DNS Forwarder on one of two subnets in a multi-LAN scenario is not working



  • Sorry for my English. There is strange behavior with the DNS Forwarder in a scenario with two LANs and two WANs. I googled the problem with no answer.
    The subnet on the LAN1 interface can surf the internet and resolve DNS queries without problems, but clients on the second LAN (LAN2) can't. I believe the problem is the DNS Forwarder.

    From a LAN2 client I can ping the Google DNS host 8.8.8.8, but if I try an nslookup of www.google.com the answer is the IP address of my Access Point.

    My hardware is configured like this:

    pfSense 2.1.5 amd64.

    LAN interface:
    Realtek PCI 10/100 Ethernet NIC
    IP: 192.168.0.3/24
    Connected to switch

    WIFI interface:
    Realtek PCI 10/100 Ethernet NIC
    IP: 192.168.2.1/24
    Connected directly to an Access Point Tp-Link TL-WN901nd (IP: 192.168.2.2) (doubt here, may this be the cause of the problem?)

    WAN1 and WAN2:
    PPPoE clients
    Dynamic IP

    DHCP server on WIFI interface
    Range: 192.168.2.100 - 192.168.2.200
    Domain Name: syscomputacion.com.ar

    No static entries.

    DHCP server on LAN interface.
    Range: 192.168.0.100 - 192.168.0.200
    Domain Name: None or syscomputacion.com.ar
    No static entries.

    Firewall rules on WIFI interface:

    | Action | Proto | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description |
    |---|---|---|---|---|---|---|---|---|---|
    | block | * | Reserved/not assigned by IANA | * | * | * | * | * | * | Block bogon networks |
    | Pass | IPv4 UDP | WIFI net | 53 (DNS) | 192.168.2.1 | 53 (DNS) | * | none | | WIFI -> DNS |
    | Pass | IPv4 * | WIFI net | * | * | * | MultiWan | none | | WIFI -> Internet |

    The following tests were made on a Windows 7 client on the WIFI subnet, connected via wireless:

    IP Address on Client (Assigned by DHCP): 192.168.2.100
    Domain Suffix: syscomputacion.com.ar
    Netmask 255.255.255.0
    DHCP Server: 192.168.2.1
    DNS Server: 192.168.2.1

    Ping Test:

    Ping 192.168.0.3 (pfSense): ok.
    Ping 8.8.8.8 (Google DNS): ok.
    Ping 192.168.2.1 (pfSense): ok.

    nslookup www.google.com

    server: 1.2.168.192.in-addr.arpa
    Address: 192.168.2.1

    Non Authoritative Answer:
    Name: www.google.com.syscomputacion.com.ar
    Address: 192.168.2.2

    (???????) If I remove the Domain Name from the DHCP server on the WIFI interface, syscomputacion.com.ar is not appended after google.com; I don't know why this happens. And the Address returned is the IP of the Access Point. WHY, why?

    I also tried modifying the rule on port 53 to point to 192.168.0.3, with no result.
    Viewing the firewall log, I don't find any queries on port 53 being blocked.

    Can anybody help me?
    Thanks.


  • Netgate

    That is your nslookup appending your configured domain name to its query. nslookup is stupid.

    If you don't want that to happen, append a trailing period to your domain name:

    nslookup www.google.com.
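To make the suffix-appending behaviour concrete, here is an added example (my own code, not from the thread or from pfSense) that models how a stub resolver expands a relative name through its search list and why the trailing dot stops it. The "suffix first, bare name last" order is an assumption chosen to match the nslookup output in the question; real resolvers also apply ndots rules, which are left out. The records are constructed: 203.0.113.10 is an RFC 5737 documentation address standing in for the real www.google.com answer, and `ap_lookup` imitates the access point in the thread answering anything under the DHCP domain name with its own address.

```python
# Added example, not code from the thread: a model of resolver search-list
# qualification. The "suffix first, bare name last" order is an assumption
# matching what the nslookup output in the question shows; real stub resolvers
# also use ndots rules, which are omitted here.
from typing import Callable, Dict, List, Optional


def candidate_names(name: str, search_domains: List[str]) -> List[str]:
    """Return the names a resolver would try, in order, for the typed `name`.

    A trailing dot marks the name as fully qualified: it is sent unchanged and
    no search domain is appended. Otherwise every search domain is appended in
    turn and the bare name is tried last.
    """
    if name.endswith("."):
        return [name]
    bare = name + "."
    suffixed = [f"{bare}{domain.strip('.')}." for domain in search_domains]
    return suffixed + [bare]


def resolve(name: str, search_domains: List[str],
            lookup: Callable[[str], Optional[str]]) -> Optional[str]:
    """Try each candidate until one returns an address (None models NXDOMAIN)."""
    for candidate in candidate_names(name, search_domains):
        answer = lookup(candidate)
        if answer is not None:
            return answer
    return None


# Constructed records. 203.0.113.10 is an RFC 5737 documentation address
# standing in for whatever www.google.com really resolves to.
UPSTREAM: Dict[str, str] = {"www.google.com.": "203.0.113.10"}
LOCAL_SUFFIX = "syscomputacion.com.ar."  # the DHCP domain name from the thread
AP_ADDRESS = "192.168.2.2"               # the access point's address from the thread


def ap_lookup(fqdn: str) -> Optional[str]:
    """Models the misbehaving access point: any name under the local suffix
    is answered with the AP's own address; other names go upstream."""
    if fqdn.endswith("." + LOCAL_SUFFIX):
        return AP_ADDRESS
    return UPSTREAM.get(fqdn)


def healthy_lookup(fqdn: str) -> Optional[str]:
    """A forwarder that answers only names it actually has records for."""
    return UPSTREAM.get(fqdn)


if __name__ == "__main__":
    domains = ["syscomputacion.com.ar"]
    print(candidate_names("www.google.com", domains))
    print(resolve("www.google.com", domains, ap_lookup))       # 192.168.2.2
    print(resolve("www.google.com.", domains, ap_lookup))      # 203.0.113.10
    print(resolve("www.google.com", domains, healthy_lookup))  # 203.0.113.10
```

The two `resolve` calls against `ap_lookup` are the whole story of the question: with a relative name, the suffixed candidate is tried first and the access point answers it; with the trailing dot, only the absolute name is sent and the upstream record comes back. A forwarder that answers only what it really knows (`healthy_lookup`) gives the right result either way, which is why the DNS Forwarder on pfSense was never the culprit.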


  • Netgate

    And do yourself a favor and make your pass rules for DNS UDP and TCP for port 53, not just UDP.



  • Thanks, I solved the problem.
    It was no DNS Forwarder problem or firewall rule mistake. It was an Access Point TL-WA901ND V3 bug. I connected the WIFI interface and the AP both to the same switch, then connected the client to the wired LAN, and all worked fine with the original configuration. So I discovered that the problem was an Access Point bug.

    I googled some issues with this AP and DNS and found this:

    "I got the DNS issue fixed only if I run the AP as DHCP Client. With a static IP (and yes still without default Gateway) any DNS request replies with the static IP address of the AP."

    So I changed the fixed IP on the AP to a dynamic IP and all worked fine on the wireless clients.
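The quoted symptom ("any DNS request replies with the static IP address of the AP") is easy to confirm from the wire once you look at more than one name. Below is an added example (my own code, not from the thread or from any vendor) with a minimal DNS response builder and parser and two checks a defender can run over captured replies: whether every query for a different name collapses to one identical address, and whether names outside the local domain resolve into RFC 1918 space. All responses are constructed in the block; `example.net` and the 203.0.113.x addresses are reserved documentation values.

```python
# Added example, not code from the thread: a minimal DNS wire-format builder
# and parser plus two defender-side checks for the symptom quoted above, where
# a device answers every query with its own address. All responses here are
# constructed; 203.0.113.x are RFC 5737 documentation addresses.
import ipaddress
import struct
from typing import Dict, List, Optional, Tuple

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_a_response(qname: str, answers: List[str], txid: int = 0x1234) -> bytes:
    """Construct a response: flags QR|RD|RA, one question, one A record per answer."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    rrs = b""
    for ip in answers:
        # 0xC00C: compression pointer back to the question name at offset 12
        rrs += struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + rrs


def _read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name with trailing dot, next offset)."""
    labels: List[str] = []
    end, jumped = offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer: follow it, remember where we left off
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", end if jumped else offset


def parse_a_records(msg: bytes) -> Tuple[Optional[str], List[str]]:
    """Return (first question name, A-record addresses) from a response message."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset, qname = 12, None
    for _ in range(qdcount):
        name, offset = _read_name(msg, offset)
        qname = qname or name
        offset += 4  # skip QTYPE and QCLASS
    ips: List[str] = []
    for _ in range(ancount):
        _owner, offset = _read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:  # A record
            ips.append(str(ipaddress.IPv4Address(msg[offset:offset + 4])))
        offset += rdlen
    return qname, ips


def answer_collapse(responses: List[bytes]) -> Optional[str]:
    """If responses for at least two different names all carry the same single
    address, return it: the signature of a device answering with its own IP."""
    seen: Dict[Optional[str], Tuple[str, ...]] = {}
    for msg in responses:
        qname, ips = parse_a_records(msg)
        seen[qname] = tuple(sorted(ips))
    answers = set(seen.values())
    if len(seen) >= 2 and len(answers) == 1:
        (ips,) = answers
        if len(ips) == 1:
            return ips[0]
    return None


def private_answers_for_external_names(responses: List[bytes],
                                       local_suffixes: Tuple[str, ...]) -> List[Tuple[str, str]]:
    """Flag names outside the local domain that resolve into RFC 1918 space."""
    flagged: List[Tuple[str, str]] = []
    for msg in responses:
        qname, ips = parse_a_records(msg)
        if qname is None or any(qname.endswith(s) for s in local_suffixes):
            continue
        flagged += [(qname, ip) for ip in ips if any(ipaddress.IPv4Address(ip) in net for net in RFC1918)]
    return flagged


# Constructed samples: the AP behaviour from the thread versus a healthy forwarder.
AP_RESPONSES = [
    build_a_response("www.google.com.syscomputacion.com.ar", ["192.168.2.2"]),
    build_a_response("example.net.syscomputacion.com.ar", ["192.168.2.2"]),
]
HEALTHY_RESPONSES = [
    build_a_response("www.google.com", ["203.0.113.10"]),
    build_a_response("example.net", ["203.0.113.20"]),
]

if __name__ == "__main__":
    print(answer_collapse(AP_RESPONSES))       # 192.168.2.2
    print(answer_collapse(HEALTHY_RESPONSES))  # None
```

The collapse check is the one that catches this particular bug, because the bogus answers were for names under the local suffix, so a plain "public name resolved to a private address" rule would not fire on them; the second check still matters for the case where a client sends an absolute name and something on the path rewrites the reply. To use either against live traffic, feed it the raw UDP payloads of DNS replies (for example from a packet capture) instead of the constructed messages.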