DNS forwarder odd behaviour for client machine



  • Here's what I have:

    [DNS server] –-- (re0) ---- [pfSense] –-- (re1) ---- [client]

    The pfSense uses the DNS server for DNS, and DNS forwarding is enabled.  If I query an A record from pfSense, it can get the result, however, this is what happens when I query an A record from the client machine:

    re0:
    16:03:20.034966 86:80:9a:4a:76:2c > 5c:5e:ab:8c:da:86, ethertype IPv4 (0x0800), length 81: (tos 0x0, ttl 64, id 43451, offset 0, flags [none], proto UDP (17), length 67, bad cksum 0 (->ee7)!)
        [[color=blue]pfSense IP].52435 > [[color=blue]DNS IP].53: [udp sum ok] 12933+ A? my.domain.com. (39)
    16:03:20.036806 5c:5e:ab:8c:da:86 > 86:80:9a:4a:76:2c, ethertype IPv4 (0x0800), length 97: (tos 0x0, ttl 64, id 59448, offset 0, flags [none], proto UDP (17), length 83)
        [[color=blue]DNS IP].53 > [[color=blue]pfSense IP].52435: [udp sum ok] 12933- q: A? my.domain.com. 1/0/0 my.domain.com. A 10.9.160.6 (55)

    re1:
    16:00:47.038160 16:41:b3:f2:30:b8 > 42:69:9e:44:2c:d2, ethertype IPv4 (0x0800), length 81: (tos 0x0, ttl 64, id 25271, offset 0, flags [none], proto UDP (17), length 67)
        [[color=blue]client IP].48174 > [[color=blue]pfSense IP].53: [udp sum ok] 65321+ A? my.domain.com. (39)
    16:00:47.040565 42:69:9e:44:2c:d2 > 16:41:b3:f2:30:b8, ethertype IPv4 (0x0800), length 81: (tos 0x0, ttl 64, id 24515, offset 0, flags [none], proto UDP (17), length 67, bad cksum 0 (->c18)!)
        [[color=blue]pfSense IP].53 > [[color=blue]client IP].48174: [udp sum ok] 65321 q: A? my.domain.com. 0/0/0 (39)

    In other words…the client is querying pfSense, pfSense is querying the DNS server, the DNS server is returning the DNS record to pfSense, and pfSense is giving an answer, minus the DNS record, to the client machine.

    This seems quite odd to me; can anyone help explain what might be happening?  The client is using 1:1 NAT if that's relevant, I don't think I have any other strange configuration!  (Just virtual IPs and firewall rules.)  I'm using version 2.0-RC3.  I'm not sure if the bad checksums have anything to do with it?

    Thanks in advance


Locked