TinyDNS(dnscache) access across subnets



  • First off I am working on 2.0 RC1 with the dns-server(TinyDNS) package.

    My end goal is to set up a pfSense router/gateway that supports communication with a Windows domain controller. As a starting point I am trying to get a simple pfSense test setup where I have multiple subnets.

    PUBLIC=172.16.0.0
    PRIVATE=172.20.0.0
    SECURE=172.30.0.0

    My test environment is running under VMware with each subnet on a different virtual NIC which is connected to a different host network for each.  My test client is a simple debian installation with a single NIC.  For testing I reassign the NIC to the host network I want to test.

    I set up the DHCP server to set the client's DNS to 172.30.0.1.

    So I have disabled the built-in DNS forwarder and set up TinyDNS to use the recursive caching resolver (dnscache). dnscache is set up to listen on the SECURE interface. I then set up two firewall rules, one allowing SECURE to ANY and one allowing PRIVATE to SECURE only for 172.30.0.1 and port 53. I set both these rules to log so I could see them in action.

    Now, if I do a dig from the shell on the router I get an answer.  If I then connect my test client to the SECURE network, I can also do a dig and get an answer.  If I then move the client to the PRIVATE network and do a dig I get:

    root@debian:~# cat /etc/resolv.conf
    domain localdomain
    search localdomain
    nameserver 172.30.0.1
    root@debian:~# dig www.google.com
    
    ; <<>> DiG 9.7.2-P3 <<>> www.google.com
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached
    root@debian:~#
    
    

    When I check the firewall log I get this:

    @80 pass in log quick on le6 inet proto udp from 172.20.0.0/16 to 172.30.0.1 port = domain keep state label "USER_RULE: Default allow PRIVATE to SECURE nameserver "
    

    So the firewall is allowing the traffic, but it seems the dnscache instance isn't responding to it. My only thought is that dnscache can't respond to traffic that is routed through the firewall, only to traffic that comes in directly?

    Any help is appreciated, I have spent a couple days trying to get this working.
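A check worth running on a setup like this, added here as an example and not part of the original post: dnscache answers a query only when the client's address matches an entry in the `ip/` directory of its service directory, where a file named after a dotted prefix (for example `ip/172.30`) admits the whole 172.30.0.0/16 block; queries from addresses that match no entry are dropped silently, so a firewall "pass" on UDP 53 says nothing about whether the resolver will reply. This is also what keeps the resolver from answering networks it was never meant to serve, so only the intended subnets should be admitted. The script below emulates that prefix lookup against a constructed service directory mirroring the post's subnets; the location of the real dnscache service directory on pfSense is not given here and is an assumption the caller supplies.

```shell
#!/bin/sh
# Added example, not code from the original post or from the pfSense package.
# Emulates the client check dnscache performs before answering: it looks under
# $ROOT/ip/ for a file named after the client address or one of its dotted
# prefixes ("ip/172.30" covers 172.30.0.0/16). No match means the query is
# ignored, however the firewall treated the packet.

# Print the ip/ entry that admits client $2 under service directory $1 and
# return 0; print nothing and return 1 if dnscache would ignore the client.
dnscache_matching_entry() {
    root="$1"
    prefix="$2"
    while [ -n "$prefix" ]; do
        if [ -e "$root/ip/$prefix" ]; then
            echo "$prefix"
            return 0
        fi
        case "$prefix" in
            *.*) prefix="${prefix%.*}" ;;   # drop the last octet, try the shorter prefix
            *)   prefix="" ;;               # single octet already tried: give up
        esac
    done
    return 1
}

# Convenience wrapper: 0 if the client would be answered, 1 otherwise.
dnscache_client_allowed() {
    [ -n "$(dnscache_matching_entry "$1" "$2")" ]
}

# Constructed sample service directory (assumption: mirrors the post's layout).
# Only the router itself and the SECURE subnet have been admitted; the PRIVATE
# subnet (172.20.0.0/16) has no entry.
DEMO_ROOT=$(mktemp -d)
mkdir -p "$DEMO_ROOT/ip"
touch "$DEMO_ROOT/ip/127.0.0.1" "$DEMO_ROOT/ip/172.30"

# Report what dnscache would do with a query from $1.
report_client() {
    if dnscache_client_allowed "$DEMO_ROOT" "$1"; then
        echo "$1: answered (matches ip/$(dnscache_matching_entry "$DEMO_ROOT" "$1"))"
    else
        echo "$1: ignored (no matching entry under ip/)"
    fi
}

report_client 127.0.0.1     # dig run on the router itself
report_client 172.30.0.50   # test client on the SECURE network
report_client 172.20.0.50   # test client on the PRIVATE network
```

To admit a further subnet, create the matching prefix file (for 172.20.0.0/16 that is a single empty file named `ip/172.20`); dnscache consults the directory for each query, so the change applies to the running service. Keep the admitted prefixes to the networks that are supposed to use the resolver, since every entry widens who can query it.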

