Pfsense 2.0 - DNS Forwarder not running queries for internal IPs?
I think this may be a bug but it may be intentional hence why i want to ask here.
My network setup is that we have a RFC 1918 subnet for our LAN that goes into PFsense. We then have a public subnet on another interface which our ISP routes to PFsense's WAN interface. PFsense has its DNS servers in the General Setup tab to query our Domain Controller in the public subnet.
What I have noticed is that whenever a client in the LAN subnet queries the PFsense DNS Forwarder for a record which has a LAN Ip address it fails but anything with a public IP works. E.g.
But run a similar thing for a private address and it doesn't work yet pfsense can ping that address fine:
*** No internal type for both IPv4 and IPv6 Addresses (A+AAAA) records available
PING computer13.pbs.local (10.2.253.231) from 10.2.253.1: 56 data bytes
64 bytes from 10.2.253.231: icmp_seq=0 ttl=128 time=0.236 ms
64 bytes from 10.2.253.231: icmp_seq=1 ttl=128 time=0.273 ms
64 bytes from 10.2.253.231: icmp_seq=2 ttl=128 time=0.234 ms
–- computer13.pbs.local ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.234/0.248/0.273/0.018 ms
Is this a bug or should DNS forwarder not pass on RFC 1918 addresses to clients?
I believe that is the DNS rebinding protection kicking in, the DNS forwarder doesn't like to return private IPs for queries from upstream servers since that is a possible attack vector.
I know you can disable the GUI's DNS rebinding protection from under System > Advanced on the Admin tab, but I don't remember if that same setting also deactivates the rebinding protection in dnsmasq.
Thanks, I had the same problem and unchecking DNS Rebind Check fixed it. It only surfaced though after we implemented a squid proxy and forced all traffic through it (using a wpad.dat file). I suppose that before the DNS-requests never reached the PFsense box, but were sent directly to the domain controller?