DNS Forwarder not resolving when host is not a registered DHCP Client with lease



  • I have a simple issue and I'm not sure it can be fixed. Perhaps it's a feature?

    After upgrading from a box running pfSense 1.x, my hosts that have IP addresses manually assigned to them are ignored by the DNS forwarder.

    My LAN interface of my router is 10.34.41.254; all DHCP clients get that IP address as their DNS server, then the router forwards the request to Google's servers. That works as advertised; however, if I manually assign an address outside the DHCP pool, the DNS forwarder does not respond to the host, thus no DNS.

    Any fix for that?


  • Rebel Alliance Global Moderator

    So what are your LAN rules set up to allow access? Are you limiting the source IPs?

    What are your LAN rules?



  • @wadmutter:

    however if I manually assign an address outside the DHCP pool, the DNS forwarder does not respond to the host, thus no DNS

    How far outside the DHCP pool? What network mask? If the manually configured system thinks the DNS server (you made no mention of configuring it) is not on the same network as the manually configured system then the manually configured system will need to go through the default gateway (you made no mention of manually configuring default gateway) which needs to be on the same network as the manually configured system.

    What is reported on a manually configured system if you ping the DNS server?



  • Jonpoz: LAN firewall rules allow any to any. Set for wide open, no limiting of the source IPs from the same network whatsoever.



  • wallabybob: The DHCP scope is a class C network with a 24-bit mask. The manually assigned addresses are within that network, simply not in the DHCP range. I.e. 10.34.41.11 - 10.34.41.149/24 is the range; 10.34.41.165/24 is the manually assigned address. When I assign the router's interface as the DNS server, it does not respond, yet I can ping it.



  • @wadmutter:

    When I assign the router's interface as the DNS server, it does not respond, yet I can ping it.

    What do you do to make that assignment?

    On what sort of system did you make that assignment (Windows? Linux? etc.)?

    Does that system need to be rebooted for the assignment to take effect?

    What does a DNS debugging tool such as dig or nslookup report as the IP address of the DNS?


  • Rebel Alliance Global Moderator

    What you're saying makes no sense if you don't have a rule on the LAN interface to block access. I have plenty of boxes outside my DHCP scope. So for example my LAN network is 192.168.1.0/24, and the pfSense LAN interface is on 192.168.1.253.

    The DHCP scope is 192.168.1.210 to .219.

    So for example my Linux box at 192.168.1.7 can query pfSense for DNS:

    
     dig i5-w7.local.lan
    
    ; <<>> DiG 9.8.1-P1 <<>> i5-w7.local.lan
    
    ;; QUESTION SECTION:
    ;i5-w7.local.lan.               IN      A
    
    ;; ANSWER SECTION:
    i5-w7.local.lan.        1       IN      A       192.168.1.100
    
    ;; Query time: 2 msec
    ;; SERVER: 192.168.1.253#53(192.168.1.253)
    ;; WHEN: Fri Sep 21 11:11:19 2012
    
    

    And here is a Windows box on .100, also outside the scope:

    
    C:\Windows\System32>nslookup
    Default Server:  pfsense.local.lan
    Address:  192.168.1.253
    
    > www.google.com
    Server:  pfsense.local.lan
    Address:  192.168.1.253
    
    Non-authoritative answer:
    Name:    www.google.com
    Addresses:  2607:f8b0:400f:801::1012
              74.125.225.177
              74.125.225.179
              74.125.225.178
              74.125.225.180
              74.125.225.176
    
    

    So I would verify that you did not typo the DNS server. Do you have more than 1 DNS server listed on the clients on your LAN?

    I have more boxes outside my scope than inside, to be honest, and have no issues. Are these boxes on a different interface/VLAN connected to pfSense, so different firewall rules than LAN? Is there anything between them and the pfSense LAN interface, another firewall, local firewalls on the clients?

    Are you running, say, Unbound, where you could have set ACLs on which IPs can query it?
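    The checks johnpoz runs above (dig and nslookup against the pfSense address, then the question of resolver ACLs) can be done from one script that sends an A query straight to a chosen server address, the way `dig @server` does, so the client's own resolver settings are taken out of the picture. This is an added example, not code from the thread or from pfSense; the server address 192.168.1.253 and the name i5-w7.local.lan are borrowed from johnpoz's output, and the classification of a REFUSED reply as an ACL rejection (for example Unbound access control) and of a timeout as filtering or no listener is the usual reading, not something the thread confirmed.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
def build_query(name, txid=0x1234):
    """Standard recursive A query for `name`, DNS wire format (RFC 1035)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN
def skip_name(data, off):
    """Offset just past a (possibly compressed) name starting at `off`."""
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length
def parse_response(data, txid=0x1234):
    """Return (rcode name, list of A-record IPs) from a raw DNS response."""
    rid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch: not the reply to our query")
    rcode = RCODES.get(flags & 0x000F, "RCODE%d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        off = skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            ips.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return rcode, ips
def check_forwarder(server_ip, name, timeout=2.0):
    """Query server_ip:53 directly, bypassing the host's resolver settings. TIMEOUT:
    nothing answered (filtered, or no listener on that address); REFUSED: an ACL said no."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name), (server_ip, 53))  # server taken from johnpoz's post
        data, _ = sock.recvfrom(4096)
        return parse_response(data)
    except socket.timeout:
        return "TIMEOUT", []
    finally:
        sock.close()
```

    Run `check_forwarder("192.168.1.253", "i5-w7.local.lan")` from a host that has no lease; a NOERROR result with the expected address while the host's normal lookups still fail points at the client's configured server, not at the forwarder.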

