I'm having trouble accessing my DNS caching resolver from within the machine it runs on. I have dnscache(8) set up listening for network queries from clients:
Code:
dnscache dnscache 31267 3 udp4 192.0.2.53:53 *:*
dnscache dnscache 31267 4 tcp4 192.0.2.53:53 *:*
To allow clients to reach the service, I set up these firewall rules:
Code:
EXT_NIC=em0
DNSCACHE_PORT=53
# incoming TCP queries to DNS cache from clients
pass in quick on $EXT_NIC inet proto tcp from $DNSCACHE_CLIENT_NETS to $EXT_IP port $DNSCACHE_PORT flags $SYN_ONLY modulate state \
(max-src-states 5, max-src-conn 5, max-src-conn-rate 15/5)
# stateless incoming UDP queries to DNS cache from clients
# queries
pass in quick on $EXT_NIC inet proto udp from $DNSCACHE_CLIENT_NETS to $EXT_IP port $DNSCACHE_PORT no state
# responses
pass out quick on $EXT_NIC inet proto udp from $EXT_IP port $DNSCACHE_PORT to $DNSCACHE_CLIENT_NETS no state
This works fine for queries from the outside clients on the network. The problem is I cannot reach the service from the machine itself, which is configured to use its own DNS service:
Code:
# cat /etc/resolv.conf
nameserver 192.0.2.53
It turns out pf(4) blocks these queries since they are not passed via the em0 interface but via lo0:
Code:
# /usr/sbin/tcpdump -nn -e -l -tttt -i pflog0 -s 0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes
2013-08-29 16:46:32.538047 rule 0..16777216/0(match): block in on lo0: 192.0.2.53.49179 > 192.0.2.53.53: 38019+ A? xxxx.yyy.zzz. (30)
To fix this, I tried to add explicit rules to allow this kind of traffic, but pf(4) keeps blocking it:
Code:
# queries
pass in quick on lo0 inet proto udp from $EXT_IP to $EXT_IP port $DNSCACHE_PORT no state
# responses
pass out quick on lo0 inet proto udp from $EXT_IP port $DNSCACHE_PORT to $EXT_IP no state
I'd appreciate any input helping me to find out what I'm doing wrong. Thanks.
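The pflog line in the post carries everything needed to pin down which rule dropped the packet: the number after `rule` is the `@N` index shown by `pfctl -vvsr`, and the `on lo0` tells you the query never touched em0 because the destination is a local address. The parser below is an added example, not code from the post or from pf; it reads tcpdump pflog output of that shape, pulls out the rule number, action, direction, interface and endpoints, and flags blocked loopback packets whose source and destination host are identical (the situation described above). The only sample input is a constructed copy of the post's own log line.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a copy of the pflog line shown in the post, captured with
# "tcpdump -nn -e -l -tttt -i pflog0 -s 0". The queried name is the post's placeholder.
SAMPLE_LINES = [
    "2013-08-29 16:46:32.538047 rule 0..16777216/0(match): block in on lo0: "
    "192.0.2.53.49179 > 192.0.2.53.53: 38019+ A? xxxx.yyy.zzz. (30)",
    "listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes",
]

# tcpdump prints pflog records as: "<ts> rule <n>.<anchor>.<subrule>/<x>(<reason>): <action> <dir> on <if>: <src> > <dst>: ..."
PFLOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) rule (?P<rule>\d+)\.(?P<anchor>[^.]*)\.(?P<subrule>\d+)/\d+"
    r"\((?P<reason>[^)]*)\): (?P<action>block|pass|match) (?P<direction>in|out) on (?P<iface>[^:\s]+): "
    r"(?P<src>\S+) > (?P<dst>\S+):"
)


@dataclass
class PflogEvent:
    timestamp: str
    rule: int          # index into "pfctl -vvsr" (@N) of the matching rule
    anchor: str        # empty string for the main ruleset
    reason: str
    action: str        # block / pass / match
    direction: str     # in / out
    iface: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def split_addr_port(token: str) -> tuple:
    """tcpdump -nn prints IPv4 endpoints as a.b.c.d.port; split on the last dot."""
    ip, port = token.rsplit(".", 1)
    return ip, int(port)


def parse_pflog_line(line: str) -> Optional[PflogEvent]:
    """Parse one tcpdump pflog line; return None for non-record lines (banners, warnings)."""
    m = PFLOG_RE.match(line)
    if not m:
        return None
    src_ip, src_port = split_addr_port(m["src"])
    dst_ip, dst_port = split_addr_port(m["dst"])
    return PflogEvent(
        timestamp=m["ts"],
        rule=int(m["rule"]),
        anchor=m["anchor"],
        reason=m["reason"],
        action=m["action"],
        direction=m["direction"],
        iface=m["iface"],
        src_ip=src_ip,
        src_port=src_port,
        dst_ip=dst_ip,
        dst_port=dst_port,
    )


def parse_pflog(lines: List[str]) -> List[PflogEvent]:
    """Parse a whole capture, silently skipping lines that are not pflog records."""
    events = [parse_pflog_line(l) for l in lines]
    return [e for e in events if e is not None]


def find_local_loop_blocks(events: List[PflogEvent]) -> List[PflogEvent]:
    """Blocked packets on a loopback interface whose source and destination host are
    the same address: traffic the host sent to one of its own IPs, which the kernel
    routes over lo0 rather than the physical NIC."""
    return [
        e for e in events
        if e.action == "block" and e.iface.startswith("lo") and e.src_ip == e.dst_ip
    ]


if __name__ == "__main__":
    for ev in find_local_loop_blocks(parse_pflog(SAMPLE_LINES)):
        # Cross-check the rule index against "pfctl -vvsr" to see the rule text that matched.
        print(f"rule @{ev.rule} {ev.action} {ev.direction} on {ev.iface}: "
              f"{ev.src_ip}:{ev.src_port} -> {ev.dst_ip}:{ev.dst_port}")
```

Run `pfctl -vvsr` on the firewall and look for the `@0` entry to read the rule text that pflog reported as rule 0; the parser only extracts the index, it does not know the ruleset.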