Netgate Discussion Forum

[RESOLVED] DNS forward fails to resolve a specific name

DHCP and DNS
6 Posts 3 Posters 8.1k Views
keylevel (posted Jan 24, 2012, 2:52 PM; last edited Jan 25, 2012, 8:23 AM)

    Using 2.0-RELEASE:

    I've got the DNS forwarder enabled and the general tab has two DNS servers configured (those provided by the hosting company DNS).

    The Diagnostics/DNS Lookup page shows that general name resolution works, but it fails for ftp.somedomain.com.

    If I set 'Do not use the DNS Forwarder as a DNS server for the firewall' then 'DNS Lookup' for the same name works using the first DNS server configured on the general tab.

    My server uses the pfSense as its DNS. 'nslookup ftp.somedomain.com' always fails, regardless of the 'Do not use the DNS Forwarder as a DNS server for the firewall' setting. The server can resolve any other name I try. Running the same nslookup command with the DNS specified in the general tab resolves as expected. It does not resolve if I specify the pfSense LAN interface as the DNS.

    Why does 'ftp.somedomain.com' fail to resolve through the DNS forwarder?

    Chris

    johnpoz LAYER 8 Global Moderator (posted Jan 24, 2012, 8:13 PM)

      If you would give us the actual domain used, we might be able to help. Or at least try and duplicate your issue.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

      keylevel (posted Jan 24, 2012, 8:37 PM)

        I should have added to my original post that the name is not (and will not be) resolvable on the public internet. It's provided by the hosting company to allow the server to access an ftp server that's only accessible externally through a VPN.

        The first DNS server defined within the general tab resolves the name, but only if it is queried explicitly (i.e. not using the DNS forwarding service).

        Chris

        johnpoz LAYER 8 Global Moderator (posted Jan 24, 2012, 9:02 PM; last edited Jan 24, 2012, 9:12 PM)

          Ah, well that makes more sense.

          I don't run the forwarder service; I run unbound and have it do its own lookups (no forwarders involved).

          But if I recall correctly (you could verify with a sniff), when you ask the forwarder for say host.domainX.tld it will forward that request to all servers listed, and use the first one that responds. So I could see where you could have a problem if only one of your configured DNS forwarders has the records you're looking for, and the wrong one responds first.

          In such a case you would have to make sure that only that specific nameserver is queried for that domain, with a domain override setting or something. I know how you do it in unbound, with a

          forward-zone:
              name: "domainX.com"
              forward-host: ns.nameserverfordomainx.com.net

          I don't think any forwarder will run through a listing of forwarders for one that answers with a specific record. If you have private domains that only a specific DNS server is authoritative for, you need to create specific forwards for those domains to forward to those specific name servers.

          edit: I think this is what you need in the bottom of the dns forwarder section

          [image: domainoverrides.jpg]

          cmb (posted Jan 25, 2012, 2:07 AM)

            Probably because it resolves to a private IP and the DNS rebinding protection prevents that. You can either add a domain override for that particular domain, or disable DNS rebinding protection under System>Advanced.

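The two explanations above (johnpoz's: the forwarder asks every upstream and keeps the first reply, so a domain override is needed to pin a private domain to the one server that knows it; cmb's: an answer in a private range is dropped by DNS rebinding protection unless the domain is overridden or the protection is disabled) can be modelled together. This is an added illustration, not code from the thread or from pfSense; the upstream tables are constructed, list order stands in for "who replies first", the blocked ranges are an assumed approximation of dnsmasq's stop-dns-rebind set, and the assumption that a domain override also exempts that domain from the rebind check (as cmb's "either/or" suggests) is made explicit in the code.

```python
import ipaddress

# Ranges a dnsmasq-style "stop-dns-rebind" check rejects in upstream answers.
# Assumed approximation (RFC1918, loopback, 0/8, IPv6 ULA and loopback),
# not pfSense's exact list.
REBIND_BLOCKED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "0.0.0.0/8", "fc00::/7", "::1/128")]

# Constructed upstream data: dns1 (the hosting provider) knows the VPN-only
# FTP host, dns2 does not. A name missing from a table means NXDOMAIN.
SERVERS = {
    "dns1": {"ftp.somedomain.com": ["10.20.30.40"],
             "www.somedomain.com": ["198.51.100.10"]},
    "dns2": {"www.somedomain.com": ["198.51.100.10"]},
}

def is_rebind_blocked(ip):
    """True if rebinding protection would drop an answer containing ip."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in REBIND_BLOCKED)

def in_domain(name, domain):
    """True if name is domain or lies under it (case-insensitive)."""
    name, domain = name.lower().rstrip("."), domain.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)

def forwarder_resolve(name, servers, upstreams, overrides=None,
                      rebind_protection=True):
    """Model the forwarder as the thread describes it: a domain override pins
    the query to one server (and, as assumed here, exempts the domain from
    the rebind check); otherwise every upstream is asked and the first reply
    wins (list order stands in for latency). Returns (ips, reason)."""
    override = next((s for d, s in (overrides or {}).items()
                     if in_domain(name, d)), None)
    server = override or upstreams[0]
    answer = servers.get(server, {}).get(name, [])
    if not answer:
        return [], f"{server} replied first with NXDOMAIN"
    if rebind_protection and not override and any(map(is_rebind_blocked, answer)):
        return [], f"{server} answered but rebinding protection dropped it"
    return list(answer), f"answered by {server}" + (" via override" if override else "")

def dnsmasq_override(domain, server_ip):
    """Domain override as dnsmasq directives (the forwarder pfSense runs);
    rebind-domain-ok exempts that domain from stop-dns-rebind."""
    return f"server=/{domain}/{server_ip}\nrebind-domain-ok=/{domain}/"

def unbound_forward_zone(domain, forward_host):
    """The equivalent unbound forward-zone stanza johnpoz mentions."""
    return f'forward-zone:\n    name: "{domain}"\n    forward-host: {forward_host}\n'
```

Running `forwarder_resolve("ftp.somedomain.com", SERVERS, ["dns2", "dns1"])` reproduces the original failure (dns2's NXDOMAIN wins); swapping the order shows the rebind drop; adding `{"somedomain.com": "dns1"}` as an override returns the private address.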
            keylevel (posted Jan 25, 2012, 8:23 AM)

              Thanks guys, that's solved it.

            DNS was never my strong point, but it's nice to learn something new :)

              Chris

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.