4. TinyDNS(dnscache) access across subnets

TinyDNS(dnscache) access across subnets

  • T

    First off I am working on 2.0 RC1 with the dns-server(TinyDNS) package.

    My end goal is to setup a pfSense router/gateway that supports communication with a windows domain controller.  As a starting point I am trying to get a simple pfSense test setup where I have multiple subnets.

    PUBLIC=172.16.0.0
    PRIVATE=172.20.0.0
    SECURE=172.30.0.0

    My test environment is running under VMware with each subnet on a different virtual NIC which is connected to a different host network for each.  My test client is a simple debian installation with a single NIC.  For testing I reassign the NIC to the host network I want to test.

    I setup the DHCP server to set the clients DNS to 172.30.0.1.

    So I have disabled the built in DNS forwarder and setup TinyDNS to use the recursive caching resolver(dnscache).  dnscache is setup to listen on the SECURE interface.  I then setup two firewall rules, one allowing SECURE to ANY and then one allowing PRIVATE to SECURE only for 172.30.0.1 and port 53.  I set both these rules to log so I could see them in action.

    Now, if I do a dig from the shell on the router I get an answer.  If I then connect my test client to the SECURE network, I can also do a dig and get an answer.  If I then move the client to the PRIVATE network and do a dig I get:

    root@debian:~# cat /etc/resolv.conf
domain localdomain
search localdomain
nameserver 172.30.0.1
root@debian:~# dig www.google.com

; <<>> DiG 9.7.2-P3 <<>> www.google.com
;; global options: +cmd
;; connection timed out; no servers could be reached
root@debian:~#

    When I check the firewall log I get this:

    @80 pass in log quick on le6 inet proto udp from 172.20.0.0/16 to 172.30.0.1 port = domain keep state label "USER_RULE: Default allow PRIVATE to SECURE nameserver "

    So the firewall is allowing the traffic but it seems the dnscache instance isn't responding to it.  My only thought is that dnscache can't respond to traffic that is routed from the firewall only traffic that comes directly?

    Any help is appreciated, I have spent a couple days trying to get this working.

    0
Locked
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy