Pfsense 2.0 - DNS Forwarder not running queries for internal IPs?

DHCP and DNS
Log in to reply
  • Z

    Hey guys,
    I think this may be a bug but it may be intentional hence why i want to ask here.

    My network setup is that we have a RFC 1918 subnet for our LAN that goes into PFsense. We then have a public subnet on another interface which our ISP routes to PFsense's WAN interface. PFsense has its DNS servers in the General Setup tab to query our Domain Controller in the public subnet.

    What I have noticed is that whenever a client in the LAN subnet queries the PFsense DNS Forwarder for a record which has a LAN Ip address it fails but anything with a public IP works. E.g.

    C:\Users\jonathan>nslookup domaincontroller.pbs.local
    Server:  oceanus.pbs.local
    Address:  10.2.253.1

    Non-authoritative answer:
    Name:    apollo.pbs.local
    Address:  60.234.28.164

    But run a similar thing for a private address and it doesn't work yet pfsense can ping that address fine:

    C:\Users\jonathan>nslookup computer13.pbs.local
    Server:  oceanus.pbs.local
    Address:  10.2.253.1

    *** No internal type for both IPv4 and IPv6 Addresses (A+AAAA) records available
    for computer13.pbs.local

    PFSENSE Ping:

    PING computer13.pbs.local (10.2.253.231) from 10.2.253.1: 56 data bytes
    64 bytes from 10.2.253.231: icmp_seq=0 ttl=128 time=0.236 ms
    64 bytes from 10.2.253.231: icmp_seq=1 ttl=128 time=0.273 ms
    64 bytes from 10.2.253.231: icmp_seq=2 ttl=128 time=0.234 ms

    –- computer13.pbs.local ping statistics ---
    3 packets transmitted, 3 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 0.234/0.248/0.273/0.018 ms

    Is this a bug or should DNS forwarder not pass on RFC 1918 addresses to clients?

    0
  • jimp
    Rebel Alliance Developer Netgate

    I believe that is the DNS rebinding protection kicking in, the DNS forwarder doesn't like to return private IPs for queries from upstream servers since that is a possible attack vector.

    I know you can disable the GUI's DNS rebinding protection from under System > Advanced on the Admin tab, but I don't remember if that same setting also deactivates the rebinding protection in dnsmasq.

    2
  • O

    Thanks, I had the same problem and unchecking DNS Rebind Check fixed it. It only surfaced though after we implemented a squid proxy and forced all traffic through it (using a wpad.dat file). I suppose that before the DNS-requests never reached the PFsense box, but were sent directly to the domain controller?

    0

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy