DNS forwarding issue (override an entire domain)



  • Hi all

    First my setup:

    • Both pfsense Boxes are gateways and "DNS Servers" using built in dsnmasq
    • No further firewalls or routers are involved
    • OpenVPN site 2 site tunnel
    • Tunnel works fine
--------------------------------                                        -------------------------------
    | pfsense1.asdf.com            |           ------------------           | pfsense2.subdomain.asdf.com |
    | IP: 10.0.0.1                 | <-------> | OpenVPN Tunnel | <-------> | IP: 10.0.10.1               |
    | OpenVPN Server               |           ------------------           | OpenVPN Client              |
    | Tunnel Network  10.0.6.0/29  |                                        | Tunnel Network: empty       |
    | Local Network:  10.0.0.0/24  |                                        | Remote Network: 10.0.0.0/24 |
    | Remote Network: 10.0.10.0/24 |                                        -------------------------------
    --------------------------------
    

    Issue:
If I enable DNS Forwarding (override entire domain) on both sites my CPU usage is very high (80%).
I think it's because of a DNS loop. See http://forum.pfsense.org/index.php?topic=33031.0

--------- DNS Forwarding Setup on pfsense1.asdf.com --------
    | Domain: subdomain.asdf.com                               |
    | IP: 10.0.10.1                                            |
    ------------------------------------------------------------
    
--------- DNS Forwarding Setup on pfsense2.subdomain.asdf.com --------
    | Domain: asdf.com                                                   |
    | IP: 10.0.0.1                                                       |
    ----------------------------------------------------------------------
    

I have disabled DNS Forwarding on pfsense1.asdf.com for domain subdomain.asdf.com to solve the high CPU usage problem.
But now I can't ping from network 10.0.0.1/24 to network 10.0.10.0/24 using DNS names. It works only using IP addresses.
Question:
How can I solve this problem to resolve client names from both sites?

Thank you very much for your help (and sorry for my English)
    mki



  • @mki:

    Issue:
If I enable DNS Forwarding (override entire domain) on both sites my CPU usage is very high (80%).
I think it's because of a DNS loop.

    It looks to me that you have a DNS loop. BUT did you check what was using so much CPU?

    @mki:

I have disabled DNS Forwarding on pfsense1.asdf.com for domain subdomain.asdf.com to solve the high CPU usage problem.

    Did you verify the CPU usage dropped significantly?

    @mki:

Question:
How can I solve this problem to resolve client names from both sites?

    The dnsmasq man page (http://www.freebsd.org/cgi/man.cgi?query=dnsmasq&apropos=0&sektion=0&manpath=FreeBSD+8.2-RELEASE+and+Ports&arch=default&format=html) suggests dnsmasq can be configured to resolve subdomains through different servers than parent domains and certain domains can be set to be resolved locally only (Also  permitted  is  a  -S  flag which gives a domain but no IP address; this tells dnsmasq that a domain is local  and  it  may answer  queries from /etc/hosts or DHCP but should never forward queries on that domain to any upstream servers.  local is a synonym  for  server  to  make configuration files clearer in this case.) Unfortunately it looks to me that the standard GUI doesn't allow this "resolve locally only" option. If it did I suspect the loop could be broken by configuring pfsense2.subdomain.asdf.com to resolve subdomain.asdf.com locally only.

Depending on the complexity of your configuration you might be able to use static DHCP on pfSense2.subdomain.asdf.com and static DNS host override entries on pfsense1.asdf.com.

    Maybe the GUI interface to one of the other supported DNS servers might allow local only resolution on a domain.

If you are feeling adventurous (or have a good knowledge of PHP) you could look at changing the pfSense file /etc/inc/services.inc to treat (say) the loopback address 127.0.0.1 as "resolve locally only" and leave out the server's IP address when generating the command line for dnsmasq (or maybe it would be a simple edit to /usr/local/www/services_dnsmasq_domainoverride_edit.php to allow an IP address OR null for the IP address on the domain override page).



  • Hi wallabybob

    Thanks for the quick, all-out reply.

    It looks to me that you have a DNS loop. BUT did you check what was using so much CPU?

Have a look at these two screenshots. It's dnsmasq.
    Attached files: pfsense1.png, pfsense2.png

    Did you verify the CPU usage dropped significantly?

I did. Have a look at the screenshot cpuusage.png. I disabled DNS forwarding on one site on Saturday. After that the CPU usage is very low.

    The dnsmasq man page (http://www.freebsd.org/cgi/man.cgi?query=dnsmasq&apropos=0&sektion=0&manpath=FreeBSD+8.2-RELEASE+and+Ports&arch=default&format=html) suggests dnsmasq can be configured to resolve subdomains through different servers than parent domains and certain domains can be set to be resolved locally only (Also  permitted  is  a  -S  flag  which gives a domain but no IP address; this tells dnsmasq that a domain is local  and  it  may answer  queries from /etc/hosts or DHCP but should never forward queries on that domain to any upstream servers.  local is a synonym  for  server  to  make configuration files clearer in this case.) Unfortunately it looks to me that the standard GUI doesn't allow this "resolve locally only" option. If it did I suspect the loop could be broken by configuring pfsense2.subdomain.asdf.com to resolve subdomain.asdf.com locally only.

    I'll try this and will give you feedback.

Depending on the complexity of your configuration you might be able to use static DHCP on pfSense2.subdomain.asdf.com and static DNS host override entries on pfsense1.asdf.com.

I'm not able to do this. Too many clients.

    Maybe the GUI interface to one of the other supported DNS servers might allow local only resolution on a domain.

    Good idea.

Personally I think it should be possible to do this without installing software. I can't be the only person with this configuration :)

    Thank you
    mki








  • On one of my systems running dnsmasq I added a domain override for foo.bar to 0.0.0.0 thinking dnsmasq might accept 0.0.0.0 as a synonym for "resolve locally only". Some investigation showed dnsmasq was invoked by the command:

/usr/local/sbin/dnsmasq --local-ttl 1 --all-servers --rebind-localhost-ok --stop-dns-rebind --dns-forward-max=5000 --cache-size=10000 --server=/foo.bar/0.0.0.0 --rebind-domain-ok=/foo.bar/

    but a name server lookup of abc.foo.bar apparently went out to OpenDNS (my configured name servers):

    dig abc.foo.bar

    ; <<>> DiG 9.6.2-P2 <<>> abc.foo.bar
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50784
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;abc.foo.bar. IN A

    ;; ANSWER SECTION:
    abc.foo.bar. 0 IN A 67.215.65.132

    ;; Query time: 210 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Tue Dec 27 08:11:40 2011
    ;; MSG SIZE  rcvd: 45

    nslookup abc.foo.bar

    Server: 127.0.0.1
    Address: 127.0.0.1#53

    Non-authoritative answer:
    Name: abc.foo.bar
    Address: 67.215.65.132

    nslookup 67.215.65.132

    Server: 127.0.0.1
    Address: 127.0.0.1#53

    Non-authoritative answer:
    132.65.215.67.in-addr.arpa name = hit-nxdomain.opendns.com.

    Authoritative answers can be found from:

    I killed dnsmasq and started it with a revised command line omitting the server IP address for domain foo.bar and this time a lookup of abc.foo.bar returned "Non existent domain" suggesting it was indeed resolved locally.

    kill 30380

    ps ax | grep dnsmasq

    27935   0  R+     0:00.01 grep dnsmasq

/usr/local/sbin/dnsmasq --local-ttl 1 --all-servers --rebind-localhost-ok --stop-dns-rebind --dns-forward-max=5000 --cache-size=10000 --server=/foo.bar/ --rebind-domain-ok=/foo.bar/

    dig abc.foo.bar

    ; <<>> DiG 9.6.2-P2 <<>> abc.foo.bar
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23401
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;abc.foo.bar. IN A

    ;; Query time: 4 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Tue Dec 27 08:13:52 2011
    ;; MSG SIZE  rcvd: 29

    So it looks to me that if dnsmasq on pfsense2 can be persuaded to resolve subdomain.asdf.com locally only then your DNS loop should be broken. Are there enough clues here for you to try this?



Sorry for answering late.

I'll set up a new test environment for testing your solution.
You will hear from me.

    Thanks in advance
    mki



  • An easier way to accomplish "resolve locally only" is to add the dnsmasq custom option

    local=/domain-name/

    in the Advanced section on Services -> DNS Forwarder
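The forwarding loop described at the top of this thread (each pfSense box overriding the other's domain), wallabybob's finding that a `--server=/domain/` entry with no address answers locally, and the `local=/domain-name/` fix in the last reply, modelled as an added Python example. This is not code from the thread, from pfSense or from dnsmasq; it only imitates dnsmasq's longest-suffix domain matching. The forwarder names, host entries and addresses are constructed, `None` stands for a `server=`/`local=` entry with no upstream address, and `MAX_HOPS` is an arbitrary cap for the simulation, not dnsmasq's real forwarding limit.

```python
"""Toy model of dnsmasq-style domain overrides: shows why two forwarders
that override each other's domains bounce a query back and forth (CPU
churn, as in the thread), and how a local-only entry ends the chain.
Added example; not code from the thread, pfSense or dnsmasq."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_HOPS = 16  # arbitrary simulation cap, not a dnsmasq setting


@dataclass
class Forwarder:
    name: str
    # domain -> name of the upstream forwarder; None means "local only"
    # (dnsmasq's local=/domain/ or server=/domain/ without an address)
    overrides: Dict[str, Optional[str]]
    # names this box answers itself (DHCP leases / host overrides)
    hosts: Dict[str, str] = field(default_factory=dict)
    default_upstream: Optional[str] = None  # where non-overridden names go


def matching_override(fwd: Forwarder, qname: str) -> Optional[str]:
    """Longest-suffix match: the most specific override domain wins,
    so local=/subdomain.asdf.com/ beats server=/asdf.com/... on one box."""
    best = None
    for domain in fwd.overrides:
        if qname == domain or qname.endswith("." + domain):
            if best is None or len(domain) > len(best):
                best = domain
    return best


def resolve(forwarders: Dict[str, Forwarder], start: str,
            qname: str) -> Tuple[str, Optional[str], List[str]]:
    """Follow one query from forwarder `start`.
    Returns (status, answer, path of forwarders that handled it)."""
    path: List[str] = []
    current = start
    for _ in range(MAX_HOPS):
        fwd = forwarders[current]
        path.append(current)
        if qname in fwd.hosts:  # answered from DHCP/hosts, never forwarded
            return "NOERROR", fwd.hosts[qname], path
        domain = matching_override(fwd, qname)
        nxt = fwd.overrides[domain] if domain is not None else fwd.default_upstream
        if nxt is None:
            # local-only domain (or no upstream at all): authoritative NXDOMAIN
            return "NXDOMAIN", None, path
        current = nxt  # one real query on the wire per hop
    return "LOOP", None, path  # query never terminated within the cap


def build_topology(break_loop: bool) -> Dict[str, Forwarder]:
    """Constructed topology mirroring the thread: pfsense1 owns asdf.com,
    pfsense2 owns subdomain.asdf.com. With break_loop=True pfsense2 also
    carries local=/subdomain.asdf.com/ so unknown names in its own zone stop there."""
    isp = Forwarder("isp", overrides={}, hosts={"www.example.net": "198.51.100.10"})
    pf1 = Forwarder("pfsense1", overrides={"subdomain.asdf.com": "pfsense2"},
                    hosts={"pc1.asdf.com": "10.0.0.50"}, default_upstream="isp")
    pf2_overrides: Dict[str, Optional[str]] = {"asdf.com": "pfsense1"}
    if break_loop:
        pf2_overrides["subdomain.asdf.com"] = None  # local=/subdomain.asdf.com/
    pf2 = Forwarder("pfsense2", overrides=pf2_overrides,
                    hosts={"pc2.subdomain.asdf.com": "10.0.10.50"}, default_upstream="isp")
    return {f.name: f for f in (isp, pf1, pf2)}


if __name__ == "__main__":
    for fixed in (False, True):
        topo = build_topology(fixed)
        print("with local= entry:" if fixed else "loop configuration:")
        for start, name in (("pfsense1", "ghost.subdomain.asdf.com"),
                            ("pfsense1", "pc2.subdomain.asdf.com"),
                            ("pfsense2", "pc1.asdf.com")):
            status, answer, path = resolve(topo, start, name)
            print(f"  {name} from {start}: {status} {answer or ''} via {' -> '.join(path)}")
```

The interesting case is a name that does not exist in the subdomain (a typo, or a client's search-list expansion): without the local entry it ping-pongs between the two boxes, with it pfsense2 answers NXDOMAIN in one hop while still serving its own DHCP names to pfsense1.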

