        The resolver 1.1.1.1 is only needed if you want 1.1.1.1 to have your DNS requests, something that pfSense does for you.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        • johnpozJ
          johnpoz LAYER 8 Global Moderator @Gertjan

          @gertjan said in Not configured DNS ip in packet capture:

          192.168.73.45 is resolving.

          That would be logical if it's talking to the gtld servers, etc. My question to @Quartz is what exactly is this 73.45 device?

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          • Q
            Quartz @Gertjan

            @gertjan
            192.168.73.45 is the IP of the WAN interface on the pfsense router; everything else I have no idea what it is. All those IPs are DNS requests or answers. The only filter applied is DNS. On the WAN interface the DNS server is set to static 1.1.1.1 and alternate 1.0.0.1 but I don't see answers from those IPs. I was expecting to see the same answers in the first image as the ones in the second, except the IP would be 192.168.73.45 instead of 192.168.99.2.

            • Q
              Quartz @johnpoz

              @johnpoz
              192.168.73.45 is my WAN interface.

              • johnpozJ
                johnpoz LAYER 8 Global Moderator @Quartz

                @quartz So sniff on your wan doing those. Here is what you could see depending on your settings in dns.

                So if you did not set unbound to forward, then it would resolve and yes you would see traffic leaving your wan for the roots and gtld servers and whatever the authoritative ns is for whatever name you're wanting to resolve.

                This is default out of the box.

                But also if you set up pfsense with anything other than 127.0.0.1 in its dns settings, say 1.0.0.1 or 1.1.1.1

                It would or could use those when trying to look up something for itself, say for an update, or where to check for package updates, etc. So you could see traffic to roots and the like, and also to these other 1.1.1.1 etc., depending on what is doing the query. If unbound is resolving then it would never ask those; if you're forwarding in unbound, it wouldn't resolve - you cannot resolve and also forward. It's an either/or setup.

                This 2nd sniff is on your lan side network(s), so say 192.168.99.2 directly asking 1.1.1.1 could also show up on your wan, even though unbound is resolving. Because if the client directly asks 1.1.1.1 it's not asking unbound. So in that scenario you would also see traffic to roots and the like, and also to these 1.1.1.1 IPs from your wan IP, because it would be natted to your wan IP.

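Added example, not part of any post in this thread: a sketch that correlates a LAN-side and a WAN-side capture to separate the three sources of WAN DNS traffic described in the post above (unbound resolving, the firewall querying its configured servers, and a LAN client asking 1.1.1.1 directly and being NATed). The tcpdump-style sample lines are constructed, and 192.168.99.1 as the pfSense LAN address is an assumption.

```python
import re
from collections import defaultdict

WAN_IP = "192.168.73.45"                 # pfSense WAN address from the thread
CONFIGURED_DNS = {"1.1.1.1", "1.0.0.1"}  # System > General Setup servers

# Matches a tcpdump -n text line for a DNS *query* (destination port 53), e.g.
# "IP 192.168.99.2.50002 > 1.1.1.1.53: 3333+ A? www.example.org. (33)"
QUERY_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.53: "
    r"(\d+)[+%]* (?:\[[^\]]*\] )?(\w+)\? (\S+)")

def parse_queries(text):
    """Return (src, dst, txid, qtype, qname) tuples; responses are skipped."""
    return [m.groups() for m in map(QUERY_RE.search, text.splitlines()) if m]

def classify_wan(wan_text, lan_text):
    """Attribute each query leaving the WAN to its likely origin."""
    # NAT rewrites the source IP/port but not the DNS payload, so a LAN query
    # that bypassed unbound reappears on the WAN with the same dst, ID and name.
    lan_keys = {(dst, txid, qname)
                for _, dst, txid, _, qname in parse_queries(lan_text)}
    origins = defaultdict(list)
    for src, dst, txid, _, qname in parse_queries(wan_text):
        if src != WAN_IP:
            continue
        if (dst, txid, qname) in lan_keys:
            origin = "lan-client-direct"        # client asked it, was NATed
        elif dst in CONFIGURED_DNS:
            origin = "firewall-configured-dns"  # firewall's own lookup or forwarding
        else:
            origin = "unbound-resolving"        # root / gTLD / authoritative
        origins[origin].append((dst, qname))
    return dict(origins)

# Constructed sample captures (192.168.99.1 as pfSense LAN IP is assumed).
WAN_SAMPLE = """\
12:00:01.000001 IP 192.168.73.45.40001 > 192.48.79.30.53: 1111 [1au] A? www.example.com. (44)
12:00:01.100001 IP 192.168.73.45.40002 > 131.253.21.1.53: 2222 [1au] A? www.example.com. (44)
12:00:02.000001 IP 192.168.73.45.40003 > 1.1.1.1.53: 3333+ A? www.example.org. (33)
12:00:02.020001 IP 1.1.1.1.53 > 192.168.73.45.40003: 3333 1/0/0 A 192.0.2.10 (49)
12:00:03.000001 IP 192.168.73.45.40004 > 1.0.0.1.53: 4444+ A? pkg.example.net. (33)
"""
LAN_SAMPLE = """\
12:00:00.900001 IP 192.168.99.2.50001 > 192.168.99.1.53: 9999+ A? www.example.com. (33)
12:00:01.999001 IP 192.168.99.2.50002 > 1.1.1.1.53: 3333+ A? www.example.org. (33)
"""
if __name__ == "__main__":
    print(classify_wan(WAN_SAMPLE, LAN_SAMPLE))
```

The "unbound-resolving" label is an inference from the destination not being a configured server and no LAN client having sent the same query; capture both interfaces over the same time window for the correlation to hold.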
                • Q
                  Quartz @johnpoz

                  @johnpoz unbound is not set to forward but to resolve. So unbound has a database with roots, gtld servers and authoritative ns? If unbound is resolving, that means the DNS servers (System\General Setup\DNS Server Settings) are just for backup? I was under the impression that unbound only resolves internal ip addresses as it is with most home routers.

                  I don't understand the second part of your answer. If I'm asking directly 1.1.1.1 why would unbound resolve it? Unless I have a set rule that would force all DNS requests from the LAN to go through unbound. network interfacesh.png Under "General DNS Resolver Options\Network interfaces" (picture) it says "The default behavior is to respond to queries on every available IPv4 and IPv6 address." Does that mean it responds to queries from the internet?

                  • johnpozJ
                    johnpoz LAYER 8 Global Moderator @Quartz

                    @quartz said in Not configured DNS ip in packet capture:

                    I was under the impression that unbound only resolves internal ip addresses as it is with most home routers.

                    Not sure where you got that idea? Out of the box pfsense resolves local resources that it knows about, and any other fqdn you ask for - say www.google.com

                    Home routers do the same thing, but they normally just forward, but clients still ask them for www.google.com and it returns the answer and even caches it for the length of the ttl it got back from where it forwarded it to.

                    • Q
                      Quartz @johnpoz

                      @johnpoz Any input on the other questions?

                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator @Quartz

                        @quartz said in Not configured DNS ip in packet capture:

                        If I'm asking directly 1.1.1.1 why would unbound resolve it?

                        This? I don't understand the question - unbound isn't resolving anything, if your client asks 1.1.1.1 then yes you would see that.

                        If your client asks unbound, then it would resolve. Already went over all of that.

                        Or this?

                        Does that mean it responds to queries from the internet?

                        Not unless you opened up wan to allow it, and also altered the default acls, that only allow queries from your local networks.

                        • Q
                          Quartz @johnpoz

                          @johnpoz Thank you
