Several problems with split DNS



  • I have 2.1 running inside ESXi 5.5 as the point of entry for a home system. Pretty basic WAN, LAN setup. Some wifi APs are on the LAN side. One is a plain bridge, the other performs NAT. Untrusted devices (e.g. "internet of things") are on the NAT wifi.

    I have a split DNS entry for the primary domain (example.com). It points at the LAN address where the server is.

    I have two symptoms:

    • From a Mac on the LAN, I sometimes see the WAN address for the server instead of the LAN address. This can happen inside a single application, such as Screen Sharing (the built-in VNC viewer). Once the WAN address is cached, it's broken for a while, which is spouse-incompatible since outgoing email appears broken for smartphones on the wifi. I think I see this behavior on any network on the LAN side (ethernet, bridged wifi, NAT wifi).

    • From a Mac on the LAN, my reverse firewall (Little Snitch) often tells me of netbiosd wanting to talk back out to somebody. It presents the WAN address. It also shows the name of the server as <string of random lowercase letters>.example.com. AFAICT, these ports are completely blocked by the firewall. I run no Windows boxes inside the house, but a few devices offer SMB/CIFS services. Additionally, my ISP (Comcast Business) blocks these ports by default on their end, and I've seen such results from nmap.

    Since my skills with BIND are far from lethal, I turn to the masters for teaching….



  • Just so it is clear to me, you are using pfSense as the primary DNS server and are using the DNS forwarder to send requests to an internal resource running BIND? This is where the split DNS is running? Are you using DHCP? If so, you can send out that DNS server's address. Are you using pfSense as a secondary DNS without the domain forwarder?



  • @podilarius:

    Just so it is clear to me, you are using pfSense as the primary DNS server and are using the DNS forwarder to send requests to an internal resource running BIND? This is where the split DNS is running? Are you using DHCP? If so, you can send out that DNS server's address. Are you using pfSense as a secondary DNS without the domain forwarder?

    I am using the DNS Forwarder, out of the box. DNS queries are otherwise passed through to the ISP.


  • LAYER 8 Global Moderator

    "* From a Mac on the LAN, I sometimes see the WAN address for the server instead of the LAN address."

    But all you're using is pfSense..  I have to assume your client is using something other than pfSense..  If your clients have more than 1 DNS server configured - you can never be sure which one they are going to query, etc.

    If the DNS forwarder in pfSense has a record for www.domain.tld to point to 192.168.1.50 – then that would be what it would respond with when asked for www.domain.tld. So if you're saying clients sometimes get your public IP for www.domain.tld -- I would have to say your clients are set to use something other than pfSense as DNS.

    This is the most likely answer.



  • @johnpoz:

    "* From a Mac on the LAN, I sometimes see the WAN address for the server instead of the LAN address."

    But all you're using is pfSense..  I have to assume your client is using something other than pfSense..  If your clients have more than 1 DNS server configured - you can never be sure which one they are going to query, etc.

    If the DNS forwarder in pfSense has a record for www.domain.tld to point to 192.168.1.50 – then that would be what it would respond with when asked for www.domain.tld. So if you're saying clients sometimes get your public IP for www.domain.tld -- I would have to say your clients are set to use something other than pfSense as DNS.

    This is the most likely answer.

    The client is me. I have no DNS server running anywhere on my network. Just dnsmasq on pfSense.

    I've checked all available networks on the Mac and in all cases the DNS is set only to the pfSense address. I've also double-checked the AP with NAT and it only ever sets the pfSense server for DNS when it does DHCP.

    As in the other thread on split DNS, "host example.com" returns the proper split address, but "ping example.com" uses the WAN address.


  • LAYER 8 Global Moderator

    Well, host would be a DNS query; ping would use your cache or hosts file.. Did you flush your machine's DNS cache, or do you have something in its hosts file?

    So let's see this query showing the public IP?

    What you're saying is that instead of dnsmasq returning what it has in its records (pfSense hosts file), it's returning what the forwarder has for it.  I really find that unlikely - but if it is the case it has nothing to do with pfSense and would be an underlying dnsmasq issue.  I have never ever seen this behavior ever in dnsmasq.

    So let's see this happen..  from dig – query this FQDN, just keep doing the query - show us when it returns the public vs the local IP.

    Example:

    So I created a record for www.cnn.com to point to 1.2.3.4, clearly that is not the right answer..  So if I query pfSense (dnsmasq) it returns 1.2.3.4; if I query a public DNS it returns the public records.  So what you're saying is happening is: just keep doing the query to pfSense and at some point it returns the public IP vs the local.

    Well, do 100 queries -- how many return local, how many return public.. I am betting on 100 out of 100 returning local, and your issue is somewhere on your clients doing a query to something else, to be honest.

    C:\>dig www.cnn.com

    ; <<>> DiG 9.9.5-W1 <<>> www.cnn.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31386
    ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;www.cnn.com.                  IN      A

    ;; ANSWER SECTION:
    www.cnn.com.            86400  IN      A      1.2.3.4

    ;; Query time: 4 msec
    ;; SERVER: 192.168.1.253#53(192.168.1.253)
    ;; WHEN: Sat Apr 05 06:32:27 Central Daylight Time 2014
    ;; MSG SIZE  rcvd: 45

    C:\>dig @4.2.2.2 www.cnn.com

    ; <<>> DiG 9.9.5-W1 <<>> @4.2.2.2 www.cnn.com
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11444
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;www.cnn.com.                  IN      A

    ;; ANSWER SECTION:
    www.cnn.com.            439    IN      CNAME  www.cnn.com.vgtf.net.
    www.cnn.com.vgtf.net.  37      IN      CNAME  cnn-56m.gslb.vgtf.net.
    cnn-56m.gslb.vgtf.net.  253    IN      A      157.166.248.11
    cnn-56m.gslb.vgtf.net.  253    IN      A      157.166.249.10
    cnn-56m.gslb.vgtf.net.  253    IN      A      157.166.249.11
    cnn-56m.gslb.vgtf.net.  253    IN      A      157.166.248.10

    ;; Query time: 43 msec
    ;; SERVER: 4.2.2.2#53(4.2.2.2)
    ;; WHEN: Sat Apr 05 06:32:36 Central Daylight Time 2014
    ;; MSG SIZE  rcvd: 165

    C:\>

    edit:  So what I would do as a simple test: grab namebench -- run it with a simple test for this local record against pfSense and have it query a few times.  So here I queried 1000 times for the www.cnn.com that I pointed to 1.2.3.4

    ubuntu:~$ namebench -i /tmp/test.dns -S -r 4
    namebench 1.3.1 - /tmp/test.dns (automatic) on 2014-04-05 07:56:06.333039
    threads=40/2 queries=250 runs=4 timeout=3.5 health_timeout=3.75 servers=11

    • Reading /tmp/test.dns: /tmp/test.dns (0.0MB)
    • Generating tests from /tmp/test.dns (1 records, selecting 250 automatic)

    In my test.dns file I had only www.cnn.com..  So this reports what your DNS server responds with in a nice, easy-to-read CSV file showing every query and response.

    IP Name Test_Num Record Record_Type Duration TTL Answer_Count Response
    192.168.1.253 SYS-192.168.1.253 0 www.cnn.com. A 1.610994339 86400 1 1.2.3.4
    192.168.1.253 SYS-192.168.1.253 0 www.cnn.com. A 1.846075058 86400 1 1.2.3.4
    192.168.1.253 SYS-192.168.1.253 0 www.cnn.com. A 1.757144928 86400 1 1.2.3.4
    192.168.1.253 SYS-192.168.1.253 0 www.cnn.com. A 1.523017883 86400 1 1.2.3.4
    192.168.1.253 SYS-192.168.1.253 0 www.cnn.com. A 1.521110535 86400 1 1.2.3.4
    192.168.1.253 SYS-192.168.1.253 0 www.cnn.com. A 2.447128296 86400 1 1.2.3.4
    192.168.1.253 SYS-192.168.1.253 0 www.cnn.com. A 1.616001129 86400 1 1.2.3.4
    192.168.1.253 SYS-192.168.1.253 0 www.cnn.com. A 2.111911774 86400 1 1.2.3.4
    192.168.1.253 SYS-192.168.1.253 0 www.cnn.com. A 1.528978348 86400 1 1.2.3.4
    192.168.1.253 SYS-192.168.1.253 0 www.cnn.com. A 5.592107773 86400 1 1.2.3.4

    So 1000 queries - every single one responded with my local record of 1.2.3.4..  I would love to see a test like this from yours showing where it responds with the public IP vs the host override you created.  So let's run it 10k times..  Man, that really beat the shit out of dnsmasq -- but every one still 1.2.3.4..  Dude, it is way more likely you're just doing a query to something else, or have multiple entries maybe, a hosts file, etc., than dnsmasq returning the public IP when it has a host override.
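    The repeated-query test described in this post, as an added shell example that is not from the thread or from pfSense: it runs dig N times against one resolver, keeps only the first A record of each answer (skipping CNAME targets like the vgtf.net ones above), and tallies the distinct addresses, so "sometimes returns the WAN address" becomes a count. It assumes dig is installed; the host name, resolver address and count on the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: ask one resolver the same question many
# times and count the distinct A answers. A consistent resolver yields one
# distinct address; a client that really is hitting two different servers
# (or a cache) will show more than one.
# Assumes dig (BIND utilities) is installed. Names/addresses on the usage
# line are hypothetical placeholders.

# count_distinct: one answer per line on stdin -> number of distinct values.
count_distinct() {
    sort -u | awk 'END { print NR }'
}

# tally: one answer per line on stdin -> "count answer", most frequent first.
tally() {
    sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# first_a_record: from dig +short output, print the first IPv4 address and
# ignore CNAME targets; print NO_ANSWER when the answer had no A record.
first_a_record() {
    awk '/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print; found = 1; exit }
         END { if (!found) print "NO_ANSWER" }'
}

# query_loop NAME SERVER COUNT: query SERVER for NAME COUNT times,
# emitting one address (or NO_ANSWER) per line.
query_loop() {
    name=$1; server=$2; n=$3; i=0
    while [ "$i" -lt "$n" ]; do
        dig +short +time=2 +tries=1 @"$server" "$name" A | first_a_record
        i=$((i + 1))
    done
}

# Runs only when given arguments, e.g. (placeholders):
#   sh dnscheck.sh example.com 192.168.1.1 200
# Two lines of output (one local, one public address) is the smoking gun;
# one line means the resolver is consistent and the client is at fault.
if [ $# -ge 2 ]; then
    query_loop "$1" "$2" "${3:-100}" | tally
fi
```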

