Netgate Discussion Forum

DNS Resolver and DNS Forwarder not working as expected.

Category: DHCP and DNS
13 Posts, 2 Posters, 1.5k Views
    N8LBV, Apr 13, 2024, 3:21 PM

    I've been dealing with, or just working around, this for quite a while.
    As the title states, "not working as expected".
    In a testing environment we usually bring up pfSense with its WAN interface either DHCP or static
    on one of our physical LAN (RFC1918) networks,
    and configure pfSense to use one of the local Windows DNS servers.
    The problem we have always run into is that the resolver or forwarder works fine for external Internet names but always refuses to work for internal domain names that are on the local DNS that we point pfSense to.
    It only fails for the clients of the DNS Resolver or Forwarder.
    The names resolve fine from pfSense itself (WebUI or command line).
    The work-around has just been to not use it.
    This seems like it should just work and resolve names from the configured DNS on pfSense.
    And somehow it never has.
    It's as if the resolver and forwarder are just ignoring any pfSense DNS settings and trying to do
    everything themselves without any help from the configured DNS.
    It's even stranger that the forwarder behaves the same way.
    Is it just me? Am I missing something basic I should be doing?
    Seems this should just work out of the box.
    Thanks.

    I feel more like I do now.

      SteveITS (Rebel Alliance), Apr 13, 2024, 3:36 PM

      @N8LBV if it’s returning RFC1918 IPs it’s probably https://docs.netgate.com/pfsense/en/latest/services/dns/rebinding.html

      Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
      When upgrading, allow 10-15 minutes to reboot, or more depending on packages, and device or disk speed.
      Upvote 👍 helpful posts!

        N8LBV, Apr 13, 2024, 4:48 PM

        @SteveITS said in DNS Resolver and DNS Forwarder not working as expected.:

        https://docs.netgate.com/pfsense/en/latest/services/dns/rebinding.htm

        Getting a 404 on that one.
        I think this is the place.
        And thanks for the pointer, looking into it!

        https://docs.netgate.com/pfsense/en/latest/services/dns/rebinding.html#dns-rebinding-protections

          SteveITS (Rebel Alliance), Apr 13, 2024, 4:55 PM

          @N8LBV the last “L” got omitted in your quote :)

            N8LBV, Apr 13, 2024, 5:05 PM

            @SteveITS This does not seem to be the issue.
            I tried adding custom options to the resolver.
            I also tried turning off rebind protection globally on the system, and the behavior is the same.

            Local DNS zones do not resolve (even when querying for A records that point to external Internet IP addresses).
            But external DNS names resolve fine.

            server:
            private-domain: "externaldomaintest.com"
            private-domain: "externamdomaintest2.com"

              N8LBV, Apr 13, 2024, 5:07 PM

              @SteveITS It appears to be not returning anything. It should be returning RFC1918 addresses on most queries, but it is also not returning anything in the case where the A records point to external Internet IP addresses.
              It's not working with any of my authoritative zones on the DNS.
              But it works when it has to go out to the Internet for names.

                N8LBV, Apr 13, 2024, 5:09 PM

                @N8LBV And repeating myself here: it works fully as expected from pfSense itself, WebUI and command line/shell.

                  SteveITS (Rebel Alliance), Apr 13, 2024, 5:17 PM

                  @N8LBV reread your message…if the issue is say a non public Windows AD domain isn’t resolving, that would be a domain override that points to the internal DNS server.

                  Rebinding is an issue for public DNS lookups.

                    N8LBV, Apr 13, 2024, 5:27 PM

                    @SteveITS Sorry, guess I am confused.
                    I have everything pointing to the local DNS server.
                    I don't think there is a reason for any kind of domain override where it would point to this DNS for specific domains.
                    It's already pointing to this server for everything, so to speak.
                    I don't think pfSense should be treating these lookups any differently than anything else.
                    And it is not behaving like this from the WebUI and local command line; it is working there as expected.
                    Something is "different" when the DNS resolver or forwarder has to look these up, and that is not working on any zone our server is authoritative for.
                    It's behaving as if the pfSense resolver or forwarder are somehow working internally as a standalone DNS and -NOT- forwarding any requests to the configured nameserver, and going out to the Internet to hit the root servers.

                      N8LBV, Apr 13, 2024, 5:45 PM

                      @N8LBV In the resolver config I turned on forwarding mode and it's working as expected.
                      At this point I don't know what the difference would be from just running the DNS Forwarder service instead.
                      Other than maybe it is a caching DNS in this config.
                      However, putting this in "forwarding mode" implies it is no longer a caching DNS at this point.

                        SteveITS (Rebel Alliance), Apr 13, 2024, 6:31 PM

                        @N8LBV is it now forwarding to upstream Internal DNS? Or public DNS?

                          N8LBV, Apr 13, 2024, 11:10 PM

                          @SteveITS Internal upstream DNS.
                          I know this for sure because it's resolving the internal IPs as it should be.
                          I'm still totally confused, as stated above, on the options and what they actually do and how they are handling talking to the upstream DNS, or apparently not in this case.
                          I can get out the packet capture kit if I have to.

                            SteveITS (Rebel Alliance), Apr 13, 2024, 11:23 PM

                            @N8LBV In the default config the DNS Resolver goes straight to the root servers and looks up the hostname (name server for .com, then name server for example.com, then www.example.com). Since the root servers don't know about your internal domain, they would presumably return that it doesn't exist.

                            If you enable forwarding, then it contacts the configured DNS server(s) only. In your case, since that server knows about your internal domain, it can answer.

                            I misunderstood; I think this was an internal/second-level (whatever the name) router. A Domain Override would apply in a situation like a Windows Server domain, where pfSense has "local.lan" pointing to the Windows Server IP for DNS.


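The two fixes discussed in this thread (a Domain Override for just the internal zone, versus switching the whole resolver into forwarding mode) correspond to two different Unbound configurations. The fragment below is an added example written for this thread, not config taken from the posts or generated by pfSense; the zone name "corp.example", the internal Windows DNS address 10.0.0.5 and the RFC1918 ranges are placeholders, and whether pfSense itself emits a `domain-insecure` line for a Domain Override is an assumption, not something the thread states.

```conf
# Added example (not from the thread, not pfSense's generated unbound.conf).
# "corp.example" and 10.0.0.5 are placeholder values.

server:
    # With no forward-zone, Unbound is fully recursive: every name is chased
    # from the root servers, which have no idea corp.example exists, so
    # clients get NXDOMAIN even though pfSense itself (using its system
    # resolver and the configured DNS server) answers fine.

    # DNS rebinding protection: answers inside these ranges are dropped
    # unless the zone that returned them is declared private. This is why a
    # working internal zone returning 10.x addresses can still look broken.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-domain: "corp.example"

    # If DNSSEC validation is enabled, an unsigned internal zone must be
    # marked insecure, otherwise its answers fail validation (SERVFAIL).
    # (Assumption: pfSense writes this for Domain Overrides; verify locally.)
    domain-insecure: "corp.example"

# Option A: Domain Override. Only corp.example and its subdomains are sent
# to the internal server; everything else is still resolved from the roots.
forward-zone:
    name: "corp.example"
    forward-addr: 10.0.0.5
    forward-first: no      # never fall back to recursion for this zone

# Option B: forwarding mode (what was finally enabled in the thread).
# Every query goes to the configured upstream server(s). Unbound still
# keeps its cache in this mode; forwarding changes where misses are sent,
# not whether answers are cached. Use A or B, not both.
# forward-zone:
#     name: "."
#     forward-addr: 10.0.0.5
```

Option A is the least-privilege choice when the internal server should only ever see queries for its own zones: public lookups keep going to the roots (or to a public forwarder) and the internal server is not put in the path for every client query. After either change, `unbound-checkconf` on the file and a `dig @<pfSense-LAN-IP> host.corp.example` from a LAN client (rather than from the pfSense shell, which uses a different resolver path) confirm the clients' view matches the firewall's own.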
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.