    DNS Reverse Lookup Error

    DHCP and DNS - 7 Posts, 4 Posters, 5.2k Views

    A Former User:

      Hi,

      I have a bind9 install covering my internal network; the DNS forwarder on pfSense is configured with a Domain Override for my local domain, pointing pfSense at my bind9 install.

      Forward lookups work fine, however reverse lookups fail from pfSense with (have tried the local DNS lookup commands on the pfSense box itself):

      server can't find x.x.x.10.in-addr.arpa.: NXDOMAIN

      Where the x.x.x is the specific address being searched for.  In my bind9 configuration, the reverse lookup PTR file is attached to zone "10.in-addr.arpa"; nslookup on the bind9 host or any client pointed directly at the bind9 host rather than the DNS forwarder works correctly.

      I have tried adding a Domain Override in the pfSense configuration for "10.in-addr.arpa" but it does not seem to have any effect.

      Any ideas?

      Regards,
      Rob.

        Derelict (LAYER 8, Netgate):

        Try making an x.x.10.in-addr.arpa file.  I think you need a 10.in-addr.arpa file, with NS records to the x.10.in-addr.arpa zone, with NS records to the x.x.10.in-addr.arpa zone.

        Or you have to make the 10.in-addr.arpa zone contain the necessary information.

        @ would be 10.in-addr.arpa so your PTR records would have to be:

        x.x.x ptr host.example.com.

        I've never used 10. so I don't know for sure.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          phil.davis:

          Here is an example of domain override entries for reverse lookups in the "10" network. I happen to use 10.49.0.0/16 in pieces across a bunch of sites.
          A DNS server at 10.49.0.1 knows about 10.49.0.0/24 reverse entries.
          A DNS server at 10.49.32.1 knows about reverse entries in the remainder of 10.49.0.0/16.

          [image: DNS-reverse-lookup.png]

          As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
          If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

            doktornotor (Banned):

            Yeah, you need an in-addr.arpa override for this. It works even with IPv6 and ip6.arpa, though I recommend using some online tool to generate it, like IPv6 Reverse domain calculator - pretty error-prone to do it manually. :D

              A Former User:

              Sorry, but the problem is not configuration of the bind9 PTR file.  That works fine.  The problem is the pfSense DNS Forwarder does not perform the lookup.

              It turns out the reason is I had checked the box marked "Do not forward private reverse lookups".  It appears (although the instructions say otherwise) that the domain override for "10.in-addr.arpa" does not work if this option is switched on.

              To check, I performed the following (all with the forward domain override intact):

              Lookup    Reverse Override  DNFPRL  Outcome
              10.1.1.1  NO                NO      Forward lookup only; No record found on reverse
              10.1.1.1  NO                YES     Forward lookup only; No record found on reverse
              10.1.1.1  YES               NO      Successful forward and reverse lookups
              10.1.1.1  YES               YES     Forward lookup only; No record found on reverse

              As a sanity test, I also tried changing the "10.in-addr.arpa" override to both "1.1.10.in-addr.arpa" and "1.10.in-addr.arpa" instead, and they both worked even with the "Do not forward private reverse lookups" checkbox ticked.

              So it seems the answer is that the rule for allowing domain overrides past the block from the "Do not forward private reverse lookups" checkbox does not apply to the "10.in-addr.arpa" override.

              Don't know if that's a bug or intentional, but for the time being I will leave the checkbox unchecked so that it works.

              Regards,
              Rob.

                phil.davis:

                From memory, "Do not forward private reverse lookups" specifically has a list of the RFC1918 addresses that has stuff like:
                10.in-addr.arpa
                168.192.in-addr.arpa
                16.172.in-addr.arpa
                17.172.in-addr.arpa
                …
                31.172.in-addr.arpa

                and if you use the whole of one of those in a domain override, then it overrides, but it is blocked from lookup anyway, so it has no effect.
                If you use parts of any of those, then the parts get looked up OK, and the rest is subject to "Do not forward private reverse lookups".
                All a bit annoying, but tricky to sort out underneath.

                  phil.davis:

                  I had a look at that code that implements "Do not forward private reverse lookups" and made it smarter.
                  Pull request: https://github.com/pfsense/pfsense/pull/1498
                  With that change, you can check "Do not forward private reverse lookups" and also have a working domain override for some chunk(s) of private IPv4 address space like:

                  10.in-addr.arpa
                  168.192.in-addr.arpa
                  16.172.in-addr.arpa
                  17.172.in-addr.arpa
                  ...
                  31.172.in-addr.arpa
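An added example, not code from this thread and not pfSense or dnsmasq code, that ties the posts above together: it derives in-addr.arpa / ip6.arpa zone names for a prefix (the manual step doktornotor calls error-prone), resolves a host's PTR name against a set of Domain Overrides using longest match (phil.davis's 10.49.0.0/16 split), reproduces Rob's test matrix for the "Do not forward private reverse lookups" checkbox, and models the behaviour phil.davis describes for the pull request (private zones stay blocked except those that have their own override). The function names, the status strings and the list of private reverse zones (the "..." in the posts written out as 16.172 through 31.172) are this example's own constructions; the outcome model is a description of what the thread reports, not the forwarder's source.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple

# Private reverse zones blocked by "Do not forward private reverse lookups",
# as listed in the thread (172.16/12 written out in full here).
RFC1918_REVERSE_ZONES: List[str] = (
    ["10.in-addr.arpa", "168.192.in-addr.arpa"]
    + [f"{third}.172.in-addr.arpa" for third in range(16, 32)]
)


def reverse_zone(network: str) -> str:
    """Reverse zone name for a prefix on an octet (IPv4) or nibble (IPv6) boundary.

    10.0.0.0/8 -> 10.in-addr.arpa, 10.49.0.0/16 -> 49.10.in-addr.arpa,
    2001:db8::/32 -> 8.b.d.0.1.0.0.2.ip6.arpa.
    """
    net = ipaddress.ip_network(network, strict=True)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("IPv4 reverse zones live on /8, /16 or /24 boundaries")
        octets = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(octets)) + ".in-addr.arpa"
    if net.prefixlen % 4:
        raise ValueError("IPv6 reverse zones live on nibble (multiple-of-4) boundaries")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def reverse_name(address: str) -> str:
    """PTR owner name of one host address, e.g. 10.1.1.1 -> 1.1.1.10.in-addr.arpa."""
    return ipaddress.ip_address(address).reverse_pointer


def is_subdomain(name: str, zone: str) -> bool:
    """True when name is zone itself or lies beneath it."""
    return name == zone or name.endswith("." + zone)


def lookup_outcome(address: str, overrides: Iterable[str],
                   block_private: bool) -> Tuple[str, Optional[str]]:
    """Model of the forwarder behaviour Rob measured (constructed, not pfSense code).

    overrides: reverse zones that have a Domain Override.
    block_private: state of the "Do not forward private reverse lookups" box.
    Returns (status, override zone used or None).
    """
    ptr = reverse_name(address)
    matching = [z for z in overrides if is_subdomain(ptr, z)]
    if not matching:
        # Nothing local knows the answer; private space yields NXDOMAIN either way.
        return ("NO_OVERRIDE", None)
    zone = max(matching, key=len)  # most specific override wins
    if block_private and zone in RFC1918_REVERSE_ZONES:
        # Override names a whole private zone: the block list swallows it first.
        return ("BLOCKED", zone)
    return ("OVERRIDE", zone)


def private_zones_to_block(overrides: Iterable[str]) -> List[str]:
    """Model of the 'smarter' rule phil.davis describes for the pull request:
    keep blocking private reverse zones, except any zone that has its own
    Domain Override (illustrative, not the pull request's code)."""
    configured = set(overrides)
    return [z for z in RFC1918_REVERSE_ZONES if z not in configured]


if __name__ == "__main__":
    # phil.davis's split: /24 served by 10.49.0.1, rest of the /16 by 10.49.32.1
    site_overrides = [reverse_zone("10.49.0.0/16"), reverse_zone("10.49.0.0/24")]
    for host in ("10.49.0.5", "10.49.32.7"):
        print(host, "->", lookup_outcome(host, site_overrides, True))
    # Rob's matrix for a 10.in-addr.arpa override with the checkbox on and off
    for box in (False, True):
        print("10.in-addr.arpa override, DNFPRL", box, "->",
              lookup_outcome("10.1.1.1", ["10.in-addr.arpa"], box))
    print("still blocked with smarter rule:", private_zones_to_block(["10.in-addr.arpa"]))
```

The longest-match rule is what lets phil.davis point 10.49.0.0/24 and the rest of 10.49.0.0/16 at two different servers from the same override table; the BLOCKED branch is the exact-name collision phil.davis describes between the override and the private-zone list, which is why Rob's "1.10.in-addr.arpa" and "1.1.10.in-addr.arpa" overrides kept working with the box ticked.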
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.