Split DNS not working

ckitsbg

hi pfSense gurus, I have the following config:

PFSense configured as DNS Forwarder with Host Override for Mailserver behind pfSense. I would like that internal (LAN) Clients resolve the Mail-servers internal IP, so I configured it for Split DNS like you could find in hundred of tutorials. One fact, my internal and external Domain name is the same, let say "abc.com"

The problem is that this configuration works sometimes, sometimes not. NSLookup on the client always gives me the correct answer (internal IP, NOT external) but when I ping "mail.abc.com" sometimes it resolves to the internal IP and sometimes to the external IP.
When I use the Diagnostic Tool "DNS Lookup" in the pfSense GUI the behavior is the same as on a client. Sometimes internal IP as answer and sometimes external IP.

What have I done wrong? I found many posts like mine but there where no working solution for me.

Thank you

-used pfSense Version: 2.2.2-RELEASE (amd64) (nanobsd) running on a PC Engines Board

doktornotor

Yeah, that is what you'll get when you point your client you are querying from to both the internal and external DNS servers, or produce similar PEBKAC setup.

Supermule

What DNS are your clients using??

ckitsbg

The clients are configured to use only the pfSense box as the only configured DNS. This is done by DHCP (also the pfSense DHCP) I have also tried to prevent local clients to query external DNS Servers like it is described here:
https://doc.pfsense.org/index.php/Blocking_DNS_queries_to_external_resolvers but that is not the problem, I guess. The pfSense answers sometimes with the internal and sometimes with the external IP.

doktornotor

Yeah, and the pfSense DNS server is configured how?

ckitsbg

DNS forwarder:

Register DHCP leases… enabled
Register DHCP static mappings... enabled
Resolve DHCP mapping first ... enabled
Query DNS servers sequentially ... enabled

Require domain ... unchecked
Do not forward private... unchecked

Host Overrides:

Host: mail
Domain: abc.com
IP address: 192.168.1.X

At SYSTEM:General Setup:

Domain: abc.com
DNS Servers: the two DNS Servers provided by my ISP

allow DNS server list to be overridden.... unchecked
Do not use the DNS Forwarder ... unchecked

hda

? Restrict allowance to:

IPv4 TCP/UDP LAN net * This Firewall 53 (DNS) * none

ckitsbg

@hda:

? Restrict allowance to:

IPv4 TCP/UDP LAN net * This Firewall 53 (DNS) * none

you mean that: https://doc.pfsense.org/index.php/Blocking_DNS_queries_to_external_resolvers
…that doesn't resolve the problem.

phil.davis

I am guessing this might be some weird interaction between the client domain suffix lookup and the domain on pfSense.
Does it make any difference on the client if you just:

ping mail

(and let the client add "abc.com" suffix)
compared to

ping mail.abc.com

?

Or does it sometimes fail to lookup mail.abc.com and actually end up doing some lookup of mail.abc.com.abc.com ?
(Putting the domain suffix on the end of what is already the FQDN)

When it goes wrong, flush the client DNS cache (like "ipconfig/flushdns" on Windows) and do the ping again. Does the answer stay wrong for a while? Or is it an really intermittent error?

I am thinking that perhaps there is some other mechanism somewhere that is causing the pfSense DNS server to get the public IP 1 time (goodnes knows why), and then it has that cached for the time-to-live, which effectively overrides the host override.