Netgate Discussion Forum
PfSense cannot resolve hostnames in local network

DHCP and DNS
18 Posts 3 Posters 24.0k Views
    fraglord
    last edited by Dec 5, 2015, 4:11 PM

    Hi guys,
    I have a Windows 2012 server with AD running in my network that does (among some other things) provide DHCP and DNS service. All clients receive the IP of this server as their (only) DNS server. On the DNS server I have configured requests that cannot be resolved to be forwarded to my pfSense machine that is running DNS resolvers. So far so good. This setup works well except one thing: pfsense cannot resolve the hostnames of my LAN clients. How can I achieve this with the setup I am running?

    pfSense 2.4.0 (amd64) running on IGEL H710C | 1G RAM | 8G SSD | INTEL PRO/1000 PT Dual NIC

      doktornotor Banned
      last edited by Dec 5, 2015, 4:33 PM

      Use the domain overrides (for local reverse zones as well). If you have more AD DCs, you can add the same override multiple times, pointing to different DNS servers.

        johnpoz LAYER 8 Global Moderator
        last edited by Dec 5, 2015, 4:34 PM

        And what dns is pfsense using?? How exactly is pfsense to resolve your local hosts via your local dns if it's pointing to google for example or your isp.

        Have it point to itself or, be it you're using forwarder or resolver, set up a domain override for whatever domain you're running locally, so that pfsense knows where the nameserver(s) for your local domain are and can query it when it wants to find host.yourlocaldomain.tld

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          fraglord
          last edited by Dec 5, 2015, 10:46 PM

          My initial idea was to have the pfsense box also receive the IP configuration via DHCP as the other clients do. So I thought it would be aware of the DNS and the domain name (both via DHCP options). And since localhost is the first DNS in the list…. but that didn't work. So I set up two entries (forward and reverse lookup) in the domain overrides section. Just had to allow LAN in the outgoing network interfaces of DNS resolver as well. Works great, thank you very much! :D
          Well now I need to find out why for some clients there is no corresponding entry in the reverse lookup zone although they appear in the forward lookup zone.

            johnpoz LAYER 8 Global Moderator
            last edited by Dec 6, 2015, 2:52 AM

            well that would be an issue with your AD dns and nothing to do with pfsense.

              fraglord
              last edited by Dec 10, 2015, 1:40 PM

              After having the domain overrides set up and running it for a few days I have to say it is not resolving (forward and reverse) reliably.
              I made sure the entries in the forward and reverse lookup zone of my AD DNS are correct and match with the DHCP. Pointers in the reverse lookup zone are also updated correctly. My windows clients have no problem to do forward and reverse lookup as well.
              But doing a DNS lookup (forward and reverse) in pfsense often gives no result, or only after I repeat the lookup multiple times.
              So I think the "problem" is related to some settings in DNS resolver. As mentioned before I set up two domain overrides (example.local / 192.168.0.10 and 0.168.192.in-addr.arpa / 192.168.0.10). DNSSEC support is disabled for testing. Forwarding mode is enabled. Under "network interfaces" only localhost and LAN are selected. As "outgoing network interfaces" I have selected my WAN connections and LAN. Advanced settings are untouched (default). Any clue?

                johnpoz LAYER 8 Global Moderator
                last edited by Dec 10, 2015, 4:55 PM

                "Forwarding mode is enabled. Under "network interfaces""

                What is the freaking point of using the resolver if you're just going to have it forward?

                What do you have pfsense pointing to for dns??  Itself?

                  fraglord
                  last edited by Dec 11, 2015, 2:09 AM

                  According to the official unbound documentation forwarding mode must be enabled for multi-WAN configurations, which is the case for me.
                  I only use unbound for the reason to be able to take advantage of pfblockerng and its DNSBL feature.
                  First DNS server for pfsense is localhost followed by some others I have set up under system -> general setup.
                  But I guess all that is not related to DNS lookup problems with my LAN hosts.

                    johnpoz LAYER 8 Global Moderator
                    last edited by Dec 11, 2015, 12:42 PM

                    "enabled for multi-WAN configurations"

                    That makes no sense at all… I will have to look into who put that info in the wiki..  It makes NO sense that would be a requirement..

                    Well what you tell pfsense to use is directly related to looking up your lan hosts, since your lan clients point to your AD dns directly anyway.. So you just want pfsense to use your AD dns as well when you lookup a host name or a ptr on pfsense.

                    So I created a zone on my 2k8r2 box called example.com, with a reverse for 1.2.3, created a host.example.com with 1.2.3.4 as its IP and it created the reverse record in the reverse zone... I then enabled unbound to use my lan interface, since normally it's just using wan for queries. I then created the overrides.. As you can see if I query the local dns, it is working... And then also if I have pfsense look it up it works as well both in the gui and from cmd line... But if you have pfsense forward somewhere, and that somewhere doesn't know about your local zones... Then how would it ever look them up?

                    [attachment: unbounddomainoverride.png]

                      fraglord
                      last edited by Dec 12, 2015, 1:47 AM Dec 12, 2015, 1:18 AM

                      Thanks for your detailed answer. That is also the way I have set it up. But the good news is that it "seems" to work now. The only thing I did - because i forgot to do earlier - was signing the forward and reverse lookup zones on my AD DNS. Not sure if it's related tho.
                      From the webui reverse lookups are working flawlessly but forward lookups do not work! If I log in to the console and ping a host by the hostname or FQDN it resolves properly, or if I simply resolve with the host command. Reverse and forward lookups from console are reliable!
                      Also I noticed the domain overrides do not seem to be applied when I use the DNS Lookup via the webui. It still shows me the query times from the servers set under system -> general setup. How come DNS Lookup still queries the "wrong" DNS servers (except localhost) and ignores my domain override in unbound?!
                      BTW: forwarding mode enabled or not does not change anything.

                        johnpoz LAYER 8 Global Moderator
                        last edited by Dec 12, 2015, 10:43 AM

                        Forwarding mode would change a lot… When Not in forward mode there is NO way dns could ask the wrong server... Since the "resolver" would query roots and work its way down to owning ns for the domain trying to query.

                        What exactly is not working in webui ??  Where does it show it asked, only 127.0.0.1 that is set to resolver mode..  Or does it list asking other servers?

                        If not working why don't you just sniff and validate where it sent a query to, and why there's no answer if your AD got asked..

                          doktornotor Banned
                          last edited by Dec 12, 2015, 10:54 AM

                          @fraglord:

                          It still shows me the query times from the servers set under system -> general setup.

                          You should have no servers set up there.

                            johnpoz LAYER 8 Global Moderator
                            last edited by Dec 12, 2015, 11:16 AM Dec 12, 2015, 11:05 AM

                            When using the resolver as actual resolver.. You have no need to put anything there.

                            If they are going to allow forwarder mode in the resolver, then they really should allow the user, in the resolver section, either with a text box or using the advanced box, to set where it is forwarded, vs using the stuff from the general settings which is how it's done I think??

                            Not 100% sure why anyone would use forwarder mode ;)

                            You can just check with unbound on what ns it would use to lookup something…

                            [2.2.5-RELEASE][root@pfSense.local.lan]/root: unbound-control -c /var/unbound/unbound.conf lookup 4.3.2.1.in-addr.arpa
                            The following name servers are used for lookup of 4.3.2.1.in-addr.arpa.
                            The noprime stub servers are used:
                            Delegation with 0 names, of which 0 can be examined to query further addresses.
                            It provides 1 IP addresses.
                            192.168.9.19            not in infra cache.
                            [2.2.5-RELEASE][root@pfSense.local.lan]/root: unbound-control -c /var/unbound/unbound.conf lookup www.example.com
                            The following name servers are used for lookup of www.example.com.
                            The noprime stub servers are used:
                            Delegation with 0 names, of which 0 can be examined to query further addresses.
                            It provides 1 IP addresses.
                            192.168.9.19            not in infra cache.

                            [attachment: dnsservers.png]

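As an added illustration (not code from the thread, from pfSense or from unbound), the Python below models the two points made above: what the domain overrides (example.local and 0.168.192.in-addr.arpa, both to 192.168.0.10) become as unbound stub zones that unbound-control lookup then reports as the "noprime stub servers", and why the webui DNS Lookup page, which the thread says asks every System > General Setup server separately, cannot get an answer for an overridden zone from any server other than 127.0.0.1. The zone names and the AD address are the thread's own; the 8.8.8.8 entry, the behaviour of the DNS Lookup page and the /8, /16, /24 reverse-zone derivation are assumptions of the example.

```python
import ipaddress

# Constructed sample mirroring the thread: the AD DNS at 192.168.0.10 is
# authoritative for example.local and for the 192.168.0.0/24 reverse zone.
AD_DNS = "192.168.0.10"
FORWARD_OVERRIDES = {"example.local": AD_DNS}
LOCAL_NETS = {"192.168.0.0/24": AD_DNS}

def reverse_zone(cidr):
    """in-addr.arpa zone name for an octet-aligned IPv4 prefix (/8, /16 or /24)."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("only /8, /16 or /24 IPv4 prefixes map to one reverse zone")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def override_table(forward, nets):
    """Forward overrides plus the reverse override derived from each local subnet."""
    table = {zone.lower().rstrip("."): server for zone, server in forward.items()}
    for cidr, server in nets.items():
        table[reverse_zone(cidr)] = server
    return table

def stub_zone_config(table):
    """unbound stub-zone stanzas, which is what a pfSense domain override becomes
    (the 'noprime stub servers' that unbound-control lookup reports). Stock unbound
    serves RFC 1918 reverse zones itself, so a hand-written config also needs
    'local-zone: "168.192.in-addr.arpa." nodefault' before the stub is consulted."""
    out = []
    for zone, server in sorted(table.items()):
        out += ["stub-zone:", f'    name: "{zone}."', f"    stub-addr: {server}"]
    return "\n".join(out) + "\n"

def server_for(qname, table):
    """Stub server unbound would ask for qname: the longest override zone that is a
    suffix of the name wins; None means no override applies and unbound walks down
    from the root servers instead."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        if zone in table:
            return table[zone]
    return None

def dns_lookup_page(qname, general_setup_servers, table):
    """Assumed model of the webui DNS Lookup page as the thread describes it: each
    System > General Setup server is asked separately, and only 127.0.0.1 (unbound)
    applies the overrides, so other servers can answer only non-overridden names."""
    needs_override = server_for(qname, table) is not None
    return {s: s == "127.0.0.1" or not needs_override for s in general_setup_servers}

TABLE = override_table(FORWARD_OVERRIDES, LOCAL_NETS)
PTR_NAME = ipaddress.ip_address(AD_DNS).reverse_pointer  # 10.0.168.192.in-addr.arpa
```

Running dns_lookup_page("host.example.local", ["127.0.0.1", "8.8.8.8"], TABLE) shows only the loopback entry able to answer, which is the case doktornotor's "no servers there" advice removes.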
                              fraglord
                              last edited by Dec 12, 2015, 5:44 PM

                              Well I let you know why I use forwarding mode in the other thread already  ;)

                              As you instructed on console I checked forward and reverse lookup with unbound-control and it is working reliably. And there is, just like it's supposed to be, only the IP of my AD DNS :D
                              Also darkstat is able to properly display the hostnames via reverse lookup.

                              The DNS lookup via webui is still not working properly. Reverse lookups are working but forward lookups fail or only show a result if I push the DNS lookup button multiple times in a row; sometimes just not at all. And like I told you already, I still don't get why all the DNS servers set under system -> general setup are queried ALTHOUGH proper domain overrides (forward & reverse) are set up?!

                                johnpoz LAYER 8 Global Moderator
                                last edited by Dec 13, 2015, 3:53 PM

                                so unbound knows that it's supposed to ask your server… But is pfsense set to only ask unbound? That is the problem with forwarding..

                                  fraglord
                                  last edited by Dec 13, 2015, 7:47 PM

                                  What do you mean by that? dnsmasq is disabled of course.
                                  I don't see why this behaviour is related to forwarding mode. If there is a domain override set, I expect it to override whatever the settings are and query the server specified for this domain override. Or am I wrong?
                                  Even more surprising is the fact that unbound actually does query the server with respect to the domain override but the DNS lookup from the webinterface does not.

                                    johnpoz LAYER 8 Global Moderator
                                    last edited by Dec 13, 2015, 10:32 PM

                                    Dude what part do you not understand if you have pfsense set to ask other servers??? What do you have in the general setup? It's fine if it asks your server for your local stuff, but if pfsense happens to ask say googledns then NO it's not going to get an answer..

                                    What does your output of the webgui look like? IF it's not doing a query to loopback (unbound) that will then ask your AD, then no it would never find your stuff..

                                      fraglord
                                      last edited by Dec 25, 2015, 5:09 PM

                                      Today I upgraded to pfsense version 2.2.6 and noticed something very odd. With "unbound-control -c /var/unbound/unbound.conf lookup" I am not able to look up (forward and reverse) any local hostnames / IP addresses anymore:

                                      no delegation from cache; goes to configured roots

                                      Lookups for local hostnames via the webui still do not work and seem to ignore the domain overrides I have set. :P
