DNS Forwarder not resolving when host is not a registered DHCP Client with lease
-
I have a simple issue and I'm not sure it can be fixed. Perhaps it's a feature?
After upgrading from a box running pfSense 1.x, my hosts that have IP addresses manually assigned to them are ignored by the DNS forwarder.
The LAN interface of my router is 10.34.41.254; all DHCP clients get that IP address as their DNS server, then the router forwards the request to Google servers. That works as advertised; however, if I manually assign an address outside the DHCP pool, the DNS forwarder does not respond to the HOST, thus no DNS.
Any fix for that?
-
So what are your LAN rules set up to allow access? Are you limiting the source IPs?
What are your LAN rules?
-
however, if I manually assign an address outside the DHCP pool, the DNS forwarder does not respond to the HOST, thus no DNS
How far outside the DHCP pool? What network mask? If the manually configured system thinks the DNS server (you made no mention of configuring it) is not on the same network as the manually configured system, then the manually configured system will need to go through the default gateway (you made no mention of manually configuring a default gateway), which needs to be on the same network as the manually configured system.
What is reported on a manually configured system if you ping the DNS server?
-
Jonpoz: LAN firewall rules allow any to any. Set for wide open, no limiting of the source IPs from the same network whatsoever.
-
wallabybob: The DHCP scope is a class C network with a 24-bit mask. The manually assigned addresses are within that network, simply not in the DHCP range, i.e. 10.34.41.11 - 10.34.41.149/24 is the range and 10.34.41.165/24 is the manually assigned address. When I assign the router's interface as the DNS server, it does not respond, yet I can ping it.
-
When I assign the router's interface as the DNS server, it does not respond, yet I can ping it.
What do you do to make that assignment?
On what sort of system did you make that assignment (Windows? Linux? etc.)?
Does that system need to be rebooted for the assignment to take effect?
What does a DNS debugging tool such as dig or nslookup report as the IP address of the DNS?
-
What you're saying makes no sense if you don't have a rule on the LAN interface to block access. I have plenty of boxes outside my DHCP scope. So for example my LAN network is 192.168.1.0/24, the pfsense LAN interface is on 192.168.1.253,
and the DHCP scope is 192.168.1.210 to .219.
So for example my Linux box at 192.168.1.7 can query pfsense for DNS.
dig i5-w7.local.lan

; <<>> DiG 9.8.1-P1 <<>> i5-w7.local.lan
;; QUESTION SECTION:
;i5-w7.local.lan. IN A

;; ANSWER SECTION:
i5-w7.local.lan. 1 IN A 192.168.1.100

;; Query time: 2 msec
;; SERVER: 192.168.1.253#53(192.168.1.253)
;; WHEN: Fri Sep 21 11:11:19 2012
And here is a Windows box on .100, also outside the scope:
C:\Windows\System32>nslookup
Default Server: pfsense.local.lan
Address: 192.168.1.253

> www.google.com
Server: pfsense.local.lan
Address: 192.168.1.253

Non-authoritative answer:
Name: www.google.com
Addresses: 2607:f8b0:400f:801::1012
74.125.225.177
74.125.225.179
74.125.225.178
74.125.225.180
74.125.225.176
So I would verify that you did not typo the DNS server. Do you have more than one DNS server listed on the clients on your LAN?
I have more boxes outside my scope than inside to be honest, and have no issues. Are these boxes on a different interface/VLAN connected to pfsense, so different firewall rules than LAN? Is there anything between them and the pfsense LAN interface, another firewall, local firewalls on the clients?
Are you running say unbound, where you could have set ACLs on which IPs can query it?