Reverse DNS Lookups
-
So the clients are resolving fine, it's just queries from the firewall itself that don't work unless they're FQDNs? In that case, either the domain under System>General Setup is wrong, or it's not getting replies from its configured DNS server(s).
When you do a DNS lookup from the firewall, it'll append the default domain and do a lookup on that name. If that fails, it'll do a lookup for the hostname minus the domain. Where my domain under System>General Setup is buechler.lan, and I run "ping blah":
21:53:19.946424 IP 10.0.4.2.8205 > 10.0.4.50.53: 4148+ A? blah.buechler.lan. (35)
21:53:19.946803 IP 10.0.4.50.53 > 10.0.4.2.8205: 4148 NXDomain* 0/1/0 (110)
21:53:19.947549 IP 10.0.4.2.60216 > 10.0.4.50.53: 17090+ A? blah. (22)
21:53:19.947826 IP 10.0.4.50.53 > 10.0.4.2.60216: 17090 NXDomain* 0/1/0 (97)
where 10.0.4.50 is the configured DNS server.
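The lookup order in the capture above can be read off mechanically. The following is an added example, not part of the original post: it pairs each tcpdump DNS query with its reply and labels whether the queried name had the default domain appended. The function name trace_lookups and the output labels are assumptions made for illustration; a query with no matching reply is reported with rcode None, which is the "not getting replies from its configured DNS server(s)" case.

```python
import re

# The four tcpdump lines quoted in the post above (10.0.4.50 is the DNS server).
CAPTURE = """\
21:53:19.946424 IP 10.0.4.2.8205 > 10.0.4.50.53: 4148+ A? blah.buechler.lan. (35)
21:53:19.946803 IP 10.0.4.50.53 > 10.0.4.2.8205: 4148 NXDomain* 0/1/0 (110)
21:53:19.947549 IP 10.0.4.2.60216 > 10.0.4.50.53: 17090+ A? blah. (22)
21:53:19.947826 IP 10.0.4.50.53 > 10.0.4.2.60216: 17090 NXDomain* 0/1/0 (97)
"""

# timestamp, "IP", src ip.port, dst ip.port, query id with optional flag characters
LINE = re.compile(r"^\S+ IP (?P<src>\S+) > (?P<dst>\S+): (?P<id>\d+)[^\s\d]* (?P<rest>.+)$")
QUERY = re.compile(r"^(?P<qtype>[A-Z]+)\? (?P<qname>\S+)")


def trace_lookups(capture, search_domain):
    """Pair each query with its reply; return (qname, origin, rcode, server) in query order.

    rcode is None when the capture holds no reply for a query.
    """
    suffix = "." + search_domain.strip(".").lower() + "."
    lookups, pending = [], {}
    for raw in capture.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a DNS line in the expected tcpdump format
        q = QUERY.match(m["rest"])
        if q:
            qname = q["qname"]
            origin = "search domain appended" if qname.lower().endswith(suffix) else "as typed"
            entry = [qname, origin, None, m["dst"]]
            lookups.append(entry)
            # A reply goes back to the same client ip.port with the same query id.
            pending[(m["src"], m["id"])] = entry
        else:
            entry = pending.pop((m["dst"], m["id"]), None)
            if entry is not None:
                token = m["rest"].split()[0].rstrip("*-|$")
                # tcpdump names the rcode only on failure; a success starts with counts like 1/0/0.
                entry[2] = token if token[:1].isalpha() else "NoError"
    return [tuple(e) for e in lookups]


if __name__ == "__main__":
    for qname, origin, rcode, server in trace_lookups(CAPTURE, "buechler.lan"):
        print(f"{qname:22} {origin:24} -> {rcode or 'no reply'} from {server}")
```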
-
Here we are trying to get Booman to troubleshoot the issue and CMB is giving away the answers to the test so to speak. ;)
-
Here we are trying to get Booman to troubleshoot the issue and CMB is giving away the answers to the test so to speak. ;)
Well, he's still gonna have to troubleshoot the issue, just showing how things work. :)
-
This poster is unwilling to think his problem through and just wants to blame pfsense.. Or take the 30 seconds it would take to actually see what is happening via a sniff.. I hate these sorts of users to be honest.. But you can not make the horse drink even when you shove the bucket of water over its mouth..
Yes I use the term user, admins at least good/decent ones do not think like this nor are they unwilling to provide info either proving their train of thought results or showing how they got to this train of thought to what they think the problem is. Users expect someone to fix their problem without providing any sort of details to help..
User: My car won't start
Tech: Does it have gas?
User: It wont start!
Tech: Does it turn over, does it make a noise - does it have gas?
User: It wont start! Its blue and the tires have air.
Tech: <rolleyes> Get a new car ;)
BTW I have not seen the web gui dns lookup act this way.. if you're doing it from cmd line on pfsense sure. But the webgui dns lookup does not seem to add your pfsense domain to the query. Which we don't even know what the user is even doing from pfsense to try and resolve??
-
@cmb:
Here we are trying to get Booman to troubleshoot the issue and CMB is giving away the answers to the test so to speak. ;)
Well, he's still gonna have to troubleshoot the issue, just showing how things work. :)
Nothing to troubleshoot, as said, I've solved the issue already. :)
This poster is unwilling to think his problem through and just wants to blame pfsense.. Or take the 30 seconds it would take to actually see what is happening via a sniff.. I hate these sorts of users to be honest.. But you can not make the horse drink even when you shove the bucket of water over its mouth..
Yes I use the term user, admins at least good/decent ones do not think like this nor are they unwilling to provide info either proving their train of thought results or showing how they got to this train of thought to what they think the problem is. Users expect someone to fix their problem without providing any sort of details to help..
You really do have an attitude problem.
The issue from a community point of view is the stout defence of Pf that blinds you from the same thing you're accusing me of.
Do not make assumptions on people just because you disagree. My theory proved correct and it was solved.
As said, I thank you for the points of view given as whilst they did not ultimately point me in the correct direction for resolution they at least gave me food for thought. It's often useful to bounce ideas to get the creative juices flowing. :)
-
This had been irking me for some time as well….
After doing some packet capture I noticed that the request wasn't being passed to the MS DNS Server.
It seems that the DNS resolver was happy to answer the request (unsuccessfully) - as illustrated by the DNS lookup tool 127.0.0.1
I simply turned off the DNS Resolver built into pfsense and all sprung to life.
-
What has been irking you?? Not having a clue to how dns works… Yeah that would irk the shit out of me too to the point I would actually learn how it works..