DNS resolver working for pfSense but not on LAN

NickJH

I am trying to prep pfSense on my LAN so I can insert it as my router with minimum downtime so I have a bit of a messy networking setup.

At the moment pfSense is using the Resolver and, from ssh, can resolve upstream DNS. However it gives ServFail messages to LAN connected devices. I have done a tcpdump on the pfSense internal and external interfaces:

Internal:

0:16:07.461347 IP 172.17.2.116.58654 > 172.17.2.254.53: 64030+ A? www.msftconnecttest.com. (41)
10:16:07.461422 IP 172.17.2.116.61404 > 172.17.2.254.53: 72+ A? www.msftconnecttest.com. (41)
10:16:07.483491 IP 172.17.2.125.60409 > 172.17.2.254.53: 2+ A? ntp.homehub.btopenworld.com. (45)
10:16:07.483702 IP 172.17.2.254.53 > 172.17.2.125.60409: 2 ServFail 0/0/0 (45)
10:16:07.484193 IP 172.17.2.125.53360 > 172.17.2.254.53: 3+ A? time.windows.com. (34)
10:16:07.484397 IP 172.17.2.254.53 > 172.17.2.125.53360: 3 ServFail 0/0/0 (34)
10:16:07.495641 IP 172.17.2.116.58654 > 172.17.2.254.53: 64030+ A? www.msftconnecttest.com. (41)
10:16:07.495690 IP 172.17.2.116.61404 > 172.17.2.254.53: 72+ A? www.msftconnecttest.com. (41)
10:16:07.518034 IP 172.17.2.254.53 > 172.17.2.116.61404: 72 ServFail 0/0/0 (41)
10:16:07.518037 IP 172.17.2.254.53 > 172.17.2.116.58654: 64030 ServFail 0/0/0 (41)
10:16:07.518051 IP 172.17.2.254.53 > 172.17.2.116.61404: 72 ServFail 0/0/0 (41)
10:16:07.518053 IP 172.17.2.254.53 > 172.17.2.116.58654: 64030 ServFail 0/0/0 (41)

External:

10:16:07.462084 IP 172.17.4.231.57286 > 192.36.148.17.53: 48335+ [1au] A? www.msftconnecttest.com. (52)
10:16:07.462104 IP 192.112.36.4.53 > 172.17.4.231.43143: 6611 0/0/0 (21)
10:16:07.462202 IP 172.17.4.231.55442 > 193.0.14.129.53: 50434+ [1au] A? www.msftconnecttest.com. (52)
10:16:07.512560 IP 172.17.4.231.27436 > 192.36.148.17.53: 2167+ [1au] A? www.msftconnecttest.com. (52)
10:16:07.514487 IP 172.17.4.231.8517 > 193.0.14.129.53: 43843+ [1au] A? www.msftconnecttest.com. (52)
10:16:07.517759 IP 192.36.148.17.53 > 172.17.4.231.57286: 48335 2/0/0 A 23.73.137.235, A 23.73.138.194 (73)
10:16:07.517776 IP 193.0.14.129.53 > 172.17.4.231.8517: 43843 2/0/0 A 23.73.137.235, A 23.73.138.194 (73)
10:16:07.517779 IP 192.36.148.17.53 > 172.17.4.231.27436: 2167 2/0/0 A 23.73.137.235, A 23.73.138.194 (73)
10:16:07.517781 IP 193.0.14.129.53 > 172.17.4.231.55442: 50434 2/0/0 A 23.73.137.235, A 23.73.138.194 (73)

If I try pinging somewhere from a LAN PC I get:

C:\Users\nick>ping google.com
Ping request could not find host google.com. Please check the name and try again.

So I can see the DNS request going upstream and coming back to pfSense, but pfSense then turns it into a ServFail.

In the resolver, Network Interfaces is set to ALL and Outgoing Network Interfaces to WAN. I have also tried enabling DNS Query Forwarding with upstream servers of 1.1.1.1 and 1.0.0.1 but it made no difference.

The (horrible) networking set up is:

Internet
     |
Router A (for main LAN)
     | 172.17.2.0/24
Router B
     | 172.17.4.0/24
pfSense
     | 172.17.2.0/24
Test LAN

Note that because I am trying to load pfSense with fixed leases, it needs the same LAN subnet as the main LAN so I have to insert Router B between the main LAN and test LAN to avoid pfSense having the same subnet on its LAN and WAN.

Is there something obvious I am missing?

Gertjan

@NickJH said in DNS resolver working for pfSense but not on LAN:

C:\Users\nick>ping google.com
Ping request could not find host google.com. Please check the name and try again.

Just to be sure :

ipconfig /all

what is the assigned DNS server to this PC ?

@NickJH said in DNS resolver working for pfSense but not on LAN:

So I can see the DNS request going upstream and coming back to pfSense, but pfSense then turns it into a ServFail.

Strange.
But reasons exist. One of them is : DNSSEC. if the time of the pfSense is incorrect, and the requested domain name has DNSSEC info, then validation fails and the answer will be 'fail'.

Not a mess.
What is known as "Internet" in your "networking setup" as a huge chain of even more routers.
Btw : two chained local networks using "172.17.2.0/24" ? I've never seen that before. Better be safe then sorry : don't do that, whatever your motives are.

NickJH

@Gertjan said in DNS resolver working for pfSense but not on LAN:

@NickJH said in DNS resolver working for pfSense but not on LAN:

C:\Users\nick>ping google.com
Ping request could not find host google.com. Please check the name and try again.

Just to be sure :

ipconfig /all

what is the assigned DNS server to this PC ?

Wireless LAN adapter WiFi:

   Connection-specific DNS Suffix  . : howitts.co.uk
   Description . . . . . . . . . . . : Realtek RTL8821CE 802.11ac PCIe Adapter
   Physical Address. . . . . . . . . : 00-E9-3A-3D-87-FF
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::ce93:ae3e:9468:4450%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 172.17.2.116(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : 16 April 2024 10:59:38
   Lease Expires . . . . . . . . . . : 16 April 2024 12:59:38
   Default Gateway . . . . . . . . . : 172.17.2.254
   DHCP Server . . . . . . . . . . . : 172.17.2.254
   DHCPv6 IAID . . . . . . . . . . . : 117500218
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-29-0C-41-D9-00-E9-3A-3D-87-FF
   DNS Servers . . . . . . . . . . . : 172.17.2.254
   Primary WINS Server . . . . . . . : 172.17.2.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

And pfSense:

ifconfig
bge0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        options=8009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,LINKSTATE>
        ether fc:15:b4:7a:ff:aa
        inet 172.17.4.231 netmask 0xffffff00 broadcast 172.17.4.255
        inet 62.30.63.91 netmask 0xffffffff broadcast 62.30.63.91
        inet 62.30.63.94 netmask 0xffffffff broadcast 62.30.63.94
        inet6 fe80::fe15:b4ff:fe7a:ffaa%bge0 prefixlen 64 scopeid 0x1
        media: Ethernet autoselect (1000baseT <full-duplex,master>)
        status: active
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
bge1: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        description: LAN
        options=8009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,LINKSTATE>
        ether fc:15:b4:7a:ff:ab
        inet 172.17.2.254 netmask 0xffffff00 broadcast 172.17.2.255
        inet6 fe80::fe15:b4ff:fe7a:ffab%bge1 prefixlen 64 scopeid 0x2
        inet6 fe80::1:1%bge1 prefixlen 64 scopeid 0x2
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

@NickJH said in DNS resolver working for pfSense but not on LAN:

So I can see the DNS request going upstream and coming back to pfSense, but pfSense then turns it into a ServFail.

Strange.
But reasons exist. One of them is : DNSSEC. if the time of the pfSense is incorrect, and the requested domain name has DNSSEC info, then validation fails and the answer will be 'fail'.

Date is spot on:

[2.7.2-RELEASE][root@pfSense.howitts.co.uk]/root: date
Tue Apr 16 14:09:38 BST 2024

Not a mess.
What is known as "Internet" in your "networking setup" as a huge chain of even more routers.
Btw : two chained local networks using "172.17.2.0/24" ? I've never seen that before. Better be safe then sorry : don't do that, whatever your motives are.

[edit]
My comment at the end disappeared. I have to use the same network on the pfSense LAN as I am loading static leases and they fail validation if they do not belong to the LAN subnet.

I have disabled DNSSEC in pfSense and DNS now works from the PC. That seems wrong. How can I get it going?
[/edit]

Gertjan

@NickJH

If you have 10 minutes :

1. Save/backup your pfSense config.
2. Console option : 4 Reset to factory default.
3. When it boots, and interfaces needs to be assigned, go bare minimum mode : assign a DHCP mode WAN, and set up the LAN with the "out of the box", world's most tested 192.168.1.1/24, network.
4. Connect to your 'Router A'.

Now you have a "it works" situation - no exceptions, no doubts, 100 % guaranteed.

From this known to be working setup, you start applying your own settings.
As soon as things stop to work : undo your last setup - as this one needs more thoughts, and you'll be good.

I know, sound all pretty silly. It's known that the road to success is always easy when you know it upfront.

NickJH

I feel bad about this one. I've had a sudden dawning that there is an upstream fancy DNS filter (adam:ONE) and pfSense was being filtered in such a way as to break DNSSEC to the pfSense clients. I am not sure why it worked to pfSense, but that is irrelevant. The purpose of this box is to replace the upstream filter so I am happy it is working.

Gertjan

@NickJH

Ok, good : progress

Btw : pfSense LAN clients 'normally' don't do any DNSSEC checking.

Read this short write up, as it looks pretty accurate IMHO.

Your pfSense network clients are / should forwarder to a Resolver. That resolver can be : the pfSense unbound resolver, or any other resolver, like ... dono ... 8.8.8.8 ?
Unbound can do DNSSEC checking for you.

DNSSEC checking is validating that the top to bottom relation is valid : example : https://dnsviz.net/d/test-domaine.fr/dnssec/

NickJH

@Gertjan I was just trying to build a router before putting it into operation, but trying to pre-load it to minimise downtime so I had a horrible setup. pfSense is going to be directly connected to my cable modem. It will use the DNS Resolver (unless I get fed up with it) and the LAN clients will use pfSense as their upstream forwarder.

My new N100 toy arrived today, so I have just loaded it up and plan to get it into operation tomorrow when there is no one at home.

SteveITS

@NickJH DNSSEC should be disabled if forwarding. See blue note here:
https://quad9dns.github.io/documentation/Setup_Guides/Open-Source_Routers/pfSense_%28Encrypted%29/