
Author Topic: Strange NSLOOKUP Results on Windows Clients  (Read 199 times)


Offline AlientFrost

  • Newbie
  • *
  • Posts: 4
  • Karma: +0/-0
Strange NSLOOKUP Results on Windows Clients
« on: February 04, 2018, 09:46:18 am »
Recently added a Let's Encrypt cert to my pfSense box. Using Acme Certificates "app" and a No-IP premium DDNS host - piece of cake. Set my pfSense domain to bounceme.net. Everything running smoothly. My pfSense box is now "pfsense.bounceme.net" and the cert works. (domain has been changed in this post)

However, on my Windows clients using DHCP, I am having a weird thing happen when running nslookup. The reply is the same IP (I'm pretty sure it belongs to NO-IP.com) along with the NO-IP suffix added to every search. However, when I add the "mylocal" domain in the DHCP scope, everything works fine, but I cannot ping host names only, only FQDNs.

Everything works, web browsing, Linux boxes, VPN, etc. but I've never seen nslookup do what it is doing. Tells me something is wrong, or mis-configured.

Any ideas?

With bounceme.net set as pfSense domain under System\General Setup:

$ nslookup cnn.com
Server:  pfSense.bounceme.net
Address:  10.100.10.1

Non-authoritative answer:
Name:    cnn.com.bounceme.net
Address:  81.82.9.141

$ nslookup usatoday.com
Server:  pfSense.bounceme.net
Address:  10.100.10.1

Non-authoritative answer:
Name:    usatoday.com.bounceme.net
Address:  81.82.9.141

$ nslookup cnn.com. 10.100.10.1
Server:  pfSense.bounceme.net
Address:  10.100.10.1

Non-authoritative answer:
Name:    cnn.com
Addresses:  2a04:4e42::323
          2a04:4e42:200::323
          2a04:4e42:600::323
          2a04:4e42:400::323
          151.101.65.67
          151.101.129.67
          151.101.1.67
          151.101.193.67

With bounceme.net STILL set as domain, with Domain name: "mylocal" in DHCP scope:

$ nslookup cnn.com
Server:  pfSense.bounceme.net
Address:  10.100.10.1

Non-authoritative answer:
Name:    cnn.com
Addresses:  2a04:4e42:400::323
          2a04:4e42:600::323
          2a04:4e42:200::323
          2a04:4e42::323
          151.101.65.67
          151.101.129.67
          151.101.193.67
          151.101.1.67

Offline Derelict

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 9808
  • Karma: +1107/-311
Re: Strange NSLOOKUP Results on Windows Clients
« Reply #1 on: February 05, 2018, 01:05:36 am »
It is simply appending the search domain to the queries.

When you append a . that tells the resolver not to do that.

That is not pfSense adding the domain. nslookup is just telling you what windows is doing.
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESSTM

Offline johnpoz

  • Hero Member
  • *****
  • Posts: 15153
  • Karma: +1413/-206
  • Not a pfSense employee, they cannot fire me...
Re: Strange NSLOOKUP Results on Windows Clients
« Reply #2 on: February 05, 2018, 06:25:00 am »
So you do not control bounceme.net?  Then you shouldn't be using it internally, since you cannot control what is public on it.  Also, out of the box unbound is set to a transparent zone.  So if you look for something that is not in your domain/zone, i.e. bounceme.net, it will try and resolve upstream.

So if your client appends the search suffix to your query, i.e. your cnn.com.bounceme.net, since you have no local record of that it will resolve it upstream and sure could return results, since you do not control that domain, or you do and have set a wildcard?

Use a client for such a query that does not append your search suffix, dig for example. Use the . in nslookup as Derelict stated already to state "this is exactly the FQDN I want to query, don't append any search suffixes that might be set".  And I would also suggest setting your zone to static in unbound so it will not try and query upstream for stuff that is in the local zone (you set in General Setup) but unbound has no record of.

https://www.unbound.net/documentation/unbound.conf.html
local-zone: <zone> <type>
              Configure a local zone. The type determines the answer  to  give
              if  there  is  no  match  from  local-data.  The types are deny,
              refuse, static, transparent, redirect, nodefault,  typetranspar-
              ent,  inform,  inform_deny,  always_transparent,  always_refuse,
              always_nxdomain, and are explained below. After that the default
              settings  are  listed.  Use  local-data:  to enter data into the
              local zone.  Answers  for  local  zones  are  authoritative  DNS
              answers. By default the zones are class IN.

            static
                 If there is a match from local data, the query  is  answered.
                 Otherwise,  the  query  is  answered with nodata or nxdomain.
                 For a negative answer a SOA is  included  in  the  answer  if
                 present as local-data for the zone apex domain.

            transparent
                 If  there  is a match from local data, the query is answered.
                 Otherwise if the query has a different  name,  the  query  is
                 resolved  normally.   If  the  query  is  for a name given in
                 localdata but no such type of data  is  given  in  localdata,
                 then  a  noerror nodata answer is returned.  If no local-zone
                 is given local-data causes a transparent zone to  be  created
                 by default.
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.2-RELEASE-p1 (work)
1x SG-4860 2.4.2-RELEASE-p1 (home)
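The suffix-appending behaviour and the transparent-vs-static local-zone distinction described in this reply, as an added model in Python (not code from the thread, from pfSense or from unbound). The local-data and upstream tables are constructed sample values; the 81.82.9.141 wildcard-style reply mirrors the nslookup output earlier in the thread.

```python
"""Model of a suffix-appending stub client in front of a resolver with a local zone."""


def expand_query(name, search_list):
    """Names a suffix-appending client (nslookup with defname/search on) tries, in order.
    A trailing dot marks the name as absolute, so nothing is appended."""
    if name.endswith("."):
        return [name]
    candidates = [f"{name}.{suffix}." for suffix in search_list]
    candidates.append(name + ".")          # bare name is tried last
    return candidates


def in_zone(name, zone):
    n, z = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return n == z or n.endswith("." + z)


def resolve(name, zone, zone_type, local_data, upstream):
    """Answer one absolute name. Returns (address or None, source).
    zone_type is 'transparent' (unbound default) or 'static'."""
    key = name.rstrip(".").lower()
    if in_zone(name, zone):
        if key in local_data:
            return local_data[key], "local"
        if zone_type == "static":
            return None, "nxdomain"        # never forwarded upstream
        # transparent: a name without local data is resolved normally
    if key in upstream:
        return upstream[key], "upstream"
    return None, "nxdomain"


def lookup(name, search_list, zone, zone_type, local_data, upstream):
    """Walk the client's candidate list and stop at the first positive answer."""
    for candidate in expand_query(name, search_list):
        answer, source = resolve(candidate, zone, zone_type, local_data, upstream)
        if answer is not None:
            return candidate, answer, source
    return None, None, "nxdomain"


# Constructed sample data: one local host, and an upstream where the
# uncontrolled DDNS domain answers every subdomain with the same address.
LOCAL_DATA = {"pfsense.bounceme.net": "10.100.10.1"}
UPSTREAM = {"cnn.com": "151.101.1.67", "cnn.com.bounceme.net": "81.82.9.141"}
SEARCH = ["bounceme.net"]

if __name__ == "__main__":
    for zone_type in ("transparent", "static"):
        print(zone_type, lookup("cnn.com", SEARCH, "bounceme.net", zone_type, LOCAL_DATA, UPSTREAM))
    print("absolute", lookup("cnn.com.", SEARCH, "bounceme.net", "transparent", LOCAL_DATA, UPSTREAM))
```

With the zone transparent the suffixed name leaks upstream and the wildcard answer wins; with it static the resolver returns NXDOMAIN for cnn.com.bounceme.net and the client falls through to the bare name.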

Offline AlientFrost

  • Newbie
  • *
  • Posts: 4
  • Karma: +0/-0
Re: Strange NSLOOKUP Results on Windows Clients
« Reply #3 on: February 06, 2018, 11:06:54 am »
It is simply appending the search domain to the queries.

When you append a . that tells the resolver not to do that.

That is not pfSense adding the domain. nslookup is just telling you what windows is doing.

So, not a DNS Guru, there really is nothing wrong here?

Offline AlientFrost

  • Newbie
  • *
  • Posts: 4
  • Karma: +0/-0
Re: Strange NSLOOKUP Results on Windows Clients
« Reply #4 on: February 06, 2018, 11:12:55 am »
So you do not control bounceme.net?  Then you shouldn't be using it internally, since you cannot control what is public on it.  Also, out of the box unbound is set to a transparent zone.  So if you look for something that is not in your domain/zone, i.e. bounceme.net, it will try and resolve upstream.

So if your client appends the search suffix to your query, i.e. your cnn.com.bounceme.net, since you have no local record of that it will resolve it upstream and sure could return results, since you do not control that domain, or you do and have set a wildcard?

Use a client for such a query that does not append your search suffix, dig for example. Use the . in nslookup as Derelict stated already to state "this is exactly the FQDN I want to query, don't append any search suffixes that might be set".  And I would also suggest setting your zone to static in unbound so it will not try and query upstream for stuff that is in the local zone (you set in General Setup) but unbound has no record of.

https://www.unbound.net/documentation/unbound.conf.html
local-zone: <zone> <type>
              Configure a local zone. The type determines the answer  to  give
              if  there  is  no  match  from  local-data.  The types are deny,
              refuse, static, transparent, redirect, nodefault,  typetranspar-
              ent,  inform,  inform_deny,  always_transparent,  always_refuse,
              always_nxdomain, and are explained below. After that the default
              settings  are  listed.  Use  local-data:  to enter data into the
              local zone.  Answers  for  local  zones  are  authoritative  DNS
              answers. By default the zones are class IN.

            static
                 If there is a match from local data, the query  is  answered.
                 Otherwise,  the  query  is  answered with nodata or nxdomain.
                 For a negative answer a SOA is  included  in  the  answer  if
                 present as local-data for the zone apex domain.

            transparent
                 If  there  is a match from local data, the query is answered.
                 Otherwise if the query has a different  name,  the  query  is
                 resolved  normally.   If  the  query  is  for a name given in
                 localdata but no such type of data  is  given  in  localdata,
                 then  a  noerror nodata answer is returned.  If no local-zone
                 is given local-data causes a transparent zone to  be  created
                 by default.

I "sorta" have control of the bounceme.net domain. It is a premium DDNS host. I only did this to get the cert. Usually I would use .mylocal. At this point I am going to try the "static" setting. Thanks for the info!!

Offline johnpoz

  • Hero Member
  • *****
  • Posts: 15153
  • Karma: +1413/-206
  • Not a pfSense employee, they cannot fire me...
Re: Strange NSLOOKUP Results on Windows Clients
« Reply #5 on: February 06, 2018, 11:24:37 am »
From a DNS guru point of view, yes, there is something wrong, since it seems you're using a domain locally that you do not control??  You clearly seem to have it set as a search suffix for some reason?  This bounceme.net:

;; QUESTION SECTION:
;bounceme.net.                  IN      NS

;; ANSWER SECTION:
bounceme.net.           86400   IN      NS      nf1.no-ip.com.
bounceme.net.           86400   IN      NS      nf2.no-ip.com.
bounceme.net.           86400   IN      NS      nf3.no-ip.com.
bounceme.net.           86400   IN      NS      nf4.no-ip.com.
bounceme.net.           86400   IN      NS      nf5.no-ip.com.

Why are you using that domain on your pfSense?  You really should not be using that domain as a local domain, since clearly you do not control it.. It could reply with all kinds of stuff when you append it as a suffix..

I have queried their name servers for your examples and they do not respond with answers, only SOA... You have something more going on than what you're showing..

> dig usatoday.com.bounceme.net

; <<>> DiG 9.11.2 <<>> usatoday.com.bounceme.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5626
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;usatoday.com.bounceme.net.     IN      A

;; AUTHORITY SECTION:
bounceme.net.           3540    IN      SOA     nf1.no-ip.com. hostmaster.no-ip.com. 2011704497 90 120 604800 60

;; Query time: 17 msec
;; SERVER: 192.168.9.253#53(192.168.9.253)
;; WHEN: Tue Feb 06 11:21:09 Central Standard Time 2018
;; MSG SIZE  rcvd: 114


Offline AlientFrost

  • Newbie
  • *
  • Posts: 4
  • Karma: +0/-0
Re: Strange NSLOOKUP Results on Windows Clients
« Reply #6 on: February 07, 2018, 08:59:10 am »
From a DNS guru point of view, yes, there is something wrong, since it seems you're using a domain locally that you do not control??  You clearly seem to have it set as a search suffix for some reason?  This bounceme.net:

;; QUESTION SECTION:
;bounceme.net.                  IN      NS

;; ANSWER SECTION:
bounceme.net.           86400   IN      NS      nf1.no-ip.com.
bounceme.net.           86400   IN      NS      nf2.no-ip.com.
bounceme.net.           86400   IN      NS      nf3.no-ip.com.
bounceme.net.           86400   IN      NS      nf4.no-ip.com.
bounceme.net.           86400   IN      NS      nf5.no-ip.com.

Why are you using that domain on your pfSense?  You really should not be using that domain as a local domain, since clearly you do not control it.. It could reply with all kinds of stuff when you append it as a suffix..

I have queried their name servers for your examples and they do not respond with answers, only SOA... You have something more going on than what you're showing..

> dig usatoday.com.bounceme.net

; <<>> DiG 9.11.2 <<>> usatoday.com.bounceme.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5626
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;usatoday.com.bounceme.net.     IN      A

;; AUTHORITY SECTION:
bounceme.net.           3540    IN      SOA     nf1.no-ip.com. hostmaster.no-ip.com. 2011704497 90 120 604800 60

;; Query time: 17 msec
;; SERVER: 192.168.9.253#53(192.168.9.253)
;; WHEN: Tue Feb 06 11:21:09 Central Standard Time 2018
;; MSG SIZE  rcvd: 114

Thank you for the helpful responses. As I mentioned, this all started trying to use a Let's Encrypt SSL cert for the site using ACME CERTIFICATES, which was a success. The bounceme.net domain is not "my" DDNS domain used; I changed it for security purposes for publishing to this forum. But I AM using a NOIP.com Premium account with one of their premium domains used with this host.

I've since set my DNS to "static" vs. "transparent" and all seems to be back to normal.

Bit more background. I use OpenDNS servers in DNS Server Settings. Also using network-wide PIA VPN, as well as a port 53 redirection rule prohibiting clients from using their own DNS. I have no port forwarding open other than the ACME CERTIFICATES NAT. Using various tests I see no DNS leaking whatsoever, however that is not the scope of this discussion.

I was only concerned about the nslookup answers I was receiving on Windows DHCP clients, and just wanted to know why, and if it was dangerous.

Given the additional information, in your opinion would this setup be wrong? And if so what would you recommend? Again, using a Let's Encrypt CERT is the scope.

Offline johnpoz

  • Hero Member
  • *****
  • Posts: 15153
  • Karma: +1413/-206
  • Not a pfSense employee, they cannot fire me...
Re: Strange NSLOOKUP Results on Windows Clients
« Reply #7 on: February 07, 2018, 10:38:36 am »
Do you have public users that hit your pfSense web GUI?  If not, I see no reason to use an ACME cert for an admin-only interface; put a cert on there you signed with the pfSense CA and trust that CA... Done for 10+ years... No renewing every 90 days..

As to why you're getting back answers for usatoday.com.whatever: that should not happen on a domain you control, unless you have a wildcard set on it.. Which is normally bad practice..

If you're using unbound in resolver mode, your DNS server settings are pretty pointless... Unbound would be resolving, not forwarding, out of the box..