Netgate Discussion Forum

DNS Resolver Returning Unknown IP

DHCP and DNS
  • J
    johnsoga
    last edited by Aug 15, 2023, 1:34 AM

    Short Summary:
    When trying to resolve the domain "pfsense.lan" an unassigned IP is returned.

    <host_linux>$ nslookup pfsense.lan
    Server:		192.168.1.1
    Address:	192.168.1.1#53
    
    Name:	pfsense.lan
    Address: 192.168.10.1
    
    <host_macos>$ nslookup pfsense.lan
    Server:		192.168.30.1
    Address:	192.168.30.1#53
    
    Name:	pfsense.lan
    Address: 192.168.10.1
    

    Longer Summary/Troubleshooting:
    As I have played around with VLANs and further segregating my home network I'm sure I have likely at some point in time had a VLAN where the interface assigned had the IP "192.168.10.1", but currently no such assignment exists. I've checked on the DNS resolver and there is no mapping there either for this domain/IP. I checked the cache using the below command with no luck either:

    unbound-control -c /var/unbound/unbound.conf dump_cache
    

    At this point I've no idea where this mapping is coming from and I've no idea how to clear it either. I've restarted the netgate device twice and so I don't think it's a cache issue, but that is a very big assumption on my part. Any thoughts?

    • P
      planedrop
      last edited by Aug 15, 2023, 9:39 PM

      I guess my first question would be, what is your upstream DNS provider?

      Unlikely but any chance this is coming from another device on your network? Maybe another pfSense box that this one is behind?

      • S
        SteveITS Galactic Empire @johnsoga
        last edited by Aug 15, 2023, 10:22 PM

        @johnsoga Just a guess, is 192.168.10.1 in your config file if you download a backup?

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        • J
          johnsoga @SteveITS
          last edited by johnsoga Aug 16, 2023, 9:03 PM

          @SteveITS so clearly I'm just blind 🤦

          Screen Shot 2023-08-16 at 4.58.51 PM.png

          Equally confirmed in the backup xml file

          <lan>
          	<if>igc0</if>
          	<descr><![CDATA[LAN1]]></descr>
          	<spoofmac></spoofmac>
          	<ipaddr>192.168.10.1</ipaddr>
          	<subnet>24</subnet>
          </lan>
          

          What is unclear to me though is that this interface isn't enabled and even further what is the logic behind choosing to resolve the router's hostname "pfsense.lan" to LAN1, why not any other interface especially if they are at least enabled. It would make more sense if I had actually defined a DNS entry but this seems almost randomly picked.

          • S
            SteveITS Galactic Empire @johnsoga
            last edited by Aug 16, 2023, 9:15 PM

            @johnsoga It's not quite random, looks like that used to be your LAN, given the <lan> tag? Might be considered a bug that it's pulling that, but otherwise, not sure which interface it should use. I'd guess pfSense is just assuming the LAN interface is always active.

            Ideally "whatever interface I'm using" is probably the best, since often other networks can't connect to the LAN IP anyway, but I doubt it can do that. I would think Unbound could have A records for all interfaces but then DNS probably wouldn't know which to use and would normally send all of the IPs. pfSense stores/uses the driver interface name (igc0), the internal interface (lan), and the description (LAN1).

            IOW pfSense wants to default itself to something so it picks LAN instead of WAN, assuming that's enabled for everyone, and you just happened to have disabled LAN.

            In theory you could edit your config file to swap <lan> and <opt1> or whatever. You just have to update it throughout the file since the opt1 name will be used in various sections like DHCP and firewall rules.

            • J
              johnsoga @SteveITS
              last edited by Aug 16, 2023, 9:29 PM

              @SteveITS said in DNS Resolver Returning Unknown IP:

              @johnsoga It's not quite random, looks like that used to be your LAN, given the <lan> tag? Might be considered a bug that it's pulling that, but otherwise, not sure which interface it should use. I'd guess pfSense is just assuming the LAN interface is always active.

              Well I definitely won't pretend that even if this had been documented somewhere as the default behavior that I would have found it so I'll humbly accept that this is actually documented and I just have to look for it. I'll take a look, but on the off chance it's not, how would one go about opening a bug against documentation?

              Ideally "whatever interface I'm using" is probably the best, since often other networks can't connect to the LAN IP anyway, but I doubt it can do that. I would think Unbound could have A records for all interfaces but then DNS probably wouldn't know which to use and would normally send all of the IPs. pfSense stores/uses the driver interface name (igc0), the internal interface (lan), and the description (LAN1).

              Seems that pfsense is already bypassing the normal DNS functionality in some way as this record is not stored in the Resolver or Forwarder configurations, at least not in the GUI. So I would assume potentially trivial to add functionality such that it resolves that IP for pfsense based on the interface it receives the request on. Potentially a feature request?

              IOW pfSense wants to default itself to something so it picks LAN instead of WAN, assuming that's enabled for everyone, and you just happened to have disabled LAN.

              I guess this would be another feature request. Allow the user to check a box for which interface will be used as the default "LAN" to resolve the IP for the pfsense host. Having to edit the config file seems a less than ideal way to handle it.

              Appreciate your help on this 👍

              • S
                SteveITS Galactic Empire @johnsoga
                last edited by Aug 16, 2023, 9:54 PM

                @johnsoga IF it's a documentation issue there's a Give Feedback link at the top of every page.

                redmine.pfsense.org is where bug reports or feature requests go.

                @johnsoga said in DNS Resolver Returning Unknown IP:

                Having to edit the config file seems a less than ideal way to handle it

                I get your point, but (again, assuming) I'd think most people would start with WAN and LAN, then add more NICs, and not just disable LAN and start using other interfaces instead. The other way would be to move one of your other interfaces/networks to igc0/lan...but not by reassigning opt1, by setting the subnet and moving the patch cable.

                It would also be confusing to document and explain <lan> is not "LAN."

                I just ran into the renaming because we combined two small routers with one with more interfaces, and I realized opt1 was imported as the Hurricane Electric interface, so OPT1 was opt2 internally, OPT2 was opt3, etc., and I could see that being confusing years from now. So I made HE opt10.

                1 Reply Last reply Reply Quote 0
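
The check that resolved this thread (searching a downloaded config backup for the address the resolver returns, then seeing whether the interface that owns it is enabled), as an added example that is not part of the original posts or pfSense's own code. The sample XML is constructed: the `<lan>` block copies the one posted above, while the `<system>` and `<opt1>` blocks, the function name `audit_interfaces`, and the rule that an enabled interface carries an `<enable>` element are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like a pfSense config backup. Only the <lan> block
# comes from the thread; <system> and <opt1> are made up for illustration.
SAMPLE_CONFIG = """<pfsense>
  <system><hostname>pfsense</hostname><domain>lan</domain></system>
  <interfaces>
    <lan>
      <if>igc0</if>
      <descr><![CDATA[LAN1]]></descr>
      <spoofmac></spoofmac>
      <ipaddr>192.168.10.1</ipaddr>
      <subnet>24</subnet>
    </lan>
    <opt1>
      <enable></enable>
      <if>igc1</if>
      <descr><![CDATA[TRUSTED]]></descr>
      <ipaddr>192.168.30.1</ipaddr>
      <subnet>24</subnet>
    </opt1>
  </interfaces>
</pfsense>"""


def audit_interfaces(config_xml, resolved_ip):
    """Return one finding per interface whose static IP equals resolved_ip."""
    root = ET.fromstring(config_xml)
    fqdn = "{}.{}".format(root.findtext("system/hostname", ""),
                          root.findtext("system/domain", ""))
    findings = []
    for iface in root.findall("interfaces/*"):
        if (iface.findtext("ipaddr") or "").strip() != resolved_ip:
            continue
        findings.append({
            "fqdn": fqdn,
            "internal": iface.tag,              # internal name: lan, opt1, ...
            "port": iface.findtext("if"),       # driver name, e.g. igc0
            "descr": iface.findtext("descr"),   # description shown in the GUI
            # Assumption: an enabled interface carries an <enable> element.
            "enabled": iface.find("enable") is not None,
        })
    return findings


if __name__ == "__main__":
    for f in audit_interfaces(SAMPLE_CONFIG, "192.168.10.1"):
        state = "enabled" if f["enabled"] else "DISABLED"
        print("{fqdn} -> {internal}/{port} ({descr}) is".format(**f), state)
```

A match on a disabled interface, as with `lan` here, is the situation described in this thread: the address is still in the configuration even though nothing is assigned to it on the network.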
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.