Split DNS not working

  • Hi pfSense gurus, I have the following config:

    pfSense is configured as DNS Forwarder with a Host Override for the mail server behind pfSense. I would like internal (LAN) clients to resolve the mail server's internal IP, so I configured it for Split DNS like you can find in hundreds of tutorials. One fact: my internal and external domain names are the same, let's say "abc.com".

    The problem is that this configuration works sometimes, sometimes not. NSLookup on the client always gives me the correct answer (internal IP, NOT external), but when I ping "mail.abc.com" it sometimes resolves to the internal IP and sometimes to the external IP.
    When I use the Diagnostic Tool "DNS Lookup" in the pfSense GUI, the behavior is the same as on a client: sometimes the internal IP as answer and sometimes the external IP.

    What have I done wrong? I found many posts like mine, but there was no working solution for me.

    Thank you

    - used pfSense version: 2.2.2-RELEASE (amd64) (nanobsd) running on a PC Engines board

  • Banned

    Yeah, that is what you'll get when you point your client you are querying from to both the internal and external DNS servers, or produce similar PEBKAC setup.

  • Banned

    What DNS are your clients using?

  • The clients are configured to use only the pfSense box as their DNS server. This is done by DHCP (also the pfSense DHCP). I have also tried to prevent local clients from querying external DNS servers as described here:
    https://doc.pfsense.org/index.php/Blocking_DNS_queries_to_external_resolvers but that is not the problem, I guess. The pfSense answers sometimes with the internal and sometimes with the external IP.

  • Banned

    Yeah, and the pfSense DNS server is configured how?

  • DNS forwarder:

    Register DHCP leases… enabled
    Register DHCP static mappings... enabled
    Resolve DHCP mapping first ... enabled
    Query DNS servers sequentially ... enabled

    Require domain ... unchecked
    Do not forward private... unchecked

    Host Overrides:

    Host: mail
    Domain: abc.com
    IP address: 192.168.1.X

    At SYSTEM:General Setup:

    Domain: abc.com
    DNS Servers: the two DNS Servers provided by my ISP

    allow DNS server list to be overridden.... unchecked
    Do not use the DNS Forwarder ... unchecked

  • ? Restrict allowance to:

    IPv4 TCP/UDP LAN net * This Firewall 53 (DNS) * none

  • @hda:

    ? Restrict allowance to:

    IPv4 TCP/UDP LAN net * This Firewall 53 (DNS) * none

    you mean that: https://doc.pfsense.org/index.php/Blocking_DNS_queries_to_external_resolvers
    …that doesn't resolve the problem.

  • I am guessing this might be some weird interaction between the client domain suffix lookup and the domain on pfSense.
    Does it make any difference on the client if you just:

    ping mail

    (and let the client add "abc.com" suffix)
    compared to

    ping mail.abc.com


    Or does it sometimes fail to look up mail.abc.com and actually end up doing some lookup of mail.abc.com.abc.com?
    (Putting the domain suffix on the end of what is already the FQDN)

    When it goes wrong, flush the client DNS cache (like "ipconfig /flushdns" on Windows) and do the ping again. Does the answer stay wrong for a while? Or is it a really intermittent error?

    I am thinking that perhaps there is some other mechanism somewhere that is causing the pfSense DNS server to get the public IP one time (goodness knows why), and then it has that cached for the time-to-live, which effectively overrides the host override.
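
The two hypotheses in the reply above (the client appending its search suffix to an already-qualified name, and a public answer for the override name slipping into the forwarder's cache) both leave traces in dnsmasq's query log, which is what pfSense 2.2's DNS Forwarder runs. The following script is an added example, not code from the thread or from pfSense: it parses dnsmasq `log-queries` lines and flags (a) queries for `mail.abc.com.abc.com`-style doubled names, (b) override names that were forwarded upstream instead of answered from the Host Override, and (c) answers for the override name that fall outside the LAN prefix. The log lines are constructed for the example; the override name comes from the thread and the LAN prefix `192.168.1.0/24` is an assumption matching the "192.168.1.X" in the posted config.

```python
import ipaddress
import re

# Assumed shape of dnsmasq "log-queries" lines as pfSense's DNS Forwarder
# writes them (timestamp, process, event, name, address). Samples are constructed.
LINE_RE = re.compile(
    r"dnsmasq\[\d+\]:\s+"
    r"(?P<kind>query\[[A-Z]+\]|config|cached|forwarded|reply)\s+"
    r"(?P<name>\S+)\s+(?:from|is|to)\s+(?P<addr>\S+)"
)


def audit_split_dns(log_lines, overrides, lan_net):
    """Scan dnsmasq query-log lines for the symptoms discussed in the thread.

    overrides: set of Host Override FQDNs, e.g. {"mail.abc.com"}
    lan_net:   the LAN prefix an internal answer must fall in

    Returns a dict with:
      suffix_doubled  - queries for <override>.<extra>, i.e. the client glued
                        its search suffix onto a name that was already an FQDN
      forwarded       - (name, upstream) for override names sent upstream
                        instead of being answered from the Host Override
      external_answer - (name, ip, source) for answers outside lan_net,
                        where source is config / cached / reply
    """
    lan = ipaddress.ip_network(lan_net)
    overrides = {o.rstrip(".").lower() for o in overrides}
    findings = {"suffix_doubled": [], "forwarded": [], "external_answer": []}

    for raw in log_lines:
        m = LINE_RE.search(raw)
        if not m:
            continue
        kind = m.group("kind")
        name = m.group("name").rstrip(".").lower()
        addr = m.group("addr")

        if kind.startswith("query"):
            # mail.abc.com.abc.com is the tell-tale of suffix doubling on the client
            for fqdn in overrides:
                if name != fqdn and name.startswith(fqdn + "."):
                    findings["suffix_doubled"].append(name)
            continue

        if name not in overrides:
            continue

        if kind == "forwarded":
            # A Host Override should never be forwarded; if it is, the public
            # record comes back and then sits in the cache for its TTL.
            findings["forwarded"].append((name, addr))
            continue

        # config / cached / reply carry the answer the client actually receives.
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # NXDOMAIN, <CNAME> and similar non-address answers
        if ip not in lan:
            findings["external_answer"].append((name, str(ip), kind))

    return findings


# Constructed sample log; not real output from the poster's box.
SAMPLE_LOG = """\
Apr 20 10:00:01 dnsmasq[1234]: query[A] mail.abc.com from 192.168.1.50
Apr 20 10:00:01 dnsmasq[1234]: config mail.abc.com is 192.168.1.20
Apr 20 10:00:07 dnsmasq[1234]: query[A] mail.abc.com.abc.com from 192.168.1.50
Apr 20 10:00:07 dnsmasq[1234]: forwarded mail.abc.com.abc.com to 198.51.100.1
Apr 20 10:00:07 dnsmasq[1234]: reply mail.abc.com.abc.com is NXDOMAIN
Apr 20 10:00:12 dnsmasq[1234]: query[A] mail.abc.com from 192.168.1.50
Apr 20 10:00:12 dnsmasq[1234]: forwarded mail.abc.com to 198.51.100.1
Apr 20 10:00:12 dnsmasq[1234]: reply mail.abc.com is 203.0.113.5
Apr 20 10:00:30 dnsmasq[1234]: query[A] mail.abc.com from 192.168.1.51
Apr 20 10:00:30 dnsmasq[1234]: cached mail.abc.com is 203.0.113.5
"""

if __name__ == "__main__":
    result = audit_split_dns(SAMPLE_LOG.splitlines(), {"mail.abc.com"}, "192.168.1.0/24")
    for symptom, hits in result.items():
        print(f"{symptom}: {hits}")
```

Run it against the forwarder's log with dnsmasq query logging (`log-queries`) turned on; a "forwarded" hit for the override name, followed by "cached" answers with the public IP, is exactly the cache-poisoning-by-TTL mechanism the reply describes, while "suffix_doubled" hits point at the client's search list rather than at pfSense.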
