DNS Forwarder on one of two Subnet in an multilan scenario is not working

g_savini

Sorry my english. There is an strange behavior with DNS Forwarder in an scenario with two LAN and 2 WAN. I googled the problem with no answer.
The subnetwork on LAN1 interface can surf internet and can resolve DNS queries without problems, but clients on second LAN2 can't. I believe  the problem is the DNS Forwarder.

From LAN2 client i can ping to the google DNS host "8.8.8.8" but if i try to do an nslookup to www.google.com the answer an ip address of my Access Point.

My hardware are confgured just like that:

PfSense 2.1.5 amd64.

LAN Interfase:
Realtek PCI 10/100 Ethernet NIC
IP: 192.168.0.3/24
Conected to switch

WIFI Interfase:
Realtek PCI 10/100 Ethernet NIC
IP: 192.168.2.1/24
Connected directly to an Access Point Tp-Link TL-WN901nd (ip: 192.168.2.2) (doubt here, may be the cause the problem?)

WAN1 and WAN2:
PPOE clients
Dynamic IP

DHCP Server on WIFI Interface
Range: 192.168.2.100 - 192.168.2.200
Domain Name: syscomputacion.com.ar

No statics entries.

DHCP Server on LAN interfase.
Range: 192.168.0.100 - 192.168.0.200
Domain Name: None or syscomputacion.com.ar
No statics entries.

Firewall rules on WIFI interfase:

| Action | Proto | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description |
| block | * | Reserved/not assigned by IANA | * | * | * | * | * | * | Block bogon networks |
| Pass | IPV4 UDP | WIFI net | 53(DNS) | 192.168.2.1 | 53(DNS) | * | none | | WIFI -> DNS |
| Pass | IPv4* | WIFI net | * | * | * | MultiWan | none | | WIFI -> Internet |

The following tests was made on a Windows 7 client on WIFI subnet connected via wireless:

IP Address on Client (Assigned by DHCP): 192.168.2.100
Domain Sufix: syscomputacion.com.ar
Netmask 255.255.255.0
DHCP Server: 192.168.2.1
DNS Server: 192.168.2.1

Ping Test:

Ping 192.168.0.3 (pfsense) ok.
Ping 8.8.8.8 (google DNS), ok.
Ping 192.168.2.1 (Pfsense) ok.

nslookup www.google.com

• server: 1.2.168.192.in-addr.arpa
• Address: 192.168.2.1
  Non Authoritative Answer:
• Name: www.google.com.syscomputacion.com.ar (???????) If i remove Domain Name from DHCP server in WIFI Interface syscomputacion.com.ar is not appended after google.com, i don't know why this happens.
• Address: 192.168.2.2 (the ip of Access Point). WHY why?

I also tried modify the rule on port 53 to point 192.168.0.3 with no result.
Viewing the firewall log i don't found  queries on port 53 blocked.

Can anybody help me?.
Thanks.

Derelict

That is your nslookup appending your configured domain name to its query.  nslookup is stupid.

If you don't want that to happen, append a trailing period to your domain name:

nslookup www.google.com.

Derelict

And do yourself a favor and make your pass rules for DNS UDP and TCP for port 53, not just UDP.

g_savini

Thanks, i solved the problem.
No DNS Forwarder problem o firewall rules mistake. It was an Access point TL-WA901ND V3 bug. I connected WIFI interfase and AP both to the same switch, then connect the client to the wired lan, all worked fine with the original configuration. So i discovered that the problem was an Access point bug.

Googled some issues with this AP and DNS and found this

"I got the DNS issue fixed only if I run the AP as DHCP Client. With a static IP (and yes still without default Gateway) any DNS request replies with the static IP address of the AP."

So i changed  the fixed IP on the AP to a Dynamic IP and all worked fine on the wireless clients.