DNS forwarder is refusing queries



  • I've been having some troubles getting my setup to work properly ever since I started working with pfSense. I have set it up as a filtering bridge with the LAN bridged to WAN. I have enabled the DNS forwarder because I have a webserver on the LAN network. However, the DNS forwarder is refusing my queries. These are the diagnostics I can show you so far:

    Configuration of my local machine on the network. 192.168.1.2 is the LAN address of the pfSense box. 192.168.1.1 is the server:

    This shows that DNS queries are refused by the forwarder:

    The same problems seem to happen locally on the pfSense box too. It can't find updates at all and searching for and downloading packages fails too:
    ![](http://www.pm12.nl/~wouter/unable to check for updates.png)

    This is how I set up what DNS servers the pfSense box uses:
    ![](http://www.pm12.nl/~wouter/general setup.png)

    192.168.1.254 is the LAN address of my modem. Unfortunately it won't allow me to put it in bridge mode, but that's something for me and my ISP ;)

    Here it shows how local addresses are resolved to the webserver.
    ![](http://www.pm12.nl/~wouter/dns forwarder.png)

    And finally I am not blocking outgoing DNS requests with any firewall rule:
    ![](http://www.pm12.nl/~wouter/firewall rules.png)

    So as far as I can tell everything should be set correctly. I'm only asking here because after weeks of tinkering I can't get it to work at all. Any help would be welcome ;)


  • LAYER 8 Global Moderator

    And can you query those forwarder servers directly?

    Take pfsense out of the picture, just query those servers

    ; <<>> DiG 9.8.1 <<>> @194.134.5.55 www.google.com
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 9339

    I cannot query those servers either, are those your ISP DNS??

    I show them as
    dns.wanadoo.nl
    dns.euro.net

    Are those the name servers you're supposed to be using?  If you cannot query them from your client directly then it's not an issue with pfsense.

    With nslookup you change servers via the server command, for example:

    
    C:\Windows\System32>nslookup
    Default Server:  pfsense.local.lan
    Address:  192.168.1.253
    
    > server dns.euro.net
    Default Server:  dns.euro.net
    Address:  194.134.5.5
    
    > www.google.com
    Server:  dns.euro.net
    Address:  194.134.5.5
    
    *** dns.euro.net can't find www.google.com: Query refused
    > server 8.8.8.8
    Default Server:  [8.8.8.8]
    Address:  8.8.8.8
    
    > www.google.com
    Server:  [8.8.8.8]
    Address:  8.8.8.8
    
    Non-authoritative answer:
    Name:    www.l.google.com
    Addresses:  74.125.225.48
              74.125.225.52
              74.125.225.50
              74.125.225.49
              74.125.225.51
    Aliases:  www.google.com
    
    


  • Yes I can query them directly, they are my ISP's DNS servers. Following your guidelines I tried querying them directly through nslookup. Result:

    
    C:\Users\wouter>nslookup
    Default Server:  pfsense.pm12.nl
    Address:  192.168.1.2
    
    > www.google.com
    Server:  pfsense.pm12.nl
    Address:  192.168.1.2
    
    *** pfsense.pm12.nl can't find www.google.com: Query refused
    > server 194.134.5.55
    Default Server:  [194.134.5.55]
    Address:  194.134.5.55
    
    > www.google.com
    Server:  [194.134.5.55]
    Address:  194.134.5.55
    
    Non-authoritative answer:
    Name:    www.google.com.PM12.NL
    Address:  81.71.91.10
    
    > server 8.8.8.8
    Default Server:  google-public-dns-a.google.com
    Address:  8.8.8.8
    
    > www.google.com
    Server:  google-public-dns-a.google.com
    Address:  8.8.8.8
    
    Non-authoritative answer:
    Name:    www.google.com.PM12.NL
    Address:  81.71.91.10
    
    >
    
    

  • LAYER 8 Global Moderator

    You've got something clearly wrong there, and no, it does not seem like you're doing queries to those servers – look at your answers

    www.google.nl
    Server:  dns.wanadoo.nl
    Address:  194.134.5.55

    Non-authoritative answer:
    Name:    www.google.nl.PM12.NL
    Address:  81.71.91.10

    www.google.nl
    Server:  google-public-dns-a.google.com
    Address:  8.8.8.8

    Non-authoritative answer:
    Name:    www.google.nl.PM12.NL
    Address:  81.71.91.10

    Sorry but those are not the right answer for www.google.nl ;)

    These are the right answers

    Non-authoritative answer:
    Name:    www.l.google.com
    Addresses:  74.125.225.50
              74.125.225.49
              74.125.225.52
              74.125.225.48
              74.125.225.51
    Aliases:  www.google.nl
              www.google.com

    Put a dot on the end, looks like you're adding some sort of search suffix?

    So like www.google.nl. <--- see the trailing period.

    Why do you have that override domain pm12.nl??  Which it looks like you must have a wildcard setup for?  Cuz it sure should not respond with anything with www.google.nl.pm12.nl as a query.
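
Added example, not part of any post in this thread: a small Python check that reads an nslookup session like the ones quoted above and flags lookups where the answer name is the query plus an appended search suffix, which is the symptom pointed out in the preceding post. The function name `audit`, the verdict labels and the trimmed transcript are constructed for illustration.

```python
import re

# Constructed transcript, trimmed and modelled on the nslookup sessions in this thread.
SAMPLE = """\
> www.google.com
Server:  pfsense.pm12.nl
*** pfsense.pm12.nl can't find www.google.com: Query refused
> server 194.134.5.55
Default Server:  [194.134.5.55]
Address:  194.134.5.55
> www.google.com
Server:  [194.134.5.55]
Non-authoritative answer:
Name:    www.google.com.PM12.NL
Address:  81.71.91.10
> www.google.com.
Server:  [194.134.5.55]
Non-authoritative answer:
Name:    www.l.google.com
Address:  74.125.225.48
Aliases:  www.google.com
"""

def audit(transcript):
    """Return (query, server, verdict) for each lookup in an nslookup session."""
    results = []
    for block in re.split(r"^> ", transcript, flags=re.M)[1:]:
        query, _, body = block.partition("\n")
        if query.startswith("server "):
            continue  # a server switch, not a lookup
        server = re.search(r"^Server:\s+(\S+)", body, re.M).group(1)
        q = query.strip().rstrip(".").lower()  # a trailing dot marks a fully qualified name
        name = re.search(r"^Name:\s+(\S+)", body, re.M)
        alias = re.search(r"^Aliases:\s+(.*(?:\n[ \t]+\S+)*)", body, re.M)
        known = {name.group(1).lower()} if name else set()
        known |= set(alias.group(1).lower().split()) if alias else set()
        if "Query refused" in body:
            verdict = "refused"
        elif q in known:
            verdict = "ok"  # the answer (or one of its aliases) is the name that was asked for
        elif name and name.group(1).lower().startswith(q + "."):
            # The client appended its search suffix and that zone answered anyway.
            verdict = "suffix-appended:" + name.group(1).lower()[len(q) + 1:]
        else:
            verdict = "unexpected"
        results.append((query.strip(), server, verdict))
    return results

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A `suffix-appended` verdict that repeats across unrelated resolvers with the same address means the answer comes from the suffix zone, not from the name that was typed.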



  • My best guess is it has to do with the DNS suffix? No idea where I've set that up though. Let me investigate a bit more.

    
    C:\Users\wouter>ipconfig /all
    
    Windows IP Configuration
    
       Host Name . . . . . . . . . . . . : WOUTER-PC
       Primary Dns Suffix  . . . . . . . : PM12.NL
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : PM12.NL
    
    


  • It appears that your wan and lan are on the same subnet.



  • Added to that:
    Your PC says: the gateway is 192.168.1.254
    pfSense says that the WAN address is 192.168.1.64
    This is not good at all.

    As chpalmer said (implies): the WAN interface is probably using DHCP to obtain a "WAN" IP.
    And it gets 192.168.1.64, which is a non routing local IP from the modem's LAN side.

    Best thing to do (best first):
    Put your modem in PPPOE (bridge) mode.
    Inform pfSense about the login parameters. pfSense will see a real Internet IP.
    OR:
    Change the modem's LAN IP range for 192.168.2.x - give it 192.168.2.1, AND do not block NOT "Block private networks" (Interface => WAN, bottom part of the page)
    OR:
    Change the LAN IP settings on pfSense.



  • @chpalmer:

    > It appears that your wan and lan are on the same subnet.

    True, I have them bridged.

    @Gertjan:

    > Added to that:
    > Your PC says: the gateway is 192.168.1.254
    > pfSense says that the WAN address is 192.168.1.64
    > This is not good at all.

    Ok I might be understanding something fundamentally wrong here. Isn't the gateway supposed to be the modem's LAN address?

    > As chpalmer said (implies): the WAN interface is probably using DHCP to obtain a "WAN" IP.
    > And it gets 192.168.1.64, which is a non routing local IP from the modem's LAN side.

    No, this is statically assigned.

    > Best thing to do (best first):
    > Put your modem in PPPOE (bridge) mode.
    > Inform pfSense about the login parameters. pfSense will see a real Internet IP.

    Unfortunately impossible. ISP does not allow this.

    > Change the modem's LAN IP range for 192.168.2.x - give it 192.168.2.1, AND do not block NOT "Block private networks" (Interface => WAN, bottom part of the page)

    "Block private networks" is off, not blocking.

    My preference is to keep the pf box in bridged mode to avoid double NAT situations.



  • Your box does not appear to be truly in bridge mode.  What does your outbound NAT page look like?



  • I must admit I never really touched those settings…


