DNS forwarder - WLAN on its own Subnet - CPU 100%



  • I have a strange problem..

    I am using a domain name which resolves to a public IP from outside; on my LAN it resolves to a local IP.

    My setup looks like this:

    PFSENSE BOX IP: 10.10.1.254

    GENERAL SETUP
    -----------------
    hostname: fw
    domain: example.com

    INTERFACES

    WAN ISP-IP
    LAN 10.10.1.254/24
    WLAN 10.10.2.254/24

    DNS SERVER


    208.67.222.222
    208.67.220.220

    [OFF] Allow DNS server list to be overridden by DHCP/PPP on WAN
    [OFF] Do not use the DNS Forwarder as a DNS server for the firewall

    DHCP SERVER
    --------------
    [OFF] WAN
    [ON] LAN 10.10.1.125 - 10.10.1.250
    [ON] WLAN 10.10.2.125 - 10.10.2.250

    DNS FORWARDER
    –--- --------------
    [ON] Enable DNS forwarder
    [ON] Register DHCP leases in DNS forwarder

    Host Overrides
    example.com  10.10.1.100

    Domain Overrides
    example.com  10.10.1.254

    If I connect to my network via a network cable, everything runs fine.

    If I connect to my network via wireless, my CPU hits 100%.

    If I turn off DNS Forwarding, the CPU goes back to normal?

    If I bridge LAN & WLAN, the CPU is normal.

    I don't want to bridge LAN & WLAN, I want to keep them separate with appropriate firewall rules.

    Why is DNS Forwarding / dnsmasq hitting 100% when I connect to my network via wireless?
    Something to do with the wireless subnet causing dnsmasq to create some kind of DNS loop maxing out the CPU?



  • Imagine something on your wireless network looks up www.example.com. Your DNS forwarding configuration says anything on domain example.com DNS forwarder doesn't know about should go to 10.10.1.254 which is the LAN interface. I don't know the intricacies of DNS forwarder but it seems to me that you have likely created an infinite loop: DNS forwarder should ask itself to resolve domain example.com. but that is unlikely to terminate EXCEPT for names fw.example.com and example.com.



  • The netmask in the following items seems bizarre:
    @wizbit:

    INTERFACES
    -------------
    WAN ISP-IP
    LAN 10.10.1.254/0
    WLAN 10.10.2.254/0



  • @wallabybob:

    The netmask in the following items seems bizarre:
    @wizbit:

    INTERFACES
    -------------
    WAN ISP-IP
    LAN 10.10.1.254/0
    WLAN 10.10.2.254/0

    That was a typo!! Changed now.



  • @wallabybob:

    Imagine something on your wireless network looks up www.example.com. Your DNS forwarding configuration says anything on domain example.com DNS forwarder doesn't know about should go to 10.10.1.254 which is the LAN interface. I don't know the intricacies of DNS forwarder but it seems to me that you have likely created an infinite loop: DNS forwarder should ask itself to resolve domain example.com. but that is unlikely to terminate EXCEPT for names fw.example.com and example.com.

    If I connect to my network via LAN (network cable) to 10.10.1.254/24, DNS Forwarder seems to be running OK and CPU usage is normal. The problem only occurs when I connect to my network via wireless, which uses the 10.10.2.254/24 network. My state table fills up and my CPU goes to 100%; if I turn off DNS Forwarder / dnsmasq, the CPU goes back to normal.



  • PROBLEM SOLVED!!!

    My state table had LOTS of this:

    tcp 10.10.2.30:53227 -> 10.10.1.100:631 FIN_WAIT_2:FIN_WAIT_2

    CUPS was sending LOTS of requests,  I added the 10.10.2. network to CUPS on my
    server and now everything is back to normal!  :)
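An added example, not from this thread or from pfSense itself: a small POSIX shell/awk helper that summarises state-table lines in the format the poster pasted (protocol, source, arrow, destination, state) and ranks source host / destination port pairs by how many states they hold, which is the quickest way to spot a flood like the CUPS one above. The sample lines are constructed; the `pfctl -ss` usage is an assumption about how you would feed it live data.

```shell
#!/bin/sh
# Constructed sample in the same layout as the state line quoted in the thread.
SAMPLE_STATES='tcp 10.10.2.30:53227 -> 10.10.1.100:631 FIN_WAIT_2:FIN_WAIT_2
tcp 10.10.2.30:53228 -> 10.10.1.100:631 FIN_WAIT_2:FIN_WAIT_2
tcp 10.10.2.30:53229 -> 10.10.1.100:631 FIN_WAIT_2:FIN_WAIT_2
udp 10.10.2.30:49152 -> 10.10.2.254:53 MULTIPLE:MULTIPLE
tcp 10.10.1.50:40001 <- 10.10.1.100:631 ESTABLISHED:ESTABLISHED'

# top_state_talkers: read state lines on stdin, drop the ephemeral source port,
# and print "count proto src-host -> dst:port state" with the busiest pair first.
# Both arrow directions ("->" and "<-") are normalised to "src -> dst".
top_state_talkers() {
  awk '{
    proto = $1
    if ($3 == "<-") { s = $4; d = $2 } else { s = $2; d = $4 }
    split(s, src, ":")                      # src[1] is the host without its port
    key = proto " " src[1] " -> " d " " $5  # $5 is the pf state pair
    n[key]++
  }
  END { for (k in n) print n[k], k }' | sort -rn
}

# worst_offender: only the top-ranked line.
worst_offender() {
  top_state_talkers | head -n 1
}

# analyse_sample: run the summary over the constructed lines above.
analyse_sample() {
  printf '%s\n' "$SAMPLE_STATES" | top_state_talkers
}

# Assumed live use on the firewall console (pfctl output has an extra leading
# interface column, so strip it first):  pfctl -ss | cut -d' ' -f2- | top_state_talkers | head
```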

