Completely confused by DNS failure (dnsmasq)
-
That is the problem. It doesn't work and I have no idea why. It correctly gets a response back from the Firewall when querying external DNS.
I can't use a recursive resolver unless I replicate all the hosts that are in the Firewall for my split DNS. That would be a pain. For that reason I switched to a forwarder temporarily.
Alternatively, can I bulk load hosts into pfSense?
I am now just trying to switch the resolver to forwarding as you suggest.
-
@NickJH said in Completely confused by DNS failure (dnsmasq):
response packets at the pfSense WAN interface.
But what response - what should it respond with for sia2.howitts.co.uk?
I don't see A response.. A response would look like this.
192.168.9.100.49907 > 192.168.9.253.53: 64979+ [1au] A? nas.home.arpa. (54)
192.168.9.253.53 > 192.168.9.100.49907: 64979* 1/0/1 nas.home.arpa. A 192.168.9.10 (58)
This is not a valid response
15:59:39.895289 IP 192.168.1.1.53 > 192.168.1.4.63611: 2* 0/0/0 (36)
-
@NickJH The "Enable Forwarding Mode" forwards anything that isn't a host or domain override.
@NickJH said in Completely confused by DNS failure (dnsmasq):
can I bulk load hosts into pfSense?
I don't think so but you can put it in the config file and then restore just the DNS Resolver config.
@johnpoz "The [upstream] firewall itself has host file entries for machines like Sia2 "
-
@SteveITS said in Completely confused by DNS failure (dnsmasq):
@johnpoz "The [upstream] firewall itself has host file entries for machines like Sia2 "
It didn't send them, unless you edited the response.
edit: oh I see you did some more posts... Pretty sure dnsmasq also does rebind protection.. When you forward a rfc1918 response is not going to be returned to the client.. Unless you have turned off rebind or have setup a domain to be private and allowed to return rfc1918
https://docs.netgate.com/pfsense/en/latest/services/dns/rebinding.html
-
@johnpoz said in Completely confused by DNS failure (dnsmasq):
When you forward a rfc1918 response is not going to be returned to the client
Ah yes there it is.
-
Yes, it could be rebind protection as I expect it to return a private IP (172.17.2.51). It is late here so I'll have a look in the morning.
-
I can confirm it was rebind protection causing it. I have disabled it and am using the DNS Resolver successfully in forwarder mode. Thanks.
-
@NickJH did you disable it globally? I would suggest just setting the domain you're forwarding for and want rfc1918 vs turning it completely off.
-
@johnpoz Yes I did it globally. I don't know how to do it by domain only, but it does not matter as pfSense is on my LAN for testing/learning. When I deploy it properly, I'll be turning it back on. It is just that it was interfering with my testing.
-
@NickJH for reference it’s on that doc page:
“To exclude a domain from DNS rebinding protection, use the Custom Options box in the DNS resolver settings. Enter one domain per line in the following format, preceded by the server: line.”
server:
private-domain: "example.com"
private-domain: "dnsbl.example"
I just forget about this “feature” because it’s rarely needed, but we had to discover/use it ourselves 10 years ago.
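The filtering johnpoz and SteveITS describe, as an added illustration that is not part of the thread and not pfSense's or unbound's own code: a forwarded answer carrying an RFC 1918 address is stripped unless the queried name falls under a private-domain exemption, which is why the lookup for sia2.howitts.co.uk came back with 0 answers. The address list approximates unbound's default private-address set and is an assumption.

```python
import ipaddress

# Assumption: approximates the address ranges unbound treats as "private"
# for rebind protection (RFC 1918, link-local, loopback, ULA). Illustrative
# only; not copied from pfSense or unbound.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "fd00::/8", "fe80::/10", "::1/128",
)]


def is_private(addr):
    """True if the A/AAAA RDATA falls in a range rebind protection filters."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def under_domain(qname, domain):
    """True if qname equals domain or is a subdomain of it (case-insensitive)."""
    q = qname.rstrip(".").lower()
    d = domain.rstrip(".").lower()
    return q == d or q.endswith("." + d)


def filter_answers(qname, answers, private_domains=()):
    """Model the rebind check on a forwarded response.

    answers: list of A/AAAA RDATA strings returned by the upstream server.
    private_domains: names listed via 'private-domain:' in Custom Options.
    Returns (kept, dropped); len(kept) is the ancount the client would see.
    """
    exempt = any(under_domain(qname, d) for d in private_domains)
    kept, dropped = [], []
    for rdata in answers:
        if is_private(rdata) and not exempt:
            dropped.append(rdata)   # filtered, never reaches the client
        else:
            kept.append(rdata)
    return kept, dropped


if __name__ == "__main__":
    # Values from the thread: upstream firewall answers with 172.17.2.51.
    kept, dropped = filter_answers("sia2.howitts.co.uk.", ["172.17.2.51"])
    print("no exemption -> answers:", len(kept), "dropped:", dropped)
    kept, dropped = filter_answers("sia2.howitts.co.uk.", ["172.17.2.51"],
                                   private_domains=("howitts.co.uk",))
    print("private-domain set -> answers:", kept)
```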
-
@NickJH how to do that was right in the link I posted..
For both unbound and dnsmasq
I take it you didn't read past the "This behavior is controlled by the DNS Rebind Check option under System > Advanced, Admin Access tab." part ;)
-
@johnpoz All I needed was a quick and dirty fix because it is not going to be the production setup. I did the fix late yesterday but it was about 10pm and if the quick and dirty was going to fix it, it was good enough for me. I only tested it this morning.
-
@cb831 There's a "Give Feedback" link at the top of each doc page. It probably got renamed at some point.
-
@SteveITS yeah I would highly doubt there has been much work on the forwarder (dnsmasq) in quite some time to be honest. I am surprised that anyone would still be using it to be honest.. I mean it can do some things unbound can't like forward to multiple NS at the same time, etc.
But if you can't figure out that the custom options box is what they were talking about - not sure what to tell you ;)
Now if there were 2 boxes, one labeled advanced, and the other custom - and putting it in advanced didn't work because they called out the wrong box - yeah that could be problematic.. But there is only one possible place such commands could be put into that gui form.