Fábio Rodrigues Ribeiro
2018-03-01 18:30:02 UTC
Hello, good afternoon!
I am having problems getting pfSense to serve only DNS (recursive).
In Unbound I set the ACL to 0.0.0.0/0... and nothing.
I enable DNS Forwarder in Unbound... and nothing.
I open up or disable the firewall (WAN or LAN)... and nothing.
I uncheck the protections, lockout, bogon, among others... and nothing.
Lookup queries go through normally, both on pfSense and on the client.
I also tried with a physical machine (Intel NICs) and I get the same
symptom. At the time of the dump I make a (DNS) query from the browser, coming
in through the LAN network, and I get the error DNS_PROBE_FINISHED_NXDOMAIN:
Currently the WAN network is in VMware NAT mode and the LAN is in
Host-Only mode. Both are reachable normally, including the internet.
VMware Virtual Machine - Netgate Device ID:
*** Welcome to pfSense 2.4.2-RELEASE-p1 (amd64) on pfSense ***
WAN (wan) -> em0 -> v4/DHCP4: 192.168.48.132/24
LAN (lan) -> em1 -> v4: 192.168.226.129/24
0) Logout (SSH only) 9) pfTop
1) Assign Interfaces 10) Filter Logs
2) Set interface(s) IP address 11) Restart webConfigurator
3) Reset webConfigurator password 12) PHP shell + pfSense tools
4) Reset to factory defaults 13) Update from console
5) Reboot system 14) Disable Secure Shell (sshd)
6) Halt system 15) Restore recent configuration
7) Ping host 16) Restart PHP-FPM
8) Shell
Enter an option: 8
[2.4.2-RELEASE][***@pfSense.localdomain]/root: tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em0, link-type EN10MB (Ethernet), capture size 262144 bytes
15:00:04.123856 IP 192.168.48.132 > 192.168.48.2: ICMP echo request, id
26811, seq 613, length 8
15:00:04.124078 IP 192.168.48.2 > 192.168.48.132: ICMP echo reply, id
26811, seq 613, length 8
15:00:04.654853 IP 192.168.48.132 > 192.168.48.2: ICMP echo request, id
26811, seq 614, length 8
15:00:04.654933 IP 192.168.48.2 > 192.168.48.132: ICMP echo reply, id
26811, seq 614, length 8
15:00:05.186598 IP 192.168.48.132 > 192.168.48.2: ICMP echo request, id
26811, seq 615, length 8
15:00:05.186830 IP 192.168.48.2 > 192.168.48.132: ICMP echo reply, id
26811, seq 615, length 8
15:00:05.718139 IP 192.168.48.132 > 192.168.48.2: ICMP echo request, id
26811, seq 616, length 8
15:00:05.718201 IP 192.168.48.2 > 192.168.48.132: ICMP echo reply, id
26811, seq 616, length 8
15:00:06.248989 IP 192.168.48.132 > 192.168.48.2: ICMP echo request, id
26811, seq 617, length 8
15:00:06.249043 IP 192.168.48.2 > 192.168.48.132: ICMP echo reply, id
26811, seq 617, length 8
15:00:06.780552 IP 192.168.48.132 > 192.168.48.2: ICMP echo request, id
26811, seq 618, length 8
15:00:06.780600 IP 192.168.48.2 > 192.168.48.132: ICMP echo reply, id
26811, seq 618, length 8
15:00:07.312296 IP 192.168.48.132 > 192.168.48.2: ICMP echo request, id
26811, seq 619, length 8
15:00:07.312357 IP 192.168.48.2 > 192.168.48.132: ICMP echo reply, id
26811, seq 619, length 8
15:00:07.843499 IP 192.168.48.132 > 192.168.48.2: ICMP echo request, id
26811, seq 620, length 8
15:00:07.843609 IP 192.168.48.2 > 192.168.48.132: ICMP echo reply, id
26811, seq 620, length 8
15:00:08.375041 IP 192.168.48.132 > 192.168.48.2: ICMP echo request, id
26811, seq 621, length 8
15:00:08.375190 IP 192.168.48.2 > 192.168.48.132: ICMP echo reply, id
26811, seq 621, length 8
15:00:08.907069 IP 192.168.48.132 > 192.168.48.2: ICMP echo request, id
26811, seq 622, length 8
15:00:08.907187 IP 192.168.48.2 > 192.168.48.132: ICMP echo reply, id
26811, seq 622, length 8
15:00:09.438780 IP 192.168.48.132 > 192.168.48.2: ICMP echo request, id
26811, seq 623, length 8
15:00:09.438833 IP 192.168.48.2 > 192.168.48.132: ICMP echo reply, id
26811, seq 623, length 8
15:00:09.925200 IP 192.168.48.132.52096 > dns.quad9.net.domain: 63751+
[1au] A? google.com. (39)
15:00:09.967095 IP 192.168.48.132 > 192.168.48.2: ICMP echo request, id
26811, seq 624, length 8
