DNS Forwarder + Manually set DNS not resolving
-
Hi Folks,
Second ever post - so go easy!
I am running 2.1.1 snapshot:
2.1.1-PRERELEASE (i386)
built on Wed Mar 12 06:06:26 EDT 2014
FreeBSD 8.3-RELEASE-p14
in a dual WAN single LAN configuration.
I have enabled the DNS forwarder but do NOT allow DNS override (System>General)
I am using four DNS servers, all set to Gateway "None" (default gateway in my mind and what I have read):
DynDNS: 216.146.35.35, 216.146.36.36
Norton: 199.85.126.30, 199.85.127.30
I have set DHCP to 192.168.100 - 192.168.1.245 (primarily for visitors)
I use static IP mapping for everything.
There are two aliases I have created, one for me and my stuff, the other for my child. I force my child's alias over WAN1 and my alias over WAN2.
All of my child's devices work perfectly and DNS name resolution is spot on. They pick up their DNS server via DHCP as the IP of my pfSense box: 192.168.1.1
Herein lies the problem. If I set my Windows7 clients to:
"Obtain an IP address automatically" and
"Obtain DNS server address automatically"
...everything is fine and browsing is restricted [as expected] by DynDNS (InternetGuide) or Norton DNS.
If I manually set the DNS servers on the Windows7 clients to OpenDNS:
"Use the following DNS server addresses:" 208.67.222.222
208.67.220.220
NSLOOKUP returns: 67.215.65.132 for everything!
I've tried everything (for around the last 48hrs) but cannot get manually configured DNS to resolve. I've tried NAT, rules, NAT+rules, you name it, I've tried it: reboots, restarts of dhcpd and dnsmasq, reboots of PCs. I've now got a script on each PC that does the following:
ipconfig /release
ipconfig /flushdns
nbtstat -R
ipconfig /renew
nslookup www.google.co.uk
as I'm sick to the back teeth of typing the commands in relentlessly.
Attached is a screenshot of my rules (don't judge me - only been fiddling with this since 6th March :D )
Please help before I harm myself!
![Screenshot 2014-03-13 20.09.05.png](/public/imported_attachments/1/Screenshot 2014-03-13 20.09.05.png)
-
DNS service runs on port 53 for TCP and UDP. If you do nslookup on the pfsense, does it return any results?
If yes, you need to open TCP/UDP port 53 on the LAN interface.
-
Your rules on LAN look OK - the pass all at the end should let anything through, including your DNS to OpenDNS servers. For some reason, OpenDNS is returning you its "block page" address all the time. Do you have an account with OpenDNS that might know the IP you are coming from and be setup to "block all"?
Try using 8.8.8.8 and 8.8.4.4 (Google DNS) just to see if it works. Then you will know there is something special about OpenDNS. -
Thanks both of you for your responses.
The plot thickens:
If I set the two DNS servers manually on the Win7 clients (as per my first post) and use:
NSLOOKUP www.google.co.uk - this returns 67.215.65.132 (OpenDNS block page - thanks Phil) but NSLOOKUP appends my DNS suffix for the local domain to the query (I think this is "out-of-the-box" Windows behaviour):

```
C:\>nslookup www.google.co.uk
Server: resolver1.opendns.com
Address: 208.67.222.222

Non-authoritative answer:
Name: www.google.co.uk.localdomain
Address: 67.215.65.132
```

NSLOOKUP www.google.co.uk. <-- note the "dot" on the end - which resolves to a list of addresses:

```
C:\>nslookup www.google.co.uk.
Server: resolver1.opendns.com
Address: 208.67.222.222

Non-authoritative answer:
Name: www.google.co.uk
Addresses: 2607:f8b0:400b:80a::1017
62.24.154.94
62.24.154.108
62.24.154.88
62.24.154.99
62.24.154.104
62.24.154.113
62.24.154.114
62.24.154.89
62.24.154.109
62.24.154.98
62.24.154.118
62.24.154.93
62.24.154.119
62.24.154.84
62.24.154.103
62.24.154.123
```

ipleak.net shows OpenDNS
If I set DNS resolution to automatic on the Win7 clients and set the two DNS servers to OpenDNS using the two boxes in the static mapping for each host within the DHCP config and run my script to release/renew, the DNS server is given as 192.168.1.1:
```
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : localdomain
Description . . . . . . . . . . . : Intel(R) 82579LM Gigabit Network Connection
Physical Address. . . . . . . . . : 6C-3B-E5-24-EF-11
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::d508:2623:97e6:8247%10(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.21(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : 14 March 2014 09:48:15
Lease Expires . . . . . . . . . . : 14 March 2014 11:48:15
Default Gateway . . . . . . . . . : fe80::1:1%10
                                    192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 241974245
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-15-40-FC-6C-3B-E5-24-EF-11
DNS Servers . . . . . . . . . . . : 192.168.1.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.localdomain:
Connection-specific DNS Suffix . : localdomain
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::5efe:192.168.1.21%11(Preferred)
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.1.1
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Teredo Tunneling Pseudo-Interface:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
```

If I try NSLOOKUP www.google.co.uk or www.google.co.uk. <-- dot, I get Query Refused:

```
C:\>nslookup www.google.co.uk
Server: pfsense.localdomain
Address: 192.168.1.1

*** pfsense.localdomain can't find www.google.co.uk: Query refused

C:\>nslookup www.google.co.uk.
Server: pfsense.localdomain
Address: 192.168.1.1

*** pfsense.localdomain can't find www.google.co.uk.: Query refused
```
Internet appears down: ipleak.net doesn't load, and neither does any other website.
If I then perform an IPCONFIG /RENEW, the DNS servers change to 208.67.222.222 and 208.67.220.220:
```
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : localdomain
Description . . . . . . . . . . . : Intel(R) 82579LM Gigabit Network Connection
Physical Address. . . . . . . . . : 6C-3B-E5-24-EF-11
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::d508:2623:97e6:8247%10(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.21(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : 14 March 2014 09:48:15
Lease Expires . . . . . . . . . . : 14 March 2014 11:58:46
Default Gateway . . . . . . . . . : fe80::1:1%10
                                    192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 241974245
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-15-40-FC-6C-3B-E5-24-EF-11
DNS Servers . . . . . . . . . . . : 208.67.222.222
                                    208.67.220.220
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.localdomain:
Connection-specific DNS Suffix . : localdomain
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::5efe:192.168.1.21%11(Preferred)
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 208.67.222.222
                                    208.67.220.220
NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Teredo Tunneling Pseudo-Interface:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
```

I get the same DNS results as if I'd set the DNS servers manually on the Win7 Clients:

```
C:\>nslookup www.google.co.uk
Server: resolver1.opendns.com
Address: 208.67.222.222

Non-authoritative answer:
Name: www.google.co.uk.localdomain
Address: 67.215.65.132

C:\>nslookup www.google.co.uk.
Server: resolver1.opendns.com
Address: 208.67.222.222

Non-authoritative answer:
Name: www.google.co.uk
Addresses: 2607:f8b0:400f:801::101f
62.24.154.109
62.24.154.93
62.24.154.104
62.24.154.108
62.24.154.114
62.24.154.113
62.24.154.99
62.24.154.98
62.24.154.88
62.24.154.89
62.24.154.84
62.24.154.119
62.24.154.94
62.24.154.118
62.24.154.123
62.24.154.103
```

ipleak.net shows OpenDNS
After performing this IPCONFIG /RENEW, a period of time passes (haven't stop-watched it) and my Win7 client's DNS server reverts back to 192.168.1.1, and name resolution is broken again (appears like the internet is down).
Is it an IPv6 problem?
To answer jswj's question, DNS resolution via the GUI works perfectly. Screenshot attached.
![Screenshot 2014-03-14 10.31.20.png](/public/imported_attachments/1/Screenshot 2014-03-14 10.31.20.png)
-
On Windows (don't know about *nix exactly) you have to put the root domain "." at the end of any nslookup - otherwise Windows dumbly always appends the domain it knows about. And of course that whole appended thing does not exist, and OpenDNS, instead of returning NXDOMAIN, returns their block/information page IP address. Use the "." at the end with nslookup.
ping does not suffer the same fate. You should be able to ping using names, without the ".", and get a sensible IP number back and see the ping happening.
and hopefully normal web browsing works, because that should be doing lookups OK underneath.

I haven't used the option to give particular DNS server IPs to a static-mapped client. It sounds like some issue when the client then automatically renews its lease, that it goes back to getting the default DNS server. I will try that at home to see if it is a general bug or not.
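To make Phil's point checkable, here is an added example (written for this page, not code from the thread or from pfSense): a small Python parser for the Windows nslookup output pasted above that tells apart a genuine answer, an answer for a suffix-appended name that hit the OpenDNS block page, and a refused query. The sample outputs are constructed to mirror the thread, and the block-page address is the one reported in the thread.

```python
import re

# Block-page address OpenDNS returned in this thread for the non-existent name
# "www.google.co.uk.localdomain" (value taken from the posted nslookup output).
KNOWN_BLOCK_PAGE_IPS = {"67.215.65.132"}

def parse_nslookup(output):
    """Parse Windows nslookup text into {server, name, addresses, refused}."""
    lk = {"server": "", "name": "", "addresses": [], "refused": False}
    in_answer = False
    for line in (l.strip() for l in output.splitlines()):
        if "Query refused" in line:
            lk["refused"] = True
        elif line.startswith("Server:"):
            lk["server"] = line.split(":", 1)[1].strip()
        elif line.startswith("Name:"):          # name the resolver answered for
            lk["name"], in_answer = line.split(":", 1)[1].strip(), True
        elif in_answer and line.startswith(("Address:", "Addresses:")):
            lk["addresses"].append(line.split(":", 1)[1].strip())
        elif in_answer and re.fullmatch(r"[0-9a-fA-F.:]+", line):
            lk["addresses"].append(line)        # continuation of an address list
    return lk

def classify(query, lk):
    """Was the answer for the name asked, for a suffixed variant, or refused?"""
    if lk["refused"]:
        return "refused"
    asked, answered = query.rstrip(".").lower(), lk["name"].rstrip(".").lower()
    if answered != asked and answered.startswith(asked + "."):
        # Windows appended its search suffix; a fixed IP for that name is a block page.
        if set(lk["addresses"]) & KNOWN_BLOCK_PAGE_IPS:
            return "suffix-appended-blockpage"
        return "suffix-appended"
    return "resolved" if lk["addresses"] else "empty"

# Constructed samples in the shape of the output posted in this thread.
SAMPLE_BLOCKED = ("Server: resolver1.opendns.com\nAddress: 208.67.222.222\n\n"
                  "Non-authoritative answer:\nName: www.google.co.uk.localdomain\n"
                  "Address: 67.215.65.132\n")
SAMPLE_OK = ("Server: resolver1.opendns.com\nAddress: 208.67.222.222\n\n"
             "Non-authoritative answer:\nName: www.google.co.uk\n"
             "Addresses: 2607:f8b0:400b:80a::1017\n62.24.154.94\n62.24.154.108\n")
SAMPLE_REFUSED = ("Server: pfsense.localdomain\nAddress: 192.168.1.1\n"
                  "*** pfsense.localdomain can't find www.google.co.uk: Query refused\n")

if __name__ == "__main__":
    for q, s in [("www.google.co.uk", SAMPLE_BLOCKED), ("www.google.co.uk.", SAMPLE_OK),
                 ("www.google.co.uk", SAMPLE_REFUSED)]:
        print(q, "->", classify(q, parse_nslookup(s)))
```

Feeding the script real nslookup output lets you see at a glance whether a "wrong" answer is the resolver's doing or just the search suffix being appended.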
-
Thanks again Phil - I have downloaded a complete config backup at varying stages so that I can quickly get to where I want to be if I need to crash and burn.
As part of troubleshooting I've swung back and forth between 2.1.0 stable and 2.1.1 pre-release; it is now literally 10 minutes' work from a liveCD build in either direction!
I have just noticed [and rectified] something "dumb"... When I ditched the Draytek Vigor, I performed a paper-clip-in-the-hole factory reset on both of the Draytek Vigor 120 ADSL modems before connecting via cat5e to the pfSense box.
That factory reset has the effect of setting the IP address of the modem to 192.168.2.1 (therefore the gateway address to 192.168.2.1 also) and the DHCP range start to 192.168.2.10, limit to 2 IPs.
As I did it on both, both of the gateway IPs will have been the same. Doh! I guess this is not ideal.
I have rectified this and set the second to 192.168.3.1 (dhcp start 192.168.3.10) default gateway 192.168.3.1
I will proceed with the usual tests this evening and see if anything has changed.
Can't be good for the routing table.
Cheers,
Rowland. -
Well, initial testing reveals no difference after changing the gateway IP on the second Vigor 120.
I have been looking at the issue a little more broadly (bringing an old Samsung Galaxy Tab, a newer Samsung Galaxy S2 and a few other odds and sods into the mix) and I have found that if I set the DNS servers to say, the unblock-us DNS servers: 208.122.23.22, 208.122.23.23 against the static mapping entry for each respective device, the DNS servers are honoured.
In other words, I suspect this is a Windows issue. So far I've tested Windows XP, Windows server 2008 and Windows7. All exhibit the same release/renew behaviour.
I've disabled IPv6 and rebooted to rule it out and done the same checks. Same results.
Back to the drawing board.
Regarding your theory on the DNS renew, it's the other way round. If I boot a win7 client that has DNS set to OpenDNS in the static mapping, when it first boots and takes its first lease, it gets the 192.168.1.1 DNS server, but IPLEAK and the DynDNS check page (http://setup.dynguide.com/) both reveal that it is defaulting to the System>General DNS list of: DynDNS and Norton.
If I then issue an IPCONFIG /RENEW, DNS changes to 208.67.222.222 and 208.67.220.220 (OpenDNS) and all is fine in the world until a number of minutes later, when the DNS server reverts back to 192.168.1.1.
This other post sounds similar to the behaviour I see: https://forum.pfsense.org/index.php?topic=67180.0
There is always the possibility that I am doing something that was not intended - or that there is a better way of doing what I am trying to achieve, which is Dyn/Norton for my child and OpenDNS for me.
Cheers,
Rowland. -
Kind of resigned to the fact that it is either not going to work (and may be fixed in a future release) or not designed to work - in other words I'm trying to make it do something it is not meant to do.
I think that as far as supplying DNS servers is concerned, the DNS Forwarder and DHCP Static Mapping DNS fields are mutually exclusive with respect to Windows Clients. It's either one or the other.
To that end, I've removed all the DNS entries from the static mapping DNS fields for all my Windows hosts and simply assigned manual DNS servers against the network cards of each Windows box using the IPv4 "Use the following DNS server addresses" dialogue.
Everything non-Windows works perfectly. I'm happy with this as it reflects the solution I had in place with the old Draytek router.
Cheers,
Rowland.