Netgate Discussion Forum
    Pfsense 2.0 - DNS Forwarder not running queries for internal IPs?

    Category: DHCP and DNS
    Zeon

      Hey guys,
      I think this may be a bug, but it may be intentional, which is why I want to ask here.

      My network setup is that we have an RFC 1918 subnet for our LAN that goes into pfSense. We then have a public subnet on another interface which our ISP routes to pfSense's WAN interface. pfSense has its DNS servers in the General Setup tab set to query our Domain Controller in the public subnet.

      What I have noticed is that whenever a client in the LAN subnet queries the pfSense DNS Forwarder for a record which has a LAN IP address it fails, but anything with a public IP works. E.g.

      C:\Users\jonathan>nslookup domaincontroller.pbs.local
      Server:  oceanus.pbs.local
      Address:  10.2.253.1

      Non-authoritative answer:
      Name:    apollo.pbs.local
      Address:  60.234.28.164

      But run a similar thing for a private address and it doesn't work, yet pfSense can ping that address fine:

      C:\Users\jonathan>nslookup computer13.pbs.local
      Server:  oceanus.pbs.local
      Address:  10.2.253.1

      *** No internal type for both IPv4 and IPv6 Addresses (A+AAAA) records available
      for computer13.pbs.local

      pfSense ping:

      PING computer13.pbs.local (10.2.253.231) from 10.2.253.1: 56 data bytes
      64 bytes from 10.2.253.231: icmp_seq=0 ttl=128 time=0.236 ms
      64 bytes from 10.2.253.231: icmp_seq=1 ttl=128 time=0.273 ms
      64 bytes from 10.2.253.231: icmp_seq=2 ttl=128 time=0.234 ms

      --- computer13.pbs.local ping statistics ---
      3 packets transmitted, 3 packets received, 0.0% packet loss
      round-trip min/avg/max/stddev = 0.234/0.248/0.273/0.018 ms

      Is this a bug, or should the DNS Forwarder not pass on RFC 1918 addresses to clients?

      jimp (Netgate developer)

        I believe that is the DNS rebinding protection kicking in, the DNS forwarder doesn't like to return private IPs for queries from upstream servers since that is a possible attack vector.

        I know you can disable the GUI's DNS rebinding protection from under System > Advanced on the Admin tab, but I don't remember if that same setting also deactivates the rebinding protection in dnsmasq.

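        The check jimp describes is dnsmasq's `stop-dns-rebind` option: an answer that arrives from an upstream server and carries a private (RFC 1918, loopback, link-local) address is dropped, because a public name resolving to an internal address is exactly what a DNS rebinding attack needs. Below is an added example, not code from the thread, from pfSense or from dnsmasq, that models that decision on raw DNS response packets so you can see why `computer13.pbs.local -> 10.2.253.231` is refused while `apollo.pbs.local -> 60.234.28.164` passes. It also models dnsmasq's `rebind-domain-ok` exception, which is the narrower alternative to turning the check off globally: `rebind-domain-ok=/pbs.local/` (entered in the DNS Forwarder's custom options on pfSense) exempts only your own domain and keeps the protection for everything else. The packets are constructed in the block; the exact set of ranges dnsmasq treats as private is an assumption here, so compare it with the dnsmasq man page for your version.

```python
"""Model of dnsmasq's stop-dns-rebind decision on raw DNS responses.

Added example (not from the forum thread, pfSense or dnsmasq). The address
ranges below are an assumption of what dnsmasq treats as "private"; verify
against the man page for the version you run.
"""
import ipaddress
import struct

PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16",      # loopback, "this", link-local
    "::1/128", "fe80::/10", "fc00::/7",                # IPv6 loopback, link-local, ULA
)]

TYPE_A, TYPE_AAAA = 1, 28


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname, answers, txid=0x1234):
    """Construct a DNS response with one question and A/AAAA answers (test data)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    rrs = b""
    for ip_text in answers:
        ip = ipaddress.ip_address(ip_text)
        rtype = TYPE_A if ip.version == 4 else TYPE_AAAA
        # 0xC00C is a compression pointer back to the question name at offset 12.
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(ip.packed)) + ip.packed
    return header + question + rrs


def parse_name(buf, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def answer_addresses(packet):
    """Yield (owner name, ip) for every A/AAAA record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", packet[4:8])
    off = 12
    for _ in range(qdcount):
        _, off = parse_name(packet, off)
        off += 4                                       # qtype + qclass
    for _ in range(ancount):
        name, off = parse_name(packet, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10
        rdata = packet[off:off + rdlen]
        off += rdlen
        if rtype in (TYPE_A, TYPE_AAAA):
            yield name, ipaddress.ip_address(rdata)


def rebind_check(packet, ok_domains=()):
    """Return (accept, reason): reject upstream answers with private addresses,
    unless the owner name falls under a rebind-domain-ok style exception."""
    for name, ip in answer_addresses(packet):
        if not any(ip in net for net in PRIVATE_NETS):
            continue
        if any(name == d or name.endswith("." + d) for d in ok_domains):
            continue
        return False, f"{name} -> {ip} is a private address from upstream"
    return True, "no private addresses in answer"


if __name__ == "__main__":
    # Constructed packets mirroring the two lookups in the original post.
    internal = build_response("computer13.pbs.local", ["10.2.253.231"])
    public = build_response("apollo.pbs.local", ["60.234.28.164"])
    print(rebind_check(internal))                            # rejected
    print(rebind_check(public))                              # accepted
    print(rebind_check(internal, ok_domains=("pbs.local",)))  # accepted via exception
```

Dropping the whole check (pfSense's "Disable DNS Rebinding Checks") makes every upstream server trusted to hand out internal addresses; the `rebind-domain-ok` exception modelled by `ok_domains` is the setting to reach for when only your own zone legitimately contains RFC 1918 records.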
          oebele

          Thanks, I had the same problem and unchecking DNS Rebind Check fixed it. It only surfaced, though, after we implemented a squid proxy and forced all traffic through it (using a wpad.dat file). I suppose that before, the DNS requests never reached the pfSense box but were sent directly to the domain controller?

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.