Netgate Discussion Forum

Import host override list into forwarder

Category: DHCP and DNS
39 Posts, 3 Posters, 13.7k Views
    markn62, last edited Jan 21, 2015, 3:29 AM

    Entered

    server:
    local-data: "click01.aditic.net A 10.10.10.1"

    into Unbound Dns Advanced Settings and works like a champ.  Helps when put in the proper GUI location.  ;)

    Thanks again guys for your help and patience.

      markn62, last edited Jan 21, 2015, 4:54 AM

      Well that's a peach.  After all this effort to get a local ip / hostname relationship established in Unbound it appears neither nTopNG or Bandwidthd use Unbound to resolve the locals, both still show IPs.  I have nTopNG set to "Decode DNS responses and resolve all numeric IP's".  So at least nTopNG should be displaying hostnames.  I ping by hostname and it resolves.

        markn62, last edited Jan 21, 2015, 7:12 PM

        Does anyone have private IP host overrides in Unbound to know if NtopNG and/or Bandwidthd, within PfSense ver 2.2, will DNS resolve the privates?

          markn62, last edited Jan 22, 2015, 8:17 PM

          Interestingly, when I packet capture with the "reverse dns lookup" box checked the results for private IPs are x.x.x.x.sae-urn, again numbers with an odd hostname.  So doesn't look like PfSense is using host overrides in Unbound either.  Is this because Unbound is a package in pre ver 2.2?

            johnpoz (LAYER 8 Global Moderator), last edited Feb 20, 2015, 7:24 PM

            And what do you have pfsense set to use for resolving?  Does it look to itself where you put the overrides in?

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

              markn62, last edited Feb 20, 2015, 7:47 PM

              The General dns server has a Lan Ip entry with gw set to none.  I'm using the Unbound resolver with network interfaces set to Localhost and Lan.  And in Unbound Advanced I have entries, example:
              local-data: "host.domain A ip address"
              local-data: "host.domain A ip address"

              I expected by also choosing localhost along with Lan that internal services could access the resolver via localhost, doesn't appear to.  The names are resolving in an outboard syslog server fine just not internally.

                johnpoz (LAYER 8 Global Moderator), last edited Feb 20, 2015, 9:22 PM

                In general dns you have pfsense lan IP?

                So I don't have any setup in general dns.  In dhcp servers I don't have anything listed - so it hands out the IP of the interface your dhcp server is running on to clients for dns.

                If on pfsense I just do a simple drill command it comes back with root hints and shows it's using localhost to resolve

                ;; Query time: 1 msec
                ;; SERVER: 127.0.0.1
                ;; WHEN: Fri Feb 20 15:12:48 2015

                If I query using drill on cmd line of pfsense for a local host name I have in over rides it resolves just fine.

                [2.2-RELEASE][root@pfSense.local.lan]/root: drill i5-w7.local.lan
                ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 50574
                ;; flags: qr aa rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
                ;; QUESTION SECTION:
                ;; i5-w7.local.lan.    IN      A

                ;; ANSWER SECTION:
                i5-w7.local.lan.        3600    IN      A      192.168.1.100

                ;; AUTHORITY SECTION:

                ;; ADDITIONAL SECTION:

                ;; Query time: 1 msec
                ;; SERVER: 127.0.0.1
                ;; WHEN: Fri Feb 20 15:15:38 2015
                ;; MSG SIZE  rcvd: 49

                [2.2-RELEASE][root@pfSense.local.lan]/root: drill -x 192.168.1.100
                ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 14132
                ;; flags: qr aa rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
                ;; QUESTION SECTION:
                ;; 100.1.168.192.in-addr.arpa.  IN      PTR

                ;; ANSWER SECTION:
                100.1.168.192.in-addr.arpa.    3600    IN      PTR    i5-w7.local.lan.

                ;; AUTHORITY SECTION:

                ;; ADDITIONAL SECTION:

                ;; Query time: 0 msec
                ;; SERVER: 127.0.0.1
                ;; WHEN: Fri Feb 20 15:16:34 2015
                ;; MSG SIZE  rcvd: 73

                When you use the advanced section, I am not sure it creates the PTR?  If you put them in the override it's doing it as you can see from the above test.  But you say it works from machine that asks pfsense resolver for the host or IP.  So seems to me it's just pfsense is not looking to itself.

                  markn62, last edited Feb 20, 2015, 10:38 PM

                  Yes, as I commented, I do have the Lan IP in general, dns. Is this no longer required now that Unbound is integrated from a package as the dns resolver? I have a couple hundred entries so I prefer not to use the GUI override, would be time consuming. I ran the drill command and it resolved from the Lan IP but would not reverse lookup when using localhost.  I have no Dns addy's in Dhcp Server Lan.  With your setup can you resolve from a Lan client to PfSense Lan IP?  I'm running an external syslog server on the Lan subnet and it resolves ok and is pointed to the Lan Ip.

                  So the settings should be;
                  General Dns = no entry
                  Dhcp Server Dns = no entry
                  Dns Resolver, Network Interfaces = localhost + Lan or just localhost?

                  [2.2-RELEASE][admin@pfsense.host]/root: drill Davidson.host
                  ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 6902
                  ;; flags: qr aa rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
                  ;; QUESTION SECTION:
                  ;; Davidson.host.      IN      A

                  ;; ANSWER SECTION:
                  Davidson.host. 3600    IN      A      192.168.150.152

                  ;; AUTHORITY SECTION:

                  ;; ADDITIONAL SECTION:

                  ;; Query time: 0 msec
                  ;; SERVER: 192.168.2.1
                  ;; WHEN: Fri Feb 20 14:17:26 2015
                  ;; MSG SIZE  rcvd: 48
                  [2.2-RELEASE][admin@pfsense.host]/root: drill -x 192.168.150.152
                  ;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 56723
                  ;; flags: qr aa rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
                  ;; QUESTION SECTION:
                  ;; 152.150.168.192.in-addr.arpa.        IN      PTR

                  ;; ANSWER SECTION:

                  ;; AUTHORITY SECTION:
                  168.192.in-addr.arpa.  10800  IN      SOA    localhost. nobody.invalid. 1 3600 1200 604800 10800

                  ;; ADDITIONAL SECTION:

                  ;; Query time: 0 msec
                  ;; SERVER: 127.0.0.1
                  ;; WHEN: Fri Feb 20 14:17:38 2015
                  ;; MSG SIZE  rcvd: 105

                    markn62, last edited Feb 21, 2015, 2:42 AM

                    I took the General, Dns entry out and left all else the same.  The drill command is now reporting the Server is 127.0.0.1.  Resolver is working fine. Still don't know why drill -x IpAddy doesn't produce a reverse lookup, no answer.  Btw, how can you get DHCP Static IP's into the DNS Resolver?  Do they have to be duplicated in the resolver's advanced settings?

                      johnpoz (LAYER 8 Global Moderator), last edited Feb 21, 2015, 11:49 AM

                      Yes you need your resolver to listen on both your lan and localhost - if you want people on the lan to be able to query it.

                      So this record davidson.host - is it in the forwarders section or advanced?

                      So I put the record in advanced section and

                      [2.2-RELEASE][root@pfSense.local.lan]/root: drill testadv.lan
                      ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 16194
                      ;; flags: qr aa rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
                      ;; QUESTION SECTION:
                      ;; testadv.lan. IN      A

                      ;; ANSWER SECTION:
                      testadv.lan.    10800  IN      A      1.2.3.4

                      ;; AUTHORITY SECTION:

                      ;; ADDITIONAL SECTION:

                      ;; Query time: 1 msec
                      ;; SERVER: 127.0.0.1
                      ;; WHEN: Sat Feb 21 05:36:25 2015
                      ;; MSG SIZE  rcvd: 45

                      [2.2-RELEASE][root@pfSense.local.lan]/root: drill -x 1.2.3.4
                      ;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 42347
                      ;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
                      ;; QUESTION SECTION:
                      ;; 4.3.2.1.in-addr.arpa.        IN      PTR

                      ;; ANSWER SECTION:

                      ;; AUTHORITY SECTION:
                      1.in-addr.arpa. 172797  IN      SOA    ns1.apnic.net. read-txt-record-of-zone-first-dns-admin.apnic.net. 5114 7200 1800 604800 172800

                      ;; ADDITIONAL SECTION:

                      ;; Query time: 1 msec
                      ;; SERVER: 127.0.0.1
                      ;; WHEN: Sat Feb 21 05:37:10 2015
                      ;; MSG SIZE  rcvd: 127

                      If I put it in forwarders..

                      [2.2-RELEASE][root@pfSense.local.lan]/root: drill -x 1.2.3.4
                      ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 61473
                      ;; flags: qr aa rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
                      ;; QUESTION SECTION:
                      ;; 4.3.2.1.in-addr.arpa.        IN      PTR

                      ;; ANSWER SECTION:
                      4.3.2.1.in-addr.arpa.  3600    IN      PTR    testadv.lan.

                      ;; AUTHORITY SECTION:

                      ;; ADDITIONAL SECTION:

                      ;; Query time: 0 msec
                      ;; SERVER: 127.0.0.1
                      ;; WHEN: Sat Feb 21 05:38:21 2015
                      ;; MSG SIZE  rcvd: 63
                      [2.2-RELEASE][root@pfSense.local.lan]/root:

                      If you're going to use advanced, and you want PTR then you will have to put them in - they are not auto created like when using the actual override gui section.

                      As to statics – they are in automatically if you check to put them in there..  Do you have a NAME on them?  See they don't even have to be fully qualified

                      Attachments: static.png, PTR.png

                        markn62, last edited Feb 21, 2015, 10:51 PM

                        @johnpoz:

                        So this record davidson.host - is it in the forwarders section or advanced?

                        Record davidson.host is in the advanced section.  I don't use the forwarder.

                        @johnpoz:

                        As to statics – they are in automatically if you check to put them in there..  Do you have a NAME on them?  See they don't even have to be fully qualified

                        Check what to put them in? I've entered a hostname in each DHCP Static Mapping entry but no domain name.  However, they don't resolve.

                        I really appreciate all your help on this John.  Got nearly everything DNS related working well.

                          johnpoz (LAYER 8 Global Moderator), last edited Feb 21, 2015, 11:38 PM

                          my bad not the forwarders section.. The host overrides section..

                            markn62, last edited Feb 21, 2015, 11:57 PM

                            Guess I'll just duplicate each DHCP Static Mapping entry into resolver, advanced if there is no setting to populate the resolver with them automatically. Thanks again.

                              johnpoz (LAYER 8 Global Moderator), last edited Feb 22, 2015, 2:42 AM

                              What?  Why would you have to duplicate anything?

                              If you have a static entry you're done.  Show me your static entry that does not resolve?

                              If you're using advanced instead of the overrides then there will not be a PTR, unless you do it like I did.

                                markn62, last edited Feb 22, 2015, 7:10 PM

                                Get nothing with drill.

                                [2.2-RELEASE][admin@pfsense.host]/root: drill Surveillance.host
                                ;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 60456
                                ;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
                                ;; QUESTION SECTION:
                                ;; Surveillance.host.  IN      A

                                ;; ANSWER SECTION:

                                ;; AUTHORITY SECTION:
                                .      39672  IN      SOA    a.host-servers.net. nstld.verisign-grs.com. 2015022200 1800 900 604800 86400

                                ;; ADDITIONAL SECTION:

                                ;; Query time: 0 msec
                                ;; SERVER: 127.0.0.1
                                ;; WHEN: Sun Feb 22 10:39:57 2015
                                ;; MSG SIZE  rcvd: 111
                                [2.2-RELEASE][admin@pfsense.host]/root: drill Iomega.host
                                ;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 49827
                                ;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
                                ;; QUESTION SECTION:
                                ;; Iomega.host.        IN      A

                                ;; ANSWER SECTION:

                                ;; AUTHORITY SECTION:
                                .      39664  IN      SOA    a.host-servers.net. nstld.verisign-grs.com. 2015022200 1800 900 604800 86400

                                ;; ADDITIONAL SECTION:

                                ;; Query time: 44 msec
                                ;; SERVER: 127.0.0.1
                                ;; WHEN: Sun Feb 22 10:40:05 2015
                                ;; MSG SIZE  rcvd: 105
                                [2.2-RELEASE][admin@pfsense.host]/root: drill EdgeNas.host
                                ;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 60301
                                ;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
                                ;; QUESTION SECTION:
                                ;; EdgeNas.host.      IN      A

                                ;; ANSWER SECTION:

                                ;; AUTHORITY SECTION:
                                .      39654  IN      SOA    a.host-servers.net. nstld.verisign-grs.com. 2015022200 1800 900 604800 86400

                                ;; ADDITIONAL SECTION:

                                ;; Query time: 0 msec
                                ;; SERVER: 127.0.0.1
                                ;; WHEN: Sun Feb 22 10:40:15 2015
                                ;; MSG SIZE  rcvd: 106
                                [2.2-RELEASE][admin@pfsense.host]/root:

                                Hit and miss with ping.

                                C:>ping Surveillance

                                Pinging Surveillance [192.168.2.100] with 32 bytes of data:

                                Reply from 192.168.2.100: bytes=32 time<1ms TTL=64
                                Reply from 192.168.2.100: bytes=32 time<1ms TTL=64
                                Reply from 192.168.2.100: bytes=32 time<1ms TTL=64
                                Reply from 192.168.2.100: bytes=32 time<1ms TTL=64

                                Ping statistics for 192.168.2.100:
                                    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
                                Approximate round trip times in milli-seconds:
                                    Minimum = 0ms, Maximum = 0ms, Average = 0ms

                                C:>ping IomegaNas
                                Ping request could not find host IomegaNas. Please check the name and try again.

                                C:>ping EdgeNas

                                Pinging EdgeNas [192.168.2.112] with 32 bytes of data:

                                Reply from 192.168.2.112: bytes=32 time<1ms TTL=64
                                Reply from 192.168.2.112: bytes=32 time<1ms TTL=64
                                Reply from 192.168.2.112: bytes=32 time<1ms TTL=64
                                Reply from 192.168.2.112: bytes=32 time<1ms TTL=64

                                Ping statistics for 192.168.2.112:
                                    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
                                Approximate round trip times in milli-seconds:
                                    Minimum = 0ms, Maximum = 0ms, Average = 0ms

                                C:>

                                Get nothing with the PfSense GUI Ping command either.

                                Attachment: StaticMappings1.jpg

                                  johnpoz (LAYER 8 Global Moderator), last edited Feb 22, 2015, 8:33 PM

                                  And where are you putting these .host records?  In the advanced section?  OR the overrides? This really is just click..

                                  And you're not getting nothing back, you're getting NX.. As to ping you're prob broadcasting for netbios name since you're not putting in FQDN.

                                  So see attached.  Keep in mind if you're using resolver you have to put the overrides in the resolver section, if you put them in the forwarder section not going to work.  If you're using advanced and you want PTR to work you have to create actual PTR.  It is MUCH easier to use overrides vs advanced section.  Only use the advanced section if you have to load up a lot of records or doing something fancy like a MX record or cname, etc.

                                  Attachment: overrides.png

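The rule stated in this post and in the Feb 21 one is that records typed into the Resolver's Advanced section get no automatic PTR, while the Host Overrides section creates forward and reverse records together; the Advanced section is only worth it when, as here, there are a couple of hundred entries to load. The following is an added example (my own code, not the posters' and not part of pfSense) that turns a hosts-file style list into Unbound local-data lines with the matching PTR for every address, and audits an existing Advanced blob for forward records whose address has no PTR. The sample list, the ".host" domain and every hostname in it are constructed for the example; it also handles IPv6 addresses (AAAA and ip6.arpa), which the thread does not cover.

```python
import ipaddress
import re

# Constructed sample input (not from the thread): a hosts-file style list,
# one address per line followed by one or more names. Bare names get the
# local domain appended; names that already contain a dot are taken as FQDNs.
SAMPLE_HOSTS = """\
# address       names
192.168.2.100   Surveillance
192.168.2.112   EdgeNas nas-alias
192.168.2.100   surveillance          # same pair again, different case
10.10.10.1      click01.aditic.net
fd00:2::112     EdgeNas               # IPv6 address for an existing name
not-an-ip       broken                # rejected and reported
"""

LOCAL_DOMAIN = "host"  # assumption: the thread's names end in ".host"

# One DNS label: 1-63 chars of [a-z0-9-], no leading/trailing hyphen.
# Underscores are rejected on purpose; they are not valid in hostnames.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
_LOCAL_DATA = re.compile(r'^\s*local-data:\s*"([^"]*)"')


def qualify(name, domain=LOCAL_DOMAIN):
    """Lower-case a name, append the local domain if it is bare, validate each
    label and return it absolute (trailing dot), the form Unbound expects."""
    name = name.strip().rstrip(".").lower()
    if "." not in name:
        name = f"{name}.{domain}"
    if not all(_LABEL.match(label) for label in name.split(".")):
        raise ValueError(f"invalid hostname {name!r}")
    return name + "."


def parse_hosts(text, domain=LOCAL_DOMAIN):
    """Return (records, errors): records is an ordered, de-duplicated list of
    (ip_address, fqdn) pairs; errors describes every line that was rejected."""
    records, seen, errors = [], set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip_text, *names = line.split()
        try:
            ip = ipaddress.ip_address(ip_text)
            fqdns = [qualify(n, domain) for n in names]
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
            continue
        if not fqdns:
            errors.append(f"line {lineno}: no hostname for {ip}")
            continue
        for fq in fqdns:
            if (ip, fq) not in seen:
                seen.add((ip, fq))
                records.append((ip, fq))
    return records, errors


def to_local_data(records):
    """Emit Unbound local-data lines for the Advanced section: one forward A/AAAA
    record per pair, plus an explicit PTR for the first name seen per address
    (the PTR the Host Overrides section would otherwise create for you)."""
    lines, ptr_done = [], set()
    for ip, fq in records:
        rtype = "AAAA" if ip.version == 6 else "A"
        lines.append(f'local-data: "{fq} {rtype} {ip}"')
        if ip not in ptr_done:
            ptr_done.add(ip)
            lines.append(f'local-data: "{ip.reverse_pointer}. PTR {fq}"')
    return lines


def forward_without_ptr(config_text):
    """Audit an Advanced-section blob: return the sorted forward (A/AAAA) names
    whose address has no PTR record anywhere in the same text."""
    forward, ptr_names = {}, set()
    for line in config_text.splitlines():
        m = _LOCAL_DATA.match(line)
        if not m:
            continue
        # Accept "name [TTL] [IN] type rdata"; drop the optional TTL and class.
        fields = [f for f in m.group(1).split() if f.upper() != "IN" and not f.isdigit()]
        if len(fields) < 3:
            continue
        name, rtype, rdata = fields[0].rstrip(".").lower(), fields[1].upper(), fields[2]
        if rtype in ("A", "AAAA"):
            try:
                forward.setdefault(ipaddress.ip_address(rdata), set()).add(name)
            except ValueError:
                continue  # malformed address; not this check's concern
        elif rtype == "PTR":
            ptr_names.add(name)  # the reverse name, e.g. 100.2.168.192.in-addr.arpa
    return sorted(n for ip, names in forward.items()
                  if ip.reverse_pointer not in ptr_names for n in names)


if __name__ == "__main__":
    recs, errs = parse_hosts(SAMPLE_HOSTS)
    print("\n".join(to_local_data(recs)))
    print("rejected:", errs)
    print("forward names lacking a PTR:", forward_without_ptr("\n".join(to_local_data(recs))))
```

The generated lines are pasted into the Resolver's Advanced section as the thread describes; after Unbound is restarted, `drill name` and `drill -x address` against 127.0.0.1 should both answer, exactly the check johnpoz ran above. Running `forward_without_ptr` over what is already in the box is the quickest way to find the entries that still only resolve one way.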
                                    markn62, last edited Feb 22, 2015, 10:39 PM

                                    Only using the Advanced section because I'm only using the Resolver.  I am using the Advanced section because I have over 200 entries.

                                    What I'm discovering is I can drill to any host.domain entry if they're in the DHCP Server Lan static mappings or if they're in the Resolver, Advanced section.  The problem is that the syslog server I have running on the Lan subnet, that's pointed to x.x.2.1 (the Lan Gw), resolves all host.domain entries unless they are in the Lan subnet.  All addresses in the nine subnets handled by the System Gateways resolve fine.

                                    So I'm trying to figure out why the resolver reveals all host.domain Ip's if drilled I presume via the resolvers address of 127.0.0.1 fine. But via the Lan1 gw x.x.20.x or x.x.30.x. etc. resolves fine but anything x.x.2.x doesn't.

                                    Hope this clarifies the issue.
                                    It's the only remaining resolver problem I haven't been able to figure out.

                                    This might be a clue though. My syslog handles the 2.x subnet differently than the 20.x and other subnets.  The former is by dhcpd and doesn't resolve.  The latter is by dnsmasq and does resolve.

                                    2015-02-22 13:44:44 Local7.Info pfsense Feb 22 13:44:44 dhcpd: DHCPACK to 192.168.2.103(unresolved) (d4:3d:3e:4b:af:5d) via igb2
                                    2015-02-22 13:45:25 Daemon.Info AP7 Feb 22 13:45:25 dnsmasq[1071]: DHCPACK(ath0) 192.168.70.113(J_Brubaker) 00:27:19:5e:ba:61 J_Brubaker

                                      johnpoz (LAYER 8 Global Moderator), last edited Feb 23, 2015, 3:13 AM

                                      What??

                                      Makes no sense..

                                      So you have your resolver (unbound) on pfsense listening on all its interfaces.. And they resolve just fine on pfsense localhost (127.0.0.1) and the other interfaces like 20.x and 30.x – and why are you using x here?  Are these not rfc1918?

                                      So you have another box your syslog server that is not resolving a PTR for 192.168.2.103??  Does pfsense resolve this PTR?

                                        markn62, last edited Feb 24, 2015, 8:52 PM

                                        I finally got this sorted out.  In an obscure location the syslog server revealed that DNS lookup is disabled in their basic package, the pro version is needed.  Or a separate static host file can be pre-loaded.  So for now I reformatted the host file for the syslog server to load and all private IPs are being resolved by both PfSense internally and the external syslog server. Yes, all privates are RFC1918. By 20.x I mean 192.168.20.x.

                                        Whew!  Glad this is resolved, pun intended.  Been working off and on for weeks trying to get this going. Thanks again John for all your help.

                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.