DNS Resolver Config / VLANs

Flori1611

Hey guys,

my pfsense network persists of a LAN-Interface (192.168.22.0) and different VLANs (192.168.10.0, 192.168.15.0, … ) which also are using the LAN-Interface.
These VLANs should have access to some hosts of the LAN-Net. The communication is working fine, but only if I response this host with the direct IP-Adress ( Example:  VLAN-Host:192.168.15.101 <--> LAN-Host: 192.168.22.8)
If I want to communicate with the other host only trough hostname(elektron) I don't get any response from the host. (Example: 192.168.15.101 <--> LAN-Host: elektron)

As a conclusion the mistake must be in the DNS Settings in my opinion. To be sure that nothing is blocked by the firewall, I added an "any-to-any"-Rule for all VLANs.

My Config in "DNS Resolver" looks like this:

Network Interfaces: All

Outgoing Network Interfaces: ALl

DNSSEC: disabled

DNS Query Forwarding: enabled

DHCP Registration: enabled

Static DHCP: enabled

TXT Comment Support: disabled

I should add, that the DNS resolving is working if I am in the same net (LAN-net). But it should also work from the VLAN-Networks.

Do you have any ideas for this Problem?

Thank you for reading.

johnpoz

elektron is not a fqdn, what is the domain part something like elektron.yourdomain.tld

Query the dns on pfsense and this fqdn should resolve.

Flori1611

Thanks for your reply.

Sure you are right that elektron is not a FQDN. But it should also work by only using the hostname or not? I tried to add "host Overrides" and " Domain Overrides" in DNS Resolver.

Host Overrides: Host: elektron / Domain: elektron.yatego.local / IP: 192.168.22.9

But also with this setting it is not possible to ping the hostname. Also I switched to the pfsense Tool DNS Forwarder but there I get the same result.

doktornotor

Your domain is wrong, it should NOT include the hostname.

Derelict

And if you want to resolve just "elektron" check the domain and domain search list on all the dhcp servers for all the vlans.

Flori1611

Now ping from the same subnet (192.168.22.x) to elektron is working:

ping elektron
PING elektron (192.168.22.9): 56 data bytes
64 bytes from 192.168.22.9: icmp_seq=0 ttl=64 time=19.944 ms

Out of the VLAN there has nothing changed.

ping elektron
ping: cannot resolve elektron: Unknown host

I changed the DNS from VLAN to 192.168.22.1 instead of VLAN-DNS 192.168.15.1. But it made also no difference.

Are there some other possible reasons like DNS?

Actually I found a strange mistake in my network settings on client. Every client which want to connect to VLAN net gets a search-domain. I don't know where to deactivate this feature. Can somebody tell me? :)

doktornotor

Sigh… The VLAN DHCP server should be set to the VLAN interface IP set on pfSense. Plus, as noted above, you need to set up the domain/domain search list on your DHCP server properly - or set it up manually on each client who is too lazy to type FQDN. It won't work otherwise.

300% PEBKAC.

johnpoz

What part do you not understand about search order and domain??

if you want your machine to auto add the domain name then use search suffix..

Here

C:>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : i5-w7
  Primary Dns Suffix  . . . . . . . : local.lan
  Node Type . . . . . . . . . . . . : Hybrid
  IP Routing Enabled. . . . . . . . : No
  WINS Proxy Enabled. . . . . . . . : No
  DNS Suffix Search List. . . . . . : local.lan

See when I ping just pfsense it comes back fully qualified

C:>ping pfsense

Pinging pfsense.local.lan [192.168.1.253] with 32 bytes of data:
Reply from 192.168.1.253: bytes=32 time<1ms TTL=64             
Reply from 192.168.1.253: bytes=32 time<1ms TTL=64

Ping statistics for 192.168.1.253:                             
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),       
Approximate round trip times in milli-seconds:                 
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Same for any other box on my network..

C:>ping storage

Pinging storage.local.lan [192.168.1.8] with 32 bytes of data:
Reply from 192.168.1.8: bytes=32 time=1ms TTL=128
Reply from 192.168.1.8: bytes=32 time<1ms TTL=128

Yes even stuff on different segments

C:>ping unificntrl

Pinging unificntrl**.local.lan** [192.168.[b]2.10] with 32 bytes of data:
Reply from 192.168.2.10: bytes=32 time=1ms TTL=63
Reply from 192.168.2.10: bytes=32 time=1ms TTL=63

If you have your dhcp stuff register you should even need to do host over rides.. But this is how you do one - see attached.

Again you can not BROADCAST for name on another segment..  So your stuff resolves via host name locally because your broadcasting for it..

Flori1611

Thanks for suggestions,

the Problem was that our LAN-net is getting DHCP and DNS from another DHPC-Server which apparently changed also the DNS-Settings incl. Search-Domains. As conclusion it was not possible to communicate from VLAN nets to the parent LAN net via hostnames.