15:00:09.967143 IP 192.168.48.2 > 192.168.48.132: ICMP echo reply, id
26811, seq 624, length 8
15:00:10.180729 IP dns.quad9.net.domain > 192.168.48.132.52096: 63751
1/0/1 A 172.217.12.206 (55)
15:00:10.181001 IP 192.168.48.132.27048 > dns.quad9.net.domain: 50603+%
[1au] DS? com. (32)
15:00:10.441837 IP dns.quad9.net.domain > 192.168.48.132.27048: 50603$
2/0/1 DS, RRSIG (367)
15:00:10.442752 IP 192.168.48.132.6260 > dns.quad9.net.domain: 51511+%
[1au] DNSKEY? com. (32)
15:00:10.482996 IP 192.168.48.132 > 192.168.48.2: ICMP echo request, id
26811, seq 625, length 8
15:00:10.483019 IP 192.168.48.2 > 192.168.48.132: ICMP echo reply, id
26811, seq 625, length 8
15:00:10.624300 IP dns.quad9.net.domain > 192.168.48.132.6260: 51511$
3/0/1 DNSKEY, DNSKEY, RRSIG (743)
15:00:10.624658 IP 192.168.48.132.10239 > dns.quad9.net.domain: 24068+%
[1au] DS? google.com. (39)
15:00:10.872239 IP dns.quad9.net.domain > 192.168.48.132.10239: 24068
0/6/1 (760)
15:00:10.873122 IP 192.168.48.1.64078 > 239.192.152.143.6771: UDP,
length 136
15:00:10.873798 IP 192.168.48.1.6771 > 239.192.152.143.6771: UDP, length 136
15:00:10.874032 IP6 fe80::e921:3395:299d:d61.64166 >
ff15::efc0:988f.6771: UDP, length 138
15:00:10.874257 IP6 fe80::e921:3395:299d:d61.6771 >
ff15::efc0:988f.6771: UDP, length 138
15:00:11.014483 IP 192.168.48.132 > 192.168.48.2: ICMP echo request, id
26811, seq 626, length 8
15:00:11.014552 IP 192.168.48.2 > 192.168.48.132: ICMP echo reply, id
26811, seq 626, length 8
15:00:11.545820 IP 192.168.48.2 > 192.168.48.132: ICMP echo reply, id
26811, seq 627, length 8
15:00:11.545840 IP 192.168.48.132 > 192.168.48.2: ICMP echo request, id
26811, seq 627, length 8
15:00:12.077135 IP 192.168.48.132 > 192.168.48.2: ICMP echo request, id
26811, seq 628, length 8
15:00:12.077228 IP 192.168.48.2 > 192.168.48.132: ICMP echo reply, id
26811, seq 628, length 8
15:00:12.608115 IP 192.168.48.132 > 192.168.48.2: ICMP echo request, id
26811, seq 629, length 8
15:00:12.608173 IP 192.168.48.2 > 192.168.48.132: ICMP echo reply, id
26811, seq 629, length 8
15:00:12.875465 IP 192.168.48.1.64078 > 239.192.152.143.6771: UDP,
length 136
15:00:12.875619 IP 192.168.48.1.6771 > 239.192.152.143.6771: UDP, length 136
15:00:12.875673 IP6 fe80::e921:3395:299d:d61.64166 >
ff15::efc0:988f.6771: UDP, length 138
15:00:12.875901 IP6 fe80::e921:3395:299d:d61.6771 >
ff15::efc0:988f.6771: UDP, length 138
15:00:13.139386 IP 192.168.48.132 > 192.168.48.2: ICMP echo request, id
26811, seq 630, length 8
15:00:13.139501 IP 192.168.48.2 > 192.168.48.132: ICMP echo reply, id
26811, seq 630, length 8
15:00:13.670592 IP 192.168.48.132 > 192.168.48.2: ICMP echo request, id
26811, seq 631, length 8
15:00:13.670793 IP 192.168.48.2 > 192.168.48.132: ICMP echo reply, id
26811, seq 631, length 8
15:00:14.201479 IP 192.168.48.132 > 192.168.48.2: ICMP echo request, id
26811, seq 632, length 8
15:00:14.201568 IP 192.168.48.2 > 192.168.48.132: ICMP echo reply, id
26811, seq 632, length 8
15:00:14.252141 IP 192.168.48.1.17500 > 192.168.48.255.17500: UDP,
length 133
15:00:14.732367 IP 192.168.48.132 > 192.168.48.2: ICMP echo request, id
26811, seq 633, length 8
15:00:14.732421 IP 192.168.48.2 > 192.168.48.132: ICMP echo reply, id
26811, seq 633, length 8
15:00:15.262757 IP 192.168.48.132 > 192.168.48.2: ICMP echo request, id
26811, seq 634, length 8
15:00:15.262823 IP 192.168.48.2 > 192.168.48.132: ICMP echo reply, id
26811, seq 634, length 8
15:00:15.793398 IP 192.168.48.132 > 192.168.48.2: ICMP echo request, id
26811, seq 635, length 8
15:00:15.793537 IP 192.168.48.2 > 192.168.48.132: ICMP echo reply, id
26811, seq 635, length 8
15:00:16.325225 IP 192.168.48.132 > 192.168.48.2: ICMP echo request, id
26811, seq 636, length 8
15:00:16.325334 IP 192.168.48.2 > 192.168.48.132: ICMP echo reply, id
26811, seq 636, length 8
^C
65 packets captured
65 packets received by filter
0 packets dropped by kernel
Regards