DNS Forwarder - Domain override intermittently stops working


  • Hi there,

We have many pfSense servers out in the field and it seems as though we have an intermittent issue whereby the Domain override on the DNS forwarder just stops working.
    It is most noticeable as Exchange users lose connection to the Exchange server.

Basically, if you try to ping or do a DNS lookup of the mail server on the domain, it returns the external IP and not the internal domain IP. If you then restart the DNS forwarder (or make a change, save it, and then change it back), it immediately starts to work again.

The Domain override points to the DNS server on that domain, and the connection back to that network is via IPsec tunnels.

When I do a DNS lookup while it is working, the localhost 127.0.0.1 is the one that replies with the correct IP.

    Any suggestion?

  • LAYER 8 Netgate

    Sounds to me like there are two (or more) DNS servers set on the client computers that are returning different results.


But I still get the incorrect DNS answer when doing a DNS lookup on the pfSense box itself. How can that be the DNS server on the client computer?

  • LAYER 8 Netgate

    You need to investigate how to use dig / drill.

    You need to look at the DNS Servers configured on the client and query those name servers to see which one is not giving you the correct results.

    [2.2-RELEASE][root@fw]/root: drill @8.8.8.8 www.google.com
    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 28981
    ;; flags: qr rd ra ; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;; www.google.com. IN A

    ;; ANSWER SECTION:
    www.google.com. 75 IN A 70.186.10.21
    www.google.com. 75 IN A 70.186.10.25
    www.google.com. 75 IN A 70.186.10.24
    www.google.com. 75 IN A 70.186.10.20
    www.google.com. 75 IN A 70.186.10.23
    www.google.com. 75 IN A 70.186.10.26
    www.google.com. 75 IN A 70.186.10.27
    www.google.com. 75 IN A 70.186.10.22

    ;; AUTHORITY SECTION:

    ;; ADDITIONAL SECTION:

    ;; Query time: 14 msec
    ;; SERVER: 8.8.8.8
    ;; WHEN: Mon Mar 16 11:45:33 2015
    ;; MSG SIZE  rcvd: 160
    [2.2-RELEASE][root@fw]/root: drill @8.8.4.4 www.google.com
    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 45092
    ;; flags: qr rd ra ; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;; www.google.com. IN A

    ;; ANSWER SECTION:
    www.google.com. 286 IN A 70.186.10.27
    www.google.com. 286 IN A 70.186.10.22
    www.google.com. 286 IN A 70.186.10.23
    www.google.com. 286 IN A 70.186.10.25
    www.google.com. 286 IN A 70.186.10.20
    www.google.com. 286 IN A 70.186.10.21
    www.google.com. 286 IN A 70.186.10.26
    www.google.com. 286 IN A 70.186.10.24

    ;; AUTHORITY SECTION:

    ;; ADDITIONAL SECTION:

    ;; Query time: 25 msec
    ;; SERVER: 8.8.4.4
    ;; WHEN: Mon Mar 16 11:45:43 2015
    ;; MSG SIZE  rcvd: 160


  • Ok thanks. I will try that DIG command the next time it happens and let you know how that goes.

  • LAYER 8 Netgate

You don't have to wait for the next time. Look at the name servers configured on the client and query them - preferably from the same client, in case you're dealing with split DNS somewhere or something. See what answers you get.
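The check suggested in the replies above (query every resolver the client uses and see which one hands out the external address) scripted as an added example; this is not code from the thread or from pfSense. It assumes `drill` from ldns is installed, as in the session above, and that the client's resolvers are listed in /etc/resolv.conf; the sample drill output is constructed, not captured.

```shell
#!/bin/sh
# Added example, not from the thread: query each resolver a client uses for one
# name and show which server returns which A records, so a resolver that bypasses
# the domain override (answering with the external address) stands out.
# Assumes `drill` (ldns); `dig` prints the same sections and can be substituted.

# Pull the A-record addresses out of drill/dig output, sorted and space-joined.
answer_ips() {
    awk '/^;; ANSWER SECTION:/ {s=1; next}
         /^$/                  {s=0}
         s && $4 == "A"        {print $5}' | sort | tr '\n' ' ' | sed 's/ $//'
}

# Query one server for one name; print "server: ips" (NOANSWER if nothing came back).
query_one() {
    srv=$1; name=$2
    ips=$(drill @"$srv" "$name" A 2>/dev/null | answer_ips)
    printf '%s: %s\n' "$srv" "${ips:-NOANSWER}"
}

# Read "server: ips" lines on stdin; print AGREE, or DISAGREE (and return 1)
# when at least one resolver hands out a different answer set.
check_agreement() {
    n=$(sed 's/^[^ ]* //' | sort -u | wc -l | tr -d ' ')
    if [ "$n" -eq 1 ]; then echo AGREE; return 0; fi
    echo DISAGREE; return 1
}

# Query every listed server for NAME, print the answers, then compare them.
compare_resolvers() {
    name=$1; shift
    out=$(for srv in "$@"; do query_one "$srv" "$name"; done)
    printf '%s\n' "$out"
    printf '%s\n' "$out" | check_agreement
}

# Constructed drill output (not captured from any real host), used when the
# script runs with no arguments so the parser can be exercised offline.
SAMPLE_DRILL=';; ANSWER SECTION:
mail.example.internal. 300 IN A 192.0.2.11
mail.example.internal. 300 IN A 192.0.2.10

;; AUTHORITY SECTION:'

# Usage: sh dnscheck.sh NAME [server ...]; no servers = those in /etc/resolv.conf.
if [ $# -ge 1 ]; then
    name=$1; shift
    [ $# -eq 0 ] && set -- $(awk '/^nameserver/ {print $2}' /etc/resolv.conf)
    compare_resolvers "$name" "$@"
else
    printf 'offline sample: %s\n' "$(printf '%s\n' "$SAMPLE_DRILL" | answer_ips)"
fi
```

Run it on the client with the mail server's name while the problem is occurring; a DISAGREE line, with the offending resolver shown next to the external address, tells you which server is skipping the override.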