Netgate Discussion Forum
    DNS forwarder is refusing queries

      Wouter Mense

      I've been having some trouble getting my setup to work properly ever since I started working with pfSense. I have set it up as a filtering bridge with the LAN bridged to WAN. I have enabled the DNS forwarder because I have a webserver on the LAN network. However, the DNS forwarder is refusing my queries. These are the diagnostics I can show you so far:

      Configuration of my local machine on the network. 192.168.1.2 is the LAN address of the pfSense box. 192.168.1.1 is the server:

      This shows that DNS queries are refused by the forwarder:

      The same problems seem to happen locally on the pfSense box too. It can't find updates at all and searching for and downloading packages fails too:
      ![](http://www.pm12.nl/~wouter/unable to check for updates.png)

      This is how I set up what DNS servers the pfSense box uses:
      ![](http://www.pm12.nl/~wouter/general setup.png)

      192.168.1.254 is the LAN address of my modem. Unfortunately it won't allow me to put it in bridge mode, but that's something for me and my ISP ;)

      Here it shows how local addresses are resolved to the webserver.
      ![](http://www.pm12.nl/~wouter/dns forwarder.png)

      And finally I am not blocking outgoing DNS requests with any firewall rule:
      ![](http://www.pm12.nl/~wouter/firewall rules.png)

      So as far as I can tell everything should be set correctly. I'm only asking here because after weeks of tinkering I can't get it to work at all. Any help would be welcome ;)

        johnpoz LAYER 8 Global Moderator

        And can you query those forwarder servers directly?

        Take pfsense out of the picture, just query those servers

        ; <<>> DiG 9.8.1 <<>> @194.134.5.55 www.google.com
        ; (1 server found)
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 9339

        I cannot query those servers either; are those your ISP DNS??

        I show them as
        dns.wanadoo.nl
        dns.euro.net

        Are those the name servers you're supposed to be using?  If you cannot query them from your client directly then it's not an issue with pfSense.

        With nslookup you change servers via the server command, for example:

        
        C:\Windows\System32>nslookup
        Default Server:  pfsense.local.lan
        Address:  192.168.1.253
        
        > server dns.euro.net
        Default Server:  dns.euro.net
        Address:  194.134.5.5
        
        > www.google.com
        Server:  dns.euro.net
        Address:  194.134.5.5
        
        *** dns.euro.net can't find www.google.com: Query refused
        > server 8.8.8.8
        Default Server:  [8.8.8.8]
        Address:  8.8.8.8
        
        > www.google.com
        Server:  [8.8.8.8]
        Address:  8.8.8.8
        
        Non-authoritative answer:
        Name:    www.l.google.com
        Addresses:  74.125.225.48
                  74.125.225.52
                  74.125.225.50
                  74.125.225.49
                  74.125.225.51
        Aliases:  www.google.com
        
        

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          Wouter Mense

          Yes I can query them directly, they are my ISP's DNS servers. Following your guidelines I tried querying them directly through nslookup. Result:

          
          C:\Users\wouter>nslookup
          Default Server:  pfsense.pm12.nl
          Address:  192.168.1.2
          
          > www.google.com
          Server:  pfsense.pm12.nl
          Address:  192.168.1.2
          
          *** pfsense.pm12.nl can't find www.google.com: Query refused
          > server 194.134.5.55
          Default Server:  [194.134.5.55]
          Address:  194.134.5.55
          
          > www.google.com
          Server:  [194.134.5.55]
          Address:  194.134.5.55
          
          Non-authoritative answer:
          Name:    www.google.com.PM12.NL
          Address:  81.71.91.10
          
          > server 8.8.8.8
          Default Server:  google-public-dns-a.google.com
          Address:  8.8.8.8
          
          > www.google.com
          Server:  google-public-dns-a.google.com
          Address:  8.8.8.8
          
          Non-authoritative answer:
          Name:    www.google.com.PM12.NL
          Address:  81.71.91.10
          
          >
          
          
            johnpoz LAYER 8 Global Moderator

            You got something clearly wrong there, and no, it does not seem like you're doing queries to those servers – look at your answers

            www.google.nl
            Server:  dns.wanadoo.nl
            Address:  194.134.5.55

            Non-authoritative answer:
            Name:    www.google.nl.PM12.NL
            Address:  81.71.91.10

            www.google.nl
            Server:  google-public-dns-a.google.com
            Address:  8.8.8.8

            Non-authoritative answer:
            Name:    www.google.nl.PM12.NL
            Address:  81.71.91.10

            Sorry but those are not the right answer for www.google.nl ;)

            These are the right answers

            Non-authoritative answer:
            Name:    www.l.google.com
            Addresses:  74.125.225.50
                      74.125.225.49
                      74.125.225.52
                      74.125.225.48
                      74.125.225.51
            Aliases:  www.google.nl
                      www.google.com

            Put a dot on the end; looks like you're adding some sort of search suffix?

            so like www.google.nl. <--- see the trailing period.

            Why do you have that override domain pm12.nl??  Which it looks like you must have a wildcard set up for?  Cuz it sure should not respond with anything with www.google.nl.pm12.nl as a query.


              Wouter Mense

              My best guess is it has to do with the DNS suffix? No idea where I've set that up though. Let me investigate a bit more.

              
              C:\Users\wouter>ipconfig /all
              
              Windows IP Configuration
              
                 Host Name . . . . . . . . . . . . : WOUTER-PC
                 Primary Dns Suffix  . . . . . . . : PM12.NL
                 Node Type . . . . . . . . . . . . : Hybrid
                 IP Routing Enabled. . . . . . . . : No
                 WINS Proxy Enabled. . . . . . . . : No
                 DNS Suffix Search List. . . . . . : PM12.NL
              
              
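As an added illustration (not code from the thread or from pfSense), the following Python model shows why an unqualified query for www.google.com ends up as www.google.com.PM12.NL and returns the webserver's address: the client's DNS suffix search list is appended before the name is tried as-is, and a wildcard entry for the override domain answers anything underneath it, while a trailing dot bypasses the suffix entirely. The zone contents, upstream table and search list are constructed from the values quoted above; the candidate ordering is a simplified model, not the exact Windows or nslookup algorithm.

```python
# Added model of DNS suffix-search expansion and wildcard override matching.
# Zone, upstream table and search list are constructed from the thread's values;
# the candidate ordering is a simplified model, not the exact Windows algorithm.

def candidate_names(name, search_list):
    """Names a stub resolver tries, in order, for a user-typed name.
    A trailing dot means 'fully qualified': tried as-is, no suffix added.
    Otherwise each search suffix is appended first (what the thread's
    nslookup output shows) and the bare name is tried last."""
    base = name.lower()
    if base.endswith("."):
        return [base]
    suffixed = [f"{base}.{s.lower().rstrip('.')}." for s in search_list]
    return suffixed + [base + "."]

def lookup(qname, zone):
    """Answer an absolute qname from a local zone that may hold a wildcard.
    Walks up the labels so '*.pm12.nl.' answers any name under pm12.nl.,
    which is how a wildcard override for a domain behaves."""
    qname = qname.lower()
    if qname in zone:
        return zone[qname]
    labels = qname.split(".")
    for i in range(1, len(labels) - 1):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in zone:
            return zone[wildcard]
    return None

def resolve(name, search_list, zone, upstream):
    """First candidate that gets an answer wins; returns (name_sent, ip) or None."""
    for cand in candidate_names(name, search_list):
        answer = lookup(cand, zone) or upstream.get(cand)
        if answer:
            return cand, answer
    return None

# Constructed data: wildcard override for the thread's domain pointing at the
# webserver, a stand-in upstream resolver, and the client's suffix from ipconfig.
LOCAL_ZONE = {"pm12.nl.": "81.71.91.10", "*.pm12.nl.": "81.71.91.10"}
UPSTREAM = {"www.google.com.": "74.125.225.48"}
SEARCH_LIST = ["PM12.NL"]

if __name__ == "__main__":
    print(resolve("www.google.com", SEARCH_LIST, LOCAL_ZONE, UPSTREAM))   # wildcard answers
    print(resolve("www.google.com.", SEARCH_LIST, LOCAL_ZONE, UPSTREAM))  # trailing dot: upstream
    print(resolve("www.google.com", [], LOCAL_ZONE, UPSTREAM))           # no suffix list: upstream
```

The same model explains why removing the wildcard (or the PM12.NL suffix from the client) makes the query reach the upstream resolver and return the real answer.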
                chpalmer

                It appears that your wan and lan are on the same subnet.

                Triggering snowflakes one by one..
                Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                  Gertjan

                  Added to that:
                  Your PC says: the gateway is 192.168.1.254
                  pfSense says that the WAN address is 192.168.1.64
                  This is not good at all.

                  As chpalmer said (implies): the WAN interface is probably using DHCP to obtain a "WAN" IP.
                  And it gets 192.168.1.64, which is a non-routing local IP from the modem's LAN side.

                  Best thing to do (best first):
                  Put your modem in PPPoE (bridge) mode.
                  Inform pfSense about the login parameters. pfSense will see a real Internet IP.
                  OR:
                  Change the modem's LAN IP range to 192.168.2.x - give it 192.168.2.1, AND do NOT use "Block private networks" (Interface => WAN, bottom part of the page)
                  OR:
                  Change the LAN IP settings on pfSense.

                  No "help me" PM's please. Use the forum, the community will thank you.
                  Edit: and where are the logs??

                    Wouter Mense

                    @chpalmer:

                    It appears that your wan and lan are on the same subnet.

                    True, I have them bridged.

                    @Gertjan:

                    Added to that:
                    Your PC says: the gateway is 192.168.1.254
                    pfSense says that the WAN address is 192.168.1.64
                    This is not good at all.

                    Ok I might be understanding something fundamentally wrong here. Isn't the gateway supposed to be the modem's LAN address?

                    As chpalmer said (implies): the WAN interface is probably using DHCP to obtain a "WAN" IP.
                    And it gets 192.168.1.64, which is a non-routing local IP from the modem's LAN side.

                    No, this is statically assigned.

                    Best thing to do (best first):
                    Put your modem in PPPoE (bridge) mode.
                    Inform pfSense about the login parameters. pfSense will see a real Internet IP.

                    Unfortunately impossible. ISP does not allow this.

                    Change the modem's LAN IP range to 192.168.2.x - give it 192.168.2.1, AND do NOT use "Block private networks" (Interface => WAN, bottom part of the page)

                    "Block private networks" is off, not blocking.

                    My preference is to keep the pf box in bridged mode to avoid double NAT situations.

                      chpalmer

                      Your box does not appear to be truly in bridge mode.  What does your outbound NAT page look like?


                        Wouter Mense

                        I must admit I never really touched those settings…

                        [image: nat.png - outbound NAT page]

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.