Netgate Discussion Forum

DNS queries | resolver, host overrides, dhcp & external dns

Category: DHCP and DNS
6 Posts, 2 Posters, 1.3k Views
mfr (last edited Nov 24, 2015, 7:08 PM)

Hi
My DNS resolution is not working correctly, as it seems. What could be the problem? I have already tried different scenarios, but can't get it to work.

I have set up pfSense with a site-to-site VPN. I'm trying to get the name resolution of Site1 to work.
In Site1 I'm using:

• the resolver

• host overrides in the resolver to resolve some hostnames with static IPs

• in System / General Setup I have 2 WAN DNS hosts of my ISP

• if I connect a client with DHCP, it gets the IP of pfSense as DNS and no other DNS servers

• DNS lookups from the client for hostnames in host overrides are working

But DNS lookups to external hosts are not working until I enter the DNS servers under Services / DHCP Server / DNS servers.
But if I do that, the DNS lookups from the client for hostnames in host overrides go to the ISP DNS servers.

How can I resolve the internal hostnames AND the external ones?
What could be the problem?

Derelict, LAYER 8, Netgate (last edited Nov 24, 2015, 7:12 PM)

Your resolver isn't set up right. Post the settings for the resolver and make sure pfSense itself can make queries to outside addresses.

What does this show:

Diagnostics > Command prompt

Command: drill @8.8.8.8 www.google.com    Execute

Leave your DHCP server giving pfSense as the DNS server to inside hosts and fix your resolver.

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)

mfr (last edited Nov 24, 2015, 10:04 PM)

pfSense shell (before and after removing the ISP DNS from Services / DHCP DNS Servers):

# drill @8.8.8.8 www.google.com Execute
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 1084
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; Execute.     IN      A

;; ANSWER SECTION:

;; AUTHORITY SECTION:
.       1091    IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2015112401 1800 900 604800 86400

;; ADDITIONAL SECTION:

;; Query time: 8 msec
;; SERVER: 8.8.8.8
;; WHEN: Tue Nov 24 23:01:31 2015
;; MSG SIZE  rcvd: 100
#


After removing the ISP DNS from Services / DHCP DNS Servers:

nslookup 8.8.8.8

returns "Server failed" (Win10)

Attachments: 24.11.png, 24.111.png

Derelict, LAYER 8, Netgate (last edited Nov 24, 2015, 11:45 PM)

The Execute was for the GUI.

Run this: drill @8.8.8.8 www.google.com

mfr (last edited Nov 25, 2015, 5:46 AM)

            Oh, thanks

            
# drill @8.8.8.8 www.google.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 17594
;; flags: qr rd ra ; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; www.google.com.      IN      A

;; ANSWER SECTION:
www.google.com. 18      IN      A       173.194.116.48
www.google.com. 18      IN      A       173.194.116.51
www.google.com. 18      IN      A       173.194.116.52
www.google.com. 18      IN      A       173.194.116.50
www.google.com. 18      IN      A       173.194.116.49

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 7 msec
;; SERVER: 8.8.8.8
;; WHEN: Wed Nov 25 06:46:58 2015
;; MSG SIZE  rcvd: 112

Derelict, LAYER 8, Netgate (last edited Nov 25, 2015, 6:09 AM)
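The check Derelict asked for, as an added example that is not part of the thread or of pfSense: a small POSIX shell helper that reduces a drill(1) reply to the three things that decide the question (the rcode, the name that was actually queried, and the answer count) and turns them into a verdict. It would have flagged the first reply above immediately, because the queried name was "Execute." rather than www.google.com. The function names are this example's own, and the two sample replies are constructed copies trimmed from the outputs posted in this thread; the wrapper assumes drill is on the PATH, as it is in the pfSense shell.

```shell
#!/bin/sh
# Added example (not from the thread): summarise a drill(1) reply so that the
# rcode, the queried name and the answer count stand out, then judge it.
# drill_summary, classify and check_resolver are names made up for this example.

# Read one drill reply on stdin; print "<rcode> <queried name> <answer count>".
drill_summary() {
    awk '
        /rcode:/  { for (i = 1; i <= NF; i++) if ($i == "rcode:")  { rcode = $(i+1); sub(/,$/, "", rcode) } }
        /ANSWER:/ { for (i = 1; i <= NF; i++) if ($i == "ANSWER:") { ans   = $(i+1); sub(/,$/, "", ans) } }
        /QUESTION SECTION/ { inq = 1; next }      # the next ";; " line is the question
        inq && /^;; /      { qname = $2; inq = 0 }
        END { print rcode, qname, ans }
    '
}

# classify <expected name> <rcode> <queried name> <answer count>
# Prints a one-word verdict; returns 1 unless the reply proves resolution works.
classify() {
    expected=$1 rcode=$2 qname=$3 ans=$4
    case $qname in
        "$expected" | "$expected.") ;;
        *) echo "wrong-name:$qname"; return 1 ;;   # command-line slip, as with "Execute" above
    esac
    [ "$rcode" = NOERROR ] || { echo "rcode:$rcode"; return 1; }
    [ "${ans:-0}" -gt 0 ]  || { echo "no-answer"; return 1; }
    echo "ok:$ans"
}

# check_resolver <server> <name>: query one server with drill and classify.
# From the pfSense shell, run it against the upstream (proves WAN egress) and
# against 127.0.0.1 (proves Unbound); from a LAN client run it against the LAN
# address (proves the firewall rules and the DHCP DNS-server setting).
check_resolver() {
    set -- "$2" $(drill @"$1" "$2" | drill_summary)
    classify "$@"
}

# Constructed samples, trimmed from the two replies posted in this thread.
SAMPLE_NXDOMAIN=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 1084
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; Execute.     IN      A
EOF
)
SAMPLE_OK=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 17594
;; flags: qr rd ra ; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; www.google.com.      IN      A
EOF
)

# demo: judge both samples against the name the poster meant to query.
demo() {
    printf '%s\n' "$SAMPLE_NXDOMAIN" | drill_summary | { read -r r q a; classify www.google.com "$r" "$q" "$a"; }
    printf '%s\n' "$SAMPLE_OK"       | drill_summary | { read -r r q a; classify www.google.com "$r" "$q" "$a"; }
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run the file with the argument demo to see the two verdicts (wrong-name:Execute. and ok:5); on a live box, check_resolver 8.8.8.8 www.google.com and check_resolver 127.0.0.1 www.google.com tell WAN problems apart from resolver problems, which is exactly the split the thread is trying to make.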

Do your firewall rules prevent LAN hosts from querying the LAN address for DNS?

This just works out-of-the-box. Have to figure out what, specifically, you've done to make it not work.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.