OPNsense Forum

Archive => 16.1 Legacy Series => Topic started by: epoch on April 30, 2016, 02:08:41 pm

Title: Resolving LAN hosts (reverse) in log files with local DNS servers?
Post by: epoch on April 30, 2016, 02:08:41 pm
I have set up OPNsense 16.1.12-amd64 to use the following servers:
127.0.0.1
208.67.220.220
208.67.220.222
8.8.4.4
8.8.8.8

DNS resolver is not configured (I don't know that I need it.)
DNS forwarder is configured as this:
Enable DNS Forwarder [X]
Register DHCP leases in DNS forwarder [X]
Register DHCP static mappings in DNS forwarder [X]
Resolve DHCP mappings first [X]
Query DNS servers sequentially [X]
Require domain [X]
Do not forward private reverse lookups [  ]
Listen Port [  ]
Interfaces [All]
Strict Interface Binding [  ]

Domain Overrides:
lan   192.168.1.253   Authoritative DNS on dns.lan
1.168.192-in.addr.arpa   192.168.1.253   Authoritative DNS on dns.lan - Reverse
(along with other "!" domain entries that selectively block forwarding of forward or reverse lookups)

In dnsmasq logs I can read this:
Apr 30 13:35:43   dnsmasq[22219]: read /etc/hosts - 9 addresses
Apr 30 13:35:43   dnsmasq[22219]: using nameserver 8.8.8.8#53
Apr 30 13:35:43   dnsmasq[22219]: using nameserver 8.8.4.4#53
Apr 30 13:35:43   dnsmasq[22219]: using nameserver 208.67.220.222#53
Apr 30 13:35:43   dnsmasq[22219]: using nameserver 208.67.220.220#53
Apr 30 13:35:43   dnsmasq[22219]: ignoring nameserver 127.0.0.1 - local interface
Apr 30 13:35:43   dnsmasq[22219]: using local addresses only for domain foo
Apr 30 13:35:43   dnsmasq[22219]: using local addresses only for domain bar
Apr 30 13:35:43   dnsmasq[22219]: using local addresses only for domain baz
Apr 30 13:35:43   dnsmasq[22219]: using local addresses only for domain qux
Apr 30 13:35:43   dnsmasq[22219]: using local addresses only for domain 172-in.addr.arpa
Apr 30 13:35:43   dnsmasq[22219]: using nameserver 192.168.1.253#53 for domain lan
Apr 30 13:35:43   dnsmasq[22219]: using nameserver 192.168.1.253#53 for domain 1.168.192-in.addr.arpa
...

When I ask for a reverse lookup for, say, 192.168.1.252 in the firewall logs, I only get "cannot resolve."

This works from any other host on the LAN, eg:
$ dig +nocmd +noquestion -x 192.168.1.252
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26031
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
252.1.168.192.in-addr.arpa. 1800 IN   PTR   odessa.lan.

;; Query time: 0 msec
;; SERVER: 192.168.1.253#53(192.168.1.253)
;; WHEN: Sat Apr 30 13:43:05 2016
;; MSG SIZE  rcvd: 68

I went to the shell on OPNsense. I can resolve forward:
# dig +nocmd +noquestion odessa.lan
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54598
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; ANSWER SECTION:
odessa.lan.      1625   IN   A   192.168.1.252

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Apr 30 13:48:45 CEST 2016
;; MSG SIZE  rcvd: 55

But the reverse lookup gives this:
# dig -x 192.168.1.252

; <<>> DiG 9.10.3-P4 <<>> -x 192.168.1.252
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41946
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;252.1.168.192.in-addr.arpa.   IN   PTR

;; AUTHORITY SECTION:
252.1.168.192.in-addr.arpa. 10800 IN   SOA   localhost. nobody.invalid. 1 600 1200 604800 10800

;; Query time: 14 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Apr 30 13:46:10 CEST 2016
;; MSG SIZE  rcvd: 114

How can I get OPNsense to forward reverse lookups to other private DNS servers?
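Added example, not code from the post, from OPNsense or from dnsmasq: a small Python script that generates the dnsmasq "server=/zone/nameserver" lines for the reverse zones of a private network (going beyond the /24 case in the post to /8, /12 and longer-than-/24 ranges) and models how dnsmasq chooses an upstream for a query name, namely the longest configured domain that matches on a label boundary, with "#" meaning the default upstream list. The network ranges and the 192.168.1.253 / 8.8.8.8 addresses in the usage section are constructed to mirror the post; override_covers() is a helper added here to check that a given override domain really is a suffix of the PTR name that a reverse lookup carries (a spelling like 1.168.192-in.addr.arpa is not a suffix of 252.1.168.192.in-addr.arpa, so it cannot match).

```python
"""Generate dnsmasq reverse-zone overrides and model how dnsmasq picks an
upstream for a query.  Added example; not code from the post, OPNsense or
dnsmasq.  Networks and server addresses in __main__ are constructed."""
import ipaddress


def reverse_zones(cidr):
    """in-addr.arpa zone names covering an IPv4 network.

    Reverse delegation happens on octet boundaries, so a /12 becomes sixteen
    /16 zones and anything longer than /24 is covered by its enclosing /24.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen == 0:
        raise ValueError("expected a non-default IPv4 network")
    zone_len = min(24, ((net.prefixlen + 7) // 8) * 8)   # 8, 16 or 24
    if zone_len >= net.prefixlen:
        zones = net.subnets(new_prefix=zone_len)
    else:
        zones = [net.supernet(new_prefix=zone_len)]
    names = []
    for z in zones:
        octets = str(z.network_address).split(".")[: zone_len // 8]
        names.append(".".join(reversed(octets)) + ".in-addr.arpa")
    return names


def ptr_name(ip):
    """The name a PTR query for ip carries, e.g. 252.1.168.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def dnsmasq_server_lines(overrides):
    """(cidr, nameserver) pairs -> dnsmasq 'server=/zone/ns' lines."""
    return [f"server=/{zone}/{ns}"
            for cidr, ns in overrides for zone in reverse_zones(cidr)]


def pick_upstream(qname, overrides, default):
    """Model dnsmasq's server=/domain/ selection.

    The longest configured domain that equals the query name or is a suffix
    of it on a label boundary wins; a target of '#' means the default
    upstream servers.  No match also falls through to the defaults.
    """
    q = qname.rstrip(".").lower()
    best = None
    for domain, target in overrides.items():
        d = domain.rstrip(".").lower()
        matches = (q == d) or q.endswith("." + d)
        if matches and (best is None or len(d) > len(best[0])):
            best = (d, target)
    if best is None or best[1] == "#":
        return default
    return best[1]


def override_covers(domain, ip):
    """True if a server=/domain/ entry would catch the PTR query for ip."""
    return pick_upstream(ptr_name(ip), {domain: "override"}, None) == "override"


if __name__ == "__main__":
    LAN_DNS = "192.168.1.253"      # constructed: the LAN's authoritative server
    PUBLIC = "8.8.8.8"             # constructed: a default upstream
    for line in dnsmasq_server_lines([("192.168.1.0/24", LAN_DNS),
                                      ("172.16.0.0/12", LAN_DNS)]):
        print(line)
    q = ptr_name("192.168.1.252")
    print(q, "->", pick_upstream(q, {"lan": LAN_DNS,
                                     "1.168.192.in-addr.arpa": LAN_DNS}, PUBLIC))
    print("hyphenated spelling covers it:",
          override_covers("1.168.192-in.addr.arpa", "192.168.1.252"))
```

Run it and paste the printed server= lines into a dnsmasq configuration (or use their zone part as the domain in an OPNsense domain override); override_covers() is the check to run against each existing override before assuming dnsmasq will forward a given reverse lookup through it.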