Pfsense 2.0 - DNS Forwarder not running queries for internal IPs?


  • Hey guys,
    I think this may be a bug, but it may be intentional, hence why I want to ask here.

    My network setup is that we have an RFC 1918 subnet for our LAN that goes into pfSense. We then have a public subnet on another interface, which our ISP routes to pfSense's WAN interface. pfSense has its DNS servers in the General Setup tab set to query our Domain Controller in the public subnet.

    What I have noticed is that whenever a client in the LAN subnet queries the pfSense DNS Forwarder for a record which has a LAN IP address it fails, but anything with a public IP works. E.g.:

    C:\Users\jonathan>nslookup domaincontroller.pbs.local
    Server:  oceanus.pbs.local
    Address:  10.2.253.1

    Non-authoritative answer:
    Name:    apollo.pbs.local
    Address:  60.234.28.164

    But run a similar thing for a private address and it doesn't work, yet pfSense can ping that address fine:

    C:\Users\jonathan>nslookup computer13.pbs.local
    Server:  oceanus.pbs.local
    Address:  10.2.253.1

    *** No internal type for both IPv4 and IPv6 Addresses (A+AAAA) records available
    for computer13.pbs.local

    pfSense ping:

    PING computer13.pbs.local (10.2.253.231) from 10.2.253.1: 56 data bytes
    64 bytes from 10.2.253.231: icmp_seq=0 ttl=128 time=0.236 ms
    64 bytes from 10.2.253.231: icmp_seq=1 ttl=128 time=0.273 ms
    64 bytes from 10.2.253.231: icmp_seq=2 ttl=128 time=0.234 ms

    --- computer13.pbs.local ping statistics ---
    3 packets transmitted, 3 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 0.234/0.248/0.273/0.018 ms

    Is this a bug, or should the DNS Forwarder not pass on RFC 1918 addresses to clients?

  • Rebel Alliance Developer Netgate

    I believe that is the DNS rebinding protection kicking in; the DNS Forwarder doesn't like to return private IPs for queries from upstream servers, since that is a possible attack vector.

    I know you can disable the GUI's DNS rebinding protection from under System > Advanced on the Admin tab, but I don't remember if that same setting also deactivates the rebinding protection in dnsmasq.
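The behaviour described in the reply above, as an added example that is not from the original thread or from the pfSense/dnsmasq code: a small Python model of a rebind-protected forwarder, modelled on dnsmasq's `stop-dns-rebind` (drop upstream answers that point at private or local addresses) and `rebind-domain-ok` (exempt named zones from the check). The exact set of blocked ranges, the sample replies for apollo and computer13, and the function names are assumptions made for illustration.

```python
"""Model of dnsmasq-style DNS rebinding protection.

Assumed semantics (this is an illustration, not dnsmasq's code):
  stop-dns-rebind    -> answers from an upstream resolver that contain a
                        private/loopback/link-local address are dropped.
  rebind-domain-ok   -> /zone/ entries whose names (and subdomains) are
                        exempt from that check, e.g. an internal AD zone.
"""
import ipaddress

# Address ranges a rebind-protected forwarder refuses to relay from upstream.
# Assumed list: RFC 1918, loopback, 0.0.0.0/8, link-local, IPv6 loopback,
# link-local and ULA.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fe80::/10", "fc00::/7",
)]


def is_blocked_address(addr: str) -> bool:
    """True if addr falls inside one of the blocked ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BLOCKED_NETS)


def domain_allowed(name: str, ok_domains) -> bool:
    """rebind-domain-ok semantics: name equals, or is a subdomain of, an entry.

    Entries may be written dnsmasq-style as "/pbs.local/".
    """
    name = name.rstrip(".").lower()
    for entry in ok_domains:
        zone = entry.strip("/").rstrip(".").lower()
        if name == zone or name.endswith("." + zone):
            return True
    return False


def filter_response(qname, answers, stop_dns_rebind=True, rebind_domain_ok=()):
    """Decide what the forwarder hands back to the LAN client.

    answers is a list of (rtype, rdata) tuples as received from upstream.
    Returns (answers_to_client, reason); an empty list means the reply was
    dropped, which the client experiences as a failed lookup.
    """
    if not stop_dns_rebind or domain_allowed(qname, rebind_domain_ok):
        return list(answers), "passed"
    for rtype, rdata in answers:
        if rtype in ("A", "AAAA") and is_blocked_address(rdata):
            return [], f"dropped: possible DNS-rebind ({qname} -> {rdata})"
    return list(answers), "passed"


# Constructed upstream replies mirroring the two lookups in the thread.
UPSTREAM_REPLIES = {
    "apollo.pbs.local": [("A", "60.234.28.164")],     # public, always relayed
    "computer13.pbs.local": [("A", "10.2.253.231")],  # RFC 1918, hits the check
}


def demo():
    """Run each sample reply through the three configurations discussed."""
    results = {}
    for name, rrs in UPSTREAM_REPLIES.items():
        results[(name, "default")] = filter_response(name, rrs)
        results[(name, "zone-exempt")] = filter_response(
            name, rrs, rebind_domain_ok=["/pbs.local/"])
        results[(name, "check-disabled")] = filter_response(
            name, rrs, stop_dns_rebind=False)
    return results


if __name__ == "__main__":
    for (name, mode), (rrs, reason) in demo().items():
        print(f"{name:24s} {mode:15s} {reason}")
```

Running it shows the public answer for apollo passing in every mode, while the 10.2.253.231 answer for computer13 is dropped with the default settings and relayed only when the check is disabled outright or pbs.local is exempted. The exemption is the narrower fix: dnsmasq's `rebind-domain-ok=/pbs.local/` keeps rebinding protection for every other zone. Whether a given pfSense build exposes a field for custom dnsmasq options, and whether its GUI checkbox reaches dnsmasq at all, is not something this example can confirm.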


  • Thanks, I had the same problem and unchecking DNS Rebind Check fixed it. It only surfaced, though, after we implemented a Squid proxy and forced all traffic through it (using a wpad.dat file). I suppose that before, the DNS requests never reached the pfSense box, but were sent directly to the domain controller?