Netgate Discussion Forum

    Weirdester [sorry] DNS issue, appending local domain to queries inconsistently

    Category: DHCP and DNS
    15 Posts 3 Posters 10.3k Views
    • mechtheist

      I keep getting my local domain name as a suffix on some DNS queries, killing about half my browser attempts, and also nslookup. As far as I can tell it is random: one PC will get abc.com and the next won't, then they might reverse this. All PCs are affected, even Linux, but not to the same degree.  pfSense returns proper answers if asked the right question, but looking at capture data I can see the www.freebsd.localdomain; freebsd.org is one of the more consistently error-prone, but again, it changes inconsistently.  It took me quite a while to get to here, where I see what the problem is, after fruitlessly chasing all kinds of blocking issues, but I still don't know how to fix it.  It screws up about half of all browser links; I get all YouTube pages just fine, but more than half of the videos themselves error out.  I've tried doing resets of Windows IP stuff: 'netsh interface ipv4 & 6 reset'. I've cycled through numerous settings in the NIC IPv4 advanced DNS properties (Append primary and connection specific DNS suffixes, with and without checking 'append parent suffixes…', with a custom '.' and 'com' as the entry there).  I've turned NetBIOS off.  Almost everything I do seems to make it better, briefly, then it goes insane again, as I am getting closer to myself.  It seems like it's a Windows or OS problem, but it all started at the same time and affects all machines, so somehow I think pfSense has something to do with it.

      pfSense has never done this before; I've used it for a while, now with an OPT1/DMZ, but everything was normal until after installing pfBlocker.  I first tried this hosts file from msmvps that seems popular with Windows, but the format wasn't right, so I went with some iblock lists.  I have no idea if that has any causal link, just that the problem started then.  The pfSense setup is almost as set up by the setup wizard, no significant changes other than pfBlocker.  I had a wildcard dynamic DNS entry, and saw the above sticky, so I implemented that, and briefly it seemed to work, but then no, so I have of course tried with the wildcard removed, with pfBlocker removed, futile futile.

      Once I tried ip-adress.com, another one that messes up a lot, and the browser went right to it with no problem after days of never being able to find it, but at that moment nslookup failed, and it had worked before.  Usually nslookup will fail if the browser fails, but not always.  One machine will be doing fine and then be able to find almost nothing, while at the same time the other PC that couldn't find anything will suddenly be working.  This random behavior is getting me po'ed.  Sticking an external DNS server entry in the Windows NIC configuration seems to cure the problem, but I want it going off pfSense.  Even the DNS lookup in the pfSense webConfigurator has gotten squirrelly once or twice, I think.  With Wireshark, I can see a correct DNS query go out and return the proper www.freebsd.org IP, but the browser still times out; hitting 'try again' or reload, or hitting the link again, still errors out, but there is no additional DNS query?????  Is it getting cached improperly in Windows?  I don't know how to check that.  So even if it sends a proper query, the browser can error out, and my confusion level is in a competition with my sanity level as to which peak-limits first.

      As mentioned, I have a dyndns (dnsexit.com), which is configured in pfSense and working. PCs are Win7-64 and Win8-64, and a couple of Linux PCs.  I've twiddled about every DNS option in the pfSense configurator, all to no avail.  I realize I am in the 'out of my pay grade' zone, but this is how I learn.  If anyone can point me in some direction I'd really appreciate it; I don't even know what to try to look at anymore.  Thanks for any info, and sorry for the excessive verbiage; I could go for pages more trying to hit all the details.

      “The greatest enemy of knowledge is not ignorance, it is the illusion of knowledge.”

      • jimp (Rebel Alliance Developer, Netgate)

        Have a read of this thread:
        http://forum.pfsense.org/index.php/topic,53203.0.html

        Also, Windows does cache DNS and sometimes badly. Use "ipconfig /flushdns" as admin to clear it, and be sure to close/reopen a browser to make sure the browser didn't cache the response too.


        • mechtheist

          Thanks for the reply. I tried the DNS flushing and it didn't work, and the linked post is about host overrides, which I am not using, and I can't find anything there that seems to help; maybe I am too obtuse.  With an external DNS as the first go-to in Windows, everything works fine, but if the pfSense LAN address is used, I get the anomalous behavior.

          I installed Firefox on one PC (I was using Pale Moon), and it could not find freebsd.org as its first link tried, and it can load YouTube pages but many videos error out.  And, over on the DMZ, in a Linux system, trying to browse to www.freebsd.org gives me my home webserver, also on that machine, but an nslookup without a period at the end gives the expected IP, 8.8.178.110.  Trying that in the browser, http://8.8.178.110, it immediately switches to 'www.freebsd.org' in the address bar and gives me my home server again???????

          I've tried with and without the rebinding attack protection; I've searched for anything causing these pages to be blocked, and that isn't happening, and shouldn't with the default rules.  I've flushed the DNS cache in Windows numerous times on different machines, no change.  Doing a DNS lookup in the pfSense webConfigurator gives back 'wfe0.ysv.freebsd.org.'; plugging that into the box, less the period on the end, I get the 8.8.178.110 that is its IP address. Is that normal?  Many of the DNS queries I looked at with Wireshark had such returns; I think they are the nameservers of the sites getting queried.  Also, the 127.0.0.1 entry in the DNS diagnostic in the pfSense webConfigurator is giving no response, which had been returning responses earlier. I don't know what I did to make that happen, but when pfSense is first installed it usually didn't give an answer, but then it just started up after ??????????.

          There is probably some switch somewhere I've very stupidly set, but I sure can't find out what is going wrong.  Why are only certain IPs not working? Some pages don't render right because only part of the contents come from URLs that are getting screwed up. To sum it up succinctly, aaaaarrrrrggggghhhhhhh.  I am utterly flummoxed, nonplussed and feeling thoroughly minused.


          • johnpoz (LAYER 8 Global Moderator)

            OK, for starters: where does pfSense get its DNS, if you're asking it?  Your ISP?  OpenDNS, Google DNS, what?

            It's not behind another router and asking that, is it?

            Second, Windows can cache DNS and so does your browser.  I know how to turn it off in Firefox, but would have to look up how to do it in others, if possible.  To turn it off in FF: about:config, network.dnsCacheExpiration, set to 0.

            Let's just get some pure clean facts so we know what you're getting in your queries for starters.

            Fire up your favorite analyzer; I like Wireshark because it runs on Windows, Linux, etc., very easy to use.  Fire it up first thing, before you go trying to get anywhere.  Then use your browser to try to go somewhere, and we will see exactly what you asked for and exactly what you got back.

            You can run tcpdump (diag capture) on your WAN interface at the same time, and we can see if pfSense went and asked for what, and from whom, and what got sent back, etc.

            So you mention www.freebsd.org a couple of times.  Let's use that for my example test, since you want to get there and are having issues.

            I don't believe I have been there since I started my machine or my browser, so I fire up Wireshark on my box, and run a capture on pfSense.

            So it looks like pfBlocker is blocking that for me!!  So in my Wireshark captures you can see I send out a query asking for www.freebsd.org and get back the

            And here is what I see happen.

            In the one capture you see my browser send out the query and get back the correct CNAME and IP.  And you see in the other capture that pfSense, as designed, sends it to every DNS configured, both my ISP's IPv4 and IPv6 DNS.  I have blocked out my IPs in both sniffs for privacy concerns.

            Now I had the same issue, the site would not load, but clearly it's getting back the right IP.  I even queried the owning servers after I looked them up via whois:

            Name Server:NS1.ISC-SNS.NET
            Name Server:NS2.ISC-SNS.COM
            Name Server:NS3.ISC-SNS.INFO

            dig @NS1.ISC-SNS.NET www.freebsd.org +short
            wfe0.ysv.freebsd.org.
            8.8.178.110

            All come back with that same CNAME and IP.  But it seems you must be using the same lists as I am using from iblock with pfBlocker; notice the firewall rules using pfBlocker aliases and the popup screenshot that 8.8.178.0/24 is blocked!

            Which is in one of the lists I put in my spyware list. WTF do they have against freebsd.org?  I don't think that freebsd is serving up any spyware.  And if you look up that network, AS10310 Yahoo-prod Yahoo, Inc. production AS, I doubt it's serving up spyware, so someone made a mistake on their list, I think.

            So it seems you have a blocking problem, as you first thought, and not a DNS issue.

            edit:  So disable the rules that were using the lists from iblock with pfBlocker, and shazam, freebsd.org pops right up in the browser. See added image.

            [Attached images: browserandnslook.png, wancapt.png, blockedpfblocker.png, lists.png, worksgreat.png]

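The check johnpoz does by hand above (resolve the name, then see whether the answer falls inside a range on one of the iblock lists fed to pfBlocker) can be scripted. The following is an added example, not code from the thread or from pfBlocker. It parses blocklist text in the iblocklist P2P format (`description:first-last`), expands each range to the CIDR blocks a pf table would hold, and reports which resolved addresses a list would block. The list lines and the resolver results below are constructed for the demonstration (the Maven Networks entry is the one quoted later in this thread); in practice you would feed it the real list files and the output of `dig +short` for each hostname.

```python
"""Blocklist audit for resolved addresses (added example, not from the thread)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Constructed blocklist excerpt in iblocklist P2P format. IPv4 ranges only.
SAMPLE_LIST = """\
# iblockads excerpt (constructed for this example)
Maven Networks:8.8.178.0-8.8.178.255
Example Ad Net:203.0.113.0-203.0.113.127
Example Tracker:198.51.100.40-198.51.100.40
"""

# Constructed resolver results, as 'dig +short <name>' would give them.
RESOLVED = {
    "www.freebsd.org": ["8.8.178.110"],
    "www.ip-adress.com": ["64.34.169.244"],
    "ads.example": ["203.0.113.5", "203.0.113.200"],
}


@dataclass(frozen=True)
class Entry:
    name: str
    first: ipaddress.IPv4Address
    last: ipaddress.IPv4Address

    def __contains__(self, addr: ipaddress.IPv4Address) -> bool:
        return self.first <= addr <= self.last

    def cidrs(self) -> List[str]:
        """The range as the CIDR blocks pfBlocker would load into its pf table."""
        return [str(n) for n in ipaddress.summarize_address_range(self.first, self.last)]


def parse_p2p(text: str) -> List[Entry]:
    """Parse 'description:first-last' lines; blank, comment and malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # rpartition: the description itself may contain ':'
        name, sep, rng = line.rpartition(":")
        if not sep:
            continue
        first, _, last = rng.partition("-")
        try:
            lo = ipaddress.IPv4Address(first.strip())
            hi = ipaddress.IPv4Address(last.strip()) if last else lo
        except ipaddress.AddressValueError:
            continue
        if hi < lo:
            lo, hi = hi, lo
        entries.append(Entry(name.strip(), lo, hi))
    return entries


def matches(addr: str, entries: List[Entry]) -> List[Entry]:
    """Every list entry whose range covers addr."""
    ip = ipaddress.IPv4Address(addr)
    return [e for e in entries if ip in e]


def audit(resolved: Dict[str, List[str]], entries: List[Entry]) -> Dict[str, Dict[str, List[str]]]:
    """Map hostname -> {address -> [names of blocking entries]} for blocked addresses only.

    An empty dict means the host resolves only to unblocked addresses; a host with
    some but not all of its addresses blocked explains 'works sometimes' symptoms.
    """
    report = {}
    for host, addrs in resolved.items():
        hits = {}
        for a in addrs:
            names = [e.name for e in matches(a, entries)]
            if names:
                hits[a] = names
        report[host] = hits
    return report


if __name__ == "__main__":
    entries = parse_p2p(SAMPLE_LIST)
    for host, hits in audit(RESOLVED, entries).items():
        print(f"{host:<20} {'BLOCKED by ' + str(hits) if hits else 'not in any list'}")
    for e in matches("8.8.178.110", entries):
        print(f"{e.name}: {e.first}-{e.last} = {e.cidrs()}")
```

The CIDR expansion is what makes the pfBlocker alias popup readable: `8.8.178.0-8.8.178.255` is exactly one `/24`, which is the block johnpoz saw in the firewall rule.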

            • mechtheist

              Thank you to johnpoz for all that effort.

              pfSense is connected directly to a Time Warner cable modem.

              My DNSs:
              127.0.0.1
              70.85.0.141
              129.115.102.150
              67.214.64.27
              199.192.200.41

              I tried the DNS cache setting in the browser and it did not help; I didn't think it would, because a new Firefox install exhibited this anomalous behavior on its first URL attempt, which was www.freebsd.org.

              Early on, I did have freebsd getting blocked; that was an early confounding/confusing element in the really overcrowded mix of issues. It is blocked in the iblockads list, with the 'Maven Networks:8.8.178.0-8.8.178.255' listing; I don't know anything about that, I just deleted that line.  Since I can browse to that site on the PCs where I set 8.8.8.8 as preferred DNS, and can browse there on some of the PCs with pfSense as primary some of the time also, it definitely isn't getting blocked.  ALL systems using pfSense as first DNS exhibit anomalies; they are inconsistent and intermittent.

              This install is the 3rd try; the first two lasted a few days and I couldn't get certain things right in them, so this is the third. Neither had this issue, and this install was working for a few days before I tried to install the blocker using the hosts file from http://winhelp2002.mvps.org/hosts.htm, designed to block sites using the hosts file in Windows; it is a long list of sites all directed to 127.0.0.1 in order to block them. pfBlocker didn't seem able to parse the file, since it wasn't blocking the sites, so I went with some of the iblock lists.  I keep bringing this up because of the timing: the problem started after I tried that hosts file in pfBlocker, which has since been removed and substituted with the iblock lists, and I've turned the blocker off, and none of this stopped this behavior.

              So, the PC I'm on right now had 8.8.8.8 set for DNS, so it was working fine; I just set it back to 10.0.0.1, the LAN address for pfSense.  From a Windows command line I got this [173.174.xx.xx is my external IP]:

              C:\Windows\System32>nslookup www.freebsd.org
              Server:  pfsense.MYDOMAIN.org
              Address:  10.0.0.1
              
              Non-authoritative answer:
              Name:    www.freebsd.org.MYDOMAIN.org
              Address:  173.174.xx.xx
              
              C:\Windows\System32>dig www.freebsd.org
              
              ; <<>> DiG 9.9.2 <<>> www.freebsd.org
              ;; global options: +cmd
              ;; Got answer:
              ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17195
              ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 1
              
              ;; OPT PSEUDOSECTION:
              ; EDNS: version: 0, flags:; udp: 4096
              ;; QUESTION SECTION:
              ;www.freebsd.org.               IN      A
              
              ;; AUTHORITY SECTION:
              .                       518400  IN      NS      J.ROOT-SERVERS.NET.
              .                       518400  IN      NS      K.ROOT-SERVERS.NET.
              .                       518400  IN      NS      L.ROOT-SERVERS.NET.
              .                       518400  IN      NS      M.ROOT-SERVERS.NET.
              .                       518400  IN      NS      A.ROOT-SERVERS.NET.
              .                       518400  IN      NS      B.ROOT-SERVERS.NET.
              .                       518400  IN      NS      C.ROOT-SERVERS.NET.
              .                       518400  IN      NS      D.ROOT-SERVERS.NET.
              .                       518400  IN      NS      E.ROOT-SERVERS.NET.
              .                       518400  IN      NS      F.ROOT-SERVERS.NET.
              .                       518400  IN      NS      G.ROOT-SERVERS.NET.
              .                       518400  IN      NS      H.ROOT-SERVERS.NET.
              .                       518400  IN      NS      I.ROOT-SERVERS.NET.
              
              ;; Query time: 435 msec
              ;; SERVER: 10.0.0.1#53(10.0.0.1)
              ;; WHEN: Sat Jan 12 17:47:01 2013
              ;; MSG SIZE  rcvd: 255
              
              C:\Windows\System32>nslookup www.freebsd.org.
              Server:  pfsense.MYDOMAIN.org
              Address:  10.0.0.1
              
              Name:    www.freebsd.org
              Served by:
              - L.ROOT-SERVERS.NET
              - M.ROOT-SERVERS.NET
              - A.ROOT-SERVERS.NET
              - B.ROOT-SERVERS.NET
              - C.ROOT-SERVERS.NET
              - D.ROOT-SERVERS.NET
              - E.ROOT-SERVERS.NET
              - F.ROOT-SERVERS.NET
              - G.ROOT-SERVERS.NET
              - H.ROOT-SERVERS.NET
              C:\Windows\System32>ipconfig /flushdns
              
              Windows IP Configuration
              
              Successfully flushed the DNS Resolver Cache.
              C:\Windows\System32>nslookup www.freebsd.org
              Server:  pfsense.MYDOMAIN.org
              Address:  10.0.0.1
              
              Non-authoritative answer:
              Name:    www.freebsd.org.MYDOMAIN.org
              Address:  173.174.xx.xx
              

              Notice the flushing of DNS and the period at the end of the nslookup when it seems to behave normally, and the anomalous result when there is no period.   And the browser shows  "Pale Moon can't find the server at www.freebsd.org."

              I just did another flush and this time freebsd.org comes up in the browser!!!!   arrrggghhh^googol.
              But trying another high-failure-rate site, www.ip-adress.com, that fails.  Looking at the Wireshark captured data, the DNS queries for the successful and the failed www.freebsd.org are the same:
              www.freebsd.org: type A, class IN

              This is flushing DNS and what the command line sees:

              C:\Windows\System32>ipconfig /flushdns
              
              Windows IP Configuration
              
              Successfully flushed the DNS Resolver Cache.
              
              C:\Windows\System32>nslookup www.ip-adress.com
              Server:  pfsense.MYDOMAIN.org
              Address:  10.0.0.1
              
              Non-authoritative answer:
              Name:    www.ip-adress.com.MYDOMAIN.org
              Address:  173.174.xx.xx
              
              C:\Windows\System32>nslookup www.ip-adress.com.
              Server:  pfsense.MYDOMAIN.org
              Address:  10.0.0.1
              
              Non-authoritative answer:
              Name:    www.ip-adress.com
              Address:  64.34.169.244
              

              The search for ip-adress.com without the period is the same as for freebsd, but with the period it is looking for AAAA records (IPv6).

              This behavior seems perverse; it changed while I was writing this post. The browser has:
              network.dnsCacheExpiration;0
              I flushed the DNS before both the successful and unsuccessful freebsd attempts.  NOW, I reset (to checked) the 'append parent suffixes of the primary DNS suffix' in the advanced DNS config settings for the NIC/connection. I did this because I hadn't seen any queries with the mydomain appended as I had seen before. This is within 10 minutes of the above 'not-working' to 'working' on freebsd, and now it again couldn't get to freebsd, AND it could find ip-adress, another random switcheroo.  Of note, when I tried freebsd addresses, there was NO query to pfSense!!!!!??????!!!!!.

              I want to go home [but leave the toys].  There is some kind of caching/time-to-live/DNS resolving interaction going on with this intermittent thingie is the only thing I can remotely figure, and it is some setting somewhere that got mis-set somehow, but it has to be in pfSense, since everyone started going crazy at the same time [or is this mistaken somehow?].  The lack of response on a DNS query in the webConfigurator for 127.0.0.1, when it had been working earlier, could that mean something significant?  Could this be a NIC hardware issue? The symptoms don't seem like that is likely???  Why do all YouTube pages load but many to most of the videos don't?  I've been on the verge of just redoing the install; it isn't that big of a deal, but I really wanted to figure this out.  So I will wait a couple of days, see if anyone sees where I've po'ed the network gods, and if not, reinstall.

              To all who've bothered to look through all this, thanks!



              Infos:

              
              C:\Windows\System32>ipconfig /all
              
              Windows IP Configuration
              
                 Host Name . . . . . . . . . . . . : sandy
                 Primary Dns Suffix  . . . . . . . :
                 Node Type . . . . . . . . . . . . : Hybrid
                 IP Routing Enabled. . . . . . . . : No
                 WINS Proxy Enabled. . . . . . . . : No
                 DNS Suffix Search List. . . . . . : MYDOMAIN.org
              
              Ethernet adapter wired_gigabit:
              
                 Connection-specific DNS Suffix  . : MYDOMAIN.org
                 Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller #2
                 Physical Address. . . . . . . . . : 6C-62-6D-40-A4-7B
                 DHCP Enabled. . . . . . . . . . . : Yes
                 Autoconfiguration Enabled . . . . : Yes
                 Link-local IPv6 Address . . . . . : fe80::xxxxx17(Preferred)
                 IPv4 Address. . . . . . . . . . . : 10.0.0.10(Preferred)
                 Subnet Mask . . . . . . . . . . . : 255.255.255.0
                 Lease Obtained. . . . . . . . . . : Saturday, January 12, 2013 5:19:28 PM
                 Lease Expires . . . . . . . . . . : Saturday, January 12, 2013 8:46:15 PM
                 Default Gateway . . . . . . . . . : 10.0.0.1
                 DHCP Server . . . . . . . . . . . : 10.0.0.1
                 DHCPv6 IAID . . . . . . . . . . . : 409756269
                 DHCPv6 Client DUID. . . . . . . . : I swear occifer I only had a couple
                 DNS Servers . . . . . . . . . . . : 10.0.0.1
                 NetBIOS over Tcpip. . . . . . . . : Enabled
              
              C:\Windows\System32>netsh interface ip show config
              Configuration for interface "wired_gigabit"
                  DHCP enabled:                         Yes
                  IP Address:                           10.0.0.10
                  Subnet Prefix:                        10.0.0.0/24 (mask 255.255.255.0)
                  Default Gateway:                      10.0.0.1
                  Gateway Metric:                       0
                  InterfaceMetric:                      10
                  DNS servers configured through DHCP:  10.0.0.1
                  Register with which suffix:           Primary only
                  WINS servers configured through DHCP: None
              
              root% ifconfig
              fwe0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
                      options=8<VLAN_MTU>
                      ether 02:11:d8:3b:81:71
                      ch 1 dma -1
              fwip0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
                      lladdr 0.11.d8.0.1.3b.81.71.a.2.ff.fe.0.0.0.0
              re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
                      options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
                      ether 00:14:d1:15:45:33
                      inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
                      inet6 fe80::214:d1ff:fe15:4533%re0 prefixlen 64 scopeid 0x3
                      nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
                      media: Ethernet autoselect (1000baseT <full-duplex>)
                      status: active
              re1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
                      options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
                      ether 00:21:2f:2f:a5:92
                      inet 10.0.5.1 netmask 0xffffff00 broadcast 10.0.5.255
                      inet6 xxxxxre1 prefixlen 64 scopeid 0x4
                      nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
                      media: Ethernet autoselect (1000baseT <full-duplex>)
                      status: active
              nfe0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
                      options=80008<VLAN_MTU,LINKSTATE>
                      ether 00:1a:92:df:2a:14
                      inet6 fe80::xxxxx%nfe0 prefixlen 64 scopeid 0x5
                      inet 173.174.xx.xx netmask 0xffffe000 broadcast 255.255.255.255
                      nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
                      media: Ethernet autoselect (100baseTX <full-duplex>)
                      status: active
              pflog0: flags=100<PROMISC> metric 0 mtu 33664
              pfsync0: flags=0<> metric 0 mtu 1460
                      syncpeer: 224.0.0.240 maxupd: 128 syncok: 1
              enc0: flags=0<> metric 0 mtu 1536
              lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
                      options=3<RXCSUM,TXCSUM>
                      inet 127.0.0.1 netmask 0xff000000
                      inet6 ::1 prefixlen 128
                      inet6 fe80::1%lo0 prefixlen 64 scopeid 0x9
                      nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
              

              cable modem–---pfsense-----lan-------------switch-----PCs, wifi router, shrine to network gods
                                                |
                                                |
                                                |---OPT1/DMZ------router----PCs

              #System aliases
              
              loopback = "{ lo0 }"
              WAN = "{ nfe0 }"
              LAN = "{ re0 }"
              OPT1 = "{ re1 }"
              
              #SSH Lockout Table
              table <sshlockout> persist
              table <webconfiguratorlockout> persist
              #Snort tables
              table <snort2c>
              table <virusprot>
              # User Aliases 
              table <mylans> { 10.0.0.0/24 10.0.5.0/24 }
              mylans = "<mylans>"
              table <pfblockeriblockads> persist file "/var/db/aliastables/pfBlockeriblockads.txt"
              pfBlockeriblockads = "<pfblockeriblockads>"
              table <pfblockeriblockspywaregz> persist file "/var/db/aliastables/pfBlockeriblockspywaregz.txt"
              pfBlockeriblockspywaregz = "<pfblockeriblockspywaregz>"
              table <pfblockeriblockwebexploittxt> persist file "/var/db/aliastables/pfBlockeriblockwebexploittxt.txt"
              pfBlockeriblockwebexploittxt = "<pfblockeriblockwebexploittxt>"
              table <pfblockertopspammers> persist file "/var/db/aliastables/pfBlockerTopSpammers.txt"
              pfBlockerTopSpammers = "<pfblockertopspammers>"
              table <tsubs> { 10.0.0.20 10.0.0.21 10.0.0.22 }
              tsubs = "<tsubs>"
              
              # Gateways
              GWWAN = " route-to ( nfe0 173.174.xx.xx ) "
              
              set loginterface re0
              set optimization normal
              set limit states 786000
              set limit src-nodes 786000
              
              set skip on pfsync0
              
              no nat proto carp
              no rdr proto carp
              nat-anchor "natearly/*"
              nat-anchor "natrules/*"
              
              # Outbound NAT rules
              
              # Subnets to NAT 
              tonatsubnets	= "{ 10.0.0.0/24 10.0.5.0/24 127.0.0.0/8  }"
              nat on $WAN  from $tonatsubnets port 500 to any port 500 -> 173.174.xx.xx/32 port 500  
              nat on $WAN  from $tonatsubnets to any -> 173.174.xx.xx/32 port 1024:65535  
              
              # Load balancing anchor
              rdr-anchor "relayd/*"
              # TFTP proxy
              rdr-anchor "tftp-proxy/*"
              table <negate_networks> { 173.174.xx.0/19 10.0.0.0/24 10.0.5.0/24 }
              # NAT Inbound Redirects
              rdr on nfe0 proto tcp from any to 173.174.xx.xx port 80 -> 10.0.5.2
              # Reflection redirects
              rdr on { re0 re1 } proto tcp from any to 173.174.xx.xx port 80 tag PFREFLECT -> 127.0.0.1 port 19000
              
              rdr on nfe0 proto tcp from any to 173.174.xx.0/19 port xx -> 10.0.0.1
              # Reflection redirects
              rdr on { re0 re1 } proto tcp from any to 173.174.xx.0/19 port xx tag PFREFLECT -> 127.0.0.1 port 19001
              
              rdr on nfe0 proto tcp from any to 173.174.xx.0/19 port xxxx -> 10.0.0.1
              # Reflection redirects
              rdr on { re0 re1 } proto tcp from any to 173.174.xx.0/19 port xxxx tag PFREFLECT -> 127.0.0.1 port 19002
              
              # UPnPd rdr anchor
              rdr-anchor "miniupnpd"
              
              anchor "relayd/*"
              #---------------------------------------------------------------------------
              # default deny rules
              #---------------------------------------------------------------------------
              block in log all label "Default deny rule"
              block out log all label "Default deny rule"
              
              # We use the mighty pf, we cannot be fooled.
              block quick proto { tcp, udp } from any port = 0 to any
              block quick proto { tcp, udp } from any to any port = 0
              
              # Block all IPv6
              block in quick inet6 all
              block out quick inet6 all
              
              # Snort package
              block quick from <snort2c> to any label "Block snort2c hosts"
              block quick from any to <snort2c> label "Block snort2c hosts"
              
              # SSH lockout
              block in log quick proto tcp from <sshlockout> to any port xx label "sshlockout"
              
              # webConfigurator lockout
              block in log quick proto tcp from <webconfiguratorlockout> to any port xxxx label "webConfiguratorlockout"
              block in quick from <virusprot> to any label "virusprot overload table"
              table <bogons> persist file "/etc/bogons"
              # block bogon networks
              # http://www.cymru.com/Documents/bogon-bn-nonagg.txt
              block in log quick on $WAN from <bogons> to any label "block bogon networks from WAN"
              antispoof for nfe0
              # block anything from private networks on interfaces with the option set
              antispoof for $WAN
              block in log quick on $WAN from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
              block in log quick on $WAN from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
              block in log quick on $WAN from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
              block in log quick on $WAN from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
              # allow our DHCP client out to the WAN
              pass in on $WAN proto udp from any port = 67 to any port = 68 label "allow dhcp client out WAN"
              pass out on $WAN proto udp from any port = 68 to any port = 67 label "allow dhcp client out WAN"
              # Not installing DHCP server firewall rules for WAN which is configured for DHCP.
              antispoof for re0
              # allow access to DHCP server on LAN
              pass in quick on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
              pass in quick on $LAN proto udp from any port = 68 to 10.0.0.1 port = 67 label "allow access to DHCP server"
              pass out quick on $LAN proto udp from 10.0.0.1 port = 67 to any port = 68 label "allow access to DHCP server"
              antispoof for re1
              # allow access to DHCP server on OPT1
              pass in quick on $OPT1 proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
              pass in quick on $OPT1 proto udp from any port = 68 to 10.0.5.1 port = 67 label "allow access to DHCP server"
              pass out quick on $OPT1 proto udp from 10.0.5.1 port = 67 to any port = 68 label "allow access to DHCP server"
              
              # loopback
              pass in on $loopback all label "pass loopback"
              pass out on $loopback all label "pass loopback"
              # let out anything from the firewall host itself and decrypted IPsec traffic
              pass out all keep state allow-opts label "let out anything from firewall host itself"
              pass out route-to ( nfe0 173.174.xx.xx ) from 173.174.xx.xx to !173.174.xx.0/19 keep state allow-opts label "let out anything from firewall host itself"
              # make sure the user cannot lock himself out of the webConfigurator or SSH
              pass in quick on re0 proto tcp from any to (re0) port { xxxx 443  xx } keep state label "anti-lockout rule"
              # NAT Reflection rules
              pass in inet tagged PFREFLECT keep state label "NAT REFLECT: Allow traffic to localhost"
              
              # User-defined rules follow
              
              anchor "userrules/*"
              block  in log  quick  on $WAN reply-to ( nfe0 173.174.xx.xx )  from   $pfBlockerTopSpammers to any  label "USER_RULE: pfBlockerTopSpammers auto rule"
              block  in log  quick  on $WAN reply-to ( nfe0 173.174.xx.xx )  from   $pfBlockeriblockads to any  label "USER_RULE: pfBlockeriblockads auto rule"
              block  in log  quick  on $WAN reply-to ( nfe0 173.174.xx.xx )  from   $pfBlockeriblockspywaregz to any  label "USER_RULE: pfBlockeriblockspywaregz auto rule"
              block  in log  quick  on $WAN reply-to ( nfe0 173.174.xx.xx )  from   $pfBlockeriblockwebexploittxt to any  label "USER_RULE: pfBlockeriblockwebexploittxt auto rule"
              pass  in log  quick  on $WAN reply-to ( nfe0 173.174.xx.xx )  proto tcp  from any to   10.0.5.2 port 80  flags S/SA keep state  label "USER_RULE: NAT Port forward for web server"
              pass   in  quick  on $WAN reply-to ( nfe0 173.174.xx.xx )  proto tcp  from any to   10.0.0.1 port xx   label "USER_RULE: NAT ssh redirect for wan"
              pass   in  quick  on $WAN reply-to ( nfe0 173.174.xx.xx )  proto tcp  from any to   10.0.0.1 port xxxx   label "USER_RULE: NAT ssh redirect for wan"
              pass  in log  quick  on $WAN reply-to ( nfe0 173.174.xx.xx )  proto tcp  from   8.8.178.110 to   $mylans flags S/SA keep state  label "USER_RULE: copied formEasy Rule: Passed from Firewall Log View"
              block return  in log  quick  on $LAN  from any to   $pfBlockerTopSpammers  label "USER_RULE: pfBlockerTopSpammers auto rule"
              block return  in log  quick  on $LAN  from any to   $pfBlockeriblockads  label "USER_RULE: pfBlockeriblockads auto rule"
              block return  in log  quick  on $LAN  from any to   $pfBlockeriblockspywaregz  label "USER_RULE: pfBlockeriblockspywaregz auto rule"
              block return  in log  quick  on $LAN  from any to   $pfBlockeriblockwebexploittxt  label "USER_RULE: pfBlockeriblockwebexploittxt auto rule"
              pass  in  quick  on $LAN  from 10.0.0.0/24 to any keep state  label "USER_RULE: Default allow LAN to any rule"
              pass  in log  quick  on $LAN  proto tcp  from   $mylans to   8.8.178.110 port 80  flags S/SA keep state  label "USER_RULE: Easy Rule: Passed from Firewall Log View"
              pass  in  quick  on $LAN  proto tcp  from   10.0.0.10 to   8.8.178.110 port 80  flags S/SA keep state  label "USER_RULE: Easy Rule: Passed from Firewall Log View"
              block return  in log  quick  on $OPT1  from any to   $pfBlockerTopSpammers  label "USER_RULE: pfBlockerTopSpammers auto rule"
              block return  in log  quick  on $OPT1  from any to   $pfBlockeriblockads  label "USER_RULE: pfBlockeriblockads auto rule"
              block return  in log  quick  on $OPT1  from any to   $pfBlockeriblockspywaregz  label "USER_RULE: pfBlockeriblockspywaregz auto rule"
              block return  in log  quick  on $OPT1  from any to   $pfBlockeriblockwebexploittxt  label "USER_RULE: pfBlockeriblockwebexploittxt auto rule"
              pass  in log  quick  on $OPT1  from 10.0.5.1/24 to !10.0.0.0/24 keep state  label "USER_RULE: MY UNDefault allow DMZ to any NOT_lan-rule"
              
              # VPN Rules
              anchor "tftp-proxy/*"
              # uPnPd
              anchor "miniupnpd"
              

              “The greatest enemy of knowledge is not ignorance, it is the illusion of knowledge.”

              • johnpozJ
                johnpoz LAYER 8 Global Moderator
                last edited by

                Ok I don't have time right at this minute to read all through that info - but this jumps out at me

                " I just set it back to 10.0.0.1-the lan address for pfsense.  From a windows command line I got this[173.174.xx.xx is my external IP]:"

                C:\Windows\System32>nslookup www.freebsd.org
                Server:  pfsense.MYDOMAIN.org
                Address:  10.0.0.1

                Non-authoritative answer:
                Name:    www.freebsd.org.MYDOMAIN.org
                Address:  173.174.xx.xx

                What is this MYDOMAIN.org thing??  Are you changing that, or is it really mydomain.org?  Since it's all CAPS, what are you changing this out for?

                And do you see how I did a sniff? Where is your sniff?  I want to see exactly what you're doing a query for, and to where.

                Those IPs you list don't seem like your ISP dns to me

                dig -x  70.85.0.141 +short
                8d.0.5546.static.theplanet.com.

                dig -x 129.115.102.150 +short
                juliet.it.utsa.edu.

                dig -x 67.214.64.27 +short
                dns1.telwestonline.com

                dig -x 199.192.200.41 +short
                ct41.7wei.com.

                Those are not the dns servers for timewarner - where did you come up with using those?

                And your config still shows the aliases for pfblocker and using the ad list that blocks freebsd.org network.

                Let's see the sniff of your query. I really don't think your local domain is MYDOMAIN.org, is it?  And if it is - you do understand that is a public domain!! and I doubt you own it

                Domain Name:MYDOMAIN.ORG
                Created On:23-Aug-1996 04:00:00 UTC
                Last Updated On:13-Aug-2012 13:20:37 UTC
                Registrant ID:moniker1831
                Registrant Name:Vince Di Bernardo
                Registrant Organization:Vince Di Bernardo
                Registrant Street1:18737 Shaws Creek Road

                And a query for what you did a query for would fail

                ; <<>> DiG 9.8.1-P1 <<>> pfsense.mydomain.org
                ;; global options: +cmd
                ;; Got answer:
                ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 59437
                ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

                ;; QUESTION SECTION:
                ;pfsense.mydomain.org.          IN      A

                ;; Query time: 524 msec
                ;; SERVER: 192.168.1.253#53(192.168.1.253)
                ;; WHEN: Sun Jan 13 08:50:19 2013
                ;; MSG SIZE  rcvd: 38

                Not sure why you would hide a local domain??  If you really are using mydomain.org - bad IDEA, use something that is not public, mydomain.lan would be fine, etc.

                But this is telling me it was cached at the server for that fqdn with your suffix on the end

                Non-authoritative answer:
                Name:    www.freebsd.org.MYDOMAIN.org
                Address:  173.174.xx.xx

                Not sure what this means..

                nslookup www.freebsd.org.
                Server:  pfsense.MYDOMAIN.org
                Address:  10.0.0.1

                Name:    www.freebsd.org
                Served by:

                • L.ROOT-SERVERS.NET
                • M.ROOT-SERVERS.NET
                • A.ROOT-SERVERS.NET

                But clearly the box does not have a clue about that request.  It just throws back roots, but since it did not throw back an nxdomain, I would assume it's telling you it needs to be forwarded??

                At some point did you try and run local dns on pfsense?  unbound?  Or tiny?  And I don't understand why you're using those odd ball dns for your forwarders?  Why not your provider?  Or some more well known public dns, 4.3.3.3, 4.2.2.2

                How about using debug on your nslookup? You're going to see that windows is going to ask with its suffix attached

                So you got something going on with that suffix you're using?  Let's see what is going on exactly: where is the sniff of the traffic from your client to pfsense, and then what pfsense sends out and gets back?  Or what it answers back because it has that record.

                nslookupdebug.png

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                • M
                  mechtheist
                  last edited by

                  I really appreciate you taking so much time trying to help.  I blanked out the particulars of my domain name and external IPs for privacy/paranoia issues; the name itself isn't something that will get by censors.  The DNS servers are ones that score the highest in DNSBench from  http://www.GRC.com, the Gibson Research folk [ShieldsUp etc], plus one from the DNSexit folk that I get my dynamic DNS workings from.  The ad-blocking list I am using is a static text file with the offending blockage removed; I can surf to freebsd.org with no problem. As I detailed above, right in the middle of writing the previous post, my main machine went from its typical not finding freebsd, to finding it, and then not finding it, all in 10 minutes, where the only thing I changed was checking the box on the 'append parent suffixes of the primary DNS suffix' in the advanced dns config settings for the NIC/connection in windows.

                  I can't figure out how to copy from wireshark, I get little pieces, but the query for freebsd looks like this:

                  www.freebsd.org: type A, class IN

                  I'm doing something wrong here, image:  https://skydrive.live.com/redir?resid=CD4A1DE1B932EC1E!96107

                  when doing the testing above, when it changed from not working to working to not working, after the initial query, there was not another one, the initial query for ip-adress.com was normal.  I'm sorry this is the best I can do at the moment, I have some things I am running late for right now, and will be gone for most of the rest  of the day, but tonight I will figure out how to suck more data from wireshark, I haven't used it all that much so I got some learnin' to do in that regard.

                  Again, thanks, really really thanks, for taking so much time.  Have a good one.


                  • johnpozJ
                    johnpoz LAYER 8 Global Moderator
                    last edited by

                    What does get by censors mean?  I am more worried about the tld, for a private domain you use on your lan for your local machines.  I would not suggest you use any sort of valid tld, you run into an issue where it could resolve on the public net.

                    using mydomain.lan or .local or .foo etc. would be better options.

                    The query for freebsd.org looks like that where - on your lan, or is that what is going out the wan of pfsense when you ask for it?

                    For you to get a response with your public IP as the answer, something has to answer with that? It should not be possible for an external dns to respond – so I have to assume pfsense is responding.

                    You're pointing to 127.0.0.1 - pfsense itself - for dns.  So did you at some point try and run unbound or tiny dns, or some other dns -- did you install bind for example?

                    What do you have in your Host Overrides in dns forwarder under services?

                    By default windows will add its primary suffix to queries when looking for stuff that does not answer.  So what is the domain you're using locally?  mydomain.org is a valid domain on the internet - this is not something you should be using as your primary domain on your local boxes.  Unless of course you owned and controlled that domain and wanted to do that??

                    Let's fully understand your local domain and hostnames and how they query, and then we can figure out how what you're seeing is happening.

                    PM me your details of your domain if you don't want it public.  But I don't see how something like curseword.lan would be an issue.  The .tld is the part I am curious about.  org, net, com, info, biz, etc.. not good choices for local domains if you ask me.

                    More than happy to remote in and take a look with you if you want.  We could use teamviewer to one of your local hosts and then access your pfsense gui and shell with you watching everything that we do, etc.

                    Just send me a PM and we can schedule a good time.

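Two things the moderator's replies above rely on are easy to check mechanically: that a NOERROR response with an empty answer section and root NS records in the authority section (the capture later in the thread) is not the same thing as NXDOMAIN, and that a client only appends a search suffix when the name is not fully qualified, so `www.freebsd.org.` with the trailing dot never becomes `www.freebsd.org.MYDOMAIN.org`. The following is an added example written for this edit, not code from the thread or from pfSense/dnsmasq: a small DNS wire-format encoder/parser that classifies a response, plus a deliberately simplified model of the suffix search list (an assumption for illustration, not the Windows resolver's exact algorithm). The sample messages are constructed to mirror the fields visible in the capture (query ID 0xD7DF, one question, no answers, root NS authority records); they are not the poster's bytes, and the 203.0.113.10 address is a documentation address.

```python
import struct

# All sample messages below are constructed for this example; they mirror
# the shape of the capture in the thread but are not the captured bytes.


def encode_name(name):
    """Encode a dotted name in DNS label format ("" or "." is the root)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qid, name, qtype=1):
    """Standard query with RD set (flags 0x0100): header + one question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2                # the pointer ends the name in the stream
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def parse_response(msg):
    """Parse header, question and the three record sections of a response."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        qname, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((qname, qtype))
    sections = {"answer": [], "authority": [], "additional": []}
    for sec, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            rname, off = read_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == 2:                                   # NS rdata is a name
                rdata, _ = read_name(msg, off)
            elif rtype == 1 and rdlen == 4:                  # A rdata is an IPv4 address
                rdata = ".".join(str(b) for b in msg[off:off + 4])
            else:
                rdata = msg[off:off + rdlen].hex()
            off += rdlen
            sections[sec].append((rname, rtype, ttl, rdata))
    return {"id": qid, "rcode": flags & 0xF, "aa": bool(flags & 0x0400),
            "ra": bool(flags & 0x0080), "questions": questions, **sections}


def classify(resp):
    """Separate the cases the thread discusses: a real answer, NXDOMAIN,
    and NOERROR with nothing but root NS records in the authority section."""
    if resp["rcode"] == 3:
        return "NXDOMAIN"            # name does not exist; a stub may try the next suffix
    if resp["rcode"] != 0:
        return "ERROR rcode=%d" % resp["rcode"]
    if resp["answer"]:
        return "ANSWER"
    ns_owners = [r[0] for r in resp["authority"] if r[1] == 2]
    if ns_owners and all(o == "." for o in ns_owners):
        return "NOERROR-ROOT-REFERRAL"   # resolver handed back root hints, not a result
    return "NODATA"


def search_candidates(name, suffixes):
    """Simplified stub-resolver model (an assumption, not Windows' exact rules):
    a trailing dot means fully qualified and blocks suffixing; a dotted name is
    tried as-is first, then with each suffix; a single label only gets suffixes."""
    if name.endswith("."):
        return [name]
    cands = [name + "."] if "." in name else []
    return cands + ["%s.%s." % (name, s.strip(".")) for s in suffixes]


def sample_referral():
    """NOERROR, empty answer, three root NS records: the capture's shape."""
    hdr = struct.pack("!HHHHHH", 0xD7DF, 0x8180, 1, 0, 3, 0)      # QR RD RA, rcode 0
    question = encode_name("www.freebsd.org") + struct.pack("!HH", 1, 1)
    records = b""
    for root in ("K", "L", "M"):
        rdata = encode_name(root + ".ROOT-SERVERS.NET")
        records += encode_name(".") + struct.pack("!HHIH", 2, 1, 518400, len(rdata)) + rdata
    return hdr + question + records


def sample_nxdomain():
    """What a suffixed name should normally get back: rcode 3."""
    return (struct.pack("!HHHHHH", 0xD7DF, 0x8183, 1, 0, 0, 0)
            + encode_name("www.freebsd.org.MYDOMAIN.org") + struct.pack("!HH", 1, 1))


def sample_answer():
    """A normal answer; the owner name is a pointer back to the question (offset 12)."""
    hdr = struct.pack("!HHHHHH", 0x0001, 0x8180, 1, 1, 0, 0)
    question = encode_name("www.freebsd.org") + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([203, 0, 113, 10])
    return hdr + question + answer


if __name__ == "__main__":
    for label, msg in (("referral", sample_referral()), ("nxdomain", sample_nxdomain()),
                       ("answer", sample_answer())):
        print(label, classify(parse_response(msg)))
    print(search_candidates("www.freebsd.org", ["MYDOMAIN.org"]))
```

Run against a real capture, `parse_response` takes the UDP payload bytes; the point of `classify` is that only `NXDOMAIN` tells a stub resolver the name is absent, so a forwarder that returns root hints instead of a definitive answer leaves the client free to retry with the suffix appended, which is consistent with the inconsistent `www.freebsd.org.MYDOMAIN.org` results described above.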

                    • M
                      mechtheist
                      last edited by

                      Okay, this is the best I can do. PC tsub has pfsense as sole DNS; here are the details of a DNS query that fails at the browser:

                      Query
                        Frame: Number = 557, Captured Frame Length = 125, MediaType = WiFi

                      • WiFi: [Unencrypted Data] .T….., (I)
                          - MetaData:
                            Version: 2 (0x2)
                            Length: 32 (0x20)
                          - OpMode: Unknown operation mode(16)
                              StationMode:          (...............................0) Not Station Mode
                              APMode:                (..............................0.) Not AP Mode
                              ExtensibleStationMode: (.............................0..) Not Extensible Station Mode
                              Unused:                (.0000000000000000000000000010...)
                              MonitorMode:          (0...............................) Not Monitor Mode
                            Flags: 4294967295 (0xFFFFFFFF)
                            RemData: Outbound
                            TimeStamp: 01/14/2013, 13:21:07.132834 UTC
                          - FrameControl: Version 0,Data, Data, .T.....(0x108)
                            Version:        (..............00) 0
                            Type:          (............10..) Data
                            SubType:        (........0000....) Data
                            DS:            (......01........) STA to DS via AP
                            MoreFrag:      (.....0..........) No
                            Retry:          (....0...........) No
                            PowerMgt:      (...0............) Active Mode
                            MoreData:      (..0.............) No
                            ProtectedFrame: (.0..............) No
                            Order:          (0...............) Unordered
                            Duration: 32768 (0x8000)
                            BSSID: 10BF48 D99340
                            SA: 844BF5 B1B3A5
                            DA: TRENDware International, Inc. 154533
                          - SequenceControl: Sequence Number = 0
                            FragmentNumber: (............0000) 0
                            SequenceNumber: (000000000000....) 0
                      • LLC: Unnumbered(U) Frame, Command Frame, SSAP = SNAP(Sub-Network Access Protocol), DSAP = SNAP(Sub-Network Access Protocol)
                          - DSAP: SNAP(Sub-Network Access Protocol), Individual DSAP
                            Address: (1010101.) SNAP(Sub-Network Access Protocol)
                            IG:      (.......0) Individual Address
                          - SSAP: SNAP(Sub-Network Access Protocol), Command
                            Address: (1010101.) SNAP(Sub-Network Access Protocol)
                            CR:      (.......0) Command Frame
                          - Unnumbered: UI - Unnumbered Information
                            MMM:  (000.....) 0
                            PF:  (...0....) Poll Bit - No Response Solicited
                            MM:  (....00..)
                            Type: (......11) Unnumbered(U) Frame
                      • Snap: EtherType = Internet IP (IPv4), OrgCode = XEROX CORPORATION
                            OrganizationCode: XEROX CORPORATION, 0(0x0000)
                            EtherType: Internet IP (IPv4), 2048(0x0800)
                      • Ipv4: Src = 10.0.0.21, Dest = 10.0.0.1, Next Protocol = UDP, Packet ID = 18662, Total IP Length = 61
                          - Versions: IPv4, Internet Protocol; Header Length = 20
                            Version:      (0100....) IPv4, Internet Protocol
                            HeaderLength: (....0101) 20 bytes (0x5)
                          - DifferentiatedServicesField: DSCP: 0, ECN: 0
                            DSCP: (000000..) Differentiated services codepoint 0
                            ECT:  (......0.) ECN-Capable Transport not set
                            CE:  (.......0) ECN-CE not set
                            TotalLength: 61 (0x3D)
                            Identification: 18662 (0x48E6)
                          - FragmentFlags: 0 (0x0)
                            Reserved: (0...............)
                            DF:      (.0..............) Fragment if necessary
                            MF:      (..0.............) This is the last fragment
                            Offset:  (...0000000000000) 0
                            TimeToLive: 128 (0x80)
                            NextProtocol: UDP, 17(0x11)
                            Checksum: 56756 (0xDDB4)
                            SourceAddress: 10.0.0.21
                            DestinationAddress: 10.0.0.1
                      • Udp: SrcPort = 51429, DstPort = DNS(53), Length = 41
                            SrcPort: 51429
                            DstPort: DNS(53)
                            TotalLength: 41 (0x29)
                            Checksum: 1076 (0x434)
                            UDPPayload: SourcePort = 51429, DestinationPort = 53
                      • Dns: QueryId = 0xD7DF, QUERY (Standard query), Query  for www.freebsd.org of type Host Addr on class Internet
                            QueryIdentifier: 55263 (0xD7DF)
                          - Flags:  Query, Opcode - QUERY (Standard query), RD, Rcode - Success
                            QR:                (0...............) Query
                            Opcode:            (.0000...........) QUERY (Standard query) 0
                            AA:                (.....0..........) Not authoritative
                            TC:                (......0.........) Not truncated
                            RD:                (.......1........) Recursion desired
                            RA:                (........0.......) Recursive query support not available
                            Zero:              (.........0......) 0
                            AuthenticatedData: (..........0.....) Not AuthenticatedData
                            CheckingDisabled:  (...........0....) Not CheckingDisabled
                            Rcode:            (............0000) Success 0
                            QuestionCount: 1 (0x1)
                            AnswerCount: 0 (0x0)
                            NameServerCount: 0 (0x0)
                            AdditionalCount: 0 (0x0)
                          - QRecord: www.freebsd.org of type Host Addr on class Internet
                            QuestionName: www.freebsd.org
                            QuestionType: A, IPv4 address, 1(0x1)
                            QuestionClass: Internet, 1(0x1)

                      response:
                        Frame: Number = 561, Captured Frame Length = 336, MediaType = WiFi

                      • WiFi: [Unencrypted Data] F…..P, (I) RSSI = -44 dBm, Rate = Unknown
                          - MetaData: RSSI = -44 dBm, Rate = Unknown
                            Version: 2 (0x2)
                            Length: 32 (0x20)
                          - OpMode: Unknown operation mode(16)
                              StationMode:          (...............................0) Not Station Mode
                              APMode:                (..............................0.) Not AP Mode
                              ExtensibleStationMode: (.............................0..) Not Extensible Station Mode
                              Unused:                (.0000000000000000000000000010...)
                              MonitorMode:          (0...............................) Not Monitor Mode
                            Flags: 0 (0x0)
                            PhyType: 802.11n
                            Channel: Undefined channel with center frequency 2437, Center Frequency: 2437 MHz
                            lRSSI: -44 dBm
                            Rate: Unknown
                            TimeStamp: 01/14/2013, 13:21:07.176325 UTC
                          - FrameControl: Version 0,Data, Data, F.....P(0x4208)
                            Version:        (..............00) 0
                            Type:          (............10..) Data
                            SubType:        (........0000....) Data
                            DS:            (......10........) DS to STA via AP
                            MoreFrag:      (.....0..........) No
                            Retry:          (....0...........) No
                            PowerMgt:      (...0............) Active Mode
                            MoreData:      (..0.............) No
                            ProtectedFrame: (.1..............) Yes
                            Order:          (0...............) Unordered
                            Duration: 44 (0x2C)
                            DA: 844BF5 B1B3A5
                            BSSID: 10BF48 D99340
                            SA: TRENDware International, Inc. 154533
                          - SequenceControl: Sequence Number = 3655
                            FragmentNumber: (............0000) 0
                            SequenceNumber: (111001000111....) 3655
                      • LLC: Unnumbered(U) Frame, Command Frame, SSAP = SNAP(Sub-Network Access Protocol), DSAP = SNAP(Sub-Network Access Protocol)
                          - DSAP: SNAP(Sub-Network Access Protocol), Individual DSAP
                            Address: (1010101.) SNAP(Sub-Network Access Protocol)
                            IG:      (.......0) Individual Address
                          - SSAP: SNAP(Sub-Network Access Protocol), Command
                            Address: (1010101.) SNAP(Sub-Network Access Protocol)
                            CR:      (.......0) Command Frame
                          - Unnumbered: UI - Unnumbered Information
                            MMM:  (000.....) 0
                            PF:  (...0....) Poll Bit - No Response Solicited
                            MM:  (....00..)
                            Type: (......11) Unnumbered(U) Frame
                      • Snap: EtherType = Internet IP (IPv4), OrgCode = XEROX CORPORATION
                            OrganizationCode: XEROX CORPORATION, 0(0x0000)
                            EtherType: Internet IP (IPv4), 2048(0x0800)
                      • Ipv4: Src = 10.0.0.1, Dest = 10.0.0.21, Next Protocol = UDP, Packet ID = 45530, Total IP Length = 272
                          - Versions: IPv4, Internet Protocol; Header Length = 20
                            Version:      (0100....) IPv4, Internet Protocol
                            HeaderLength: (....0101) 20 bytes (0x5)
                          - DifferentiatedServicesField: DSCP: 0, ECN: 0
                            DSCP: (000000..) Differentiated services codepoint 0
                            ECT:  (......0.) ECN-Capable Transport not set
                            CE:  (.......0) ECN-CE not set
                            TotalLength: 272 (0x110)
                            Identification: 45530 (0xB1DA)
                          - FragmentFlags: 0 (0x0)
                            Reserved: (0...............)
                            DF:      (.0..............) Fragment if necessary
                            MF:      (..0.............) This is the last fragment
                            Offset:  (...0000000000000) 0
                            TimeToLive: 64 (0x40)
                            NextProtocol: UDP, 17(0x11)
                            Checksum: 46061 (0xB3ED)
                            SourceAddress: 10.0.0.1
                            DestinationAddress: 10.0.0.21
                      • Udp: SrcPort = DNS(53), DstPort = 51429, Length = 252
                            SrcPort: DNS(53)
                            DstPort: 51429
                            TotalLength: 252 (0xFC)
                            Checksum: 61812 (0xF174)
                            UDPPayload: SourcePort = 53, DestinationPort = 51429
                      • Dns: QueryId = 0xD7DF, QUERY (Standard query), Response - Success
                            QueryIdentifier: 55263 (0xD7DF)
                          - Flags:  Response, Opcode - QUERY (Standard query), RD, RA, Rcode - Success
                            QR:                (1...............) Response
                            Opcode:            (.0000...........) QUERY (Standard query) 0
                            AA:                (.....0..........) Not authoritative
                            TC:                (......0.........) Not truncated
                            RD:                (.......1........) Recursion desired
                            RA:                (........1.......) Recursive query support available
                            Zero:              (.........0......) 0
                            AuthenticatedData: (..........0.....) Not AuthenticatedData
                            CheckingDisabled:  (...........0....) Not CheckingDisabled
                            Rcode:            (............0000) Success 0
                            QuestionCount: 1 (0x1)
                            AnswerCount: 0 (0x0)
                            NameServerCount: 13 (0xD)
                            AdditionalCount: 0 (0x0)
                          - QRecord: www.freebsd.org of type Host Addr on class Internet
                            QuestionName: www.freebsd.org
                            QuestionType: A, IPv4 address, 1(0x1)
                            QuestionClass: Internet, 1(0x1)
                          - AuthorityRecord:  of type NS on class Internet: K.ROOT-SERVERS.NET
                            ResourceName:
                            ResourceType: NS, Authoritative name server, 2(0x2)
                            ResourceClass: Internet, 1(0x1)
                            TimeToLive: 518400 (0x7E900)
                            ResourceDataLength: 20 (0x14)
                            AuthoritativeNameServer: K.ROOT-SERVERS.NET
                          - AuthorityRecord:  of type NS on class Internet: L.ROOT-SERVERS.NET
                            ResourceName:
                            ResourceType: NS, Authoritative name server, 2(0x2)
                            ResourceClass: Internet, 1(0x1)
                            TimeToLive: 518400 (0x7E900)
                            ResourceDataLength: 4 (0x4)
                            AuthoritativeNameServer: L.ROOT-SERVERS.NET
                          - AuthorityRecord:  of type NS on class Internet: M.ROOT-SERVERS.NET
                            ResourceName:
                            ResourceType: NS, Authoritative name server, 2(0x2)
                            ResourceClass: Internet, 1(0x1)
                            TimeToLive: 518400 (0x7E900)
                            ResourceDataLength: 4 (0x4)
                            AuthoritativeNameServer: M.ROOT-SERVERS.NET
                          - AuthorityRecord:  of type NS on class Internet: A.ROOT-SERVERS.NET
                            ResourceName:
                            ResourceType: NS, Authoritative name server, 2(0x2)
                            ResourceClass: Internet, 1(0x1)
                            TimeToLive: 518400 (0x7E900)
                            ResourceDataLength: 4 (0x4)
                            AuthoritativeNameServer: A.ROOT-SERVERS.NET
                          - AuthorityRecord:  of type NS on class Internet: B.ROOT-SERVERS.NET
                            ResourceName:
                            ResourceType: NS, Authoritative name server, 2(0x2)
                            ResourceClass: Internet, 1(0x1)
                            TimeToLive: 518400 (0x7E900)
                            ResourceDataLength: 4 (0x4)
                            AuthoritativeNameServer: B.ROOT-SERVERS.NET
                          - AuthorityRecord:  of type NS on class Internet: C.ROOT-SERVERS.NET
                            ResourceName:
                            ResourceType: NS, Authoritative name server, 2(0x2)
                            ResourceClass: Internet, 1(0x1)
                            TimeToLive: 518400 (0x7E900)
                            ResourceDataLength: 4 (0x4)
                            AuthoritativeNameServer: C.ROOT-SERVERS.NET
                          - AuthorityRecord:  of type NS on class Internet: D.ROOT-SERVERS.NET
                            ResourceName:
                            ResourceType: NS, Authoritative name server, 2(0x2)
                            ResourceClass: Internet, 1(0x1)
                            TimeToLive: 518400 (0x7E900)
                            ResourceDataLength: 4 (0x4)
                            AuthoritativeNameServer: D.ROOT-SERVERS.NET
                          - AuthorityRecord:  of type NS on class Internet: E.ROOT-SERVERS.NET
                            ResourceName:
                            ResourceType: NS, Authoritative name server, 2(0x2)
                            ResourceClass: Internet, 1(0x1)
                            TimeToLive: 518400 (0x7E900)
                            ResourceDataLength: 4 (0x4)
                            AuthoritativeNameServer: E.ROOT-SERVERS.NET
                          - AuthorityRecord:  of type NS on class Internet: F.ROOT-SERVERS.NET
                            ResourceName:
                            ResourceType: NS, Authoritative name server, 2(0x2)
                            ResourceClass: Internet, 1(0x1)
                            TimeToLive: 518400 (0x7E900)
                            ResourceDataLength: 4 (0x4)
                            AuthoritativeNameServer: F.ROOT-SERVERS.NET
                          - AuthorityRecord:  of type NS on class Internet: G.ROOT-SERVERS.NET
                            ResourceName:
                            ResourceType: NS, Authoritative name server, 2(0x2)
                            ResourceClass: Internet, 1(0x1)
                            TimeToLive: 518400 (0x7E900)
                            ResourceDataLength: 4 (0x4)
                            AuthoritativeNameServer: G.ROOT-SERVERS.NET
                          - AuthorityRecord:  of type NS on class Internet: H.ROOT-SERVERS.NET
                            ResourceName:
                            ResourceType: NS, Authoritative name server, 2(0x2)
                            ResourceClass: Internet, 1(0x1)
                            TimeToLive: 518400 (0x7E900)
                            ResourceDataLength: 4 (0x4)
                            AuthoritativeNameServer: H.ROOT-SERVERS.NET
                          - AuthorityRecord:  of type NS on class Internet: I.ROOT-SERVERS.NET
                            ResourceName:
                            ResourceType: NS, Authoritative name server, 2(0x2)
                            ResourceClass: Internet, 1(0x1)
                            TimeToLive: 518400 (0x7E900)
                            ResourceDataLength: 4 (0x4)
                            AuthoritativeNameServer: I.ROOT-SERVERS.NET
                          - AuthorityRecord:  of type NS on class Internet: J.ROOT-SERVERS.NET
                            ResourceName:
                            ResourceType: NS, Authoritative name server, 2(0x2)
                            ResourceClass: Internet, 1(0x1)
                            TimeToLive: 518400 (0x7E900)
                            ResourceDataLength: 4 (0x4)
                            AuthoritativeNameServer: J.ROOT-SERVERS.NET

                      windows data

                      C:\Users\rob>ipconfig /all

                      Windows IP Configuration

                      Host Name . . . . . . . . . . . . : tsub
                        Primary Dns Suffix  . . . . . . . :
                        Node Type . . . . . . . . . . . . : Hybrid
                        IP Routing Enabled. . . . . . . . : No
                        WINS Proxy Enabled. . . . . . . . : No
                        DNS Suffix Search List. . . . . . : MYDOMAIN.org

                      Wireless LAN adapter Wi-Fi:

                      Connection-specific DNS Suffix  . : MYDOMAIN.org
                        Description . . . . . . . . . . . : Broadcom 4313GN 802.11b/g/n 1x1 Wi-Fi Adapter
                        Physical Address. . . . . . . . . : 84-4B-F5-B1-B3-A5
                        DHCP Enabled. . . . . . . . . . . : Yes
                        Autoconfiguration Enabled . . . . : Yes
                        Link-local IPv6 Address . . . . . : fe80::3c04:875a:976e:7cdb%12(Preferred)
                        IPv4 Address. . . . . . . . . . . : 10.0.0.21(Preferred)
                        Subnet Mask . . . . . . . . . . . : 255.255.255.0
                        Lease Obtained. . . . . . . . . . : Monday, January 14, 2013 6:10:24 AM
                        Lease Expires . . . . . . . . . . : Monday, January 14, 2013 9:10:24 AM
                        Default Gateway . . . . . . . . . : 10.0.0.1
                        DHCP Server . . . . . . . . . . . : 10.0.0.1
                        DHCPv6 IAID . . . . . . . . . . . : 260328437
                        DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-4B-72-FC-84-4B-F5-B1-B3-A5
                        DNS Servers . . . . . . . . . . . : 10.0.0.1
                        NetBIOS over Tcpip. . . . . . . . : Enabled

                      C:\Users\rob>netsh interface ip show config

                      Configuration for interface "Wi-Fi"
                          DHCP enabled:                        Yes
                          IP Address:                          10.0.0.21
                          Subnet Prefix:                        10.0.0.0/24 (mask 255.255.255.0)
                          Default Gateway:                      10.0.0.1
                          Gateway Metric:                      0
                          InterfaceMetric:                      25
                          DNS servers configured through DHCP:  10.0.0.1
                          Register with which suffix:          Primary only
                          WINS servers configured through DHCP: None

                      Configuration for interface "Loopback Pseudo-Interface 1"
                          DHCP enabled:                        No
                          IP Address:                          127.0.0.1
                          Subnet Prefix:                        127.0.0.0/8 (mask 255.0.0.0)
                          InterfaceMetric:                      50
                          Statically Configured DNS Servers:    None
                          Register with which suffix:          None
                          Statically Configured WINS Servers:  None


Now, PC ivy has an external DNS server as primary, the browser browses to freebsd.org.  The first line is something that started recently, don't know what causes that yet, I have to disable and re-enable the NIC and it connects and works fine, the words are copied from the ever-unhelpful diagnostic from windows.

                      Windows couldn't automatically bind the IP protocol stack to the network adapter.

                      ivy has an external primary DNS, this is how a freebsd query went on it:


                      query:

                      Frame: Number = 244, Captured Frame Length = 75, MediaType = ETHERNET

                      • Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-14-D1-15-45-33],SourceAddress:[8C-89-A5-D9-FC-46]
                          - DestinationAddress: TRENDware International, Inc. 154533 [00-14-D1-15-45-33]
                            Rsv: (000000..)
                            UL:  (…...0.) Universally Administered Address
                            IG:  (.......0) Individual address (unicast)
                          - SourceAddress: 8C89A5 D9FC46 [8C-89-A5-D9-FC-46]
                            Rsv: (100011..)
                            UL:  (…...0.) Universally Administered Address
                            IG:  (.......0) Individual address (unicast)
                            EthernetType: Internet IP (IPv4), 2048(0x800)
                      • Ipv4: Src = 10.0.0.11, Dest = 70.85.0.141, Next Protocol = UDP, Packet ID = 8548, Total IP Length = 61
                          - Versions: IPv4, Internet Protocol; Header Length = 20
                            Version:      (0100....) IPv4, Internet Protocol
                            HeaderLength: (....0101) 20 bytes (0x5)
                          - DifferentiatedServicesField: DSCP: 0, ECN: 0
                            DSCP: (000000..) Differentiated services codepoint 0
                            ECT:  (......0.) ECN-Capable Transport not set
                            CE:  (.......0) ECN-CE not set
                            TotalLength: 61 (0x3D)
                            Identification: 8548 (0x2164)
                          - FragmentFlags: 0 (0x0)
                            Reserved: (0...............)
                            DF:      (.0..............) Fragment if necessary
                            MF:      (..0.............) This is the last fragment
                            Offset:  (...0000000000000) 0
                            TimeToLive: 128 (0x80)
                            NextProtocol: UDP, 17(0x11)
                            Checksum: 51295 (0xC85F)
                            SourceAddress: 10.0.0.11
                            DestinationAddress: 70.85.0.141
                      • Udp: SrcPort = 54357, DstPort = DNS(53), Length = 41
                            SrcPort: 54357
                            DstPort: DNS(53)
                            TotalLength: 41 (0x29)
                            Checksum: 36772 (0x8FA4)
                            UDPPayload: SourcePort = 54357, DestinationPort = 53
                      • Dns: QueryId = 0x428, QUERY (Standard query), Query  for www.freebsd.org of type Host Addr on class Internet
                            QueryIdentifier: 1064 (0x428)
                          - Flags:  Query, Opcode - QUERY (Standard query), RD, Rcode - Success
                            QR:                (0...............) Query
                            Opcode:            (.0000...........) QUERY (Standard query) 0
                            AA:                (.....0..........) Not authoritative
                            TC:                (......0.........) Not truncated
                            RD:                (.......1........) Recursion desired
                            RA:                (........0.......) Recursive query support not available
                            Zero:              (.........0......) 0
                            AuthenticatedData: (..........0.....) Not AuthenticatedData
                            CheckingDisabled:  (...........0....) Not CheckingDisabled
                            Rcode:            (............0000) Success 0
                            QuestionCount: 1 (0x1)
                            AnswerCount: 0 (0x0)
                            NameServerCount: 0 (0x0)
                            AdditionalCount: 0 (0x0)
                          - QRecord: www.freebsd.org of type Host Addr on class Internet
                            QuestionName: www.freebsd.org
                            QuestionType: A, IPv4 address, 1(0x1)
                            QuestionClass: Internet, 1(0x1)

                      response:

                      Frame: Number = 245, Captured Frame Length = 306, MediaType = ETHERNET

                      • Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[8C-89-A5-D9-FC-46],SourceAddress:[00-14-D1-15-45-33]
                          - DestinationAddress: 8C89A5 D9FC46 [8C-89-A5-D9-FC-46]
                            Rsv: (100011..)
                            UL:  (…...0.) Universally Administered Address
                            IG:  (.......0) Individual address (unicast)
                          - SourceAddress: TRENDware International, Inc. 154533 [00-14-D1-15-45-33]
                            Rsv: (000000..)
                            UL:  (…...0.) Universally Administered Address
                            IG:  (.......0) Individual address (unicast)
                            EthernetType: Internet IP (IPv4), 2048(0x800)
                      • Ipv4: Src = 70.85.0.141, Dest = 10.0.0.11, Next Protocol = UDP, Packet ID = 13655, Total IP Length = 292
                          - Versions: IPv4, Internet Protocol; Header Length = 20
                            Version:      (0100....) IPv4, Internet Protocol
                            HeaderLength: (....0101) 20 bytes (0x5)
                          - DifferentiatedServicesField: DSCP: 0, ECN: 0
                            DSCP: (000000..) Differentiated services codepoint 0
                            ECT:  (......0.) ECN-Capable Transport not set
                            CE:  (.......0) ECN-CE not set
                            TotalLength: 292 (0x124)
                            Identification: 13655 (0x3557)
                          - FragmentFlags: 0 (0x0)
                            Reserved: (0...............)
                            DF:      (.0..............) Fragment if necessary
                            MF:      (..0.............) This is the last fragment
                            Offset:  (...0000000000000) 0
                            TimeToLive: 54 (0x36)
                            NextProtocol: UDP, 17(0x11)
                            Checksum: 64901 (0xFD85)
                            SourceAddress: 70.85.0.141
                            DestinationAddress: 10.0.0.11
                      • Udp: SrcPort = DNS(53), DstPort = 54357, Length = 272
                            SrcPort: DNS(53)
                            DstPort: 54357
                            TotalLength: 272 (0x110)
                            Checksum: 6076 (0x17BC)
                            UDPPayload: SourcePort = 53, DestinationPort = 54357
                      • Dns: QueryId = 0x428, QUERY (Standard query), Response - Success, 8.8.178.110, 72.52.71.1
                            QueryIdentifier: 1064 (0x428)
                          - Flags:  Response, Opcode - QUERY (Standard query), RD, RA, Rcode - Success
                            QR:                (1...............) Response
                            Opcode:            (.0000...........) QUERY (Standard query) 0
                            AA:                (.....0..........) Not authoritative
                            TC:                (......0.........) Not truncated
                            RD:                (.......1........) Recursion desired
                            RA:                (........1.......) Recursive query support available
                            Zero:              (.........0......) 0
                            AuthenticatedData: (..........0.....) Not AuthenticatedData
                            CheckingDisabled:  (...........0....) Not CheckingDisabled
                            Rcode:            (............0000) Success 0
                            QuestionCount: 1 (0x1)
                            AnswerCount: 2 (0x2)
                            NameServerCount: 3 (0x3)
                            AdditionalCount: 5 (0x5)
                          - QRecord: www.freebsd.org of type Host Addr on class Internet
                            QuestionName: www.freebsd.org
                            QuestionType: A, IPv4 address, 1(0x1)
                            QuestionClass: Internet, 1(0x1)
                          - ARecord: www.freebsd.org of type CNAME on class Internet: wfe0.ysv.freebsd.org
                            ResourceName: www.freebsd.org
                            ResourceType: CNAME, Canonical name for an alias, 5(0x5)
                            ResourceClass: Internet, 1(0x1)
                            TimeToLive: 120 (0x78)
                            ResourceDataLength: 11 (0xB)
                            CName: wfe0.ysv.freebsd.org
                          - ARecord: wfe0.ysv.freebsd.org of type Host Addr on class Internet: 8.8.178.110
                            ResourceName: wfe0.ysv.freebsd.org
                            ResourceType: A, IPv4 address, 1(0x1)
                            ResourceClass: Internet, 1(0x1)
                            TimeToLive: 3600 (0xE10)
                            ResourceDataLength: 4 (0x4)
                            IPAddress: 8.8.178.110
                          - AuthorityRecord: freebsd.org of type NS on class Internet: ns3.isc-sns.info
                            ResourceName: freebsd.org
                            ResourceType: NS, Authoritative name server, 2(0x2)
                            ResourceClass: Internet, 1(0x1)
                            TimeToLive: 3229 (0xC9D)
                            ResourceDataLength: 18 (0x12)
                            AuthoritativeNameServer: ns3.isc-sns.info
                          - AuthorityRecord: freebsd.org of type NS on class Internet: ns1.isc-sns.net
                            ResourceName: freebsd.org
                            ResourceType: NS, Authoritative name server, 2(0x2)
                            ResourceClass: Internet, 1(0x1)
                            TimeToLive: 3229 (0xC9D)
                            ResourceDataLength: 17 (0x11)
                            AuthoritativeNameServer: ns1.isc-sns.net
                          - AuthorityRecord: freebsd.org of type NS on class Internet: ns2.isc-sns.com
                            ResourceName: freebsd.org
                            ResourceType: NS, Authoritative name server, 2(0x2)
                            ResourceClass: Internet, 1(0x1)
                            TimeToLive: 3229 (0xC9D)
                            ResourceDataLength: 17 (0x11)
                            AuthoritativeNameServer: ns2.isc-sns.com
                          - AdditionalRecord: ns1.isc-sns.net of type Host Addr on class Internet: 72.52.71.1
                            ResourceName: ns1.isc-sns.net
                            ResourceType: A, IPv4 address, 1(0x1)
                            ResourceClass: Internet, 1(0x1)
                            TimeToLive: 2291 (0x8F3)
                            ResourceDataLength: 4 (0x4)
                            IPAddress: 72.52.71.1
                          - AdditionalRecord: ns1.isc-sns.net of type AAAA on class Internet: 2001:470:1A:0:0:0:0:1
                            ResourceName: ns1.isc-sns.net
                            ResourceType: AAAA, IPv6 Address, 28(0x1c)
                            ResourceClass: Internet, 1(0x1)
                            TimeToLive: 2291 (0x8F3)
                            ResourceDataLength: 16 (0x10)
                            IPv6Address: 2001:470:1A:0:0:0:0:1
                          - AdditionalRecord: ns2.isc-sns.com of type Host Addr on class Internet: 38.103.2.1
                            ResourceName: ns2.isc-sns.com
                            ResourceType: A, IPv4 address, 1(0x1)
                            ResourceClass: Internet, 1(0x1)
                            TimeToLive: 559 (0x22F)
                            ResourceDataLength: 4 (0x4)
                            IPAddress: 38.103.2.1
                          - AdditionalRecord: ns3.isc-sns.info of type Host Addr on class Internet: 63.243.194.1
                            ResourceName: ns3.isc-sns.info
                            ResourceType: A, IPv4 address, 1(0x1)
                            ResourceClass: Internet, 1(0x1)
                            TimeToLive: 559 (0x22F)
                            ResourceDataLength: 4 (0x4)
                            IPAddress: 63.243.194.1
                          - AdditionalRecord: ns3.isc-sns.info of type AAAA on class Internet: 2001:5A0:10:0:0:0:0:1
                            ResourceName: ns3.isc-sns.info
                            ResourceType: AAAA, IPv6 Address, 28(0x1c)
                            ResourceClass: Internet, 1(0x1)
                            TimeToLive: 559 (0x22F)
                            ResourceDataLength: 16 (0x10)
                            IPv6Address: 2001:5A0:10:0:0:0:0:1

                      this is windows data
                      C:\Windows\system32>ipconfig /all

                      Windows IP Configuration

                      Host Name . . . . . . . . . . . . : ivy
                        Primary Dns Suffix  . . . . . . . :
                        Node Type . . . . . . . . . . . . : Hybrid
                        IP Routing Enabled. . . . . . . . : No
                        WINS Proxy Enabled. . . . . . . . : No
                        DNS Suffix Search List. . . . . . : MYDOMAIN.org

                      Ethernet adapter Ethernet:

                      Connection-specific DNS Suffix  . : MYDOMAIN.org
                        Description . . . . . . . . . . . : Intel(R) 82579V Gigabit Network Connection
                        Physical Address. . . . . . . . . : 8C-89-A5-D9-FC-46
                        DHCP Enabled. . . . . . . . . . . : Yes
                        Autoconfiguration Enabled . . . . : Yes
                        Link-local IPv6 Address . . . . . : fe80::45da:e57:cbd:2f17%17(Preferred)
                        IPv4 Address. . . . . . . . . . . : 10.0.0.11(Preferred)
                        Subnet Mask . . . . . . . . . . . : 255.255.255.0
                        Lease Obtained. . . . . . . . . . : Monday, January 14, 2013 8:09:11 AM
                        Lease Expires . . . . . . . . . . : Monday, January 14, 2013 10:09:11 AM
                        Default Gateway . . . . . . . . . : 10.0.0.1
                        DHCP Server . . . . . . . . . . . : 10.0.0.1
                        DHCPv6 IAID . . . . . . . . . . . : 210536869
                        DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-51-40-C9-8C-89-A5-D9-FC-46
                        DNS Servers . . . . . . . . . . . : 70.85.0.141
                                                            10.0.0.1
                        NetBIOS over Tcpip. . . . . . . . : Enabled

                      Ethernet adapter VirtualBox Host-Only Network:

                      Connection-specific DNS Suffix  . :
                        Description . . . . . . . . . . . : VirtualBox Host-Only Ethernet Adapter
                        Physical Address. . . . . . . . . : 08-00-27-00-CC-5E
                        DHCP Enabled. . . . . . . . . . . : No
                        Autoconfiguration Enabled . . . . : Yes
                        Link-local IPv6 Address . . . . . : fe80::81ce:a421:e7bd:c1ec%20(Preferred)
                        IPv4 Address. . . . . . . . . . . : 192.168.56.1(Preferred)
                        Subnet Mask . . . . . . . . . . . : 255.255.255.0
                        Default Gateway . . . . . . . . . :
                        DHCPv6 IAID . . . . . . . . . . . : 252182567
                        DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-51-40-C9-8C-89-A5-D9-FC-46
                        DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                                            fec0:0:0:ffff::2%1
                                                            fec0:0:0:ffff::3%1
                        NetBIOS over Tcpip. . . . . . . . : Enabled

                      Tunnel adapter Teredo Tunneling Pseudo-Interface:

                      Media State . . . . . . . . . . . : Media disconnected
                        Connection-specific DNS Suffix  . :
                        Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
                        Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
                        DHCP Enabled. . . . . . . . . . . : No
                        Autoconfiguration Enabled . . . . : Yes

                      Tunnel adapter isatap.{64BA4B2A-0261-447E-BB5D-120558063E49}:

                      Media State . . . . . . . . . . . : Media disconnected
                        Connection-specific DNS Suffix  . :
                        Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
                        Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
                        DHCP Enabled. . . . . . . . . . . : No
                        Autoconfiguration Enabled . . . . : Yes

                      Tunnel adapter isatap.MYDOMAIN.org:

                      Connection-specific DNS Suffix  . : MYDOMAIN.org
                        Description . . . . . . . . . . . : Microsoft ISATAP Adapter
                        Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
                        DHCP Enabled. . . . . . . . . . . : No
                        Autoconfiguration Enabled . . . . : Yes
                        Link-local IPv6 Address . . . . . : fe80::5efe:10.0.0.11%24(Preferred)
                        Default Gateway . . . . . . . . . :
                        DNS Servers . . . . . . . . . . . : 70.85.0.141
                                                            10.0.0.1
                        NetBIOS over Tcpip. . . . . . . . : Disabled

                      C:\Windows\system32>netsh interface ip show config

                      Configuration for interface "Ethernet"
                          DHCP enabled:                        Yes
                          IP Address:                          10.0.0.11
                          Subnet Prefix:                        10.0.0.0/24 (mask 255.255.255.0)
                          Default Gateway:                      10.0.0.1
                          Gateway Metric:                      0
                          InterfaceMetric:                      10
                          Statically Configured DNS Servers:    70.85.0.141
                                                                10.0.0.1
                          Register with which suffix:          Primary only
                          WINS servers configured through DHCP: None

I don't know how to read this, the responses are different, the IP is in the response from an outside DNS, not in the pfsense response, but I have no idea where to go from here.  I've set something stupid somewhere, but have no idea what and how I did anything any differently than previous installs of pfsense.  Thanks for any info

                      “The greatest enemy of knowledge is not ignorance, it is the illusion of knowledge.”

                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator
                        last edited by

So when you asked pfsense for www.freebsd.org it responded with the root servers.   This could happen I guess when you ask a server for a recursive lookup for something it's not authoritative for and it won't do recursive for you.  Normally it should just be a refused response.

                        But I did that query to the NSers you have listed – and guess what


                        ; <<>> DiG 9.8.1-P1 <<>> @__199.192.200.41__ www.freebsd.org
                        ; (1 server found)
                        ;; global options: +cmd
                        ;; Got answer:
                        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33888
                        ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0
                        ;; WARNING: recursion requested but not available

                        ;; QUESTION SECTION:
                        ;www.freebsd.org.               IN      A

                        ;; AUTHORITY SECTION:
                        .                       518400  IN      NS      K.ROOT-SERVERS.NET.
                        .                       518400  IN      NS      L.ROOT-SERVERS.NET.
                        .                       518400  IN      NS      M.ROOT-SERVERS.NET.
                        .                       518400  IN      NS      A.ROOT-SERVERS.NET.
                        .                       518400  IN      NS      B.ROOT-SERVERS.NET.
                        .                       518400  IN      NS      C.ROOT-SERVERS.NET.
                        .                       518400  IN      NS      D.ROOT-SERVERS.NET.
                        .                       518400  IN      NS      E.ROOT-SERVERS.NET.
                        .                       518400  IN      NS      F.ROOT-SERVERS.NET.
                        .                       518400  IN      NS      G.ROOT-SERVERS.NET.
                        .                       518400  IN      NS      H.ROOT-SERVERS.NET.
                        .                       518400  IN      NS      I.ROOT-SERVERS.NET.
                        .                       518400  IN      NS      J.ROOT-SERVERS.NET.

                        ;; Query time: 20 msec
                        ;; SERVER: 199.192.200.41#53(199.192.200.41)

                        ;; WHEN: Mon Jan 14 13:20:38 2013
                        ;; MSG SIZE  rcvd: 244


Now notice how fast the response was!!  20 ms – so pfsense by default, as you saw in my wireshark trace, sends the query you ask it to ALL your dns listed.  And the first one that responds wins..  So when you query for www.freebsd.org and this guy at 199.192.200.41 answers first with the root servers and a NOERROR as status - pfsense will just hand that back to you.

                        Remove that guy from your list of dns servers and your issues should go away, the other servers seemed to respond correctly from my test.

                        edit:  I would only suggest you use good dns, that server might have been listed in your benchmark software, but he does not seem to respond to recursive queries..

I asked him for www.google.com for example - and again he responds with just the roots

                        ; <<>> DiG 9.8.1-P1 <<>> @199.192.200.41 www.google.com
                        ; (1 server found)
                        ;; global options: +cmd
                        ;; Got answer:
                        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6568
                        ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0
                        ;; WARNING: recursion requested but not available

                        ;; QUESTION SECTION:
                        ;www.google.com.                        IN      A

                        ;; AUTHORITY SECTION:
                        .                       518400  IN      NS      K.ROOT-SERVERS.NET.
                        .                       518400  IN      NS      L.ROOT-SERVERS.NET.
                        .                       518400  IN      NS      M.ROOT-SERVERS.NET.
                        .                       518400  IN      NS      A.ROOT-SERVERS.NET.
                        .                       518400  IN      NS      B.ROOT-SERVERS.NET.
                        .                       518400  IN      NS      C.ROOT-SERVERS.NET.
                        .                       518400  IN      NS      D.ROOT-SERVERS.NET.
                        .                       518400  IN      NS      E.ROOT-SERVERS.NET.
                        .                       518400  IN      NS      F.ROOT-SERVERS.NET.
                        .                       518400  IN      NS      G.ROOT-SERVERS.NET.
                        .                       518400  IN      NS      H.ROOT-SERVERS.NET.
                        .                       518400  IN      NS      I.ROOT-SERVERS.NET.
                        .                       518400  IN      NS      J.ROOT-SERVERS.NET.

                        ;; Query time: 20 msec
                        ;; SERVER: 199.192.200.41#53(199.192.200.41)
                        ;; WHEN: Mon Jan 14 13:28:07 2013
                        ;; MSG SIZE  rcvd: 243

But he sure responds FAST ;)  So he would be a problem child for all your dns stuff to be sure!!  I would think you could be having more issues than you're reporting with using him.

                        From a PTR query, that sure doesn't look like a legit public NS to me
                        ;; ANSWER SECTION:
                        41.200.192.199.in-addr.arpa. 86400 IN   PTR     ct41.7wei.com.

                        See where I bolded that he is not doing recursive lookups - he normally should respond with REFUSED vs sending you back roots..  But not sure what that box actually is or who configured it, or what its running for dns, etc.. etc.

                        This would also explain why you say it works for awhile and then stops working - if you get a response from one of the other NSers listed with the good info, then pfsense would hand that off to your client.  But if he gets this garbage back of just roots, he would hand that off just as well.  It doesn't know any better - just forwarding what you're asking, and then returning what it gets back ;)

                        If you're not happy with your ISP dns, or any of the other open public like google or open or norton, scrubit, etc.  Then I would suggest 4.2.2.2 I have had good luck with it over many many years.  I personally normally just run my own local that queries roots directly, this was working great when unbound was part of the distro..  And was supposed to be included with 2.1 but seems it has gotten put on the back burner.  It will be great day when they fully integrate it into pfsense ;)  And I always have my local copy of bind on my ubuntu box I can query, or I have box out in CA and some in EU I use for dns testing for geographic diversity when they are using geoip, etc.

                        Isn't DNS fun!!! ;)

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                        • M
                          mechtheist
                          last edited by

                          THANKS!!  I haven't tested it yet, but it sure sounds like the right answer.  That DNS is one of 4 that DNSexit says I need to use, or at least one of them, there is an implication that the dynamic part won't work right if I don't use their server, but I've rarely used one of theirs, and been okay.  I should have known better since DNSBench almost always failed on all 4 of those, I assumed it was no response, which shouldn't matter, I'm not clever enough to realize that what I was getting was basically garbage.  FUN FUN!

                          So far so good, got to freebsd, and ip-tools.com, and I just got this, the query without the period always returned the local address and had the local domain appended:

                          C:\Windows\system32>nslookup www.freebsd.org
                          Server:  pfsense.fuckyouandfuckyourgod.org
                          Address:  10.0.0.1

                          Non-authoritative answer:
                          Name:    wfe0.ysv.freebsd.org
                          Addresses:  2001:1900:2254:206a::50:0
                                    8.8.178.110
                          Aliases:  www.freebsd.org

                          So thanks again, you must be a shaman in the realms of the internet gods, I shall slaughter a goat to appease any lingering animosity they may hold for me.

                          “The greatest enemy of knowledge is not ignorance, it is the illusion of knowledge.”

                          • johnpozJ
                            johnpoz LAYER 8 Global Moderator
                            last edited by

                            "That DNS is one of 4 that DNSexit says I need to use"

                            Yes to point your domain to as your NS at your registrar, not to use for recursive lookups.  That one returning roots is ns3.dnsexit.com

                            I just tested with your domain, and yes that server does respond as authoritative for your domain, but he does not allow recursive lookups.  If those are the 4 you're using…  They have a really bad setup!!

                            Authoritative servers normally should NOT allow for recursive -- you're just asking to be used in a dos, or have a dos against you.  It would not be very difficult to keep those servers really really busy doing recursive to the point that they could not serve up the zones they are supposed to be authoritative for..  DNS can be used in an amplification type attack, you can send very small amounts of data, and get back more data in return.  small query, large answer/work doing recursive.

                            And they claim 100% uptime since 1998?? From what I have seen I would have to say dumb luck ;)

                            None of those should be used as your forwarders in your pfsense setup.  They are used when someone is looking up your domain.  Not to be used when looking up freebsd.org or google.com, etc.

                            Just do whatever it is you do to keep your dynamic updated, I just looked and pfsense dynamic dns has dnsexit listed to keep updated on a wan IP change, etc..

                            As I stated before if you don't like your isp dns, there are other public dns you can use.  googledns should work, if they don't have something close enough to you for your liking try the 4.2.2.2 one or 4.2.2.(1-6) works.

                            You could also use ntt servers - they allow public queries 129.250.35.250 or .251 you could use the ones at http://www.public-root.com/ they have 2 in US.  You could use level3 -- they have a large dns setup, use 209.244.0.3 or .4

                            Or just google for public name servers that you can query.  But those you're using are NO GOOD for recursive lookups ;)


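The behaviour described in the two posts above (a forwarder that, instead of answering or returning REFUSED, hands back nothing but root NS records, which pfsense then passes on to the client) can be checked per candidate forwarder with a small wire-format probe. This is an added example, not code from the thread or from pfSense; it assumes plain UDP port 53 and uses www.freebsd.org, the name from the thread, as the test query.

```python
"""Classify a forwarder's reply: real recursive answer, REFUSED, or a bare root referral.

Added example (not from the thread or pfSense); see the lead-in for assumptions.
"""
import socket
import struct

def build_query(qname: str, qid: int = 0x1234) -> bytes:
    """Build a standard A/IN query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name at off; return (name, offset after it)."""
    parts, jumped, end = [], False, off
    while True:
        ln = msg[off]
        if (ln & 0xC0) == 0xC0:                    # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2
            off, jumped = ((ln & 0x3F) << 8) | msg[off + 1], True
            continue
        off += 1
        if ln == 0:
            break
        parts.append(msg[off:off + ln].decode())
        off += ln
    return ".".join(parts) + ".", (end if jumped else off)

def classify(resp: bytes) -> str:
    """Return 'recursive', 'refused', 'root-referral' or 'no-answer' for one response."""
    _, flags, qdcount, ancount, nscount, _ = struct.unpack("!HHHHHH", resp[:12])
    if (flags & 0x000F) == 5:
        return "refused"          # the proper reply from an authoritative-only server
    if ancount and flags & 0x0080:
        return "recursive"        # answer present and RA set: usable as a forwarder
    off = 12
    for _ in range(qdcount):      # skip the echoed question section
        off = read_name(resp, off)[1] + 4
    if ancount == 0 and nscount:
        owner, _ = read_name(resp, off)   # owner name of the first authority RR
        if owner == ".":
            return "root-referral"        # only root NS records came back, as in the thread
    return "no-answer"

def probe(server: str, qname: str = "www.freebsd.org", timeout: float = 2.0) -> str:
    """Send one UDP query to server:53 and classify whatever comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname), (server, 53))
        return classify(s.recv(512))
```

Running probe() against each server in the pfsense forwarder list keeps only those reporting "recursive"; anything answering "root-referral" is the authoritative-only case the thread tracked down.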
                            • M
                              mechtheist
                              last edited by

                              That was the only dnsexit I was using, the rest came from running DNSBench, from Gibson Research Corp, at https://www.grc.com/default.htm , the site has a great deal of good info and tests, seems like a great resource, but probably too basic for you.  The benchmark will configure itself with a custom list of dns servers to test, and the ones you mention he also has a great deal of praise for.  It's surprising those aren't in my custom list, but I added them and they make a very good showing, so I'm adding the fastest one to the top of my list.  Timewarner really sucks so I'm ignoring them.  This is the first of about 54 servers tested.

                              Final benchmark results, sorted by nameserver performance:
                              (average cached name retrieval speed, fastest to slowest)

                              10.  0.  0.  1 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
                                ----------------+-------+-------+-------+-------+-------+
                                + Cached Name  | 0.000 | 0.000 | 0.000 | 0.000 | 100.0 |
                                + Uncached Name | 0.018 | 0.065 | 0.236 | 0.053 | 100.0 |
                                + DotCom Lookup | 0.019 | 0.030 | 0.063 | 0.012 | 100.0 |
                                ---<-------->---+-------+-------+-------+-------+-------+
                                          pfsense.reality-works.org
                                              Local Network Nameserver

                              67.214. 64. 27 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
                                ----------------+-------+-------+-------+-------+-------+
                                - Cached Name  | 0.010 | 0.013 | 0.023 | 0.002 | 100.0 |
                                - Uncached Name | 0.034 | 0.117 | 0.399 | 0.092 | 100.0 |
                                - DotCom Lookup | 0.042 | 0.088 | 0.232 | 0.040 | 100.0 |
                                ---<-------->---+-------+-------+-------+-------+-------+
                                              dns1.telwestonline.com
                                              Corpus Christi Internal

                              129.115.102.150 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
                                ----------------+-------+-------+-------+-------+-------+
                                - Cached Name  | 0.012 | 0.015 | 0.019 | 0.001 | 100.0 |
                                - Uncached Name | 0.025 | 0.082 | 0.266 | 0.062 | 100.0 |
                                - DotCom Lookup | 0.053 | 0.068 | 0.078 | 0.006 | 100.0 |
                                ---<-------->---+-------+-------+-------+-------+-------+
                                                juliet.it.utsa.edu
                                        University of Texas at San Antonio

                              69.164.196. 21 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
                                ----------------+-------+-------+-------+-------+-------+
                                - Cached Name  | 0.014 | 0.017 | 0.022 | 0.002 | 100.0 |
                                - Uncached Name | 0.016 | 0.074 | 0.226 | 0.051 |  98.0 |
                                - DotCom Lookup | 0.016 | 0.029 | 0.148 | 0.022 | 100.0 |
                                ---<-------->---+-------+-------+-------+-------+-------+
                                                ryujin.darkdna.net
                                                      Linode

                              4.  2.  2.  4 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
                                ----------------+-------+-------+-------+-------+-------+
                                - Cached Name  | 0.014 | 0.017 | 0.026 | 0.002 | 100.0 |
                                - Uncached Name | 0.016 | 0.077 | 0.335 | 0.071 | 100.0 |
                                - DotCom Lookup | 0.034 | 0.074 | 0.141 | 0.037 | 100.0 |
                                ---<-------->---+-------+-------+-------+-------+-------+
                                              d.resolvers.level3.net
                                              Level 3 Communications

                              156.154. 71.  1 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
                                ----------------+-------+-------+-------+-------+-------+
                                - Cached Name  | 0.015 | 0.017 | 0.024 | 0.002 | 100.0 |
                                - Uncached Name | 0.016 | 0.082 | 0.258 | 0.064 | 100.0 |
                                - DotCom Lookup | 0.018 | 0.055 | 0.086 | 0.014 | 100.0 |
                                ---<-------->---+-------+-------+-------+-------+-------+
                                                rdns2.ultradns.net
                                                      NEUSTAR

                              216.146. 36. 36 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
                                ----------------+-------+-------+-------+-------+-------+
                                - Cached Name  | 0.016 | 0.018 | 0.023 | 0.001 | 100.0 |
                                - Uncached Name | 0.018 | 0.064 | 0.213 | 0.046 |  98.0 |
                                - DotCom Lookup | 0.017 | 0.056 | 0.071 | 0.014 | 100.0 |
                                ---<-------->---+-------+-------+-------+-------+-------+
                                          resolver2.dyndnsinternetguide.com
                                              Dynamic Network Services

                              4.  2.  2.  1 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
                                ----------------+-------+-------+-------+-------+-------+
                                - Cached Name  | 0.014 | 0.018 | 0.030 | 0.003 | 100.0 |
                                - Uncached Name | 0.016 | 0.073 | 0.265 | 0.059 | 100.0 |
                                - DotCom Lookup | 0.035 | 0.062 | 0.129 | 0.024 | 100.0 |
                                ---<-------->---+-------+-------+-------+-------+-------+
                                              a.resolvers.level3.net
                                              Level 3 Communications

                              Thanks again, I've been using the system extensively and only a couple of stray failures, nothing out of the ordinary!!!!

                              Oh, and thanks to all of the guys behind pfsense, it's amazing how simple it all is and so so easy to set up, especially considering the power/versatility.


                              • johnpozJ
                                johnpoz LAYER 8 Global Moderator
                                last edited by

                                "so I'm adding the fastest one to the top of my list"

                                The order doesn't really matter - you do understand that pfsense queries all the ips listed at the same time, and then uses the one that answers first.  Prob doesn't make a lot of sense to have more than a couple of them.

                                Nor is it going to make much difference .016 vs .018 or .05 vs .06

                                Yeah I know Steve – he likes to make a lot of noise ;)  Don't you recall how the raw sockets of XP was going to end the internet as we knew it?  Or the whole WMF nonsense?  I really wouldn't recommend that site to anyone, be careful of hype he likes to promote.  Sure some basic info is there -- and he can explain things in simple terms, but no I wouldn't recommend that site to be honest.  Do a simple google "What the World Thinks of Steve Gibson"  some fun quotes to be read.


                                • M
                                  mechtheist
                                  last edited by

                                  Wow, thanks for the heads up, I knew none of that, all I know of the guy before was his site, the utilities there, like ShieldsUp and DNSBench, which I'd seen recommended by somewhere reputable, seemed genuinely useful, and I don't have the technical chops to seriously evaluate much of any of it.  That 'What the world…' page, pretty harsh.  Well, great, now I feel even stupider, especially because empty hype disgusts me no end, and false hype is way worse.  Have a good one.

