DNS Resolver Config / VLANs



  • Hey guys,

    my pfSense network consists of a LAN interface (192.168.22.0) and different VLANs (192.168.10.0, 192.168.15.0, …) which also use the LAN interface.
    These VLANs should have access to some hosts of the LAN net. The communication is working fine, but only if I address this host with the direct IP address (Example: VLAN-Host: 192.168.15.101 <--> LAN-Host: 192.168.22.8).
    If I want to communicate with the other host only through the hostname (elektron), I don't get any response from the host. (Example: 192.168.15.101 <--> LAN-Host: elektron)

    So in my opinion the mistake must be in the DNS settings. To be sure that nothing is blocked by the firewall, I added an "any-to-any" rule for all VLANs.

    My Config in "DNS Resolver" looks like this:

    Network Interfaces: All

    Outgoing Network Interfaces: All

    DNSSEC: disabled

    DNS Query Forwarding: enabled

    DHCP Registration: enabled

    Static DHCP: enabled

    TXT Comment Support: disabled

    I should add that DNS resolving is working if I am in the same net (LAN net). But it should also work from the VLAN networks.

    Do you have any ideas for this problem?

    Thank you for reading.


  • Rebel Alliance Global Moderator

    elektron is not an FQDN. What is the domain part, something like elektron.yourdomain.tld?

    Query the dns on pfsense and this fqdn should resolve.



  • Thanks for your reply.

    Sure, you are right that elektron is not an FQDN. But it should also work by only using the hostname, or not? I tried to add "Host Overrides" and "Domain Overrides" in DNS Resolver.

    Host Overrides: Host: elektron / Domain: elektron.yatego.local / IP: 192.168.22.9

    But also with this setting it is not possible to ping the hostname. I also switched to the pfSense tool DNS Forwarder, but there I get the same result.


  • Banned

    Your domain is wrong, it should NOT include the hostname.


  • Netgate

    And if you want to resolve just "elektron" check the domain and domain search list on all the dhcp servers for all the vlans.



  • Now ping from the same subnet (192.168.22.x) to elektron is working:

    ping elektron
    PING elektron (192.168.22.9): 56 data bytes
    64 bytes from 192.168.22.9: icmp_seq=0 ttl=64 time=19.944 ms

    From the VLAN nothing has changed.

    ping elektron
    ping: cannot resolve elektron: Unknown host

    I changed the DNS for the VLAN to 192.168.22.1 instead of the VLAN DNS 192.168.15.1. But it also made no difference.

    Are there some other possible reasons like DNS?

    Actually I found a strange mistake in my network settings on the client. Every client which wants to connect to the VLAN net gets a search domain. I don't know where to deactivate this feature. Can somebody tell me? :)


  • Banned

    Sigh… The VLAN DHCP server should be set to the VLAN interface IP set on pfSense. Plus, as noted above, you need to set up the domain/domain search list on your DHCP server properly - or set it up manually on each client who is too lazy to type FQDN. It won't work otherwise.

    300% PEBKAC.


  • Rebel Alliance Global Moderator

    What part do you not understand about search order and domain??

    If you want your machine to auto-add the domain name then use a search suffix..

    Here

    C:>ipconfig /all

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : i5-w7
      Primary Dns Suffix  . . . . . . . : local.lan
      Node Type . . . . . . . . . . . . : Hybrid
      IP Routing Enabled. . . . . . . . : No
      WINS Proxy Enabled. . . . . . . . : No
      DNS Suffix Search List. . . . . . : local.lan

    See when I ping just pfsense it comes back fully qualified

    C:>ping pfsense

    Pinging pfsense.local.lan [192.168.1.253] with 32 bytes of data:
    Reply from 192.168.1.253: bytes=32 time<1ms TTL=64             
    Reply from 192.168.1.253: bytes=32 time<1ms TTL=64

    Ping statistics for 192.168.1.253:                             
        Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),       
    Approximate round trip times in milli-seconds:                 
        Minimum = 0ms, Maximum = 0ms, Average = 0ms

    Same for any other box on my network..

    C:>ping storage

    Pinging storage.local.lan [192.168.1.8] with 32 bytes of data:
    Reply from 192.168.1.8: bytes=32 time=1ms TTL=128
    Reply from 192.168.1.8: bytes=32 time<1ms TTL=128

    Yes even stuff on different segments

    C:>ping unificntrl

    Pinging unificntrl.local.lan [192.168.2.10] with 32 bytes of data:
    Reply from 192.168.2.10: bytes=32 time=1ms TTL=63
    Reply from 192.168.2.10: bytes=32 time=1ms TTL=63

    If you have your DHCP stuff register you should even need to do host overrides.. But this is how you do one - see attached.

    Again you can not BROADCAST for a name on another segment.. So your stuff resolves via host name locally because you're broadcasting for it..
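The search-suffix behaviour described in the post above, as an added example that is not part of the thread: a minimal model of how a stub resolver qualifies a short name with its DHCP-provided search list, run against a constructed zone that mirrors the thread (elektron in yatego.local). The per-network search lists, the "vlan15.example" domain and the NDOTS default are assumptions made for the demonstration.

```python
# Added example (not from the thread): model of stub-resolver search-list
# qualification, showing why "ping elektron" resolves on the LAN but not
# from a VLAN whose DHCP server hands out a different (or no) search domain.
# Zone contents and per-network search lists are constructed sample data.

ZONE = {
    # constructed: the LAN host and gateway as the pfSense resolver would know them
    "elektron.yatego.local.": "192.168.22.9",
    "pfsense.yatego.local.": "192.168.22.1",
}

# search domains each client learns from its DHCP server (constructed)
SEARCH_LISTS = {
    "lan":    ["yatego.local"],    # LAN DHCP hands out the real domain
    "vlan15": ["vlan15.example"],  # VLAN DHCP hands out an unrelated domain
    "vlan10": [],                  # VLAN DHCP hands out no search domain
}

NDOTS = 1  # common resolver default: fewer dots than this -> try search list first


def candidate_names(name, search_list, ndots=NDOTS):
    """Return the fully qualified names a resolver would try, in order."""
    if name.endswith("."):
        return [name]                         # absolute name: search list not applied
    qualified = [f"{name}.{domain}." for domain in search_list]
    literal = [name + "."]
    # short names: search list first, then the literal name; otherwise reversed
    return qualified + literal if name.count(".") < ndots else literal + qualified


def resolve(name, network, zone=ZONE):
    """Resolve like a client on `network`; returns (fqdn, ip) or None if unknown."""
    for fqdn in candidate_names(name, SEARCH_LISTS[network]):
        if fqdn in zone:
            return fqdn, zone[fqdn]
    return None  # what the client reports as "cannot resolve ...: Unknown host"


if __name__ == "__main__":
    for net in SEARCH_LISTS:
        print(f"{net}: elektron -> {resolve('elektron', net)}")
        print(f"{net}: elektron.yatego.local -> {resolve('elektron.yatego.local', net)}")
```

Only the LAN client, whose search list matches the domain the host was registered under, resolves the bare name; the VLAN clients still resolve the FQDN, which is the check the moderator suggests.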




  • Thanks for the suggestions,

    the problem was that our LAN net is getting DHCP and DNS from another DHCP server which apparently also changed the DNS settings incl. search domains. As a conclusion it was not possible to communicate from the VLAN nets to the parent LAN net via hostnames.