Problem with DNS forwarding
  • Hello all,

    I'm using pfSense version 2.1.5.
    I'm having an issue with internal DNS resolving, but am not 100% sure the culprit is pfSense.
    Maybe my understanding of the DNS resolution in my setup is not entirely correct.

    Here is how everything is set up:
    1. pfSense DNS forwarder is enabled, with "host overrides" entries for domain mydom.com, for example, sens.mydom.com, which has internal IP 10.40.0.76.
    sens.mydom.com also has a public IP configured on public DNS servers.
    2. I have 2 Mac OS X "Servers" acting as internal DNS servers. All internal machines use the 2 Mac OS X servers as primary and secondary DNS servers. Both these internal DNS servers use the IP address of the pfSense box as forwarding server.
    3. There is no mydom.com zone configured on the internal Mac OS X DNS servers. I have manually added entries in the "host overrides" section of the DNS Resolver in pfSense for a few mydom.com hosts, for example, sens.mydom.com.

    The problem is that when I try to resolve sens.mydom.com from my LAN computer, it gives me the public IP address.
    I thought that the DNS resolution would happen as follows:
    a. my computer would try to get the IP address from the local DNS servers
    b. the zone being nonexistent there, the local DNS servers ask the forwarding server, which is pfSense
    c. pfSense has the entry already configured manually and therefore replies to the requester with the internal IP 10.40.0.76.
    d. The problem is that the above steps do not seem to work as I expect. Instead, I am getting the public IP!

    Any help is appreciated.

    Thank you.


  • Rebel Alliance Global Moderator

    So when you query pfSense directly for the host override you created, do you get the correct response or not?

    Use nslookup, dig, host or whatever your favourite DNS query tool is on the OS you're using.



  • Hello John,

    Thank you for replying.
    Yes, when I query pfSense directly from my LAN computer, I get the correct IP address.

    Please find below the result of the queries:

    mymac:~ user$ nslookup

    sens.mydom.com
    Server: 10.40.0.34
    Address: 10.40.0.34#53

    Non-authoritative answer:
    Name: sens.mydom.com
    Address: A.B.C.D => PUBLIC IP ADDRESS

    server 10.40.0.1 => LAN IP ADDRESS OF pfSense
    Default server: 10.40.0.1
    Address: 10.40.0.1#53

    sens.mydom.com
    Server: 10.40.0.1
    Address: 10.40.0.1#53

    Name: sens.mydom.com
    Address: 10.40.0.76 => CORRECT INTERNAL IP ADDRESS



  • You have to use the DNS forwarder as your DNS server if you want to get its overrides.



  • Do you mean that all LAN machines should use the IP address of the LAN interface of pfSense as their DNS server?

    Thank you



  • Why not set your host overrides/split DNS on your Mac DNS servers instead?



    Actually, that was my last resort, as there will be about 80 DNS records to create manually on the OS X servers, well, on the primary DNS server.

    I think that's what I'll be doing anyway.

    However, for the sake of my understanding, could anyone explain to me why pfSense was not resolving the FQDN to the internal IP?

    Thank you


  • Rebel Alliance Global Moderator

    "why pfSense was not resolving the FQDN to the internal IP?"

    sure looks like it was to me

    sens.mydom.com
    Server:      10.40.0.1
    Address:  10.40.0.1#53

    Name:  sens.mydom.com
    Address: 10.40.0.76 => CORRECT INTERNAL IP ADDRESS



  • Actually I meant why pfSense was not resolving the FQDN to the internal IP, when the local machines use the Mac OS X servers as DNS servers, the latter pointing to pfSense as forwarding server.



  • @netsysadmin:

    Actually I meant why pfSense was not resolving the FQDN to the internal IP, when the local machines use the Mac OS X servers as DNS servers, the latter pointing to pfSense as forwarding server.

    Your shown nslookup results prove the OS X servers aren't actually using the forwarder to provide their answers.



  • Your shown nslookup results prove the OS X servers aren't actually using the forwarder to provide their answers.

    Yes I agree, but did not understand why.

    What I understood is that, if I want to use pfSense's "host overrides", all LAN machines should use pfSense as their DNS server.
    Using another internal DNS server, even if it is configured to use pfSense as a forwarding server, will not correctly resolve the entries in pfSense's "host overrides".

    Did I understand correctly?

    Thank you.


  • Rebel Alliance Global Moderator

    "all LAN machines should use pfSense as their DNS server."

    Huh???

    If your internal DNS forwards to pfSense, then any overrides in pfSense would resolve to what you have the host override set to.

    See, I created a host override and set up my Windows DNS to forward to pfSense. It resolves the host override I put in pfSense.




  • Since you have a local DNS server, you can add an A record on your DNS server with the local IP address. I have done this for a web server, so that when you access the server by its outside registered DNS name from outside, the name resolves to the outside IP address, and if you are local, the local DNS server resolves the web server name to a local IP address.

    Chaining DNS servers should work the same way as long as you are local, since private IP addresses are not allowed on the internet.