Hi,
I have software that deploys a DNS forwarder and uses PF to redirect local DNS requests to the forwarder. All of a sudden this scheme stopped working and I am trying to figure out what the problem could be.
I am troubleshooting the issue and trying to verify every piece. My question is focused on the PF part of the solution.
The rules the tool creates are the following:
Code:
table <dns_servers> {10.142.0.1}
rdr pass on lo0 inet proto udp to <dns_servers> port 53 -> 127.0.0.1 port 12299
pass out route-to lo0 inet proto udp to <dns_servers> port 53 keep state
10.142.0.1 is my DNS server, and the local forwarder listens on local port 12299. As I understand it, line #2 redirects traffic arriving on the local interface for my DNS server to 127.0.0.1:12299, and line #3 routes that traffic to the local interface. I am not very familiar with PF and am asking you to verify whether the above rules are enough to serve the purpose. Is the order of the rules correct? Unfortunately I do not have logs from the system in its working state, so I have nothing to compare with.
From the perspective of the DNS client, it looks like the connection is never established: nslookup and dig fail with
Code:
;; connection timed out; no servers could be reached
However, the logs of the forwarder do show that requests are forwarded and a meaningful response is received. If I logically divide the process into these steps:
- send request by Requester
- intercept traffic and route to the Forwarder
- request DNS resolution from the remote server
- receive response by the Forwarder
- re-send it to the Requester.
If you look at the above PF rules, would you see any clues? Are those enough to serve the purpose? Any other ideas?
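The following is an added example, not code from the original post or from the tool the poster describes. It takes the three posted rules verbatim, parses them with a small purpose-built parser (an assumption: it understands only the `table`, `rdr pass on`, and `pass out route-to` forms shown above, not general pf.conf), and does two things a reviewer would do before touching the live system: a static lint of the rule set (translation rule before filter rule, as macOS/FreeBSD-style pf requires; rdr target port equals the forwarder's listen port of 12299 from the post; the `route-to` rule and the `rdr` rule agree on interface, table, protocol and port), and a simplified trace of how a locally generated query to 10.142.0.1:53 is first sent to `lo0` by the `route-to` rule and then rewritten to 127.0.0.1:12299 by the `rdr` rule. The trace is a model of that two-step interaction, not pf's own engine.

```python
"""Static checks and a flow model for a pf DNS-redirect rule set.

Added example. PF_RULES is the poster's text; the parser and the packet
model below are simplified assumptions, not pf's actual implementation.
"""
import re

# Rules exactly as posted in the question.
PF_RULES = """\
table <dns_servers> {10.142.0.1}
rdr pass on lo0 inet proto udp to <dns_servers> port 53 -> 127.0.0.1 port 12299
pass out route-to lo0 inet proto udp to <dns_servers> port 53 keep state
"""

FORWARDER_PORT = 12299  # port the local forwarder listens on (from the post)

TABLE_RE = re.compile(r"^table\s+<(\w+)>\s*\{([^}]*)\}")
RDR_RE = re.compile(
    r"^rdr\s+(pass\s+)?on\s+(\S+)\s+inet\s+proto\s+(\w+)\s+to\s+<(\w+)>"
    r"\s+port\s+(\d+)\s+->\s+(\S+)\s+port\s+(\d+)")
ROUTE_RE = re.compile(
    r"^pass\s+out\s+route-to\s+(\S+)\s+inet\s+proto\s+(\w+)\s+to\s+<(\w+)>"
    r"\s+port\s+(\d+)")


def parse_rules(text):
    """Parse the three rule forms used above into tables, rdr rules,
    route-to pass rules, and the section each rule line belongs to."""
    tables, rdrs, passes, order = {}, [], [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments / blank lines
        if not line:
            continue
        if m := TABLE_RE.match(line):
            tables[m.group(1)] = {a.strip() for a in m.group(2).split(",") if a.strip()}
        elif m := RDR_RE.match(line):
            rdrs.append({"pass": bool(m.group(1)), "iface": m.group(2),
                         "proto": m.group(3), "table": m.group(4),
                         "dport": int(m.group(5)), "to_ip": m.group(6),
                         "to_port": int(m.group(7))})
            order.append("translation")
        elif m := ROUTE_RE.match(line):
            passes.append({"route_iface": m.group(1), "proto": m.group(2),
                           "table": m.group(3), "dport": int(m.group(4))})
            order.append("filter")
        else:
            raise ValueError(f"unparsed rule: {line}")
    return tables, rdrs, passes, order


def lint(text, forwarder_port):
    """Return a list of problems; an empty list means the rule set is consistent."""
    tables, rdrs, passes, order = parse_rules(text)
    problems = []
    # macOS/FreeBSD pf rejects a file where a translation rule follows a filter rule.
    if "filter" in order and "translation" in order:
        last_rdr = max(i for i, s in enumerate(order) if s == "translation")
        if order.index("filter") < last_rdr:
            problems.append("rdr rule placed after a filter rule; pfctl rejects this order")
    for r in rdrs:
        if r["table"] not in tables:
            problems.append(f"rdr references undefined table <{r['table']}>")
        if r["to_port"] != forwarder_port:
            problems.append(f"rdr sends to port {r['to_port']}, forwarder listens on {forwarder_port}")
        if r["to_ip"] != "127.0.0.1":
            problems.append(f"rdr target {r['to_ip']} is not loopback")
    for p in passes:
        partner = [r for r in rdrs if r["iface"] == p["route_iface"] and r["table"] == p["table"]
                   and r["proto"] == p["proto"] and r["dport"] == p["dport"]]
        if not partner:
            problems.append("route-to rule has no matching rdr on the same interface/table/port")
    return problems


def trace_query(text, dst_ip, dst_port, proto="udp"):
    """Model a locally generated query: route-to picks the egress interface,
    then the rdr rule on that interface rewrites the destination.
    Returns (steps taken, final (ip, port))."""
    tables, rdrs, passes, _ = parse_rules(text)
    steps, iface, dest = [], "default-route", (dst_ip, dst_port)
    for p in passes:  # step 1: outbound filter with route-to
        if p["proto"] == proto and p["dport"] == dst_port and dst_ip in tables.get(p["table"], ()):
            iface = p["route_iface"]
            steps.append(f"pass out route-to {iface}")
            break
    for r in rdrs:  # step 2: translation on the interface the packet now arrives on
        if r["iface"] == iface and r["proto"] == proto and r["dport"] == dst_port \
                and dst_ip in tables.get(r["table"], ()):
            dest = (r["to_ip"], r["to_port"])
            steps.append(f"rdr on {iface} -> {dest[0]}:{dest[1]}")
            break
    return steps, dest


if __name__ == "__main__":
    print("lint:", lint(PF_RULES, FORWARDER_PORT) or "ok")
    print("trace:", trace_query(PF_RULES, "10.142.0.1", 53))
```

The static checks only say the file is self-consistent; they cannot show whether the loaded ruleset matches the file or whether state is being created. On the live box the matching checks are `pfctl -s nat` and `pfctl -s rules` (loaded translation and filter rules), `pfctl -s state` while a query is in flight (a state entry for UDP 53 with the 127.0.0.1:12299 translation should appear), and `tcpdump -ni lo0 udp port 12299` to confirm both the redirected query and the forwarder's reply cross `lo0`.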