Netgate Discussion Forum
    Split DNS not working

    Category: DHCP and DNS
    9 posts, 5 posters, 2.5k views
    ckitsbg:

      hi pfSense gurus, I have the following config:

      pfSense is configured as DNS Forwarder with a Host Override for a mail server behind pfSense. I would like internal (LAN) clients to resolve the mail server's internal IP, so I configured it for Split DNS like you can find in hundreds of tutorials. One fact: my internal and external domain names are the same, let's say "abc.com".

      The problem is that this configuration works sometimes, sometimes not. NSLookup on the client always gives me the correct answer (internal IP, NOT external) but when I ping "mail.abc.com" sometimes it resolves to the internal IP and sometimes to the external IP.
      When I use the Diagnostic Tool "DNS Lookup" in the pfSense GUI the behavior is the same as on a client. Sometimes internal IP as answer and sometimes external IP.

      What have I done wrong? I found many posts like mine, but there was no working solution for me.

      Thank you

      Used pfSense version: 2.2.2-RELEASE (amd64) (nanobsd) running on a PC Engines board

      doktornotor:

        Yeah, that is what you'll get when you point your client you are querying from to both the internal and external DNS servers, or produce similar PEBKAC setup.

        Supermule:

          What DNS are your clients using?

          ckitsbg:

            The clients are configured by DHCP (also pfSense's DHCP) to use the pfSense box as their only DNS server. I have also tried to prevent local clients from querying external DNS servers as described here:
            https://doc.pfsense.org/index.php/Blocking_DNS_queries_to_external_resolvers but that is not the problem, I guess. pfSense answers sometimes with the internal and sometimes with the external IP.

            doktornotor:

              Yeah, and the pfSense DNS server is configured how?

              ckitsbg:

                DNS Forwarder:

                Register DHCP leases ... enabled
                Register DHCP static mappings ... enabled
                Resolve DHCP mapping first ... enabled
                Query DNS servers sequentially ... enabled

                Require domain ... unchecked
                Do not forward private ... unchecked

                Host Overrides:

                Host: mail
                Domain: abc.com
                IP address: 192.168.1.X

                At System > General Setup:

                Domain: abc.com
                DNS Servers: the two DNS servers provided by my ISP

                Allow DNS server list to be overridden ... unchecked
                Do not use the DNS Forwarder ... unchecked

                hda:

                  ? Restrict allowance to:

                  IPv4 TCP/UDP | LAN net | * | This Firewall | 53 (DNS) | * | none

                  ckitsbg:

                    @hda:

                    > ? Restrict allowance to:
                    >
                    > IPv4 TCP/UDP | LAN net | * | This Firewall | 53 (DNS) | * | none

                    You mean this: https://doc.pfsense.org/index.php/Blocking_DNS_queries_to_external_resolvers
                    …that doesn't resolve the problem.

                    phil.davis:

                      I am guessing this might be some weird interaction between the client domain suffix lookup and the domain on pfSense.
                      Does it make any difference on the client if you just:

                          ping mail

                      (and let the client add the "abc.com" suffix)
                      compared to

                          ping mail.abc.com

                      ?

                      Or does it sometimes fail to look up mail.abc.com and actually end up doing some lookup of mail.abc.com.abc.com?
                      (Putting the domain suffix on the end of what is already the FQDN)

                      When it goes wrong, flush the client DNS cache (like "ipconfig/flushdns" on Windows) and do the ping again. Does the answer stay wrong for a while? Or is it a really intermittent error?

                      I am thinking that perhaps there is some other mechanism somewhere that is causing the pfSense DNS server to get the public IP one time (goodness knows why), and then it has that cached for the time-to-live, which effectively overrides the host override.

                      As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                      If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/
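An added diagnostic for the symptom in this thread (not code from any poster): it queries the pfSense forwarder repeatedly for the absolute name, with a trailing dot so the client's search suffix can never turn it into mail.abc.com.abc.com, and reports whether the answers were consistently internal (RFC 1918), consistently external, or mixed, which is the signature of a cached upstream answer beating the host override. The resolver address 192.168.1.1 and the name mail.abc.com in the usage line are assumptions; dig must be installed.

```shell
#!/bin/sh
# Split DNS consistency probe (added example, hypothetical addresses).
# Query the forwarder N times and classify what came back.

# Return 0 if the IPv4 address lies in RFC 1918 private space.
is_private_ip() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read one IPv4 answer per line on stdin and print INTERNAL, EXTERNAL,
# MIXED or NONE. MIXED is the thread's symptom: the host override is
# answered some of the time, an upstream (public) answer the rest.
classify_answers() {
    priv=0; pub=0
    while read -r ip; do
        [ -n "$ip" ] || continue
        if is_private_ip "$ip"; then priv=$((priv + 1)); else pub=$((pub + 1)); fi
    done
    if [ "$priv" -gt 0 ] && [ "$pub" -gt 0 ]; then echo MIXED
    elif [ "$priv" -gt 0 ]; then echo INTERNAL
    elif [ "$pub" -gt 0 ]; then echo EXTERNAL
    else echo NONE; fi
}

# Ask resolver $1 for the A record of name $2, $3 times (default 20).
# The trailing dot makes the query absolute, so no search-suffix
# rewriting (mail.abc.com.abc.com) can happen on the client side.
probe() {
    resolver=$1; name=$2; count=${3:-20}; i=0
    while [ "$i" -lt "$count" ]; do
        dig +short +time=2 +tries=1 @"$resolver" "${name%.}." A
        i=$((i + 1))
    done
}

# Usage (hypothetical values):
# probe 192.168.1.1 mail.abc.com 20 | classify_answers
```

Run it from a LAN client against the pfSense address; INTERNAL every time means the forwarder is fine and the fault is on the client (suffix or cache), while MIXED points at the forwarder itself handing out a cached upstream answer.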

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.