[RESOLVED] DNS forward fails to resolve a specific name

  • Using 2.0-RELEASE:

    I've got the DNS forwarder enabled and the general tab has two DNS servers configured (those provided by the hosting company DNS).

    The Diagnostics/DNS Lookup page shows that general name resolution works, but it fails for ftp.somedomain.com.

    If I set 'Do not use the DNS Forwarder as a DNS server for the firewall' then 'DNS Lookup' for the same name works using the first DNS server configured on the general tab.

    My server uses the pfSense as its DNS. 'nslookup ftp.somedomain.com' always fails, regardless of the 'Do not use the DNS Forwarder as a DNS server for the firewall' setting. The server can resolve any other name I try. Running the same nslookup command with the DNS specified in the general tab resolves as expected. It does not resolve if I specify the pfSense LAN interface as the DNS.

    Why does 'ftp.somedomain.com' fail to resolve through the DNS forwarder?

  • LAYER 8 Global Moderator

    if you would give us the actual domain used, we might be able to help. Or at least try and duplicate your issue.

  • I should have added to my original post that the name is not (and will not be) resolvable on the public internet. It's provided by the hosting company to allow the server to access an ftp server that's only accessible externally through a VPN.

    The first DNS server defined within the general tab resolves the name, but only if it is queried explicitly (i.e. not using the DNS forwarding service).

  • LAYER 8 Global Moderator

    Ah, well that makes more sense.

    I don't run the forwarder service, I run unbound and have it do its own lookups (no forwarders involved)

    But if I recall correctly you could verify with a sniff when you ask the forwarder for say host.domainX.tld it will forward that request to all servers listed, and use the first one that responds. So I could see where you could have a problem if only one of your configured dns forwarders has records you're looking for. And the wrong one responds first.

    In such a case you would have to make sure that only that specific nameserver is queried for that domain with a domain override setting or something. I know how you do it in unbound

    with a

        forward-zone:
            name: "domainX.com"
            forward-host: ns.nameserverfordomainx.com.net

    I don't think any forwarder will run through a listing of forwarders for one that answers with a specific record.  If you have private domains that only specific dns is authoritative for you need to create specific forwards for those domains to forward to those specific name servers.

    edit: I think this is what you need in the bottom of the dns forwarder section

  • Probably because it resolves to a private IP and the DNS rebinding protection prevents that. You can either add a domain override for that particular domain, or disable DNS rebinding protection under System>Advanced.
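    A small Python model of the mechanism described in this thread, added here as an illustration (it is not pfSense code and not anything a poster wrote): the upstream answers are constructed, and it assumes that a domain override both pins the zone to one upstream server and exempts that zone from the rebinding filter, which is why the override fixes the lookup without turning protection off globally.

    ```python
    import ipaddress

    # Constructed upstream data: server -> {name -> A records}.
    # Only the first general-tab server knows ftp.somedomain.com, and the
    # record points at a private (VPN-side) address, as in the thread.
    UPSTREAM = {
        "203.0.113.1": {"ftp.somedomain.com": ["10.20.30.40"],
                        "www.example.com": ["93.184.216.34"]},
        "203.0.113.2": {"www.example.com": ["93.184.216.34"]},
    }


    def is_rebind_answer(ip):
        """True if an upstream answer would be dropped by rebinding protection
        (private, loopback or link-local address returned for a public query)."""
        addr = ipaddress.ip_address(ip)
        return addr.is_private or addr.is_loopback or addr.is_link_local


    def forward(name, servers, overrides=None, rebind_protect=True):
        """Resolve `name` the way a forwarder with overrides would.

        overrides maps a zone (e.g. "somedomain.com") to the one server that is
        asked for names under it; such zones are assumed exempt from the
        rebinding filter. Otherwise the general servers are tried in order and
        the first non-empty answer wins. Returns (status, records)."""
        overrides = overrides or {}
        zone = next((z for z in overrides
                     if name == z or name.endswith("." + z)), None)
        candidates = [overrides[zone]] if zone else list(servers)
        for srv in candidates:
            records = UPSTREAM.get(srv, {}).get(name, [])
            if not records:
                continue  # this upstream has no record; try the next one
            if rebind_protect and zone is None and any(map(is_rebind_answer, records)):
                return ("blocked-rebind", [])  # dropped as a possible rebinding attack
            return ("ok", records)
        return ("no-answer", [])


    if __name__ == "__main__":
        general = ["203.0.113.1", "203.0.113.2"]
        print(forward("ftp.somedomain.com", general))          # blocked-rebind
        print(forward("ftp.somedomain.com", general, rebind_protect=False))
        print(forward("ftp.somedomain.com", general,
                      overrides={"somedomain.com": "203.0.113.1"}))  # ok
    ```
    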

  • Thanks guys, that's solved it.

    DNS was never my strong point, but it's nice to learn something new  :)
