2nd DHCP domain names not registered in DNS resolver



  • Hi!

    Maybe I got this backwards, and I don't remember how it used to work before 2.2 (i'm now on 2.2.2)

    I've got two DHCP-server active in pfSense. One for the normal LAN-interface and one for the GUEST-LAN.
    The normal LAN provides clients with a domain name: "lan.network" (same as in General setup)
    The GUEST-LAN provides clients with a domain name: "guest.network"

    Devices in the GUEST-LAN picks up and gets the right domain name and it look OK: like this "device100.guest.network"

    Now for what I can't figure out how it should work.

    Testing some name resolution. Ping from a Windows-host connected to:

    • GUEST-LAN for "device100" doesn't work.

    • GUEST-LAN for "device100.guest.network" doesn't work.

    • GUEST-LAN for "device100.lan.network" does resolve the address to the client.

    • LAN for "device100.guest.network" doesn't work.

    • LAN for "device100.lan.network" does resolve the address to the client.

    • LAN for "device100" does resolve the address to the client.

    Shouldn't the DNS resolver also work for the GUEST-LAN domain name?

    More info:
    Reverse lookup in for example Lightsquid and Sarg got me wondering on this issue becuase clients in the guest-lan hade the lan domain name resolved to them.

    Brgs,



  • Assuming you're using the DNS resolver, do you have this enabled: "Register DHCP leases in the DNS Resolver"?

    Otherwise it may just be using the primary domain as a search domain.



  • Yes, I've got that one enabled.

    The only change I've made is to specify that the listening interface should be LAN (Couldn't get DNS resolution over IPSEC else).

    ![pfsense 2.2.2 DHCP server settings.png](/public/imported_attachments/1/pfsense 2.2.2 DHCP server settings.png)
    ![pfsense 2.2.2 DHCP server settings.png_thumb](/public/imported_attachments/1/pfsense 2.2.2 DHCP server settings.png_thumb)


  • Banned

    @iorx:

    The only change I've made is to specify that the listening interface should be LAN

    No, you haven't. Outgoing != listening. Please, read the descriptions. You normally do NOT want DNS listen on WAN. And you normally do NOT restrict DNS queries to LAN since… uhm... no authoritative DNS servers sit there, so your DNS will be completely broken.



  • Sorry 'bout that.
    I referred to why I had changed that option from All to LAN. Didn't get any name resolution, see:
    https://forum.pfsense.org/index.php?topic=92132.msg510024#msg510024

    And again, sorry, for my n00b understanding on the subject. But changing that option to LAN solved my problem referred to. Could you please point me in the right direction for reading up on the subject and/or give me the settings for the DNS that works for the scenario I got here, that is, a working DNS for both IPSEC and a GUEST-LAN.

    Brgs,



  • This is an other issue but a little bit relevant as I was fiddling about with the "Outgoing interface"  :P … Haven't yet checked if this also solves the domain name registration/answer described in the first post.

    https://doc.pfsense.org/index.php/Why_can%27t_I_query_SNMP,_use_syslog,_NTP,_or_other_services_initiated_by_the_firewall_itself_over_IPsec_VPN
    Reading up and understanding one other IPSEC specialty.

    Restored setting for Outgoing interface to "All" and it works as it should now. pfSense it self can now reach the other side of tunnel.

    About not getting traffic from pfsense through tunnel IPSEC
    https://forum.pfsense.org/index.php?topic=92132.msg513079#msg513079

    Btw, what are the recommended setting for "DNS Resolver"

    "Network Interfaces"
    All but not WAN?

    "Outgoing Network Interfaces"
    "All"?


Log in to reply