Netgate Discussion Forum

    TinyDNS(dnscache) access across subnets

    Posted in DHCP and DNS by taylorjonl

      First off, I am working on 2.0 RC1 with the dns-server (TinyDNS) package.

      My end goal is to set up a pfSense router/gateway that supports communication with a Windows domain controller. As a starting point I am trying to get a simple pfSense test setup where I have multiple subnets.

      PUBLIC=172.16.0.0
      PRIVATE=172.20.0.0
      SECURE=172.30.0.0

      My test environment is running under VMware with each subnet on a different virtual NIC, each connected to a different host network. My test client is a simple Debian installation with a single NIC. For testing I reassign the NIC to the host network I want to test.

      I set up the DHCP server to set the clients' DNS to 172.30.0.1.

      So I have disabled the built-in DNS forwarder and set up TinyDNS to use the recursive caching resolver (dnscache). dnscache is set up to listen on the SECURE interface. I then set up two firewall rules, one allowing SECURE to ANY and one allowing PRIVATE to SECURE only for 172.30.0.1 and port 53. I set both these rules to log so I could see them in action.

      Now, if I do a dig from the shell on the router I get an answer. If I then connect my test client to the SECURE network, I can also do a dig and get an answer. If I then move the client to the PRIVATE network and do a dig I get:

      root@debian:~# cat /etc/resolv.conf
      domain localdomain
      search localdomain
      nameserver 172.30.0.1
      root@debian:~# dig www.google.com
      
      ; <<>> DiG 9.7.2-P3 <<>> www.google.com
      ;; global options: +cmd
      ;; connection timed out; no servers could be reached
      root@debian:~#

      When I check the firewall log I get this:

      @80 pass in log quick on le6 inet proto udp from 172.20.0.0/16 to 172.30.0.1 port = domain keep state label "USER_RULE: Default allow PRIVATE to SECURE nameserver "

      So the firewall is allowing the traffic, but it seems the dnscache instance isn't responding to it. My only thought is that dnscache can't respond to traffic that is routed from the firewall, only traffic that comes in directly?

      Any help is appreciated; I have spent a couple of days trying to get this working.
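      Added check, not part of the original post: the symptom above (pf logs a pass, dig times out) is exactly what a client sees when dnscache itself refuses to answer it. Stock dnscache only answers clients whose address, or a dotted prefix of it, exists as a file name under its root's ip/ directory (e.g. ip/172.30 covers 172.30.*.*), and it silently ignores everyone else. The script below reproduces that prefix walk so you can test a client address against a dnscache root; the demo directory and the assumption that the pfSense package keeps the standard root/ip/ layout are mine.

```shell
#!/bin/sh
# Emulate dnscache's client check: strip one trailing octet at a time from
# the client IP and look for a matching file name under $root/ip/.
# Returns 0 (would answer) or 1 (query silently dropped).
dnscache_allows() {
    root="$1"
    name="$2"
    while :; do
        [ -e "$root/ip/$name" ] && return 0
        case "$name" in
            *.*) name="${name%.*}" ;;   # 172.20.0.55 -> 172.20.0 -> 172.20 -> 172
            *)   return 1 ;;            # nothing left to strip: not allowed
        esac
    done
}

# Constructed demo root mirroring the thread's subnets: only SECURE is listed.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/ip"
touch "$demo_root/ip/172.30"
# No ip/172.20 (PRIVATE) or ip/172.16 (PUBLIC) entry.

report() {
    if dnscache_allows "$demo_root" "$1"; then
        echo "$1: dnscache would answer"
    else
        echo "$1: dnscache would drop the query silently (dig times out)"
    fi
}

report 172.30.0.55   # SECURE client: answered
report 172.20.0.55   # PRIVATE client: dropped even though pf passed it
rm -rf "$demo_root"
```

      On a real pfSense box, point the first argument at the dnscache root directory the package uses and the second at the querying client's address.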

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.