DNS help! ***SOLVED***



  • I'm new to pfsense and I'm trying to set this up as a router, firewall, dns, dhcp, and internal web server.  My question lies with DNS.  I currently have 1 wan interface.  Its IP is dynamically set by the ISP.  I do not want to use the isp dns servers, so in the general setup I specified OpenDns servers.  From there, I'm not sure what to set.  I want pfsense to use opendns, not assign the dns servers via dhcp (dns = pfsense box), and be able to specify hostnames and their ips, such as this internal web server.  I don't want to have to know the ip address.  Is there a way to do this, or am I going about this incorrectly?  When I visit the OpenDns website, it says I'm not using OpenDns.  So I guess what dns servers am I using?  Let me know!



  • If I understand your question right, your server is using OpenDNS; you want your clients to use OpenDNS also?  If they are on DHCP then have it provide that info when they get an IP, as the default dns server.

    Or, better yet; setup a caching DNS server on your box and set them to that.  Query local instead of going out to the internet each time.



  • Alright, and how do I set that up?



  • On the pfSense box itself configure it to use the OpenDNS servers and not be overridden by the DHCP leases given out by your ISP.  Turn on the DNS forwarder on pfSense and ensure all your LAN clients use pfSense as their DNS server.  Use overrides on the DNS forwarder if you need pfSense to hand out LAN IP addresses for internal systems.



  • that's how I had it set up originally.  When I do that, I get no internet.  I just did it again to verify, same thing.  For some reason I have to assign the open dns ips to the dhcp clients, which isn't what I want to do.  Thoughts?  If I do a ping (example.com), it never resolves.



  • Do I need a firewall rule to allow dns requests to go out and in?



  • Suggestion: On pfSense console (or ssh session) try

    dig www.google.com

    ping -c 2 www.google.com

    
    You should see something like this:
    # dig www.google.com
    
    ; <<>> DiG 9.4.3-P2 <<>> www.google.com
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11823
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;www.google.com. IN A
    
    ;; ANSWER SECTION:
    www.google.com. 604419 IN CNAME www.l.google.com.
    www.l.google.com. 298 IN A 66.102.7.99
    www.l.google.com. 298 IN A 66.102.7.104
    
    ;; Query time: 225 msec
    ;; SERVER: 208.67.222.222#53(208.67.222.222)
    ;; WHEN: Mon Aug 16 18:19:21 2010
    ;; MSG SIZE  rcvd: 84
    
    # ping -c 2 www.google.com
    PING www.l.google.com (66.102.7.104): 56 data bytes
    64 bytes from 66.102.7.104: icmp_seq=0 ttl=54 time=255.125 ms
    64 bytes from 66.102.7.104: icmp_seq=1 ttl=54 time=266.673 ms
    
    --- www.l.google.com ping statistics ---
    2 packets transmitted, 2 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 255.125/260.899/266.673/5.774 ms
    #
    
    If you don't see something like what I provided above you probably have the name server in pfSense configured incorrectly.
    
    If that much is correct, you should check name service communication from the clients. The DHCP clients should be using the pfSense box as the name server and the other pfSense settings should be as described earlier in this thread. The default firewall rules don't block name server access so firewall rules shouldn't be contributing to your problem unless you have messed with the firewall rules.
    
    What version of pfSense are you using?


  • In general setup, I have the domain set to local, the dns servers set to (208.67.222.222, 208.67.220.220).  The allow override check box is NOT checked.  Under DNS forwarder, I have enabled the forwarder, but left the 2 other boxes unchecked and have specified no overrides.  I do not see what you do when I perform dig www.google.com.  Here is what I see:

    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 9638
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;www.google.com.            IN      A
    
    ;; Query time: 1 msec
    ;; SERVER: 192.168.0.1#53(192.168.0.1)
    ;; WHEN: Mon Aug 16 03:46:02 2010
    ;; MSG SIZE rcvd: 32
    

    Am I seeing that I was refused a dns response?

    I am using version 1.2.3 btw.  Sorry I didn't specify that sooner!



  • Where did you do this?

    The DNS query apparently went to 192.168.0.1. What is that system? Why did the request go there?



  • I did this on the pfsense box.  That is the address for the pfsense box.  I have no idea why it went there.



  • @tubaguy50035:

    I did this on the pfsense box.  That is the address for the pfsense box.  I have no idea why it went there.

    But what address of the pfSense box? Your pfSense box should have at least two distinct IP addresses: one on the WAN and one on the LAN interface. Please provide the output of the pfSense shell command:

     # ifconfig -a
    

    It's not clear you have a valid configuration.



  • That is the lan interface's ip.  The wan is set dynamically by the isp to 209.something something.

    
    xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
         options=9<RXCSUM,VLAN_MTU>
         ether 00:50:da:2c:57:a5
         inet6 fe80::250:daff:fe2c:57a5%xl0 prefixlen 64 scopeid 0x1
         inet 206.127.183.149 netmask 0xffffffc0 broadcast 206.127.183.191
         media: Ethernet autoselect (100baseTX <full-duplex>)
         status: active
    xl1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
         options=9<RXCSUM,VLAN_MTU>
         ether 00:01:02:29:a4:c1
         media: Ethernet autoselect (100baseTX <full-duplex>)
         status: active  (This is my optional interface for future use.  It is currently disabled in the web gui)
    fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
         options=8<VLAN_MTU>
         ether 00:0c:f1:7c:99:a2
         inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
         inet6 fe80::20c:f1ff:fe7c:99a2%fxp0 prefixlen 64 scopeid 0x3
         media: Ethernet autoselect (100baseTX <full-duplex>)
         status: active
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
         inet 127.0.0.1 netmask 0xff000000
         inet6 ::1 prefixlen 128
         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
    enc0: flags=0<> metric 0 mtu 1536
    pfsync0: flags=41<UP,RUNNING> metric 0 mtu 1460
         pfsync: syncdev: lo0 syncpeer: 224.0.0.240 maxupd: 128
    pflog0: flags=100<PROMISC> metric 0 mtu 33204
    


  • IP addresses look OK.

    Somehow you have configured pfSense so that it thinks the IP address of the name server is the IP address of the LAN interface. pfSense should think the IP address of the name server is one of the OpenDNS name server addresses.

    DHCP clients of pfSense should think the IP address of the upstream pfSense interface is the address of the name server.

    I'll be back in about an hour - I need to go for dinner. Maybe you could check everything in pfSense, reboot and see if pfSense gets a better IP of the name server IP address. (Maybe in changing settings you didn't correctly unwind things.)



  • I've reinstalled everything and it seems to be working, but not at the same time.  OpenDns tells me I'm not using OpenDns, a dig on www.google.com yields a bunch of answers, authorities and additional name server ips.  But this came from the server 69.5.139.3…?  A dig on facebook.com yields information from the same server.  Any idea what's going on with this?



  • On my Linux system, # nslookup 69.5.139.3
    says that host is ns1.icsincorporated.com. Going to http://www.icsincorporated.com suggests ICS Incorporated is an ISP. Your ISP? It looks as if you haven't successfully discouraged pfSense from letting your ISP tell you what name server(s) to use.



  • ah yes.  I forgot to uncheck the box that allows dhcp to override the dns servers.  So now I'm getting answers from 208.67.222.222!  Perfect!  Thank you!
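The dig check suggested earlier in this thread, and the three kinds of answer that turned up in it (REFUSED from the LAN address, NOERROR from the ISP's resolver while the DHCP override box was still checked, and finally NOERROR from OpenDNS), as an added example that is not from any poster here: it parses dig's header and SERVER lines and tells you which case you are in. The sample dig outputs are constructed, abridged copies of what was posted above; on a real pfSense console you would pipe live `dig` output into `classify_dig` instead.

```shell
#!/bin/sh
# Added example, not from the thread. Reads dig output on stdin, extracts the
# response status and the answering server, and checks the server against the
# resolvers configured in General Setup.
EXPECTED_RESOLVERS="208.67.222.222 208.67.220.220"   # OpenDNS, as set in the thread

# dig_status: pull "REFUSED" / "NOERROR" / ... out of the ;; ->>HEADER<<- line.
dig_status() {
    sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1
}

# dig_server: pull the IP out of ";; SERVER: 1.2.3.4#53(1.2.3.4)".
dig_server() {
    sed -n 's/^;; SERVER: \([0-9.]*\)#.*/\1/p' | head -n 1
}

# classify_dig: prints one line:
#   OK <server>              NOERROR from one of the expected resolvers
#   WRONG_RESOLVER <server>  NOERROR, but from somewhere else (e.g. the ISP's
#                            resolver because "allow DHCP override" is still on)
#   <status> <server>        anything else, e.g. REFUSED from the LAN address,
#                            which means pfSense is asking itself and forwarding nowhere
classify_dig() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | dig_status)
    server=$(printf '%s\n' "$out" | dig_server)
    if [ "$status" != "NOERROR" ]; then
        echo "${status:-NO_STATUS} $server"
        return 0
    fi
    for r in $EXPECTED_RESOLVERS; do
        if [ "$r" = "$server" ]; then
            echo "OK $server"
            return 0
        fi
    done
    echo "WRONG_RESOLVER $server"
}

# Constructed samples modelled on the dig outputs posted in this thread (abridged).
SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 9638
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; SERVER: 192.168.0.1#53(192.168.0.1)'
SAMPLE_ISP=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; SERVER: 69.5.139.3#53(69.5.139.3)'
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11823
;; ANSWER SECTION:
www.l.google.com. 298 IN A 66.102.7.99
;; SERVER: 208.67.222.222#53(208.67.222.222)'

for s in "$SAMPLE_REFUSED" "$SAMPLE_ISP" "$SAMPLE_OK"; do
    printf '%s\n' "$s" | classify_dig
done
```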

