DNS not getting translated into IP, using PfSense
Hi guys,
We are using PfSense, and are experiencing problems accessing our address blah.blah.blah from our local network.
It is, however, working from any other network…

The IP is on the local network, towards which the DNS is supposed to point.
The issue appears to be DNS not getting resolved or forwarded, or something else, to the IP which is on our local network.
Pings are going through nicely, as if everything was working properly…

Even crazy ideas are welcome at this point.

P.S. At the moment the version of PfSense that we are using is a little bit outdated.
Thank you.


You can confirm DNS queries are resolving to the correct public IP address by using the appropriate terminal command (e.g. nslookup).

But being able to connect to an address on the same network by first going through the external address is not something you can do without the proper configuration on the router. This is a very common problem.

Think about the way packets will flow from the client to the server:

- CLIENT performs DNS query, which ends up returning the external IP address of the ROUTER.

- CLIENT sends a packet to the external IP address of the ROUTER. The source IP of the packet is set to the LAN IP address of the CLIENT.

- ROUTER uses its port forwarding rules to send the packet to the SERVER. The destination IP is changed to that of the SERVER, but the source IP will still be the LAN IP of the CLIENT, in just the same way as other packets coming from the internet retain their source IPs.

- SERVER receives the packet and then sends a reply to the source IP in the packet, which is the LAN IP of the CLIENT.

- The packet makes its way directly to the CLIENT without going through the external interface of the ROUTER.

- CLIENT sees the reply, but it is not coming from the address it had sent the original request to. It was expecting a reply back from the ROUTER's external IP. The packet is therefore discarded.

A few of the possible solutions to this problem (choose only one):

1. For each client, use the appropriate method (e.g. the hosts file) to manually set the IP address for that domain to the LAN IP of the server.

2. Use hairpin NAT (a.k.a. NAT reflection or an iptables/nftables "masquerade" rule) to rewrite the source IP address of packets sent from the router to the server to the IP of the server. There should be many guides on how to do that in pfSense now that you know what to search for.

3. Create a different subnet for the server. The replies from the server to the client will have their source set back to the router IP automatically in this configuration.

4. Set things up so that DNS queries for that domain from the local network will return the local address instead of the external one.

5. Same as #4, except configure the server to additionally use a local domain (e.g. myserver.local), and make only the local domain resolve to the local address.

I'd normally recommend options 1-3, but it all depends on your needs.

Edited by ShadeOfBlue
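To make the packet flow in the reply above concrete, here is a small simulation (added here; it is not code from the thread or from pfSense) that walks a request from a LAN client through a port forward and checks whether the client would accept the reply. The addresses are constructed sample values; modes "none", "hairpin" and "split_dns" correspond to a plain port forward, solution 2 (NAT reflection) and solution 4 (local DNS override).

```python
from dataclasses import dataclass

# Constructed sample addresses (not from the thread); 203.0.113.0/24 is a documentation range.
ROUTER_WAN = "203.0.113.10"
ROUTER_LAN = "192.168.1.1"
CLIENT = "192.168.1.50"
SERVER = "192.168.1.100"


@dataclass
class Packet:
    src: str
    dst: str


def router_forward(pkt: Packet, hairpin: bool) -> Packet:
    """Port-forward rule: traffic to the WAN IP goes to SERVER.
    Plain DNAT keeps the client's source; hairpin NAT also rewrites the
    source to the router's LAN IP so the server's reply must come back
    through the router."""
    if pkt.dst != ROUTER_WAN:
        return pkt  # not destined to the forwarded WAN address
    return Packet(ROUTER_LAN if hairpin else pkt.src, SERVER)


def router_undo_hairpin(pkt: Packet) -> Packet:
    """Reverse translation for a reply that matches the hairpin state."""
    return Packet(ROUTER_WAN, CLIENT)


def server_reply(pkt: Packet) -> Packet:
    """The server answers whatever source address it saw on the request."""
    return Packet(SERVER, pkt.src)


def simulate(mode: str) -> tuple[str, bool]:
    """mode: 'none' (plain port forward), 'hairpin' (NAT reflection),
    or 'split_dns' (LAN clients resolve the name to the server's LAN IP).
    Returns (source IP the client sees on the reply, whether it accepts it)."""
    request = Packet(CLIENT, SERVER if mode == "split_dns" else ROUTER_WAN)
    reply = server_reply(router_forward(request, mode == "hairpin"))
    # A reply addressed to a LAN host is delivered directly on the LAN;
    # only a reply addressed to the router's LAN IP passes back through it.
    if reply.dst == ROUTER_LAN:
        reply = router_undo_hairpin(reply)
    # The client expects the reply to come from the address it sent to;
    # anything else is discarded (the last step in the explanation above).
    accepted = reply.src == request.dst and reply.dst == request.src
    return reply.src, accepted


if __name__ == "__main__":
    for mode in ("none", "hairpin", "split_dns"):
        print(mode, simulate(mode))
```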
On 11/04/2023 at 17:33, Kelxin said:

Do an ipconfig on one of the clients and see if the DNS is pointing to the pfsense box.

If I run the following command in cmd, it returns that the DNS is pointing to Windows AD (which we are also hosting locally but separately).
ipconfig /all | findstr /R "DNS\ Servers"
Is that what you meant?

But our PfSense should be the main one in charge of DNS.

Also interesting: when I do a ping test from PfSense, it pings the correct local IP address. But when I do a ping test, it pings the correct external IP address.

But our main issue is the following.

  1. It recognizes DNS from outside our network properly.
    1.1 (i.e. we make a hotspot on mobile, hook up a laptop, type the DNS address in a browser, and everything works perfectly, because we are accessing it from an external network)

  2. But internally it gets stuck within our network and doesn't resolve DNS correctly. Or maybe DNS is just a symptom, and not a cause?
    2.1. (hook up to the local network, type the DNS address in a browser: it displays "This site can't be reached" + a timeout message, and doesn't work
    2.2. hook up to the local network, type the internal IP in a browser: it displays the default documentation page of the server it's hosted on, and doesn't work,
    2.3. different attempt: hook up to the local network, type the internal IP in a browser + add "/" + add the student portal DNS address part; now it works, but just on the student portal…)

Basically it sums up to:
the professors can't access their stuff from inside the school… But students at least can.
And everything works for everyone when outside of the school LAN.

