Simple Local Ping Question - DNS Resolver issue
-
This is a home network, /24, pretty simple. I have a few new personal boxes, a MacBook and an Ubuntu box. That said, neither can ping local hostnames, either short or fully qualified, of systems on my network such as my NAS, etc. My Windows systems can ping my NAS; perhaps they are falling back to NetBIOS or something.
This leads me to believe I configured something wrong. Overall my goal is to have external DNS requests sent to Cloudflare (1.1.1.1), but I would like pfSense to answer requests for my local domain (home.xyz.com).
I also assume that hostnames would show up in the DNS Resolver status page, but I see nothing. They do appear in DHCP status, though.
-
@ngr2001 You'd want to enable DNS Registration for DHCP leases if you want pfSense to resolve them. Note that if you are using ISC DHCP, each lease renewal restarts Unbound.
25.11.1 is out, as noted in your last screenshot. (The number looks funny, but that's what it is.)
-
I already have that checked, though. In addition, I have the host I am trying to ping entered in the "Host Overrides" section, as seen in the previous post.
Should I switch to Kea DHCP? I'd rather not, though; I didn't like it the last time I tried it. This feels like I am missing something simple in DNS.
Still no luck.
-
said in Simple Local Ping Question - DNS Resolver issue:
I already have that checked, though. In addition, I have the host I am trying to ping entered in the "Host Overrides" section, as seen in the previous post.
Should I switch to Kea DHCP? I'd rather not, though; I didn't like it the last time I tried it. This feels like I am missing something simple in DNS.
Still no luck.

This is also interesting: lookup works from the firewall, but again it does not work from my MacBook or Ubuntu box; both are DHCP.
-
@ngr2001 Your search domain doesn't look correct for your actual FQDN.
Instead of just trying to ping xdisk, ping the FQDN.
This looks too short.
For your whole FQDN there, you posted it with the middle of it hidden.
-
Maybe this is a Mac-specific issue; check this out.
I do not use .local, but AI said to try it.
So I pinged my NAS as "ping xdisk.local" and it worked. I try to ping it by its actual FQDN, "ping xdisk.home.xyz.com", and it fails.
However, this same trick does not seem to be working for other hosts that I am trying to ping.
Makes 0 sense.
-
@ngr2001 .local is an mDNS query; that would be the host itself answering with its IP from the mDNS query that all devices on the network would see.
If you set up a host override for some FQDN to point to an IP, then either you're not asking for the correct FQDN, not asking Unbound running on pfSense, or you set up the host override in the wrong DNS (Unbound or Forwarder) on pfSense.
Do a simple directed query to the pfSense IP for the FQDN. Do you get an answer?
Example:

$ nslookup
Default Server: pi.hole
Address: 192.168.3.10

> server 192.168.9.253
Default Server: sg4860.home.arpa
Address: 192.168.9.253

> nas.home.arpa
Server: sg4860.home.arpa
Address: 192.168.9.253

Name: nas.home.arpa
Address: 192.168.9.10
>
-
I greyed it out for privacy.
My PF domain value is set to "home.redacted.com". I am trying to ping a host named xdisk as "xdisk.home.redacted.com".
It may just be hard to tell with the blurring I used for the screenshot, but I 100% assure you that I am pinging the correct FQDN.
-
OK, that makes perfect sense; my Mac and my NAS must support mDNS out of the box. I have mDNS disabled on my Windows and Linux boxes, which explains why this trick is not working there.
-
@ngr2001 said in Simple Local Ping Question - DNS Resolver issue:
but I 100% assure you that I am pinging the correct FQDN.
Do a directed query like the edited example I put in above.
-
I have IPv6 enabled and working on my home network, and I allow my clients to pull an IPv6 address from the ISP. I think that may be causing the issue. It seems like my MacBook is defaulting to IPv6 for DNS queries.
Not sure what to do about that.
-
@ngr2001 Is that IP it's asking pfSense's IPv6 IP that Unbound is listening on?
Odd that the NS you are pointing to cannot even resolve its own name via the PTR: instead of showing the IP, for "Server" it should show the name of the NS you're asking on that IP.
Notice in my example 3.10 comes back as pi.hole, and 9.253 comes back as my pfSense box name.
When the NS you're talking to does not even resolve its own name, then yeah, something is not right.
Whoever you're asking there doesn't have a clue about its own name, nor the FQDN you're asking about, i.e. the NX answer.
It's possible for something like this to happen when the server you're talking to doesn't own the reverse zone, or whoever does doesn't have a PTR set up. 2601 would be some GUA address, so that name server could be outside pfSense. pfSense should set the PTR for its own addresses, etc.
-
The IPv6 DNS value looks to be a public IP from my ISP. I am using RA, but I'm not sure why the client DNS value is not PF itself, or Cloudflare at minimum.
-
@ngr2001 Is that c3c5 IPv6 you have there pfSense's IP??
Those look greyed out, like what it would default to if you mirrored the DHCPv6 settings.
-
The PF LAN NIC IPv6 value matches the clients' IPv6 DNS server value.
However, the PF LAN NIC is set to "Track Interface" and clients are using "Router Advertisement". Thus the IPv6 address of my PF LAN NIC is a publicly accessible IP, from my understanding. I'm not as good with IPv6; my understanding is that RA is preferred and there is no real concept of NAT. So it seems like when the IPv6 address is used for a query, it can only resolve public resources, nothing internal.
-
@ngr2001 said in Simple Local Ping Question - DNS Resolver issue:
nothing internal.
No idea what you're talking about. If Unbound is listening on IPv6 and you can talk to it, it would resolve the same things Unbound on IPv4 can.
Here I enabled IPv6; I normally have it off because I have zero use for it.
I'm not as good with IPv6
Here is what I would suggest, then: turn it off. Unless you are in learning mode and are working on your IPv6 skills, or you actually have a use case that requires you to have IPv6, you would make your life way simpler by just turning it off. That is what I do, and I have been playing with and using IPv6 for like 15 years. I have it available to test or play with and can enable it with a click. But day to day it's just off, because I have zero use for it. There is not one resource anywhere on the planet that I would want to use that is only available via IPv6. So why would I have it on?? It just makes my network that much more complex to admin.
Our resident IPv6 cheerleader doesn't like it when I say that, but he has yet to point out even one resource on the internet that I would want/need to talk to that is only available on IPv6. Not 1. Not talking about some user in a 3rd-world country running some website on IPv6 because he is behind a CGNAT and his ISP only gives him IPv6 or something.
If you are not up to speed on IPv6, and you're not in "hey, let's learn how this thing works" mode, which can be a steep hill to climb, just turn it off. And if you are in "hey, let's play with IPv6" mode, then enable it on a couple of devices to learn with.
All that being said, if you have Unbound running and a firewall rule to allow it, and you query it for an IPv6 local resource you have set up in a host override, then it should work. But do a directed query so you are sure who you are talking to and what you're asking for. Here I just created an IPv6 address for my nas.home.arpa.
Again, if nslookup fails to even resolve the name of the NS you're using, this screams something is not fully kosher.
I prefer dig when looking to troubleshoot anything with DNS; it's cleaner to see exactly what is going on. It doesn't do search suffixes, etc. It's just a way more well-rounded DNS client tool.
-
I follow what you are saying and tend to agree on the IPv6 point. I would say that I am kind of in IPv6 learning mode. I was able to get it working, at least. My main reason for wanting IPv6 is that I have read IPv6 has slightly less overhead and latency, which would make gaming and video conferencing perhaps just a little faster than the next guy who may only be on IPv4, assuming the 3rd-party source supported both v4 and v6.
My confusion on IPv6 is regarding what the ISP supports and how they require your end to be configured vs. what is ideal. IPv4 makes perfect sense to me: my PF LAN NIC has an internal IP, and clients use that as their gateway and DNS.
On the flip side, my PF LAN NIC pulls its IPv6 value from the ISP; I am not statically assigning it. There is also no IPv6 DHCP server configured on my local side. Everything is handed down from the ISP (track address & RA); my clients get a working IPv6 address and they can access IPv6-exclusive test content just fine.
My confusion steps in because some clients have different behavior. Even different builds of Windows 11 seem to act differently in regards to whether they attempt DNS over v4 or v6 first; it's a crap shoot. macOS Tahoe seems to always prefer v6. Thus my nslookups show that the current IPv6 value of my PF LAN NIC is being used to query domains. What I was trying to say is, my PF LAN NIC IPv6 value is a live public IPv6 address from Comcast, thus I am scratching my head on how PF handles any local requests. Will it just know, based on my home domain, that I am trying to ping something local, or is it just forwarding my request off to external DNS, thus not finding my local host on a ping test?
To be honest, IPv6 seems to go down all the time and requires constant reboots etc. to get working again. So I have just about had it with IPv6 in general.
Does any of this make sense in how I am explaining my own confusion? Further, the NAS device that I am trying to ping does NOT have an IPv6 address. It's an old device that only supports IPv4. So if my MacBook attempts to query/ping it, would an IPv6 DNS server be able to handle that request, i.e. is it smart enough to fall back to IPv4 before it gives up and just fails? I.e. am I expecting something to work that just was never designed to? Thus newer devices on my network like this MacBook have both an IPv4 address and an IPv6 address, and some of my older devices may only have IPv4. Testing the scenario IPv4 to IPv4, everything seems to be working 100%, so this is clearly an IPv6 issue.
-
@ngr2001 said in Simple Local Ping Question - DNS Resolver issue:
My main reason for wanting IPv6 is that I have read IPv6 has slightly less overhead and latency
Propaganda; show that... Ping something via its IPv4 address on the internet and then on its IPv6 address. It's possible, sure, that the IPv4 path is different from the IPv6 path. It could even be a different server serving up IPv6 vs. IPv4, etc.
But it's not like you're going to see 10ms vs. 100, etc., or 100mbps vs. 10mbps. Sure, there could be some slight difference. Yes, the default MTU in IPv6 is supposed to be 1280 vs. the old-school 576. That doesn't mean it uses, say, 1500 vs. 1280. There are some test sites you can try to test your IPv6 MTU, but that would only be to that site and not every IPv6 site on the planet. IPv6 uses PMTUD to find the MTU; it's quite possible that gets hosed and you actually end up with a lower MTU than if you used just IPv4.
As to games, that could be one driving force pushing towards IPv6 adoption, and I have yet to see it in the real world. Games are still using IPv4. For starters you have a chicken vs. egg sort of problem: not everyone has IPv6. Shoot, my ISP doesn't have it; they have nothing on public record or announcement saying they are going to do it any time soon. I use an HE tunnel to get my IPv6. Another is people that even understand it; shoot, I have seen so many crappy ISP IPv6 deployments it's not even funny.
I would love to see some sniff of your game actually using IPv6, to be honest. It could be a real game changer for people hosting games, etc., if they actually would go anywhere with it.
As to clients doing things differently: yup, more than likely that could be the case. Most clients would prefer IPv6 if they have it, and quite often that can work without any issues for users.
You should always be able to adjust that with prefix policies in Windows; with Linux you would adjust the precedence in your gai.conf. I would assume Mac would be similar to Linux, if not exactly the same.
The problem would be IoT sort of devices; shoot, some OSes don't even support DHCPv6. Pretty sure most Android stuff only likes SLAAC, etc.
As to your DNS problem: again, do directed queries for specific resources. It does not matter whether you talk to the name server via IPv4 or IPv6. It doesn't matter whether you ask for an A (IPv4) or AAAA (IPv6) record over IPv4 or IPv6; the name server doesn't care.
When you got NX for your xdisk, maybe you don't have an AAAA record for xdisk and that is what your client asked for, so yeah, you got NX. Normally clients that are dual-stacked (IPv4 and IPv6) should for sure ask for both A and AAAA.
To validate that Unbound on pfSense is working correctly, you need to do directed queries with the specific FQDN of what you're looking for, so you know for sure that Unbound is working correctly and has the records you want to resolve in it. I find it unlikely that some device that got its IPv6 via SLAAC is going to resolve without a specific host override; also not sure if even via DHCPv6 it gets registered, even if you have that checked off.
Then throw in your Mac, which probably defaults to and loves to use mDNS. Which, sure, if everything on a flat network was a Mac or answered mDNS, that could be fine. But when you start segmenting the network, that discovery method falls on its face.
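The directed-query check recommended above (ask one specific resolver for the PTR of its own address, then for the A and AAAA records of the FQDN, and look at the rcode rather than at what ping reports) as an added example, written for this page and not taken from the thread or from pfSense/Netgate. It uses only the Python standard library and speaks DNS wire format over UDP port 53 directly, so no search suffix is ever appended and the server IP is exactly the one you choose, IPv4 or IPv6 literal. It also distinguishes NXDOMAIN (the name does not exist) from NODATA (NOERROR with an empty answer section, which is what a v4-only host returns when asked for AAAA), the two cases conflated in the thread. RESOLVER and FQDN are assumed placeholder values, not addresses or names from the thread; substitute the pfSense LAN address Unbound listens on and your host-override name.

```python
"""Directed DNS queries to one specific resolver, stdlib only (added example).

RESOLVER and FQDN are assumed placeholders, not values from the thread;
replace them with the pfSense LAN address and the host-override name to test.
"""
import ipaddress
import socket
import struct

RESOLVER = "192.168.1.1"            # assumed: pfSense LAN IP that Unbound listens on
FQDN = "xdisk.home.example.com"     # assumed: host-override name to look up

QTYPE = {"A": 1, "AAAA": 28, "PTR": 12}
RCODE = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
TXID = 0x1234


def reverse_name(ip: str) -> str:
    """in-addr.arpa / ip6.arpa name for a PTR lookup of the resolver's own address."""
    return ipaddress.ip_address(ip).reverse_pointer


def build_query(name: str, qtype: str, txid: int = TXID) -> bytes:
    """One-question query with RD set; the name goes out exactly as given (no search suffix)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE[qtype], 1)


def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, jumped = [], off, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                        # compression pointer
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if jumped else off)


def parse_response(msg: bytes) -> dict:
    """Return rcode, decoded answers, and a NODATA flag (NOERROR but no answers)."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                              # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == 1:
            answers.append(("A", str(ipaddress.IPv4Address(rdata))))
        elif rtype == 28:
            answers.append(("AAAA", str(ipaddress.IPv6Address(rdata))))
        elif rtype == 12:
            answers.append(("PTR", _read_name(msg, off)[0]))
        off += rdlen
    rcode = RCODE.get(flags & 0xF, str(flags & 0xF))
    return {"id": txid, "rcode": rcode, "answers": answers,
            "nodata": rcode == "NOERROR" and not answers}


def directed_query(server: str, name: str, qtype: str, timeout: float = 2.0) -> dict:
    """Send the query straight to `server` (IPv4 or IPv6 literal) on UDP/53 and parse the reply."""
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        data, _ = s.recvfrom(4096)
    reply = parse_response(data)
    if reply["id"] != TXID:
        raise ValueError("transaction id mismatch: not the answer to our query")
    return reply


def check_resolver(server: str, name: str) -> dict:
    """The three checks from the thread: the NS's own PTR, then A and AAAA for the FQDN."""
    return {
        "self_ptr": directed_query(server, reverse_name(server), "PTR"),
        "A": directed_query(server, name, "A"),
        "AAAA": directed_query(server, name, "AAAA"),
    }


if __name__ == "__main__":
    for check, reply in check_resolver(RESOLVER, FQDN).items():
        status = "NODATA" if reply["nodata"] else reply["rcode"]
        print(f"{check:8s} {status:9s} {reply['answers']}")
```

Run it once with RESOLVER set to the pfSense LAN IPv4 address and once with the LAN IPv6 address the clients received through RA. If both return the host override's A record, Unbound has the record and the problem is on the client side (search domain, address selection, or mDNS); if the A query returns NXDOMAIN, the override is in the wrong service or under a different name; an AAAA reply that is NODATA rather than NXDOMAIN is the normal result for a v4-only NAS. A NXDOMAIN for the resolver's own PTR is the symptom johnpoz describes above and suggests the address you queried is not answered by Unbound on pfSense.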
-
What magic button is best and easiest to simply disable IPv6 in PF :), keeping everything else in place so that, like you said, I can just turn it on and off for testing?
-
@ngr2001 Simple: just turn off RA and DHCPv6. Now it's not possible for your clients to get an IPv6 address, even though pfSense still has one on its interface via tracking.
Edit: I got sidetracked with real work ;)
You could then just manually set up specific clients to use whatever your tracked LAN network is. The only problem is if that changes all the time. I think there is a setting you can do in pfSense DHCP that grabs the prefix to not release it, etc. So you're way more likely to not see your prefix change.