Netgate Discussion Forum

DNS Forwarding not working as expected

    ohmantics, last edited Mar 22, 2015, 8:32 PM

    I had everything working in 2.1.5 and upgraded to 2.2.1 by manually setting up based on a saved config.xml, as restoring that config.xml didn't work directly (it would lock up trying to setup the old packages listed).

    Something is slightly wrong with DNS and I'm a bit stumped.

    I've tried the DNS Resolver and the DNS Forwarder, but I get the same results. It must be something obvious and I'm not seeing it.

    Most of my network is working just fine. The exception is an old Airport Extreme providing 2.4 service for our untrusted devices (e.g. Internet of Things that phone home a lot). The Airport is set up for double NAT. Its DHCP is setting itself as the DNS server. The Airport itself is resolving to pfSense, which should be forwarding the requests to the upstream ISP. Except it's not. No DNS is working on the Airport network segment. I can reach pfSense's webConfigurator from that network just fine.

    What did I mess up?

      Nullity, last edited Mar 22, 2015, 9:29 PM

      I am still unclear how your network is set up. With double NAT, one of the networks will not be able to directly access the other.
      You may need to forward the DNS port.

      I think you should avoid configuring the AirPort to use itself as the DNS. Either configure it to share the pfSense IP or your external DNS server's IP via DHCP.

      More information about your network topology would help.

        ohmantics, last edited Mar 23, 2015, 4:49 AM

        @Nullity:

        > I am still unclear how your network is set up. With double NAT, one of the networks will not be able to directly access the other.

        That's exactly the idea. The devices on the LAN side of this device are untrusted.

        > You may need to forward the DNS port.

        I don't see in my old config.xml where this was happening before. The gateway for the Airport is pfSense, which routes out.

        > I think you should avoid configuring the AirPort to use itself as the DNS. Either configure it to share the pfSense IP or your external DNS server's IP via DHCP.

        I haven't changed the setup of the Airport, just upgraded pfSense. Obviously, I may have configured it incorrectly, but it did work before.

        > More information about your network topology would help.

        Basic diagram attached.

        ![Screen Shot 2015-03-22 at 9.42.07 PM.png](/public/imported_attachments/1/Screen Shot 2015-03-22 at 9.42.07 PM.png)

          doktornotor (Banned), last edited Mar 23, 2015, 9:24 AM

          @ohmantics:

          > @Nullity:
          >
          > > I am still unclear how your network is set up. With double NAT, one of the networks will not be able to directly access the other.
          >
          > That's exactly the idea. The devices on the LAN side of this device are untrusted.

          Uh. There are firewall rules for this. Stick the untrusted segment on a separate interface and configure those firewall rules to only allow the traffic you want. Don't shoot yourself in the foot by multiNAT.

            johnpoz (LAYER 8 Global Moderator), last edited Mar 23, 2015, 12:56 PM

            ^ exactly.. why do you want to NAT when you have a firewall that allows you to get as specific or as broad as you want in your rules that allow or block whatever traffic you want.

              phil.davis, last edited Mar 23, 2015, 2:46 PM

              > What did I mess up?

              Forgetting all the banter about why would you do it like this, actually it should work fine. This is the same as when I put my test pfSense WAN onto my office LAN and let it get DHCP, like any other device. Behind the test pfSense is some test LAN that is hidden from the view of the office LAN. That works for me all the time.
              On the Airport Extreme it would be nice to know that it received a good DHCP address and DNS server… from the upstream pfSense. Then try some packet capture between Airport Extreme and pfSense to see what DNS traffic is actually going between them.

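The capture phil.davis suggests produces tcpdump text (pfSense's Diagnostics > Packet Capture page shows the same `tcpdump -n` style lines, assumed here). This added example, not code from the thread or from pfSense, parses such lines and separates the three outcomes a defender cares about: the downstream router never sends DNS queries at all (only the webConfigurator session shows up, which is what the original poster saw), pfSense sees queries but never answers, or the exchange is healthy. The IP addresses and capture lines are constructed placeholders.

```python
# Added example (not from the thread): triage the DNS exchange between a
# downstream NAT router and pfSense from tcpdump -n text output.
import re
from collections import Counter

# Generic tcpdump IPv4 summary line: "IP src.sport > dst.dport: rest".
PKT = re.compile(r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)")
# A DNS payload summary starts with the transaction id: "4660+ A? host." or "4660 1/0/0 A ...".
TXID = re.compile(r"^(\d+)")

def dns_stats(lines, router_ip, dns_ip):
    """Count DNS queries router_ip -> dns_ip:53, the replies that match them by
    transaction id and client port, and any non-DNS packets involving the router."""
    pending = set()  # (txid, client port) of queries still awaiting an answer
    stats = Counter()
    for line in lines:
        m = PKT.search(line)
        if not m:
            continue
        src, sport, dst, dport, rest = m.groups()
        tx = TXID.match(rest)
        if src == router_ip and dst == dns_ip and dport == "53" and tx:
            stats["queries"] += 1
            pending.add((tx.group(1), sport))
        elif src == dns_ip and sport == "53" and dst == router_ip and tx and (tx.group(1), dport) in pending:
            stats["answers"] += 1
            pending.discard((tx.group(1), dport))
        elif router_ip in (src, dst):
            stats["other"] += 1
    return stats

def verdict(stats):
    """Map the counts onto the failure modes the thread distinguishes."""
    if stats["queries"] == 0:
        return "no queries"   # router never asks pfSense: look at the router (lease, DNS setting, reboot)
    if stats["answers"] == 0:
        return "unanswered"   # pfSense sees queries but never replies: check Resolver/Forwarder and LAN rules
    if stats["answers"] < stats["queries"]:
        return "partial"      # some replies missing: check upstream forwarding
    return "healthy"

# Constructed sample captures; 192.168.1.1 = pfSense LAN, 192.168.1.50 = router's WAN side.
BROKEN = [  # only the webConfigurator HTTPS session, no DNS at all (the symptom in this thread)
    "21:40:01.000100 IP 192.168.1.50.52000 > 192.168.1.1.443: Flags [S], seq 1, win 65535, length 0",
    "21:40:01.000300 IP 192.168.1.1.443 > 192.168.1.50.52000: Flags [S.], seq 2, ack 2, win 65535, length 0",
]
HEALTHY = [
    "21:41:01.000100 IP 192.168.1.50.51234 > 192.168.1.1.53: 4660+ A? example.com. (29)",
    "21:41:01.002500 IP 192.168.1.1.53 > 192.168.1.50.51234: 4660 1/0/0 A 93.184.216.34 (45)",
]

if __name__ == "__main__":
    for name, cap in (("broken", BROKEN), ("healthy", HEALTHY)):
        s = dns_stats(cap, "192.168.1.50", "192.168.1.1")
        print(name, dict(s), "->", verdict(s))
```

Feed it the saved capture text with the router's address and the pfSense LAN address; "no queries" means the packets never left the router, so the fix is on that side rather than in pfSense.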
                ohmantics, last edited Mar 25, 2015, 4:25 AM

                @phil.davis:

                > What did I mess up?
                >
                > Forgetting all the banter about why would you do it like this, actually it should work fine. This is the same as when I put my test pfSense WAN onto my office LAN and let it get DHCP, like any other device. Behind the test pfSense is some test LAN that is hidden from the view of the office LAN. That works for me all the time.
                > On the Airport Extreme it would be nice to know that it received a good DHCP address and DNS server… from the upstream pfSense. Then try some packet capture between Airport Extreme and pfSense to see what DNS traffic is actually going between them.

                I tried a packet capture on the LAN interface specifying the Airport's IP address and saw no traffic except the HTTP for the webConfigurator. So, just because, I rebooted the Airport and presto, it works.

                I feel stupid. But yeah,… I'm stupid.

                For those with the many great ideas of how I could reconfigure things to work better, I get it. In my case, there's only one cable going up to where my APs are and so I can't easily handle both my regular WiFi LAN and this "untrusted" Airport via separate NICs. I'm sure I could get something going with VLANs, but that's not a today problem. Today's problem is buying some new APs that don't suck.
