DNS Resolver Config / VLANs
-
Hey guys,
my pfSense network consists of a LAN interface (192.168.22.0) and different VLANs (192.168.10.0, 192.168.15.0, …) which also are using the LAN interface.
These VLANs should have access to some hosts of the LAN net. The communication is working fine, but only if I address this host with the direct IP address (Example: VLAN-Host: 192.168.15.101 <--> LAN-Host: 192.168.22.8).
If I want to communicate with the other host only through the hostname (elektron) I don't get any response from the host. (Example: 192.168.15.101 <--> LAN-Host: elektron)
As a conclusion the mistake must be in the DNS settings in my opinion. To be sure that nothing is blocked by the firewall, I added an "any-to-any" rule for all VLANs.
My Config in "DNS Resolver" looks like this:
Network Interfaces: All
Outgoing Network Interfaces: All
DNSSEC: disabled
DNS Query Forwarding: enabled
DHCP Registration: enabled
Static DHCP: enabled
TXT Comment Support: disabled
I should add that the DNS resolving is working if I am in the same net (LAN net). But it should also work from the VLAN networks.
Do you have any ideas for this Problem?
Thank you for reading.
-
elektron is not a FQDN. What is the domain part? Something like elektron.yourdomain.tld?
Query the DNS on pfSense and this FQDN should resolve.
-
Thanks for your reply.
Sure, you are right that elektron is not a FQDN. But it should also work by only using the hostname, or not? I tried to add "Host Overrides" and "Domain Overrides" in DNS Resolver.
Host Overrides: Host: elektron / Domain: elektron.yatego.local / IP: 192.168.22.9
But also with this setting it is not possible to ping the hostname. I also switched to the pfSense tool DNS Forwarder, but there I get the same result.
-
Your domain is wrong, it should NOT include the hostname.
-
And if you want to resolve just "elektron" check the domain and domain search list on all the dhcp servers for all the vlans.
-
Now ping from the same subnet (192.168.22.x) to elektron is working:
ping elektron
PING elektron (192.168.22.9): 56 data bytes
64 bytes from 192.168.22.9: icmp_seq=0 ttl=64 time=19.944 ms
Out of the VLAN nothing has changed:
ping elektron
ping: cannot resolve elektron: Unknown host
I changed the DNS from the VLAN to 192.168.22.1 instead of the VLAN DNS 192.168.15.1. But it also made no difference.
Are there some other possible reasons like DNS?
Actually I found a strange mistake in my network settings on the client. Every client which wants to connect to the VLAN net gets a search domain. I don't know where to deactivate this feature. Can somebody tell me? :)
-
Sigh… The VLAN DHCP server should be set to the VLAN interface IP set on pfSense. Plus, as noted above, you need to set up the domain/domain search list on your DHCP server properly - or set it up manually on each client who is too lazy to type FQDN. It won't work otherwise.
300% PEBKAC.
-
What part do you not understand about search order and domain??
If you want your machine to auto-add the domain name then use the search suffix..
Here:
C:>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : i5-w7
Primary Dns Suffix . . . . . . . : local.lan
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : local.lan
See, when I ping just pfsense it comes back fully qualified:
C:>ping pfsense
Pinging pfsense.local.lan [192.168.1.253] with 32 bytes of data:
Reply from 192.168.1.253: bytes=32 time<1ms TTL=64
Reply from 192.168.1.253: bytes=32 time<1ms TTL=64
Ping statistics for 192.168.1.253:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Same for any other box on my network..
C:>ping storage
Pinging storage.local.lan [192.168.1.8] with 32 bytes of data:
Reply from 192.168.1.8: bytes=32 time=1ms TTL=128
Reply from 192.168.1.8: bytes=32 time<1ms TTL=128
Yes, even stuff on different segments:
C:>ping unificntrl
Pinging unificntrl.local.lan [192.168.2.10] with 32 bytes of data:
Reply from 192.168.2.10: bytes=32 time=1ms TTL=63
Reply from 192.168.2.10: bytes=32 time=1ms TTL=63
If you have your DHCP stuff register you should even need to do host overrides.. But this is how you do one - see attached.
Again, you cannot BROADCAST for a name on another segment.. So your stuff resolves via host name locally because you're broadcasting for it..
-
Thanks for the suggestions,
the problem was that our LAN net is getting DHCP and DNS from another DHCP server which apparently also changed the DNS settings incl. search domains. As a conclusion it was not possible to communicate from the VLAN nets to the parent LAN net via hostnames.
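The thread turns on two points: a stub resolver only qualifies a bare name like "elektron" with whatever search domain DHCP handed out, and a pfSense Host Override whose Domain field already contains the hostname produces the wrong FQDN. The following is an added example, not code from the thread or from pfSense, that models both in a few lines. The zone data, the domain "yatego.local", the resolv.conf snippets and the function names are constructed from the addresses mentioned above.

```python
"""Toy model of short-name resolution via a DNS search list.

Added example (not code from the thread or from pfSense). It mimics the
stub-resolver behaviour discussed above: a bare hostname only resolves
when the client's search list supplies a domain suffix, while the FQDN
resolves regardless. All names and addresses below are constructed.
"""
from typing import Optional, Tuple

# Constructed answers the pfSense resolver would give for fully qualified names.
ZONE = {
    "elektron.yatego.local": "192.168.22.9",
    "pfsense.yatego.local": "192.168.22.1",
}

# Constructed resolv.conf contents for two clients: the LAN client received a
# search domain from DHCP, the VLAN client did not (the situation in the thread).
LAN_RESOLV_CONF = """\
nameserver 192.168.22.1
search yatego.local
"""
VLAN_RESOLV_CONF = """\
nameserver 192.168.15.1
"""


def parse_search_list(resolv_conf: str) -> list:
    """Return the search suffixes from resolv.conf text ('search' wins over 'domain')."""
    domain = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith(("#", ";")):
            continue
        if parts[0] == "search":
            return [s.lower().rstrip(".") for s in parts[1:]]
        if parts[0] == "domain" and len(parts) > 1:
            domain = [parts[1].lower().rstrip(".")]
    return domain


def host_override_fqdn(host: str, domain: str) -> str:
    """FQDN a Host Override entry produces: Host field + '.' + Domain field."""
    return f"{host}.{domain}".lower().rstrip(".")


def resolve(name: str, search_list: list, zone: dict = ZONE,
            ndots: int = 1) -> Optional[Tuple[str, str]]:
    """Mimic stub-resolver search order.

    A name with at least `ndots` dots is tried as given first; a shorter
    name gets each search suffix appended in turn and is tried bare last.
    Returns (fqdn_that_answered, ip) or None when nothing resolves.
    """
    name = name.lower().rstrip(".")
    if name.count(".") >= ndots:
        candidates = [name] + [f"{name}.{s}" for s in search_list]
    else:
        candidates = [f"{name}.{s}" for s in search_list] + [name]
    for fqdn in candidates:
        ip = zone.get(fqdn)
        if ip is not None:
            return fqdn, ip
    return None


if __name__ == "__main__":
    for label, conf in (("LAN client", LAN_RESOLV_CONF),
                        ("VLAN client", VLAN_RESOLV_CONF)):
        search = parse_search_list(conf)
        print(f"{label}: search list {search or '(none)'} -> "
              f"ping elektron: {resolve('elektron', search)}")
    # The FQDN works with an empty search list, as the first reply says.
    print("FQDN:", resolve("elektron.yatego.local", []))
    # Domain field containing the hostname (the thread's mistake) vs. corrected.
    print("bad override  ->", host_override_fqdn("elektron", "elektron.yatego.local"))
    print("good override ->", host_override_fqdn("elektron", "yatego.local"))
```

Running it shows the VLAN client returning None for "elektron" while the LAN client gets 192.168.22.9, and the misconfigured override yielding "elektron.elektron.yatego.local", a name the resolver never tries. On a real client, the check is the search line in /etc/resolv.conf (or "DNS Suffix Search List" in ipconfig /all), which is exactly what the DHCP server for each VLAN has to hand out.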