DNS Forwarder Service | Some query and verification
-
We do have pfSense running version 2.6.0, I just want to clarify if I missed some configuration:
- Internet and DNS queries work fine
- Typical network setup: ISP > pfSense > coreSW > AP > workstations
- DNS Forwarder was enabled on pfSense and running
- DHCP was configured on the coreSW with the dns-list pointing to the firewall LAN IP
Then here comes the thing that has kept me wondering for a week now:
-
When I do a traceroute going to the internet, let's say 8.8.8.8,
I noticed that each private IP (let's say the first hop), like the gateway IP (which in this case is the VLAN interface of the coreSW), has a domain name in this format:
"<IP>.lightspeed.moblal.sbcglobal.net"
and when I do a network scan, all device hostnames show this format -
I ran a network inventory tool like runZero and it tags this domain with type RDNS, which based on my research is a PTR or reverse DNS thing.
My questions are:
- How to disable it? Or is this normal behavior of pfSense when using the DNS Forwarder service?
- Which reverse lookup zone is pfSense using to tag my private IPs with this domain
'lightspeed.moblal.sbcglobal.net', which is not even our domain name? OR is this domain from the public DNS that I put under System > General Setup > DNS Server Settings?
Appreciate the help or any feedback from the pfSense gurus here in this forum.
I hope I put this topic in the right section. Thank you in advance, let me know if you need more clarification on the settings of my pfSense, especially on the DNS forwarding service.
-
We do :
2 : I agree.
3 : For my own curiosity: resolving isn't what you need?
4 : pfSense isn't the DHCP server, do I get that right? The DHCP runs from a switch?
Then:
1 : Like on a Windows PC on my LAN:
C:\Users\Gauche>tracert 8.8.8.8
Détermination de l’itinéraire vers dns.google [8.8.8.8] avec un maximum de 30 sauts :

  1    <1 ms    <1 ms    <1 ms  pfSense.my-local-LAN-network.net [192.168.1.1]
  2     1 ms    <1 ms    <1 ms  MyISPBOX [192.168.10.1]
  3    10 ms     9 ms     9 ms  80.10.239.117
  4    27 ms    27 ms    28 ms  ae119-0.ncbor202.rbci.orange.net [80.10.154.10]
  5    34 ms    33 ms    33 ms  ae42-0.nipoi202.rbci.orange.net [193.252.100.30]
  6    27 ms    28 ms    28 ms  193.252.137.14
  7    27 ms    27 ms    27 ms  google-45.gw.opentransit.net [193.251.255.116]
  8    28 ms    29 ms    29 ms  108.170.235.161
  9    27 ms    27 ms    27 ms  142.251.49.137
 10    27 ms    27 ms    26 ms  dns.google [8.8.8.8]

Itinéraire déterminé.
Can you show yours?
And please tell if you run this command from pfSense or from a device on your network.
You can even do both.
2 : I agree. When I ask the reverse of one of my LAN based devices:
C:\Users\Gauche>nslookup 192.168.1.33
Serveur : pfSense.my-local-LAN-network.net
Address: 192.168.1.1

Nom : diskstation2.my-local-LAN-network.net
Address: 192.168.1.33
Where pfSense is 192.168.1.1, and unbound 'knows' about my local devices (I've set them up using DHCP static MAC leases, so the relation between IP and host name is set).
3 : OR this domain is from public DNS
Right. I presume you haven't set this network name 'lightspeed.moblal.sbcglobal.net' anywhere on your local devices.
What is your local DHCP server using as a network name? Or, what is the network name your clients receive from the DHCP server (ipconfig /all)?
Edit: I've instructed my resolver to forward to 8.8.8.8 for a while.
tracert (traceroute) and nslookup results were still correct for me.
-
@gertjan hello, first thank you for your comments
-
When I used the DNS Resolver service before, I couldn't get it to work, that's why I tried testing the DNS Forwarder instead.
What I did before on the DNS Resolver was: enable it >> enable the port forwarding option >> put public DNS under General Setup > DNS settings
then on the client side, since I have my DHCP configured on the core switch, the DHCP setup was to use the firewall IP as DNS, but I dunno what I'm missing here because it doesn't work -
Yes, you're right, DHCP was configured on my coreSW, then the default route to pfSense
then
there you can see that the private IP within my VLAN86 has this domain.. I can't figure out where the hell that domain came from.
I ran it on the test server that is directly connected to the coreSW,
there you can see reverse lookup also works, where 86.10 is the gw IP of vlan86
my DNS was 10.1 (pfSense LAN IP)
and the domain for that IP is unknown to me.. I can't remember configuring such a domain
Do you think it's something in my DHCP setup on the coreSW?
Yes, I haven't set this domain as the network name for local devices
I don't have a network name. This is what I configured so far on the coreSW for the DHCP
you can see there, I tested relaying it to another DHCP server 86.253 (test AD - xxx.local), then on the AD I put 10.1 (pfSense) under DNS forwarder
then when the client obtains an IP (see ipconfig /all) 86.254 (test client)
you can see from the traceroute that the domain I put as a PTR record works also, this is for sure
I know this domain since I added it on the AD DNS service as a PTR record pointing my IP 86.10 to that domain, and doing nslookup for 86.10 gives me the same domain
Now going back to the scenario where my DHCP server DNS was set directly to pfSense, I can't figure out where this domain (lightspeed.moblal.sbcglobal.net) is coming from
Any idea what else I need to look for?
I just want to figure out where that domain is coming from. -
-
Why are you hiding RFC1918 (10/8, 172.16/12, 192.168/16)?
Like these:
or are you really using non-RFC1918?
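The reverse lookup gertjan showed earlier with nslookup (a LAN address answered from the local zone) and the RFC1918 question here, as an added Python example that is not from this thread and not pfSense code: for each address it builds the in-addr.arpa name the PTR query is sent to, asks the host's configured resolver (the one DHCP handed out) for the name, and flags RFC1918 addresses whose answer does not end in the expected local domain. The `SAMPLE_PTRS` table, the 192.168.86.10 address, the missing PTR for 192.168.1.50 and the `my-local-LAN-network.net` expected suffix are constructed for the offline run; only the first two table entries mirror the nslookup output in the thread.

```python
"""Reverse-DNS audit for LAN addresses (added example; not pfSense code).

For each address: which in-addr.arpa name the PTR query goes to, whether the
address is RFC1918, what the resolver answered, and whether that answer is
under the domain our own resolver is expected to serve.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# RFC1918 ranges exactly as listed in the thread.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# A lookup takes an IP string and returns the PTR target, or None when there is no PTR.
Lookup = Callable[[str], Optional[str]]


def reverse_name(ip: str) -> str:
    """in-addr.arpa (or ip6.arpa) name the PTR query for `ip` is sent to."""
    return ipaddress.ip_address(ip).reverse_pointer


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def system_ptr_lookup(ip: str) -> Optional[str]:
    """Ask the OS resolver (the DNS server DHCP handed out) for the PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def classify(ip: str, ptr: Optional[str], local_domain: str) -> str:
    """Verdict for one answer:
    no-ptr           resolver returned nothing
    local            name is under the domain our own resolver should answer with
    foreign-private  RFC1918 address answered with a name outside that domain
    external         non-RFC1918 address answered with some other name (expected)
    """
    if ptr is None:
        return "no-ptr"
    name = ptr.rstrip(".").lower()
    if name.endswith("." + local_domain.strip(".").lower()):
        return "local"
    return "foreign-private" if is_rfc1918(ip) else "external"


def audit(ips: List[str], local_domain: str, lookup: Lookup = system_ptr_lookup) -> Dict[str, dict]:
    """Run the PTR lookup for every address and return one row per IP."""
    report: Dict[str, dict] = {}
    for ip in ips:
        ptr = lookup(ip)
        report[ip] = {
            "query": reverse_name(ip),
            "rfc1918": is_rfc1918(ip),
            "ptr": ptr,
            "verdict": classify(ip, ptr, local_domain),
        }
    return report


def suspicious(report: Dict[str, dict]) -> List[str]:
    """Private addresses whose reverse name came from outside the local zone."""
    return [ip for ip, row in report.items() if row["verdict"] == "foreign-private"]


# Constructed sample answers for an offline run. The first two mirror the nslookup
# output in the thread; 192.168.86.10 is a made-up LAN address given the ISP-style
# name format the original poster reported; 192.168.1.50 has no PTR at all.
SAMPLE_PTRS: Dict[str, Optional[str]] = {
    "192.168.1.1": "pfSense.my-local-LAN-network.net",
    "192.168.1.33": "diskstation2.my-local-LAN-network.net",
    "192.168.86.10": "192.168.86.10.lightspeed.moblal.sbcglobal.net",
    "192.168.1.50": None,
    "8.8.8.8": "dns.google",
}

if __name__ == "__main__":
    import sys
    # Real run: python reverse_audit.py my-local-LAN-network.net 192.168.1.1 192.168.1.33 ...
    if len(sys.argv) > 2:
        result = audit(sys.argv[2:], sys.argv[1])
    else:
        result = audit(list(SAMPLE_PTRS), "my-local-LAN-network.net", lookup=SAMPLE_PTRS.get)
    for ip, row in result.items():
        print(f"{ip:16} {row['query']:32} rfc1918={row['rfc1918']!s:5} {row['verdict']:16} {row['ptr']}")
    print("suspicious:", suspicious(result))
```

Run it from a client that got its DNS server via DHCP (not from pfSense itself) so the lookup path is the same one the workstations use; a `foreign-private` row tells you which private address is being answered from outside your own reverse zone, which is the question the thread is trying to pin down.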
-
@gertjan Hi, thanks for your comment
I just don't want to disclose all the setup in this scenario since it's confidential, regardless of whether I'm using RFC1918
-
All right with that, but this opens the door to a possible huge failure.
It happens all the time: people use non-RFC1918 == public IPs/networks on their LANs, and they do not 'own' these IPs. That's where things go downhill fast.
I'm still a bit puzzled where this "lightspeed.moblal.sbcglobal.net" comes from.
I've just tested forward mode ... my local PTRs are still ok.
Btw:
Wasn't there a great big orange-haired guy in the States that banned that brand for not being 'confidential'?
(ok, silly, but what if he was right?). -
@gertjan hello there
Yeah, I'm puzzled too. I just can't prove if it's from our Huawei core switch or from pfSense itself.
But I don't see any documentation regarding Huawei having that domain.. I already escalated it to Huawei TAC and they just said this: "if 172.1.83.10 is the address of HW switch, switch just replay a icmp packet, will not take these information (lightspeed.moblal.sbcglobal.net), and it is the behavior of PC."
And based on this forum, I think no-one has yet encountered this ghost domain with their pfSense, so I think it's not really pfSense causing it