Netgate Discussion Forum

Can not get the correct dns server from DHCP Static Mappings.

  • S
    stbird
    last edited by Nov 5, 2015, 12:55 PM

    This is my dhcp setting. I have set the dns server to 10.209.2.1 and 10.209.2.2.

    This is one of the static mappings. I wish that the client gets ip address 10.209.2.82 and dns server 10.209.3.241.

    After I rebooted the pfsense, the client got the right ip 10.209.2.82 and the wrong dns server 10.209.2.1/10.209.2.2.

    The pfsense is the only dhcp server. I'm sure about that. I have disabled the dhcp server, and the client couldn't get any ip.

    Why doesn't the dns server setting in static mappings work? How can I fix the problem?

    • J
      johnpoz LAYER 8 Global Moderator
      last edited by Nov 5, 2015, 1:17 PM Nov 5, 2015, 1:13 PM

      Make sure you delete the old lease from pfsense, I just tested this - my machine had a reservation.. So I just went in and edited the dns server, but was still getting default ones like you show.

      I then changed the IP client should get to .101 vs .100, but he still kept getting .100.. Went in and deleted the OLD lease, show all leases and then renewed and now working.. So make sure you clear out any OLD lease pfsense might have for that mac/ip/etc and then you should be good.

      I then edited that and put it back to hand out my normal dns for his reservation, back to his .100 address – deleting the .101 lease and as seen from 2nd attachment back to how it was..

      dhcpleasedns.png
      backtonormalrev.png

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

      • S
        stbird
        last edited by Nov 6, 2015, 12:56 AM

        Thanks johnpoz for the reply.

        I have checked all the mac/ip/hostname entries for the client. There is only the STATIC lease and it could not be deleted, if you mean "status -> dhcp leases" in the pfsense menu.

        I find that your client still gets the normal dns server, not the static dns, in your two attachments. Only the client ip address is changed by the dhcp static lease.

        I ran some commands on my client, like "ipconfig /release & ipconfig /renew & ipconfig /all". I found that sometimes it could get the right dns servers and sometimes it could not. Then I tried on the other client. It couldn't get the right dns servers at all.

        My clients can get the right ip address and gateway from the static lease, but can't get the dns server from the static lease, only the normal one.
        I tried to disable the dns forwarder or dns resolver. still not work.

        Any ideas?

        • J
          johnpoz LAYER 8 Global Moderator
          last edited by Nov 6, 2015, 12:37 PM

          "I tried to disable the dns forwarder or dns resolver. still not work."

          So you're just randomly clicking shit hoping to fix your problem - sounds like the plan you're taking… Since those would have NOTHING to do with what dhcp hands your client.

          What I can tell you for a fact is pfsense hands out the correct stuff when it uses the correct lease..  If your client got an old lease - then yeah it could be the old dns servers in that lease..

          Delete the OLD lease...

          As you can see I was pointed to 192.168.9.253 for dns, I then released my lease with /release - I then changed the setting on the server to point to something different for dns.. Now did a renew and there you go new dns server on the client per what I set in dhcp server.

          Simple sniff on pfsense for port 67 and then release / renew will show you client ASKING for lease.. See how it asks for its old IP 192.168.1.100, so if old lease on your server you could get that back..  Make sure there are no old leases on the server for that client..  The server sends it hey here is an OFFER for a lease, notice it has the 1.2.3.4 dns in there..  Client then sends back yeah I will take that with a request, server sends it back with ack saying ok there you go it's now your lease..

          So a simple sniff will show you exactly what is going on vs your random click method on stuff that has nothing to do with dhcp..

          Also it's possible your client is set to get IP from dhcp but not dns??

          dnssettings.png
          discoveroffer.png
          dnsserver.png
          • S
            stbird
            last edited by Nov 6, 2015, 3:24 PM

            I didn't set any dns servers on clients.

            So I sniff the host pfsense and port 67. I find that there is another ack pack with the wrong dns servers 10.209.2.1/2.

            Is this a bug?
            I have updated my pfsense to v2.2.5(amd64). Nothing changed.

            • D
              doktornotor Banned
              last edited by Nov 6, 2015, 3:50 PM Nov 6, 2015, 3:46 PM

              I don't read Japanese. You need to release the old lease. That's all. If you are unable to figure out the MS crap, then simply nuke the leases file on pfSense.

              
              rm -f /var/dhcpd/var/db/dhcpd.leases*
              
              
              • J
                johnpoz LAYER 8 Global Moderator
                last edited by Nov 6, 2015, 3:53 PM

                "I find that there is another ack pack"

                Why don't you post up this sniff so we can see.. Are you saying multiple offers are being sent, or sounds like client asked for its OLD lease that was not deleted off pfsense..  So yeah pfsense will send that..

                I tested this multiple ways when you first posted, and everything is working as it should from my testing.. Yes if the OLD lease is still on the server you could get that sent to you..  Please post up your sniff in pcap form so we can open it in wireshark and look.  So we can help you!!  I am running 2.2.4 and then again tested this with 2.2.5 and as long as there is NO old lease on pfsense, it gets the correct info…

                • S
                  stbird
                  last edited by Nov 7, 2015, 1:57 AM Nov 7, 2015, 1:51 AM

                  I have posted the snap pictures.

                  Here's the sniff packages.
                  http://pan.baidu.com/s/1mgB2JzU

                  I have done the command "rm -f /var/dhcpd/var/db/dhcpd.leases*" in ssh shell and rebooted the pfsense.  Nothing changed. The client still got the wrong dns servers.

                  [2.2.5-RELEASE][root@pfsense]/var/dhcpd/var/db: ls -l
                  total 72
                  -rw-r--r--  1 dhcpd  _dhcp  32860 Nov  7 09:10 dhcpd.leases
                  -rw-r--r--  1 dhcpd  _dhcp  36305 Nov  7 08:38 dhcpd.leases~
                  -rw-r--r--  1 dhcpd  _dhcp      0 Oct 27 05:01 dhcpd6.leases
                  [2.2.5-RELEASE][root@pfsense]/var/dhcpd/var/db: rm -f /var/dhcpd/var/db/dhcpd.leases*
                  [2.2.5-RELEASE][root@pfsense]/var/dhcpd/var/db: ls 
                  dhcpd6.leases
                  [2.2.5-RELEASE][root@pfsense]/var/dhcpd/var/db: reboot
                  *** Welcome to pfSense 2.2.5-RELEASE-pfSense (amd64) on pf ***
                  
                   WAN (wan)       -> em0        -> v4: 218.90.165.218/29
                   LAN (lan)       -> em1        -> v4: 192.168.108.241/24
                   NAT303 (opt1)   -> em2        -> v4: 10.209.3.241/24
                   NAT302 (opt2)   -> em3        -> v4: 10.209.2.241/24
                   0) Logout (SSH only)                  9) pfTop
                   1) Assign Interfaces                 10) Filter Logs
                   2) Set interface(s) IP address       11) Restart webConfigurator
                   3) Reset webConfigurator password    12) pfSense Developer Shell
                   4) Reset to factory defaults         13) Upgrade from console
                   5) Reboot system                     14) Disable Secure Shell (sshd)
                   6) Halt system                       15) Restore recent configuration
                   7) Ping host                         16) Restart PHP-FPM
                   8) Shell
                  
                  Enter an option: 8
                  
                  [2.2.5-RELEASE][root@pfsense]/root: 
                  [2.2.5-RELEASE][root@pfsense]/root: cd /var/dhcpd/var/db/
                  [2.2.5-RELEASE][root@pfsense]/var/dhcpd/var/db: ls -l
                  total 4
                  -rw-r--r--  1 root   _dhcp  1094 Nov  7 09:28 dhcpd.leases
                  -rw-r--r--  1 root   _dhcp     0 Nov  7 09:27 dhcpd.leases~
                  -rw-r--r--  1 dhcpd  _dhcp     0 Oct 27 05:01 dhcpd6.leases
                  

                  If I empty the dns servers 10.209.2.1/2 on pfsense and just leave the static dhcp mapping dns server 10.209.3.241, then my client can get the right dns server 10.209.3.241.

                  Thanks for your help!

                  • J
                    johnpoz LAYER 8 Global Moderator
                    last edited by Nov 7, 2015, 10:41 AM Nov 7, 2015, 10:35 AM

                    Dude I see a release from your client

                    Where is the REQUEST… Do you have a relay in the mix..

                    You would not send ACK without request.. There is no request in that sniff..

                    whererequest.png
                    • S
                      stbird
                      last edited by Nov 7, 2015, 2:48 PM Nov 7, 2015, 1:27 PM

                      I don't have any dhcp relay in my network.

                      I changed the capture filter to "port 67". There is a REQUEST now.

                      http://pan.baidu.com/s/1eQ15ABC


                      In this sniff I found "dhcp inform" from my client. So I googled it and maybe found out why the client always got the wrong dns servers.

                      https://readme.phys.ethz.ch/windows/what_to_do_if_windows_vista_gets_the_wrong_dns_servers_via_dhcpinform_answers/
                      https://lists.isc.org/pipermail/dhcp-users/2013-May/016729.html

                      I have two win7 clients in my test. One of them is 10.209.3.82, which never got the right dns server; another is 10.209.2.87, which sometimes got the right dns server. The difference between them is that 10.209.3.82 is joined to AD and 10.209.3.87 is not.

                      According to https://lists.isc.org/pipermail/dhcp-users/2013-May/016729.html, I cat /var/etc/dhcpd/dhcpd.conf and find "authoritative" in the conf.
                      How can I delete "authoritative" in the conf?

                      I think that maybe I can block "dhcp inform" by firewall, but how?

                      Any help?

                      • J
                        johnpoz LAYER 8 Global Moderator
                        last edited by Nov 7, 2015, 2:22 PM

                        there is nothing wrong with an inform..  Is asking for info..  This is common practice..

                        Can you post up this sniff so I can open it in wireshark.

                        Ok – you're running AD???  Why would you not be using AD dns and dhcp??  Really if you have AD setup, there is really little point to running dhcp and dns services of pfsense.. AD clients should ONLY Point to AD for dns..  And it makes it much easier for AD name resolution when the dhcp server that is in AD is doing the dhcp..

                        While you do have something weird going on.. I have been in IT for 25+ some years and have been working with MS since before it was even a thing.. First windows server we setup was NT3.51 and used to use 3.11 etc.. so been around MS for lot of years and here is the thing.. if you're running AD there is really NO POINT to trying to run dhcp and dns services of pfsense.. There just isn't..  Do yourself a favor and just use your AD setup..

                        • S
                          stbird
                          last edited by Nov 7, 2015, 3:19 PM Nov 7, 2015, 3:16 PM

                          Sorry for the sniff package url. I pasted the wrong url and corrected it now.
                          http://pan.baidu.com/s/1eQ15ABC

                          Yes, I'm running ad. The pfsense is the only dhcp server in ad.

                          Most of ad users visit internet by proxy. The ad dns server can't analyze internet domains.
                          Some users have to visit internet by nat. They need a different dns server. So pfsense is set to another dns server and gateway. I forward the ad domain to the ad dns server. It seems to work well.

                          I'm the IT of the company, but not the ad admin. The ad admin is in the parent company.

                          • J
                            johnpoz LAYER 8 Global Moderator
                            last edited by Nov 7, 2015, 3:44 PM Nov 7, 2015, 3:30 PM

                            "The ad dns server can't analyze internet domains."

                            Well forward that to pfsense dns then… How do your clients find your AD if they are not pointing to AD dns...  If you use a proxy - they don't even do dns..

                            Do yourself a freaking favor and FIX what sounds like a mess...  To be honest I can not think of a reason why you would have to hand out different dns if you're set up correctly..  dhcp and dns from your AD as MS wants it..  Have your MS dns forward to pfsense to look up stuff like www.pfsense.org.  But then again if your clients are using proxy the proxy does the dns..

                            edit.. Well yup the inform is clearly what is getting answered with the wrong stuff via that ack..  The mac is the same.. But you can tell from the transaction id what is the answer to what..  So need to figure out why dhcp is sending your default stuff to the inform request even when mac is listed..  Seems more like a bug with dnsmasq dhcp vs something in pfsense.  But now you have some details to work with in that sniff.

                            But again - all of that is pointless if you would just set up your network in a better fashion..

                            Here is pretty much OLD thread talking about your exact issue
                            http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2011q4/005409.html

                            However, we've noticed some Windows PCs also request DHCP INFORM, and it
                            appears dnsmasq replies to those requests and provides DNS server
                            information - those PCs then start to use the DNS servers supplied by
                            dnsmasq instead of the DNS servers supplied by the primary DHCP server.

                            • S
                              stbird
                              last edited by Nov 8, 2015, 4:27 AM

                              I'm running ad and the dc is not under my control, same as the dns (10.209.2.1/2). I have had pfsense 2.0 for a while.  Just forward my ad domain to the ad dns server.  It has worked well for years.

                              Most of ad users use the normal dhcp settings. They visit internet by proxy. Their dns is 10.209.2.1/2 which can't analyze internet domains like www.pfsense.org.
                              Some ad users have to visit internet by nat. So they need another dns server which can analyze domains like www.pfsense.org.

                              "However, we've noticed some Windows PCs also request DHCP INFORM, and it
                              appears dnsmasq replies to those requests and provides DNS server
                              information"

                              Dnsmasq replies to dhcp requests? I don't think so. I have disabled the dns forwarder and dns resolver. Still got the normal dns servers.
                              If I emptied the normal dns server in dhcp setting then the client got the right dns server.
                              I think the dhcp server replies to the "dns inform", not dnsmasq.

                              I commented out this line $dhcpdconf .= "authoritative;\n" in /etc/inc/services.inc. It's working now.

                              Thanks johnpoz for your patience and sorry for my english.

                              • J
                                johnpoz LAYER 8 Global Moderator
                                last edited by Nov 9, 2015, 6:25 AM Nov 9, 2015, 6:13 AM

                                You're right, pfsense runs isc dhcpd not dnsmasq dhcp server, my bad, but it's the same problem - your problem is still that your dhcpinform is getting your configured default setting vs what you set up via a static, this is by dhcp design it seems, not a pfsense issue.

                                Here this is your exact problem..  When windows clients send out the dhcpinform they get the standard dns vs what was setup in reservation.

                                https://readme.phys.ethz.ch/windows/what_to_do_if_windows_vista_gets_the_wrong_dns_servers_via_dhcpinform_answers/
                                According to the most current DHCP standard, DHCP servers are not allowed to look up any lease data about the requesting MAC address if they answer to a DHCPINFORM packet. In ISC's interpretation of this rule this even includes group membership which belongs to the configured static (and not dynamic) lease data.

                                Setting to non authoritative it now just doesn't answer dhcpinform requests I would take it, so no you don't get any dhcpinform info for anything..  Problem is mostly related to windows asking for wpad.. This sends out a dhcp inform..


                                1 Reply Last reply Reply Quote 0
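
The transaction-id matching used in this thread to tell which ACK answers the REQUEST and which answers the DHCPINFORM, as an added Python example that is not from any poster: it parses DHCP payloads, pairs each ACK with the client message sharing its xid, and reports clients whose INFORM reply carries different DNS servers than their lease. The packets are constructed (made-up MAC, DNS addresses as mentioned in the thread) and the function names are illustrative.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that precedes the options
TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 7: "RELEASE", 8: "INFORM"}

def parse_dhcp(payload):
    """Return xid, client MAC, message type and DNS servers of one UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    xid = struct.unpack("!I", payload[4:8])[0]
    mac = payload[28:34].hex(":")
    msg_type, dns, i = None, [], 240
    while i + 1 < len(payload) and payload[i] != 255:  # 255 = end option
        if payload[i] == 0:                            # 0 = pad, no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53 and length == 1:                 # option 53 = message type
            msg_type = TYPES.get(value[0], str(value[0]))
        elif code == 6:                                # option 6 = DNS servers
            dns = [socket.inet_ntoa(value[j:j + 4]) for j in range(0, len(value) - 3, 4)]
        i += 2 + length
    return {"xid": xid, "mac": mac, "type": msg_type, "dns": dns}

def acks_by_trigger(payloads):
    """Pair every ACK with the client message that shares its transaction id."""
    asked, result = {}, []
    for msg in map(parse_dhcp, payloads):
        if msg["type"] in ("REQUEST", "INFORM"):
            asked[msg["xid"]] = msg["type"]
        elif msg["type"] == "ACK":
            result.append((asked.get(msg["xid"], "UNKNOWN"), msg["mac"], msg["dns"]))
    return result

def inform_mismatches(payloads):
    """MACs whose ACK to an INFORM carries other DNS servers than their lease ACK."""
    lease, flagged = {}, []
    for trigger, mac, dns in acks_by_trigger(payloads):
        if trigger == "REQUEST":
            lease[mac] = dns
        elif trigger == "INFORM" and mac in lease and dns != lease[mac]:
            flagged.append(mac)
    return flagged

def build(op, xid, msg_type, dns=(), mac="00:11:22:33:44:55"):
    """Assemble a minimal DHCP payload for the constructed sample (made-up MAC)."""
    head = struct.pack("!BBBBI", op, 1, 6, 0, xid) + bytes(20)
    head += bytes.fromhex(mac.replace(":", "")) + bytes(10 + 64 + 128)
    opts = bytes([53, 1, msg_type])
    if dns:
        opts += bytes([6, 4 * len(dns)]) + b"".join(socket.inet_aton(d) for d in dns)
    return head + MAGIC + opts + b"\xff"

SAMPLE = [  # constructed capture: a renew, then a DHCPINFORM from the same client
    build(1, 0x1111, 3),                                # REQUEST
    build(2, 0x1111, 5, ["10.209.3.241"]),              # ACK with the static-mapping DNS
    build(1, 0x2222, 8),                                # INFORM
    build(2, 0x2222, 5, ["10.209.2.1", "10.209.2.2"]),  # ACK with the subnet default DNS
]

if __name__ == "__main__":
    print(acks_by_trigger(SAMPLE), inform_mismatches(SAMPLE))
```

On a real capture, pass the UDP payloads of the port 67 packets in capture order.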
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.