pfSense won't respond to DNS requests
-
Hello everyone,
I'm in the process of setting up two firewalls to eventually utilise CARP failover (this might be relevant to the recommended setup). I can get full layer 3 connectivity through the firewall but it won't seem to respond to DNS requests.
The DHCP server gives its own LAN address as the DNS server. The DNS forwarder is enabled and is set to work on all interfaces. I have set public DNS in General settings, and the firewall can resolve public names and can ping based on DNS name.
Packet capture shows DNS requests from my LAN PC to the LAN interface, but no response. I have the default any any firewall rules for the LAN interface.
I'm running the 2.1-RELEASE version.
Any help you can give would greatly be appreciated.
-
Well if you're not getting a response, it would seem to me that the DNS forwarder is not actually running. Because if it failed to look something up it would still respond with nx, etc.
You sure the DNS forwarder is running and listening on your LAN IP?
Check the log. I cleared mine and then restarted so I could show you what it would normally look like:
May 15 10:24:35 dnsmasq[51307]: read /etc/hosts - 58 addresses
May 15 10:24:35 dnsmasq[51307]: using local addresses only for domain 10.in-addr.arpa
May 15 10:24:35 dnsmasq[51307]: using local addresses only for domain 168.192.in-addr.arpa
May 15 10:24:35 dnsmasq[51307]: using local addresses only for domain 16.172.in-addr.arpa
May 15 10:24:35 dnsmasq[51307]: using local addresses only for domain 17.172.in-addr.arpa
<snipped>rfc1918
May 15 10:24:35 dnsmasq[51307]: using local addresses only for domain 30.172.in-addr.arpa
May 15 10:24:35 dnsmasq[51307]: using local addresses only for domain 31.172.in-addr.arpa
May 15 10:24:35 dnsmasq[51307]: ignoring nameserver 127.0.0.1 - local interface
May 15 10:24:35 dnsmasq[51307]: using nameserver 4.2.2.2#53
May 15 10:24:35 dnsmasq[51307]: using nameserver 129.250.35.250#53
May 15 10:24:35 dnsmasq[51307]: using nameserver 75.75.75.75#53
May 15 10:24:35 dnsmasq[51307]: reading /etc/resolv.conf
May 15 10:24:35 dnsmasq[51307]: using local addresses only for domain 10.in-addr.arpa
May 15 10:24:35 dnsmasq[51307]: using local addresses only for domain 168.192.in-addr.arpa
May 15 10:24:35 dnsmasq[51307]: using local addresses only for domain 16.172.in-addr.arpa
May 15 10:24:35 dnsmasq[51307]: using local addresses only for domain 17.172.in-addr.arpa
<snipped>a lot of these rfc1918 addresses
May 15 10:24:35 dnsmasq[51307]: using local addresses only for domain 31.172.in-addr.arpa
May 15 10:24:35 dnsmasq[51307]: compile time options: IPv6 GNU-getopt no-DBus i18n IDN DHCP DHCPv6 no-Lua TFTP no-conntrack no-ipset auth
May 15 10:24:35 dnsmasq[51307]: started, version 2.68 cachesize 10000
May 15 10:24:34 dnsmasq[89830]: exiting on receipt of SIGTERM
Do a simple sockstat to verify listening:
[2.1.3-RELEASE][root@pfsense.local.lan]/root(7): sockstat | grep dnsmasq
nobody dnsmasq 51307 3 udp4 *:53 *:*
nobody dnsmasq 51307 4 tcp4 *:53 *:*
nobody dnsmasq 51307 5 udp6 *:53 *:*
nobody dnsmasq 51307 6 tcp6 *:53 *:*
nobody dnsmasq 51307 9 dgram -> /var/run/log
[2.1.3-RELEASE][root@pfsense.local.lan]/root(8):
-
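A scripted version of the two checks in the post above (is dnsmasq bound to UDP/53 for the LAN address, and does its log show it started rather than exited), as an added example that is not code from the thread or from pfSense. The sockstat and log samples are constructed from the output pasted above; the LAN IP, the function names and the assumption that the pasted log is newest-first are mine.

```python
import re
from ipaddress import ip_address
from typing import Dict, List, Tuple

# Constructed sample modelled on the sockstat output pasted in the post above (FreeBSD
# sockstat column layout; the FOREIGN ADDRESS column is *:* for a listening socket).
SOCKSTAT_SAMPLE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
nobody   dnsmasq    51307 3  udp4   *:53                  *:*
nobody   dnsmasq    51307 4  tcp4   *:53                  *:*
nobody   dnsmasq    51307 5  udp6   *:53                  *:*
nobody   dnsmasq    51307 6  tcp6   *:53                  *:*
nobody   dnsmasq    51307 9  dgram  -> /var/run/log
"""

# Constructed dnsmasq log excerpt in the order the pfSense log viewer shows it: newest first.
DNSMASQ_LOG_SAMPLE = """\
May 15 10:24:35 dnsmasq[51307]: using nameserver 4.2.2.2#53
May 15 10:24:35 dnsmasq[51307]: using nameserver 75.75.75.75#53
May 15 10:24:35 dnsmasq[51307]: started, version 2.68 cachesize 10000
May 15 10:24:34 dnsmasq[89830]: exiting on receipt of SIGTERM
"""

SOCK_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(udp[46]|tcp[46])\s+(\S+)\s+(\S+)")
NS_RE = re.compile(r"using nameserver (\S+)#(\d+)")


def parse_sockstat(text: str) -> List[Dict]:
    """One dict per inet socket line; the header and unix/dgram sockets are skipped.
    The local address is split on its last ':' so IPv6 literals keep their colons."""
    entries = []
    for line in text.splitlines():
        m = SOCK_RE.match(line)
        if not m:
            continue
        user, command, pid, _fd, proto, local, _foreign = m.groups()
        host, _, port = local.rpartition(":")
        entries.append({"user": user, "command": command, "pid": int(pid),
                        "proto": proto, "host": host, "port": int(port)})
    return entries


def dns_listener_covers(entries: List[Dict], lan_ip: str, command: str = "dnsmasq",
                        port: int = 53) -> bool:
    """True if `command` holds a UDP socket on `port` bound to the wildcard or to `lan_ip`
    itself, in lan_ip's address family. Clients send their first query over UDP, so this
    is the socket that must exist for the forwarder to answer at all."""
    family = "udp6" if ip_address(lan_ip).version == 6 else "udp4"
    return any(e["command"] == command and e["proto"] == family and e["port"] == port
               and e["host"] in ("*", lan_ip) for e in entries)


def forwarder_state(log_text: str, newest_first: bool = True) -> Tuple[str, List[str]]:
    """Walk the log oldest-to-newest; the last start/exit event decides whether the
    forwarder is 'running' or 'stopped' ('unknown' if neither appears). Upstream servers
    announced by the most recent instance are returned alongside."""
    lines = log_text.splitlines()
    if newest_first:
        lines.reverse()
    state, upstreams = "unknown", []
    for line in lines:
        if "started, version" in line:
            state, upstreams = "running", []
        elif "exiting on receipt of" in line:
            state, upstreams = "stopped", []
        m = NS_RE.search(line)
        if m:
            upstreams.append(m.group(1))
    return state, upstreams


def diagnose(sockstat_text: str, log_text: str, lan_ip: str) -> List[str]:
    """Findings at the forwarder layer; an empty list means the next place to look is the
    firewall rules on the LAN interface, as the rest of the thread does."""
    findings = []
    state, upstreams = forwarder_state(log_text)
    if state != "running":
        findings.append(f"dnsmasq state from log: {state}")
    elif not upstreams:
        findings.append("dnsmasq started with no upstream nameservers (check General Setup)")
    if not dns_listener_covers(parse_sockstat(sockstat_text), lan_ip):
        findings.append(f"no dnsmasq UDP/53 socket bound to * or {lan_ip}")
    return findings


if __name__ == "__main__":
    print(diagnose(SOCKSTAT_SAMPLE, DNSMASQ_LOG_SAMPLE, "192.168.1.1") or ["forwarder looks healthy"])
```

On a real box, feed it the output of `sockstat | grep dnsmasq` and the DNS forwarder log; a wildcard `*:53` UDP socket and a trailing "started" line with at least one "using nameserver" entry is the healthy picture shown in the post, and anything else narrows the fault to the forwarder rather than the rules.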
Any chance you forgot to add a rule on that interface that would actually allow DNS?
(I may have accidentally just done that yesterday)
-
^ "I have the default any any firewall rules for the LAN interface."
If he has the default any any rule in place it should be fine, unless he put some rule in front of that? Or has set up floating rules that would block it.
-
In my case I was messing with two rules to make it log something, so I made an allow out and a block, but I had accidentally set my allow to TCP rather than any.
I did still have the default one, it just wasn't getting triggered by anything because of the block.
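The rule-ordering mistake described in this last post, as an added example that is not code from the thread or from pfSense: a small first-match simulation (pfSense interface rules are evaluated top-down and the first matching rule wins) showing that a pass rule restricted to TCP followed by a block rule shadows the default any/any rule for UDP/53, so DNS queries never reach it. The `Rule` and `Packet` names, the rule descriptions and the sample packets are constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str              # "pass" or "block"
    proto: str               # "tcp", "udp" or "any"
    dst_port: Optional[int]  # None means any destination port
    description: str


@dataclass(frozen=True)
class Packet:
    proto: str
    dst_port: int


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when both its protocol and destination-port constraints are satisfied."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First-match evaluation, top to bottom (pfSense interface rules are 'quick' rules).
    Returns (action, description of the rule that decided); with no match the packet is
    dropped by the implicit default deny."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.description
    return "block", "implicit default deny"


def shadowed_rules(rules: List[Rule], pkts: List[Packet]) -> List[str]:
    """Descriptions of rules that decide none of the sample packets. A rule listed here is
    unreachable for that traffic mix, which is what happened to the default LAN rule above."""
    used = {evaluate(rules, p)[1] for p in pkts}
    return [r.description for r in rules if r.description not in used]


DEFAULT_LAN = Rule("pass", "any", None, "Default allow LAN to any rule")

# Constructed rule sets: the accidental version (pass limited to TCP) and the intended one.
MISTAKE_RULES = [
    Rule("pass", "tcp", None, "allow out (accidentally TCP only)"),
    Rule("block", "any", None, "block, logged"),
    DEFAULT_LAN,
]
FIXED_RULES = [
    Rule("pass", "any", None, "allow out (any protocol)"),
    Rule("block", "any", None, "block, logged"),
    DEFAULT_LAN,
]

# Constructed sample traffic: a DNS query, an HTTPS connection and an NTP query.
SAMPLE_PACKETS = [Packet("udp", 53), Packet("tcp", 443), Packet("udp", 123)]

if __name__ == "__main__":
    for name, rules in (("mistake", MISTAKE_RULES), ("fixed", FIXED_RULES)):
        for pkt in SAMPLE_PACKETS:
            action, why = evaluate(rules, pkt)
            print(f"{name:8} {pkt.proto}/{pkt.dst_port}: {action} by '{why}'")
        print(f"{name:8} unreachable rules: {shadowed_rules(rules, SAMPLE_PACKETS)}")
```

The `shadowed_rules` check is the useful part when reviewing a rule set: a default allow rule that never decides any packet in the sample is exactly the "it just wasn't getting triggered" situation in the post, and the same check shows that in the fixed set the block rule is the one that never fires.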