Netgate Discussion Forum
DNS Forwarder not resolving when host is not a registered DHCP Client with lease

Category: DHCP and DNS
7 posts, 3 posters, 3.9k views
wadmutter (Sep 20, 2012, 12:35 PM):

I have a simple issue and I'm not sure it can be fixed. Perhaps it's a feature?

After upgrading from a box running pfSense 1.x, my hosts that have IP addresses manually assigned to them are ignored by the DNS forwarder.

The LAN interface of my router is 10.34.41.254; all DHCP clients get that IP address as their DNS server, then the router forwards the request to Google servers. That works as advertised; however, if I manually assign an address outside the DHCP pool, the DNS forwarder does not respond to the host, thus no DNS.

Any fix for that?

johnpoz, LAYER 8 Global Moderator (Sep 20, 2012, 7:37 PM):

So what are your LAN rules set up to allow access? Are you limiting the source IPs?

What are your LAN rules?

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.7.2, 24.11

wallabybob (Sep 21, 2012, 12:22 AM):

@wadmutter:

> however, if I manually assign an address outside the DHCP pool, the DNS forwarder does not respond to the host, thus no DNS

How far outside the DHCP pool? What network mask? If the manually configured system thinks the DNS server (you made no mention of configuring it) is not on the same network as the manually configured system, then the manually configured system will need to go through the default gateway (you made no mention of manually configuring a default gateway), which needs to be on the same network as the manually configured system.

What is reported on a manually configured system if you ping the DNS server?

wadmutter (Sep 21, 2012, 12:11 PM):

johnpoz: LAN firewall rules allow any to any. Set wide open, no limiting of the source IPs from the same network whatsoever.

wadmutter (Sep 21, 2012, 12:14 PM):

wallabybob: The DHCP scope is a class C network with a 24-bit mask. The manually assigned addresses are within that network, simply not in the DHCP range. I.e. 10.34.41.11 - 10.34.41.149/24 is the range; 10.34.41.165/24 is the manually assigned address. When I assign the router's interface as the DNS server, it does not respond, yet I can ping it.

wallabybob (Sep 21, 2012, 1:24 PM):

@wadmutter:

> When I assign the router's interface as the DNS server, it does not respond, yet I can ping it.

What do you do to make that assignment?

On what sort of system did you make that assignment (Windows? Linux? etc.)?

Does that system need to be rebooted for the assignment to take effect?

What does a DNS debugging tool such as dig or nslookup report as the IP address of the DNS server?

johnpoz, LAYER 8 Global Moderator (Sep 21, 2012, 4:10 PM, edited 4:16 PM):

What you're saying makes no sense if you don't have a rule on the LAN interface to block access. I have plenty of boxes outside my DHCP scope. For example, my LAN network is 192.168.1.0/24 and the pfSense LAN interface is on 192.168.1.253.

The DHCP scope is 192.168.1.210 to .219.

So for example my Linux box at 192.168.1.7 can query pfSense for DNS.

    dig i5-w7.local.lan

    ; <<>> DiG 9.8.1-P1 <<>> i5-w7.local.lan

    ;; QUESTION SECTION:
    ;i5-w7.local.lan.               IN      A

    ;; ANSWER SECTION:
    i5-w7.local.lan.        1       IN      A       192.168.1.100

    ;; Query time: 2 msec
    ;; SERVER: 192.168.1.253#53(192.168.1.253)
    ;; WHEN: Fri Sep 21 11:11:19 2012

And here is a Windows box on .100, also outside the scope:

    C:\Windows\System32>nslookup
    Default Server:  pfsense.local.lan
    Address:  192.168.1.253

    > www.google.com
    Server:  pfsense.local.lan
    Address:  192.168.1.253

    Non-authoritative answer:
    Name:    www.google.com
    Addresses:  2607:f8b0:400f:801::1012
              74.125.225.177
              74.125.225.179
              74.125.225.178
              74.125.225.180
              74.125.225.176

So I would verify that you did not typo the DNS server. Do you have more than one DNS server listed on the clients on your LAN?

I have more boxes outside my scope than inside, to be honest, and have no issues. Are these boxes on a different interface/VLAN connected to pfSense, so different firewall rules than LAN? Is there anything between them and the pfSense LAN interface: another firewall, local firewalls on the clients?

Are you running, say, unbound, where you could have set ACLs on which IPs can query it?

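The checks the replies above ask for, as an added example that is not part of the thread: is the static host on the same /24 as the forwarder, is it outside the DHCP pool, and does the forwarder actually answer a DNS query on UDP 53 from that host (a timeout while ping succeeds points at the resolver's ACL or the client's resolver config, not routing). The addresses are the ones wadmutter gave; the query name, transaction id and timeout are assumptions.

```python
import ipaddress
import socket
import struct

# Addresses from the thread: pfSense LAN interface, DHCP pool and prefix length.
FORWARDER = "10.34.41.254"
POOL_START, POOL_END = "10.34.41.11", "10.34.41.149"
PREFIX = 24


def same_subnet(host: str, server: str, prefix: int = PREFIX) -> bool:
    """True when host and server share one network for the given prefix length."""
    net = ipaddress.ip_network(f"{server}/{prefix}", strict=False)
    return ipaddress.ip_address(host) in net


def in_dhcp_pool(host: str, start: str = POOL_START, end: str = POOL_END) -> bool:
    """True when host falls inside the DHCP pool (inclusive range)."""
    h = ipaddress.ip_address(host)
    return ipaddress.ip_address(start) <= h <= ipaddress.ip_address(end)


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS A query: 12-byte header (RD set, one question), QNAME, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def forwarder_answers(server: str = FORWARDER, name: str = "www.google.com",
                      timeout: float = 2.0) -> bool:
    """Send one query to server:53; True only if a reply with our txid and QR bit came back."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (server, 53))
            reply, _ = s.recvfrom(512)
        except socket.timeout:
            return False  # forwarder silent: ACL, wrong listen interface, or client config
    return len(reply) >= 12 and reply[:2] == query[:2] and reply[2] & 0x80 != 0


if __name__ == "__main__":
    host = "10.34.41.165"  # the static address from the thread
    print("same subnet as forwarder:", same_subnet(host, FORWARDER))
    print("inside DHCP pool:", in_dhcp_pool(host))
    print("forwarder answers:", forwarder_answers())
```

Run it from the statically addressed host; if the first two lines print True/False as expected but the last prints False, the problem is on the forwarder or the client's resolver settings rather than in the addressing.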