DNS Resolver Config / VLANs



  • Hey guys,

    my pfsense network persists of a LAN-Interface (192.168.22.0) and different VLANs (192.168.10.0, 192.168.15.0, … ) which also are using the LAN-Interface.
    These VLANs should have access to some hosts of the LAN-Net. The communication is working fine, but only if I response this host with the direct IP-Adress ( Example:  VLAN-Host:192.168.15.101 <--> LAN-Host: 192.168.22.8)
    If I want to communicate with the other host only trough hostname(elektron) I don't get any response from the host. (Example: 192.168.15.101 <--> LAN-Host: elektron)

    As a conclusion the mistake must be in the DNS Settings in my opinion. To be sure that nothing is blocked by the firewall, I added an "any-to-any"-Rule for all VLANs.

    My Config in "DNS Resolver" looks like this:

    Network Interfaces: All

    Outgoing Network Interfaces: ALl

    DNSSEC: disabled

    DNS Query Forwarding: enabled

    DHCP Registration: enabled

    Static DHCP: enabled

    TXT Comment Support: disabled

    I should add, that the DNS resolving is working if I am in the same net (LAN-net). But it should also work from the VLAN-Networks.

    Do you have any ideas for this Problem?

    Thank you for reading.


  • LAYER 8 Global Moderator

    elektron is not a fqdn, what is the domain part something like elektron.yourdomain.tld

    Query the dns on pfsense and this fqdn should resolve.



  • Thanks for your reply.

    Sure you are right that elektron is not a FQDN. But it should also work by only using the hostname or not? I tried to add "host Overrides" and " Domain Overrides" in DNS Resolver.

    Host Overrides: Host: elektron / Domain: elektron.yatego.local / IP: 192.168.22.9

    But also with this setting it is not possible to ping the hostname. Also I switched to the pfsense Tool DNS Forwarder but there I get the same result.


  • Banned

    Your domain is wrong, it should NOT include the hostname.


  • LAYER 8 Netgate

    And if you want to resolve just "elektron" check the domain and domain search list on all the dhcp servers for all the vlans.



  • Now ping from the same subnet (192.168.22.x) to elektron is working:

    ping elektron
    PING elektron (192.168.22.9): 56 data bytes
    64 bytes from 192.168.22.9: icmp_seq=0 ttl=64 time=19.944 ms

    Out of the VLAN there has nothing changed.

    ping elektron
    ping: cannot resolve elektron: Unknown host

    I changed the DNS from VLAN to 192.168.22.1 instead of VLAN-DNS 192.168.15.1. But it made also no difference.

    Are there some other possible reasons like DNS?

    Actually I found a strange mistake in my network settings on client. Every client which want to connect to VLAN net gets a search-domain. I don't know where to deactivate this feature. Can somebody tell me? :)


  • Banned

    Sigh… The VLAN DHCP server should be set to the VLAN interface IP set on pfSense. Plus, as noted above, you need to set up the domain/domain search list on your DHCP server properly - or set it up manually on each client who is too lazy to type FQDN. It won't work otherwise.

    300% PEBKAC.


  • LAYER 8 Global Moderator

    What part do you not understand about search order and domain??

    if you want your machine to auto add the domain name then use search suffix..

    Here

    C:>ipconfig /all

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : i5-w7
      Primary Dns Suffix  . . . . . . . : local.lan
      Node Type . . . . . . . . . . . . : Hybrid
      IP Routing Enabled. . . . . . . . : No
      WINS Proxy Enabled. . . . . . . . : No
      DNS Suffix Search List. . . . . . : local.lan

    See when I ping just pfsense it comes back fully qualified

    C:>ping pfsense

    Pinging pfsense.local.lan [192.168.1.253] with 32 bytes of data:
    Reply from 192.168.1.253: bytes=32 time<1ms TTL=64             
    Reply from 192.168.1.253: bytes=32 time<1ms TTL=64

    Ping statistics for 192.168.1.253:                             
        Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),       
    Approximate round trip times in milli-seconds:                 
        Minimum = 0ms, Maximum = 0ms, Average = 0ms

    Same for any other box on my network..

    C:>ping storage

    Pinging storage.local.lan [192.168.1.8] with 32 bytes of data:
    Reply from 192.168.1.8: bytes=32 time=1ms TTL=128
    Reply from 192.168.1.8: bytes=32 time<1ms TTL=128

    Yes even stuff on different segments

    C:>ping unificntrl

    Pinging unificntrl**.local.lan** [192.168.[b]2.10] with 32 bytes of data:
    Reply from 192.168.2.10: bytes=32 time=1ms TTL=63
    Reply from 192.168.2.10: bytes=32 time=1ms TTL=63

    If you have your dhcp stuff register you should even need to do host over rides.. But this is how you do one - see attached.

    Again you can not BROADCAST for name on another segment..  So your stuff resolves via host name locally because your broadcasting for it..




  • Thanks for suggestions,

    the Problem was that our LAN-net is getting DHCP and DNS from another DHPC-Server which apparently changed also the DNS-Settings incl. Search-Domains. As conclusion it was not possible to communicate from VLAN nets to the parent LAN net via hostnames.