
Topic: Authoritative DNS server behind resolver (unbound)


Offline CaptainElmo

Authoritative DNS server behind resolver (unbound)
« on: September 05, 2015, 07:16:02 pm »
Happy holiday weekend everyone!

I have incoming port 53 NAT'ed to an internal DNS server which is publicly authoritative for several domains. This is working fine.

I have the resolver (unbound) answering DNS queries for everyone behind pfSense. This is working fine.

What isn't working fine is when these two scenarios intersect. When a client issues a DNS query to the resolver for a domain (let's say contoso.com) on the internal DNS server the resolver returns a SERVFAULT error.

If I add contoso.com to the resolver's domain overrides it works. But this is not ideal because there are many domains on this DNS server and they change frequently.

See the attached images for visualizations of these scenarios and what the desired outcome should be.

Is my desired outcome not reasonable? If it is, how do I go about getting the resolver to do this?

Thanks!

Offline CaptainElmo

Re: Authoritative DNS server behind resolver (unbound)
« Reply #1 on: September 05, 2015, 07:21:29 pm »
Correction: The resolver returns SERVFAIL, not SERVFAULT

Also: Firewall rules are wide open with allow-any-to-any on both private networks. (This will not be the end result, but for testing I have everything allowed). Right now everyone is able to talk to each other directly without issue.
« Last Edit: September 05, 2015, 07:25:41 pm by CaptainElmo »

Offline doktornotor

Re: Authoritative DNS server behind resolver (unbound)
« Reply #2 on: September 05, 2015, 08:11:41 pm »
And how exactly do you imagine this "NAT'ed back" should work? The "public IP" DNS server sends Unbound back to itself for the domains about which it has no information whatsoever, "surprisingly" you get SERVFAIL...
« Last Edit: September 05, 2015, 08:15:23 pm by doktornotor »
Do NOT PM for help!

Offline CaptainElmo

Re: Authoritative DNS server behind resolver (unbound)
« Reply #3 on: September 05, 2015, 08:25:50 pm »
If someone on the internet does a DNS query for contoso.com the public IP of pfSense is returned as the nameserver. That public IP is then queried for the IP address of contoso.com, which correctly gets NAT'ed back into the DNS server. This is all well and good.

I would expect the client to see the same results from a private interface. If the client does a DNS query for contoso.com they should also get back the public IP of pfSense as the nameserver, and when that public IP is queried for the IP address of contoso.com it should therefore arrive on the public IP interface and get NAT'ed exactly the same way as any other internet client does.

At least that's how I imagine it should work, and in fact that's exactly how it does work if I enable forwarding mode on the resolver. But for some reason the resolver won't do that itself - I have to forward the entire lookup process to an external resolver for it to work. This doesn't seem like the correct behavior, but maybe I'm wrong. Or maybe I just don't have the resolver configured correctly?

Offline CaptainElmo

Re: Authoritative DNS server behind resolver (unbound)
« Reply #4 on: September 05, 2015, 09:04:30 pm »
Here's another piece of evidence:

When I dig to the public WAN interface of pfSense I can resolve contoso.com just fine from the private client. When I dig to the private interface of pfSense I get SERVFAIL when trying to resolve contoso.com.

So it seems the resolver in pfSense is either not discovering that its own WAN interface is the nameserver or it is failing to drop the DNS query on that WAN interface once it does discover it.

I'm just wondering if this is expected behavior of the resolver, and if so, why?

Offline doktornotor

Re: Authoritative DNS server behind resolver (unbound)
« Reply #5 on: September 05, 2015, 09:10:55 pm »
Dude. Yeah, it will get correctly NATed from WAN. There's no reason to NAT anything from the host itself. Sigh.

Hey, root server, where's .com?
A.B.C.D
Hey, A.B.C.D, where's contoso.com?
That's yourself, silly, why are you asking?
He? I have no info on contoso.com. SERVFAIL.

> the resolver in pfSense is either not discovering that its own WAN interface is the nameserver

Except that it's NOT. It's some other machine on LAN behind shitty NAT -- which it will never learn.
« Last Edit: September 05, 2015, 09:16:15 pm by doktornotor »

Offline CaptainElmo

Re: Authoritative DNS server behind resolver (unbound)
« Reply #6 on: September 05, 2015, 09:31:24 pm »
Aha...that makes sense. pfSense is wearing 2 hats here - router and resolver. The resolver is told that it should know about contoso.com itself so the router/NAT part never gets involved after that.

Crap...that means I'm stuck using the resolver in forwarding mode.

Offline doktornotor

Re: Authoritative DNS server behind resolver (unbound)
« Reply #7 on: September 05, 2015, 09:41:33 pm »
Well yeah there're no inbound DNS queries to get NATed to the LAN DNS server.

Offline CaptainElmo

Re: Authoritative DNS server behind resolver (unbound)
« Reply #8 on: September 05, 2015, 09:47:14 pm »
I have the resolver set to listen to the private interfaces only. Any DNS traffic coming in on the WAN interface bypasses the resolver and is passed back to the internal DNS server.

At least that's how I assume it's working, because from the WAN side I am most definitely getting DNS results from the internal DNS server which don't exist anywhere else.

Offline CaptainElmo

Re: Authoritative DNS server behind resolver (unbound)
« Reply #9 on: September 05, 2015, 09:51:26 pm »
But that leaves me with a question of why my scenario can't work.

If the resolver is not set to listen to the WAN interface - the same interface it receives as the nameserver - why can't the resolver be smart enough to realize that?

"I've just been told that my WAN interface is the nameserver, but I'm not listening to that interface, so I better go ahead and query that interface for the DNS lookup I've been asked to resolve."

Offline doktornotor

Re: Authoritative DNS server behind resolver (unbound)
« Reply #10 on: September 05, 2015, 10:14:37 pm »
No, the DNS server is not "smart enough" to start asking a DNS server it doesn't know about. Once you've written one with such paranormal abilities, please let us know. And yes, you are getting replies when querying from WAN because there's traffic to match your NAT rule. There's just damn nothing to NAT with outbound DNS. It's completely the opposite direction.

Unbound random port -> WAN DNS port 53
WAN DNS port 53 -> Unbound random port

Where on earth does that match your NAT?
« Last Edit: September 05, 2015, 10:23:29 pm by doktornotor »

Offline CaptainElmo

Re: Authoritative DNS server behind resolver (unbound)
« Reply #11 on: September 06, 2015, 12:09:54 am »
> No, the DNS server is not "smart enough" to start asking a DNS server it doesn't know about.

Not the DNS server - the DNS resolver. Those are two different things, right? My pfSense box has no DNS server on it - only the resolver (unbound).

> There's just damn nothing to NAT with outbound DNS.

I don't understand where outbound NAT comes into this. My outbound NAT settings are wide open on both subnets - allow any to any.

From the private client machine, the following commands work:

1) dig @pfSensePrivateIP pfsense.org   ## pfSense resolver to exterior nameserver
2) dig @pfSenseWanIP contoso.com       ## bypass pfSense resolver directly to NAT'ed interior nameserver
3) dig @8.8.8.8 contoso.com            ## exterior resolver to NAT'ed interior nameserver

This command doesn't work:

4) dig @pfSensePrivateIP contoso.com   ## use pfSense resolver to NAT'ed interior nameserver

Command 3 above shows that the expected nameserver is being returned as authoritative for contoso.com and that incoming DNS queries are reaching the internal authoritative DNS server. To rule out caching I added a new temporary A record and confirmed that it was being resolved by this command.

Command 2 above shows that the expected path is open and works - the client is able to get its DNS query past the firewall and onto the public interface. The public interface subsequently is able to NAT the DNS query internally to the authoritative DNS server for name resolution. For some reason the DNS *resolver* on pfSense is either not willing or not able to do this same thing on behalf of the client.

Offline Derelict

Re: Authoritative DNS server behind resolver (unbound)
« Reply #12 on: September 06, 2015, 01:53:07 am »
Probably because NAT reflection is a dirty, nasty hack.

> 1) dig @pfSensePrivateIP pfsense.org   ## pfSense resolver to exterior nameserver

DNS query originating from LAN to an external nameserver.  Resolver on pfSense asks external nameserver for answer and forwards the response.

> 2) dig @pfSenseWanIP contoso.com       ## bypass pfSense resolver directly to NAT'ed interior nameserver

NAT reflection forwards request from LAN back to DNS server.

> 3) dig @8.8.8.8 contoso.com            ## exterior resolver to NAT'ed interior nameserver

External resolver queries WAN, gets port forwarded to local name server and receives reply.

> 4) dig @pfSensePrivateIP contoso.com   ## use pfSense resolver to NAT'ed interior nameserver

This one's different. You are asking the pfSense resolver to query the NAT-reflected WAN IP address.  But this time the request is not coming from LAN, it is coming from pfSense itself (the resolver) (You ask the resolver for an answer, the resolver makes queries on your behalf).

I don't know enough about NAT reflection to tell you why it doesn't work.

You have your answer - domain overrides in the resolver.  You say that's too much work.  Not quite sure what to tell you.

Put your authoritative domains on HE.net or dyn or both and stop mucking around with NAT and, in particular, NAT reflection.

Put another unbound resolver on your LAN and tell your LAN clients to use it instead of the one built into pfSense and it'll probably work.
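To make the packet paths discussed in this thread concrete, here is a small added model (not code from the post, pfSense or Unbound) of the four dig cases. All addresses are constructed: 203.0.113.1 is the pfSense WAN IP, 192.168.1.1 its LAN side, 192.168.1.53 the internal authoritative server, 198.51.100.10 an external resolver; the port-forward rule is assumed to rewrite only packets that arrive on WAN from somewhere other than pfSense itself, which is the behaviour the replies describe.

```python
"""Toy model of 'authoritative server behind a port forward' resolution.

Constructed topology (not a real deployment); see lead-in for the addresses.
"""
from typing import Dict, Optional, Tuple

WAN_IP, LAN_IP, INTERNAL_NS = "203.0.113.1", "192.168.1.1", "192.168.1.53"
ROOT_NS, TLD_NS, EXT_RESOLVER = "198.41.0.4", "192.5.6.30", "198.51.100.10"
PFSENSE_IPS = {WAN_IP, LAN_IP}
PORT_FORWARD = {WAN_IP: INTERNAL_NS}   # inbound :53 NAT rule from the thread

# Delegation referrals handed out by each server, and the internal server's
# own records. The TLD delegates contoso.com to the pfSense WAN address.
DELEGATIONS = {ROOT_NS: {"com.": TLD_NS}, TLD_NS: {"contoso.com.": WAN_IP}}
RECORDS = {INTERNAL_NS: {"www.contoso.com.": "203.0.113.1"}}

def deliver(src: str, dst: str) -> str:
    """Where a packet from src to dst actually lands. The port forward (and
    NAT reflection) rewrites packets arriving at WAN_IP from LAN or the
    internet; pfSense's own queries to its own WAN address stay local."""
    if dst in PORT_FORWARD and src not in PFSENSE_IPS:
        return PORT_FORWARD[dst]
    return dst

def ask(src: str, server: str, qname: str) -> Tuple[str, Optional[str]]:
    """Returns ('answer', ip), ('referral', ns_ip) or ('servfail', None)."""
    host = deliver(src, server)
    if qname in RECORDS.get(host, {}):
        return "answer", RECORDS[host][qname]
    for zone, ns in DELEGATIONS.get(host, {}).items():
        if qname.endswith(zone):
            return "referral", ns
    return "servfail", None    # host has no data and no delegation: dead end

def resolve(qname: str, src: str, overrides: Optional[Dict[str, str]] = None) -> str:
    """Iterative resolution from the root, unless a domain override (stub or
    forward zone pointing at the internal server) matches the name first."""
    for zone, ns in (overrides or {}).items():
        if qname.endswith(zone):
            kind, val = ask(src, ns, qname)
            return val if kind == "answer" else "SERVFAIL"
    server = ROOT_NS
    for _ in range(8):                      # bound the referral chain
        kind, val = ask(src, server, qname)
        if kind == "answer":
            return val
        if kind == "servfail":
            return "SERVFAIL"
        server = val
    return "SERVFAIL"
```

`resolve("www.contoso.com.", LAN_IP)` reproduces case 4 (pfSense's resolver follows the referral to its own WAN address and fails), while the same call with `src=EXT_RESOLVER`, with a LAN client address, or with `overrides={"contoso.com.": INTERNAL_NS}` reproduces cases 3, the "second resolver on the LAN" suggestion, and the domain-override fix.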

Offline doktornotor

Re: Authoritative DNS server behind resolver (unbound)
« Reply #13 on: September 06, 2015, 02:10:57 am »
> the request is not coming from LAN, it is coming from pfSense itself (the resolver) (You ask the resolver for an answer, the resolver makes queries on your behalf).

Yeah. Which has been repeated about 20 times now but the OP completely refuses to understand.

Offline CaptainElmo

Re: Authoritative DNS server behind resolver (unbound)
« Reply #14 on: September 06, 2015, 10:55:07 am »
Thank you Derelict.

The resolver allows me to specify an interface for outgoing queries, so the expectation is that if I specify the LAN interface it should work the same as if the query came from the LAN client itself. Obviously this isn't working as expected, and I suspect you are correct that the "dirty, nasty hack" of NAT reflection is to blame.

I appreciate your help - have a great weekend!