DNS Routing Randomness



  • In truth, I haven't been able to figure out whether or not this is a routing or DNS issue, so I'm hoping to get some ideas from the community at large here…

    I have noticed this issue twice

    • Domains with no A record get automatically assigned my routers IP (eg: www.pushover.com [was trying to get to pushover.net] redirects me to my admin interface)

    • For some unknown reason, using a mail client to talk to my exchange server (via HTTPS, remote) I get my routers configurator cert returned

    For the first bullet, I've checked for some kind of wildcard entry and can't seem to find one… I'm not using the forwarder, I'm using the resolver, though it happens regardless of which I use (have tried both independently)
    For the second bullet, I looked at a pcap during the setup phase of my accounts, and I see DNS queries being made and correct responses coming back, and still I get my configurator cert presented

    My suspicion that if I figure out and resolve one of the two symptoms, I'll resolve the other.

    Any thoughts or insights would be appreciated.



  • As an update, I figured I'd post a screen shot of what I'm seeing.

    What's more perplexing to me are the following two symptoms

    • When I use dig to query for entries on a domain that I know has no A records, I get responses that I'd expect

    • When I go to a domain in a browser that has no A record, I'm forwarded to my configurator page

    Am I stroking out here, or is this actually as confusing as I'm making it?



  • LAYER 8 Global Moderator

    you using a proxy?  You doing any sort of forward on ports..

    Your browser should tell you it can not FIND that server - see example..  If your hitting your pfsense, then you have a forward or using a proxy?  Something in your browser or host pointing that name to your IP..




  • Oh I know what I should be seeing, and the results I get occur from several different boxes on the network, so the issue isn't with a single host.

    That said, I have port forwards, yes. I have an XBox One so I have all of that douchery enabled, and I also have a couple random forwards for things like SSH on varying hosts.

    I don't utilize a proxy.

    Could the forwards be screwing with my DNS resolutions? That doesn't make sense to me though..


  • LAYER 8 Global Moderator

    Again what does this have to do with dns resolution?? Clearly when you query for it you get SOA..  with NX… This is your browser doing something..  Your browser should show exactly what mine shows - can not get to server..  so your browser is trying to do something other than simple dns resolution..

    Clear your you local dns cache, clear your browser cache, then go there again... Then look in your cache.. That has NOTHING to do with pfsense..



  • @johnpoz:

    Again what does this have to do with dns resolution?? Clearly when you query for it you get SOA..  with NX… This is your browser doing something..  Your browser should show exactly what mine shows - can not get to server..  so your browser is trying to do something other than simple dns resolution..

    Clear your you local dns cache, clear your browser cache, then go there again... Then look in your cache.. That has NOTHING to do with pfsense..

    I'm following what you're saying now - I think I misread what you'd originally posted.

    That said, the reason that I posted here initially is due to multiple hosts, none of them related, using different browsers and mail clients, all showing identical symptoms (webconfigurator cert being served while attempting any kind of HTTPS, HTTP->HTTPS redirection to webconfigurator for domains that have no A record). Which is where my confusion stemmed from.

    I'm going to root around in my browsers and see if there's any weirdness set.


  • LAYER 8 Global Moderator

    You have shown that pfsense hands back SOA and NX…  Therefore your client got no IP to try and go to, be it pfsense or elsewhere..  So how could it possible end up anywhere?  Your browser should show you CAN not connect to server, because it never got an IP to go too from pfsense.

    What I would do is sniff the traffic and see where in the world your browser is doing a query for that it would ever get an IP to try and connect to that could get redirect to your webgui page..


Log in to reply