DNS not getting translated into IP, using pfSense

[screenshot: Screenshot 2023-04-12 112525]

We do use Microsoft AD, but that's on another server.
But that shouldn't have anything to do with this server/app, am I correct?

Sorry for not replying sooner directly.
Hopefully you managed to follow through

If you say “from any other IP”, do you mean from any other client in your local network…?

Not likely, but the AD controller most likely has something to do with DNS… I'm not a Windows AD expert. But if the Windows domain controller also handles DNS, which is usually the case, the issue could also originate from there somehow. Is 192.168.0.3 the IP of the pfSense box or the IP of the Windows domain controller?

@slo.bo.dan
I've overridden my internal domains, e.g. your-domain.local, and redirected them to my internal DNS server to resolve the name to IP. All other domains are forwarded to my perimeter firewall, which resolves the public FQDNs to IP.
[screenshot: lts-overwrite]

I switched from DNS Resolver to Forwarder recently, because the DNS Resolver (Unbound) was mostly querying DNS servers in the APAC region, and I am 12 flying hours away from there. :laughing:
In both DNS configurations, you must enter your domains and specify the internal DNS server responsible for them. Then your names should be resolved to IP internally.

Good Luck
Andy

  1. If we make a hotspot with any random mobile phone, hook up any random Wi-Fi laptop to it, and type the DNS name into a browser, it goes through to a locally hosted web app server and works perfectly.

It just doesn't want to open (the locally hosted web app) when we hook up a random laptop to our local network. (But it works just fine when accessing it externally…)

  1. The pfSense box is on a different local IP.

P.S. I have a current limit of about 20 posts per day at the moment, so I had to wait a day.

  1. It recognizes DNS from outside our network properly.
    1.1. (i.e. we make a hotspot on a mobile, hook up a laptop, type the DNS name into a browser, and everything works perfectly, because we are accessing it from an external network)

  2. But internally it gets stuck within our network and doesn't resolve DNS correctly. Or maybe DNS is just a symptom, and not a cause?
    2.1. (hook up to the local network, type the DNS name into a browser: it displays "This site can't be reached" plus a timeout message, and doesn't work
    2.2. hook up to the local network, type the internal IP into a browser: it displays the default documentation page of the server it's hosted on, and doesn't work,
    2.3. different attempt: hook up to the local network, type the internal IP into a browser + add "/" + add the student portal DNS address part: now it works, but just for the student portal…)

Basically it sums up to:
the professors can't access their stuff from inside the school… But students at least can.
And everything works for everyone when outside of the school LAN.

The DNS resolution from external has nothing to do with your local DNS infrastructure, because it takes place on external DNS servers and resolves correctly to the external IP of your Internet connection. The problem is with your local DNS infrastructure, where the computers on the local network seem to ignore the DNS host overrides on your pfSense. Either because they don’t use pfSense as their primary DNS server, or because the DNS host overrides don’t work for reasons unknown.

On a different IP than what? Different than 192.168.0.3, which according to this post is the IP of the DNS server your computers are getting the results for their DNS queries from? If that's the case, they don't use pfSense as their DNS server, which would explain why the DNS overrides are being ignored.

In order to work around this problem, I see three options:

  1. Clients must use pfSense directly as their DNS server, instead of the DNS server they are using now.

  2. The DNS server used by the clients must use pfSense as its upstream DNS server.

  3. The host override configuration has to be done on the other DNS server, instead of in pfSense.

I believe you are correct my friend!
[screenshot: Screenshot 2023-04-13 115542]

So basically it's ignoring our internal DNS setup.
But the DNS results we get externally from Cloudflare are correct.

Yes it obviously “ignores” it, but technically it can’t ignore anything it doesn’t see, if, for example, it doesn’t use the pfSense box as its DNS server at all…

So is the IP address that your clients are using as their DNS server, the one you posted here, the IP of your pfSense box, or not?
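The question above (which DNS server the clients actually ask, and whether that server ever sees the pfSense host overrides) can be settled from any domain-joined workstation in a minute. The following is an added example and not part of the original thread; it uses the built-in DnsClient cmdlets. The portal name, the pfSense LAN address and the Cloudflare resolver are assumed placeholders; 192.168.0.3 is the address the thread mentions as the clients' DNS server.

```powershell
# Added example (not from the thread): find out which DNS server this client
# really sends queries to, and what each candidate server answers for the
# portal name. Replace the assumed values with your own.
$PortalName = 'portal.example.edu'   # hypothetical: the FQDN that fails on the LAN
$PfSenseIp  = '192.168.0.1'          # hypothetical: pfSense LAN address
$AdDnsIp    = '192.168.0.3'          # address the thread names as the clients' DNS server
$PublicDns  = '1.1.1.1'              # Cloudflare, which the poster says works from outside

# 1. Which servers does this client send queries to? (DHCP option 6 or a static setting)
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses

# 2. Ask each server directly. -DnsOnly bypasses the hosts file, LLMNR and NetBIOS,
#    so the answer reflects only what that server returns.
foreach ($server in @($AdDnsIp, $PfSenseIp, $PublicDns)) {
    try {
        $answer = Resolve-DnsName -Name $PortalName -Type A -Server $server -DnsOnly -ErrorAction Stop |
                  Where-Object { $_.Type -eq 'A' } |
                  Select-Object -ExpandProperty IPAddress
        '{0,-15} -> {1}' -f $server, ($answer -join ', ')
    } catch {
        '{0,-15} -> no answer ({1})' -f $server, $_.Exception.Message
    }
}

# 3. What the client would actually use right now (local cache and hosts file included).
Resolve-DnsName -Name $PortalName -Type A | Select-Object Name, Type, IPAddress
```

Reading the output: if step 1 lists only 192.168.0.3 and that server returns the public IP (or no answer) while pfSense returns the LAN address, the override on pfSense is fine but is simply never consulted, which is the third option in the post above (put the record on the server the clients already use). If step 3 differs from step 2, a stale cache or a hosts-file entry is masking the real server answer; `Clear-DnsClientCache` removes the first.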

Good question. And, not sure.

We use multiple DNS servers, some provided by the ISP, some backups from Cloudflare, apparently something on AD also, and I assumed the highest authority of that bunch, at least here locally, was pfSense.

When it comes to pfSense, what about Firewall / NAT / Port Forwarding?
Maybe the setup there is incorrect? I'll try to take a picture and obfuscate it a bit before sending.

Well, but that’s the million dollar question. :wink:

My guess would be that the clients are using the DNS servers of the Windows domain, which is generally the way how DNS should be handled in a Windows domain. Unfortunately, I’m not an expert when it comes to Windows domains.

I can only repeat my more general answers:

First of all, the DNS requests must somehow get to pfSense in order for the DNS override entries in pfSense to work.

They can do that either directly…

Client -> pfSense -> Internet

…which is probably not feasible in a Windows AD environment…

…or they could do it via Windows DNS to pfSense:

Client -> Windows DNS -> pfSense -> Internet

The prerequisite for this would be that the Windows DNS servers are configured to use pfSense as their upstream DNS server. However, I have no idea how sensible such a solution would be or if this is even possible.

The third option, which would probably make the most sense, would be to manage the local DNS records directly on the Windows DNS servers, instead of on pfSense. But again, I can’t help with details about how you would do that.

Thank you, I'll try. Will write again if stuck.

I just saw your screenshots with the DNS redirect rules. Honestly, no idea if that will work, but to me it looks more like a hacky workaround instead of a clean solution.

Another workaround you could try is NAT Reflection. But I wouldn’t recommend that either.

Local DNS records are the cleanest solution, and ideally you would add them to your primary DNS server that all your clients are already using.

DNS options, as far as I know:

Internal FQDNs
Client -> pfSense -> Domain override -> Windows DNS -> Intranet

Extranet FQDNs
Client -> pfSense -> Internet

This is in my case working well and without issues.

Good luck
Andy

Hey guys, thanks for trying to help.
The main problem appears to be conflicting issues between Microsoft AD and pfSense over DNS.
We ended up writing a little script to edit the hosts file on workstations, until we make a better, cleaner solution.

Can I, like, buy you a coffee / beer online?

Hold up…

  1. You should be setting the DHCP options in your scope to point all Windows clients to your MS DNS server.
  2. On your MS DNS server you need to set the forwarders to point to your pfSense LAN gateway for the upstream DNS.
  3. You should only be setting DNS entries on the MS DNS server. Never on pfSense.
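The three steps above, carried out from the AD server with the DhcpServer and DnsServer modules, as an added example that is not part of the original thread. All names and addresses are hypothetical placeholders. Step 3 uses split DNS: a zone named exactly after the public FQDN makes the AD DNS server authoritative for that one name only, so the rest of the public domain still resolves through pfSense, and the LAN clients get the internal address without any NAT reflection or hosts-file edits.

```powershell
# Added example (not from the thread): run on the AD server that hosts DNS and DHCP.
# Requires the DhcpServer and DnsServer modules (RSAT / server roles).
# Every value below is an assumed placeholder; adjust before running.
$AdDnsIp      = '192.168.0.3'          # AD DNS server, the one clients should use
$PfSenseLanIp = '192.168.0.1'          # pfSense LAN gateway, used as the upstream forwarder
$ScopeId      = '192.168.0.0'          # DHCP scope that serves the workstations
$AdDomain     = 'school.local'         # AD DNS suffix handed out as DHCP option 15
$PortalFqdn   = 'portal.example.edu'   # public name of the web app
$PortalLanIp  = '192.168.0.50'         # LAN address of the web server

# Step 1: the scope hands out the AD DNS server (option 6), not ISP or Cloudflare resolvers.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -DnsServer $AdDnsIp -DnsDomain $AdDomain
Get-DhcpServerv4OptionValue -ScopeId $ScopeId | Where-Object { $_.OptionId -in 6, 15 }

# Step 2: AD DNS forwards everything it is not authoritative for to pfSense only.
# -UseRootHint $false stops it from going to the root servers behind pfSense's back.
Set-DnsServerForwarder -IPAddress $PfSenseLanIp -UseRootHint $false
Get-DnsServerForwarder | Select-Object IPAddress, UseRootHint

# Step 3: split DNS on the AD server. A zone named after the single public FQDN
# shadows just that name; www.example.edu or mail.example.edu are still forwarded.
if (-not (Get-DnsServerZone -Name $PortalFqdn -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $PortalFqdn -ReplicationScope 'Domain'
}
# '@' is the zone apex, i.e. the record for portal.example.edu itself.
Add-DnsServerResourceRecordA -ZoneName $PortalFqdn -Name '@' -IPv4Address $PortalLanIp `
    -TimeToLive (New-TimeSpan -Minutes 5)

# Verify on the server itself, bypassing the client cache and hosts file;
# repeat on a workstation after 'ipconfig /flushdns' (or Clear-DnsClientCache).
Resolve-DnsName -Name $PortalFqdn -Type A -Server $AdDnsIp -DnsOnly |
    Select-Object Name, Type, IPAddress
```

Two caveats worth checking before rolling this out: the web server must answer on $PortalLanIp with the same virtual host and TLS certificate it presents publicly, otherwise clients reach it but get the "default documentation page" described earlier in the thread; and if the zone is AD-integrated, any other domain controller running DNS picks up the record automatically, so the workstation hosts-file edits can be reverted.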

Thank you for your input :+1: :slight_smile:
It's working now as it is, with the help of some tweaks on individual machines. I know it's not the cleanest solution, but it's good enough for the moment. I will consider this topic closed.
Thanks guys, all of you. Cheers :beers: