No way to force a lease renewal?



  • I am running 2.1.

    I had the opendns and google DNS addresses listed for my dns servers. Strangely, on a Windows computer (on the WLAN) when I went to hodgdon.com I got a block message from opendns. Not sure why opendns would block such a site.

    I guess the dns forwarder caches the query, taking the first one it gets from the configured dns servers? But it is strange, because that means the address of the opendns blocked page should be cached for hodgdon.com; but my Linux computer (on the LAN) does pull in the correct hodgdon page. Who knows, maybe it is working off its own internal cache. It is Lubuntu…

    Anyway I got fed up with opendns and took it off my list of dns servers, replacing it with the google servers. But apparently, until the lease expires on the Windows computer, it is still going to see the cached result. I'm just wondering how to clear the cache or make the lease expire manually or both, so I can finally see hodgdon.com on my Windows computer.



  • To flush the dns cache on Windows, open a command prompt in admin mode.
    Type: ipconfig /flushdns
    Hit enter.
    That's it.



  • From a security standpoint you really shouldn't be pushing public DNS servers to your clients anyway.  Take this opportunity to switch your clients to use pfSense for DNS, have it forward to Google's DNS, and then block all outgoing DNS traffic that doesn't originate from pfSense.



  • That's what I thought I was doing, by enabling the DNS forwarder. The wiki states:

    "If the DNS forwarder is enabled, the internal interface IP for pfSense will be handed out to DHCP clients for a DNS server."
    https://doc.pfsense.org/index.php/DNS_Forwarder

    If there is anything else I have to do in explicit firewall rules, to prevent passing through DNS traffic, let me know. I am wondering what happens if a Windows client has an explicit DNS server assigned. Will that traffic automatically be blocked so that the client only has access to DNS via pfsense? Or do I need explicit rules in the firewall?

    On that other thing, I was asking about clearing the pfsense DNS cache, sorry I didn't make that clear. However I found that on the wiki too:
    https://doc.pfsense.org/index.php/DNS_Forwarder

    I was looking in Services>DNS Forwarder for this, but it was in Status>Services.

    Anyway, I am still wondering about the original question, although it is academic at this point. Is it possible to kill a DHCP lease prior to its scheduled ending, forcing the client to do a renewal? IIRC I could do that with my old router.



  • @Paul47:

    That's what I thought I was doing, by enabling the DNS forwarder. The wiki states:

    "If the DNS forwarder is enabled, the internal interface IP for pfSense will be handed out to DHCP clients for a DNS server."

    Only true if you did not explicitly configure DNS servers to hand out in the DHCP server page.

    @Paul47:

    If there is anything else I have to do in explicit firewall rules, to prevent passing through DNS traffic, let me know. I am wondering what happens if a Windows client has an explicit DNS server assigned. Will that traffic automatically be blocked so that the client only has access to DNS via pfsense? Or do I need explicit rules in the firewall?

    No, not by default.  You need to explicitly add a block rule to deny outgoing DNS requests.
    i.e. Deny TCP/ UDP, Source LAN subnet Any Port, Destination ANY Not LAN Address Port 53.
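    As an added example (written for this page, not code from the thread or from pfSense), a small Python evaluator for that block rule over constructed flows: it shows which client-to-resolver traffic the rule catches, why "NOT LAN address" (the interface IP) differs from "NOT LAN subnet", and that a port 53 rule does not touch DNS over TLS on 853. The 192.168.1.0/24 addressing is an assumption.

    ```python
    import ipaddress
    from dataclasses import dataclass

    # Constructed lab addressing (an assumption, not values from the thread).
    # In pfSense rule terms, "LAN address" means the LAN interface IP only,
    # while "LAN subnet" means the whole network behind that interface.
    LAN_ADDRESS = ipaddress.ip_address("192.168.1.1")
    LAN_SUBNET = ipaddress.ip_network("192.168.1.0/24")


    @dataclass(frozen=True)
    class Flow:
        proto: str   # "tcp" or "udp"
        src: str     # client source IP
        dst: str     # resolver the client is trying to reach
        dport: int   # destination port


    def matches_dns_block(flow: Flow, destination_not: str = "address") -> bool:
        """Return True if the flow is caught by the block rule from the thread:
        Deny TCP/UDP, source LAN subnet (any port), destination NOT LAN address,
        destination port 53.  destination_not="subnet" evaluates the looser
        variant "destination NOT LAN subnet" for comparison."""
        if flow.proto not in ("tcp", "udp") or flow.dport != 53:
            return False
        src = ipaddress.ip_address(flow.src)
        dst = ipaddress.ip_address(flow.dst)
        if src not in LAN_SUBNET:
            return False
        if destination_not == "address":
            return dst != LAN_ADDRESS
        return dst not in LAN_SUBNET


    def verdict(flow: Flow, destination_not: str = "address") -> str:
        # pfSense's default LAN rule passes everything, so any flow the block
        # rule does not match is assumed to be allowed.
        return "block" if matches_dns_block(flow, destination_not) else "pass"


    if __name__ == "__main__":
        # Constructed sample flows: one LAN client talking to several resolvers.
        for f in (
            Flow("udp", "192.168.1.50", "192.168.1.1", 53),   # pfSense forwarder: pass
            Flow("udp", "192.168.1.50", "8.8.8.8", 53),       # public DNS: block
            Flow("tcp", "192.168.1.50", "192.168.1.20", 53),  # LAN-hosted resolver: block
            Flow("tcp", "192.168.1.50", "8.8.8.8", 853),      # DNS over TLS: not matched
        ):
            print(f.proto, f.dst, f.dport, verdict(f))
    ```

    Because the rule matches port 53 only, a client configured for DNS over TLS or DNS over HTTPS still bypasses the forwarder; covering that takes separate rules.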



  • Thanks.

    There is a note at the end of the Services>DNS Forwarder page. It might be a good idea to add to that note, this information (that the DNS forwarder does not automatically block client requests to outside DNS servers, and that rules for this must be added to the firewall).



  • @Paul47:

    Thanks.

    There is a note at the end of the Services>DNS Forwarder page. It might be a good idea to add to that note, this information (that the DNS forwarder does not automatically block client requests to outside DNS servers, and that rules for this must be added to the firewall).

    One doesn't really have anything to do with the other.  Just because you are using the DNS forwarder doesn't necessarily mean that you don't also have a good reason for allowing some machines to use external DNS.

    For example, I use two Windows machines for DNS at work because I use Active Directory.  Those two machines use 4.2.2.1 and 4.2.2.2 as their forwarders.  DHCP, however, hands out not only my two DNS servers, but also the LAN CARP address of my pfSense systems.  Windows processes DNS servers sequentially, so in the event my two DNS servers are down, I still have external resolution so that I can troubleshoot (read: look stuff up on Google).


  • Rebel Alliance Global Moderator

    " but also the LAN CARP address of my pfSense systems."

    Yeah that is NOT a good idea at all..  If your AD DNS is down you have some other issues now don't you..  You could manually change your client to use other dns if you have to be searching the internet for a solution.

    While sure your client should query the primary dns you hand out, there are many reasons why it might start asking others on its list, blip in the network, first one doesn't answer fast enough for the client.. Once that client gets hold of the idea that it can get answers from another on the list - it likes to query that one..  So now unless it switches back you won't resolve your internal stuff correctly, if it does query outside for any reason - it's most likely going to be sending out what your AD stuff wants to find.. Do you really need to be asking public dns for your AD names?  Security concern if you ask me.

    While sure you need to have alternative methods of name resolution in case of network issues - IMHO setting AD clients to anything but AD DNS is not good practice.



  • @johnpoz:

    " but also the LAN CARP address of my pfSense systems."

    Yeah that is NOT a good idea at all..  If your AD DNS is down you have some other issues now don't you..  You could manually change your client to use other dns if you have to be searching the internet for a solution.

    There's more to what I do than I wrote. There's no risk of not having internal resolution, even if a query bounces to pfsense while the AD controllers are up because there are domain overrides that send queries for the internal domains back to the AD controllers.


  • Rebel Alliance Global Moderator

    ^ ah, ok as long as the clients can not actually query dns that is not your AD dns – sure that would work.

    Not sure I really see the point of all that trouble of setting that up, when it would just be easier to point to your AD and be done with it.  If your AD dns is down, you're going to have more to worry about than if a user can access reddit ;)

    But yeah that is one way to skin the cat..



  • Just noticed this thread got some more replies.

    One doesn't really have anything to do with the other.  Just because you are using the DNS forwarder doesn't necessarily mean that you don't also have a good reason for allowing some machines to use external DNS.

    I made the assumption it did because pfsense does a lot of things automatically; many rules are implicit. A warning such as I suggest is just a warning; it wouldn't harm people who did not make the assumption, and it would help those who did (not to mention, those who have to straighten the latter out…)