Multiple A records with DNS Forwarder/dnsmasq
I've observed a very strange behavior with the DNS forwarder. Let me try to explain, to see if someone can tell me whether this is a bug vs. intended behavior.
I have two firewalls, with pfsync running. Primary successfully duplicates to secondary. Meaning when I activate the forwarder on master, the secondary activates as well. This means there are technically two DNS forwarders listening, each on its own IP. So far so good.
When I query the DNS record for the primary firewall's hostname using the primary firewall's IP, I get two records: one corresponding to my LAN interface's IP address, and one for my management network's IP address. The management IP address is explicitly defined in DNS Forwarder's host overrides because that is the IP address A record I want returned. For ex:
dig @10.22.0.2 fw1.mydomain.local
  answer1 --> A 10.22.0.2
  answer2 --> A 10.22.8.2
one is my explicitly assigned management IP address in the resolver's host overrides, and the other is simply the LAN IP.
When I query the DNS record for the primary firewall using the SECONDARY firewall's IP, I get one record: the one for my management network which I have put in host overrides but NOT the LAN IP. For ex:
dig @10.22.0.3 fw1.mydomain.local
  answer --> A 10.22.0.2
The reverse is also true: if I query the secondary for the secondary's hostname which I have overridden, I also get two records, one for my override and one for the LAN IP. Querying the primary's record from the secondary results in ONE record, just my override.
I do not have a DHCP server running on LAN and do not have any active DHCP leases, so this isn't because of addresses inserted into the Forwarder due to DHCP.
My only forwarding upstream DNS entry at the moment is 8.8.8.8 (Google's public DNS) - so there is no way there are any records for my internal firewalls there.
I also do not have any DNS servers defined in General Setup - I'm just using 127.0.0.1 to point to the local DNS forwarder, and then it forwards up to 8.8.8.8. I'm using host overrides to resolve some internal hosts. I have done this for /years/ with pfSense with no issues at all.
I thought the way this is supposed to work is that only explicitly defined host overrides should be resolved, other than of course, things in the upstream DNS server. Why is the LAN IP address being returned?
One interesting tidbit: saving the DNS Forwarder settings inserts a LAN IP hostname record into /etc/hosts automatically. Only for the LAN IP address. The only other entries in /etc/hosts are for my explicit overrides in the DNS Forwarder settings. I am sure about this because I emptied out /etc/hosts while the Forwarder was off and then turned the Forwarder on again, and after this, the LAN record was put in above the explicit overrides for my management network.
So does anyone know why an extra A record for the LAN IP is being returned??
Thanks!
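As an added check (example code, not from the original post or from pfSense), the script below reads an /etc/hosts file the way dnsmasq does by default, where every matching line contributes an A record, and lists what a forwarder built from that file would answer for a name. The hosts contents are constructed to mirror the situation described above: on the primary, pfSense has inserted the LAN entry (assumed here to be 10.22.8.2) above the explicit management override, while the secondary only carries the synced overrides plus its own LAN entry; the real answer order from dnsmasq may differ from file order.

```python
import ipaddress

# Constructed /etc/hosts for the primary firewall: the auto-inserted LAN
# entry sits above the explicit host override for the management IP.
PRIMARY_HOSTS = """\
127.0.0.1 localhost
10.22.8.2 fw1.mydomain.local fw1
10.22.0.2 fw1.mydomain.local
10.22.0.3 fw2.mydomain.local
"""

# Constructed /etc/hosts for the secondary: synced overrides plus its own
# LAN entry (10.22.8.3 assumed), but no LAN entry for fw1.
SECONDARY_HOSTS = """\
127.0.0.1 localhost
10.22.8.3 fw2.mydomain.local fw2
10.22.0.2 fw1.mydomain.local
10.22.0.3 fw2.mydomain.local
"""


def hosts_a_records(hosts_text, name):
    """IPv4 addresses a hosts-file-backed dnsmasq would answer for `name`.

    Every non-comment line whose hostname or alias matches (case-insensitive,
    trailing dot ignored) contributes one A record; IPv6 lines are AAAA, not A.
    """
    wanted = name.rstrip(".").lower()
    answers = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue                          # malformed line, skip it
        if ip.version == 4 and wanted in (n.lower() for n in names):
            if str(ip) not in answers:
                answers.append(str(ip))
    return answers


def extra_records(hosts_text, name, expected):
    """Addresses answered for `name` that are not among the expected overrides."""
    return [ip for ip in hosts_a_records(hosts_text, name) if ip not in expected]


if __name__ == "__main__":
    for label, hosts in (("primary", PRIMARY_HOSTS), ("secondary", SECONDARY_HOSTS)):
        print(label, hosts_a_records(hosts, "fw1.mydomain.local"),
              "extra:", extra_records(hosts, "fw1.mydomain.local", ["10.22.0.2"]))
```

Pointing the same function at the live /etc/hosts of each node (after turning the Forwarder on) shows directly which entry is producing the unexpected A record.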