Netgate Discussion Forum

    DNS settings for Vlan

    Category: L2/Switching/VLANs
    12 Posts 3 Posters 2.4k Views
    • tigerT

      I think a simple question....

      Have pfSense configured and operational. I want to use the internal DNS resolver (I think I am).

      I have the DNS settings left blank under General and left the DNS setting under the DHCP (192.168.0.1/24) server blank. LAN network is operating properly.

      I have a VLAN set up and am struggling with the proper DNS configuration for the VLAN DHCP (192.168.20.1/24) server.

      If I leave it blank, use 192.168.0.1, or 192.168.20.1, I am unable to get DNS resolution/web pages to work.

      If I use 1.1.1.1 for the DNS setting for the VLAN DHCP server, DNS resolution works/web pages will work.

      I am not wanting to use 1.1.1.1 and would like to have DNS requests handled by pfSense/DNS resolver like the LAN.

      What am I missing???

      • johnpoz (LAYER 8 Global Moderator) @tigerT

        @tigerT well by default if you create a new vlan, say a 192.168.20.1 interface in pfsense, then unbound would listen on that IP and dhcp would hand it out as dns for the clients.

        You sure you have dns set to listen on that new interface, was it set to all? Or had you picked just say lan to listen on. You may need to restart unbound (dns) on pfsense to listen on the new IP.

        Also are your dhcp clients using an old lease?

        Also what firewall rules did you set on the new vlan.. If you have a rule that blocks say rfc1918 before your any rule for internet, that would explain why local dns does not work, but external does.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • tigerT @johnpoz

          @johnpoz

          I'm not sure about the listening on that IP... I did check the DNS Resolver settings and it has "all" for both network interface and outgoing interface. Not sure if that is the same thing...

          After I change the DNS settings for the VLAN DHCP server, I have been resetting/restarting the DHCP server (the circle arrow at the top of the page). I am also resetting the network interface on the client, remove profile/add new. I do see the DNS settings update (reflect the new DNS) as I change the setting, restart DHCP, remove/add the profile.

          The VLAN has a pass all (any protocol, any source, and any destination).

          What would be the correct setting if working correctly under the VLAN DHCP server? Blank, LAN IP (192.168.0.1), or VLAN IP (192.168.20.1)?

          • johnpoz (LAYER 8 Global Moderator) @tigerT

            @tigerT if it's blank it would hand out the IP of the interface it's set on.

            So from your client if you do a query to this 192.168.20.1 do you get a timeout, refused?

            Is your nslookup on your client using this 192.168.20.1 IP.. that would tell you if it picked up the IP from dhcp. Or just look at the output of your ipconfig /all if this is a windows machine - it will list what is set for dns.

            Use your fav dns tool, dig, host, nslookup and do a directed query

            $ nslookup www.google.com
            Server:  sg4860.local.lan
            Address:  192.168.9.253
            
            Non-authoritative answer:
            Name:    www.google.com
            Addresses:  2607:f8b0:4009:80b::2004
                      142.250.190.100
            

            See the output shows what dns I am using, and got a cached answer for www.google.com - what does nslookup show for a client on this new vlan of yours?


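The directed query johnpoz asks for is the right diagnostic, and its three possible outcomes each point somewhere different. The script below is an added example (not code from this thread, and not part of pfSense): it sends one raw UDP DNS query to the resolver the lease handed out and reports the RCODE from the header, so a timeout (unbound not listening on that interface, or a firewall rule dropping udp/53) is told apart from REFUSED (unbound answered, but rejected this client) and from a normal answer. The function names are mine; 192.168.20.1 is the VLAN interface from this thread and is only a default; make_response builds a constructed reply so the parser can be exercised offline.

```python
"""Directed DNS probe that tells a timeout apart from REFUSED.

Added example, not code from this thread or from pfSense. Sends one raw UDP
query to a resolver and reports the RCODE in the reply, so the three cases
that matter on a new VLAN come apart: no reply at all (unbound not listening
on that interface, or a firewall rule eating udp/53), REFUSED (unbound
answered but its access-control rejected this client), or a real answer.
"""
import random
import socket
import struct
import sys
from typing import Optional

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}


def build_query(name: str, txid: int, qtype: int = 1) -> bytes:
    """Minimal RFC 1035 query: 12-byte header with RD set, then QNAME, QTYPE, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_response(data: bytes, txid: int) -> dict:
    """Read id, QR bit, RCODE and answer count from a response header."""
    if len(data) < 12:
        raise ValueError("short DNS packet")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    rcode = flags & 0x000F
    return {"rcode": rcode, "status": RCODES.get(rcode, str(rcode)), "answers": an}


def verdict(result: Optional[dict]) -> str:
    """Map the parsed reply (None for a timeout) onto the next thing to check."""
    if result is None:
        return ("TIMEOUT: nothing answered on udp/53; check that unbound listens on "
                "this interface and that the VLAN firewall rules pass DNS")
    if result["status"] == "REFUSED":
        return "REFUSED: unbound answered, but its access-control does not allow this client subnet"
    if result["status"] == "NOERROR":
        return f"OK: resolved with {result['answers']} answer record(s)"
    return f"{result['status']}: resolver reachable and willing; look upstream or at the name"


def make_response(query: bytes, rcode: int, answers: int = 0) -> bytes:
    """Constructed reply for offline checks: same id and question, QR and RA set, given RCODE."""
    (txid,) = struct.unpack("!H", query[:2])
    return struct.pack("!HHHHHH", txid, 0x8180 | (rcode & 0xF), 1, answers, 0, 0) + query[12:]


def probe(server: str, name: str, timeout: float = 2.0) -> str:
    """Send one query to server:53 and return the verdict string."""
    txid = random.randrange(0, 0x10000)
    query = build_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return verdict(None)
    return verdict(parse_response(data, txid))


if __name__ == "__main__":
    # 192.168.20.1 is the VLAN interface from this thread; override on the command line
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "192.168.20.1", "www.google.com"))
```

Run it from a client on the VLAN with `python3 probe.py 192.168.20.1`. A REFUSED verdict is the pattern tigerT reports further down and points at the resolver's access-control rather than at the interface or the firewall; a timeout is what a missing listen interface or a blocking rule produces, and NOERROR with zero answers or SERVFAIL means the resolver accepted the client and the problem is upstream.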
            • tigerT @johnpoz

              @johnpoz

              I restarted the DHCP server (pfSense) and deleted/added the profile for the client between each of these lookups.

              DNS Setting in pfSense: 1.1.1.1

              $ nslookup www.google.com
              Server: 1.1.1.1
              Address: 1.1.1.1#53

              Non-authoritative answer:
              Name: www.google.com
              Address: 142.250.217.132
              Name: www.google.com
              Address: 2607:f8b0:4007:809::2004

              DNS Setting in pfSense: left blank, but client received 192.168.20.1

              momo@TigerChen:~$ nslookup www.google.com
              Server: 192.168.20.1
              Address: 192.168.20.1#53

              ** server can't find www.google.com: REFUSED

              DNS Setting in pfSense: 192.168.0.1

              momo@TigerChen:~$ nslookup www.google.com
              Server: 192.168.0.1
              Address: 192.168.0.1#53

              ** server can't find www.google.com: REFUSED

              DNS Setting in pfSense: 192.168.20.1

              $ nslookup www.google.com
              Server: 192.168.20.1
              Address: 192.168.20.1#53

              ** server can't find www.google.com: REFUSED

              • johnpoz (LAYER 8 Global Moderator) @tigerT

                @tigerT said in DNS settings for Vlan:

                ** server can't find www.google.com: REFUSED

                refused - this would point to being ACLs in unbound most likely. Did you happen to turn off the automatic ACLs?

                [screenshot: auto.jpg]

                By default when you add new networks, they are auto allowed via ACL.. But if you turn that off like I have then you would have to create/edit the acl to allow what you want for your new networks.

                I am not a fan of auto rules or auto ACLs which is why I have mine set to off. I like to be specific and set exactly what I want.. Notice mine is snoop, which I do not believe is default.

                This also would explain why you're not getting back the pfsense fqdn like you saw in mine. Because most likely via ACL unbound isn't going to talk to your source IP. So the PTR that is done by the client for the fqdn of the IP set for dns wouldn't work either.


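Since REFUSED is the unbound access-control talking, it helps to see the decision rule itself rather than infer it from the GUI checkbox. The following is an added example (my code; neither the thread's nor pfSense's ACL generator) that models the semantics documented for unbound's access-control option: the most specific matching netblock decides, and a client that matches no netblock is refused. The two ACL texts are constructed to resemble what pfSense produces with auto added access control on, once without and once with the new VLAN network; the generated file on pfSense is assumed to be /var/unbound/access_lists.conf, so confirm the path before pointing the script at it.

```python
"""Predict what unbound's access-control will do with a client IP.

Added example, not from the thread and not pfSense's own generator.
Models the unbound.conf access-control semantics: the most specific
matching netblock decides, and a client that matches no netblock is
refused. Run with no arguments to compare the two constructed ACLs below,
or pass a path and a client IP to evaluate a real file (on pfSense the
generated list is assumed to live at /var/unbound/access_lists.conf).
"""
import ipaddress
import sys
from typing import List, Tuple, Union

# Constructed sample: what the auto added ACL looks like with only LAN present
AUTO_ACL_LAN_ONLY = """\
access-control: 127.0.0.1/32 allow_snoop
access-control: ::1 allow_snoop
access-control: 127.0.0.0/8 allow
access-control: 192.168.0.0/24 allow
"""
# Constructed sample: the same list after the new VLAN network is added
AUTO_ACL_WITH_VLAN = AUTO_ACL_LAN_ONLY + "access-control: 192.168.20.0/24 allow\n"

# What the client experiences for each unbound action
BEHAVIOUR = {
    "deny": "dropped silently (client sees a timeout)",
    "refuse": "REFUSED",
    "allow": "answered",
    "allow_snoop": "answered, non-recursive cache snooping also permitted",
    "allow_setrd": "answered, treated as if RD were set",
}

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Rule = Tuple[Network, str]


def parse_access_control(conf: str) -> List[Rule]:
    """Collect access-control lines; comments and unrelated options are skipped."""
    rules: List[Rule] = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("access-control:"):
            continue
        _, netblock, action = line.split()
        rules.append((ipaddress.ip_network(netblock, strict=False), action))
    return rules


def decide(rules: List[Rule], client: str) -> Tuple[str, str]:
    """Return (action, reason) by longest-prefix match; no match means refuse."""
    ip = ipaddress.ip_address(client)
    best = None
    for net, action in rules:
        if net.version == ip.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, action)
    if best is None:
        return "refuse", "no access-control match -> unbound default is refuse"
    return best[1], f"matched {best[0]} {best[1]}"


def explain(rules: List[Rule], client: str) -> str:
    """One line a person can read: client, what it experiences, and why."""
    action, why = decide(rules, client)
    return f"{client}: {BEHAVIOUR.get(action, action)} ({why})"


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fh:
            print(explain(parse_access_control(fh.read()), sys.argv[2]))
    else:
        for label, text in (("LAN only", AUTO_ACL_LAN_ONLY), ("with VLAN", AUTO_ACL_WITH_VLAN)):
            rules = parse_access_control(text)
            for client in ("192.168.0.50", "192.168.20.50", "127.0.0.1"):
                print(f"[{label}] {explain(rules, client)}")
```

With the LAN-only list, a 192.168.20.x client matches nothing and gets REFUSED, which is exactly what tigerT's nslookup shows; adding the /24 turns that into an answer. The 127.0.0.1/32 allow_snoop line beside 127.0.0.0/8 allow also shows why the longest-prefix rule matters when a hand-written ACL mixes broad and narrow entries. Note that this only predicts the resolver's decision; a firewall rule on the VLAN that blocks port 53 is evaluated first and yields a timeout, not REFUSED.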
                • Bob.Dig (LAYER 8) @johnpoz

                  @johnpoz said in DNS settings for Vlan:

                  I am not a fan of auto rules or auto ACLs which is why I have mine set to off.

                  But we do have firewalls rules for that too. I wouldn't mind an allow everything ACL for the resolver.

                  • johnpoz (LAYER 8 Global Moderator) @Bob.Dig

                    @Bob-Dig said in DNS settings for Vlan:

                    allow everything ACL for the resolver.

                    Which is pretty much what I have setup ;)


                    • tigerT @johnpoz

                      @johnpoz

                      Disable auto added was unchecked. I did check/save, uncheck/save...

                      Now when I leave the VLAN DHCP DNS setting blank, the client receives 192.168.20.1 as before. But now it is resolving. Does the below nslookup command look like it is configured properly...

                      nslookup www.google.com
                      Server: 192.168.20.1
                      Address: 192.168.20.1#53

                      Non-authoritative answer:
                      Name: www.google.com
                      Address: 142.250.188.228
                      Name: www.google.com
                      Address: 2607:f8b0:4007:80a::2004

                      • johnpoz (LAYER 8 Global Moderator) @tigerT

                        @tigerT not sure why nslookup is not resolving the IP? Hmmm - I always set mine up specific for other IPs on pfsense. But maybe it doesn't respond with the main name on a ptr if you don't set it up for other vlans?

                        I would think the check and then uncheck would recreate the ACL with your new vlan in. Again not a fan of "auto" stuff to be honest. Which is why I specifically set mine..

                        so for example if I query another IP on pfsense, mine returns the host record I created specific for that IP.

                        $ nslookup
                        Default Server:  sg4860.local.lan
                        Address:  192.168.9.253

                        > server 192.168.3.253
                        Default Server:  sg4860.dmz.local.lan
                        Address:  192.168.3.253

                        > server 192.168.2.253
                        Default Server:  sg4860.wlan.local.lan
                        Address:  192.168.2.253


                        I would have to remove my host entries for those IPs to see if when talking to say 3.253 if it returns the sg4860.local.lan name.. But yeah looks like your ok now.


                        • tigerT @johnpoz

                          @johnpoz

                          WOW. 😵 Big thanks and I definitely learned something today!

                          Any way to change original topic? Something to include ACLs in unbound. Something a little less generic....

                          • johnpoz (LAYER 8 Global Moderator) @tigerT

                            @tigerT well I checked what happens when you don't have a specific host override set for one of the pfsense vlan interfaces..

                            > server 192.168.3.253
                            Default Server:  [192.168.3.253]
                            Address:  192.168.3.253
                            

                            Which makes sense when you think about it. I'm prob going to start changing my stuff to reflect the new home.arpa domain.

                            > server 192.168.3.253
                            Default Server:  sg4860.dmz.home.arpa
                            Address:  192.168.3.253
                            


                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.