Bug #14288
Status: Closed
Subject: Setting system DNS servers can incorrectly modify routes for interface addresses
% Done: 100%
Description
Tested on 23.01
Using an address on lo0 (e.g. a localhost VIP or simply @127.0.0.1) as a DNS server under System / General Setup results in a missing route for the specified address.
Example below after adding 127.0.0.1 (persists across reboots):
[23.01-RELEASE][root@router.lab.arpa]/root: netstat -rn4
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            10.0.5.1           UGS        vmx1
10.0.5.0/24        link#2             U          vmx1
10.0.5.75          link#2             UHS         lo0
172.19.0.0/20      192.0.2.4          UGS        vmx2
192.0.2.0/28       link#3             U          vmx2
192.0.2.1          link#3             UHS         lo0
192.0.2.200/29     link#11            U      vmx3.522
192.0.2.201        link#11            UHS         lo0
192.0.2.240/28     link#9             U      vmx3.521
192.0.2.241        link#9             UHS         lo0
192.168.0.0/20     198.51.100.2       UGS        vmx0
198.51.100.0/28    link#1             U          vmx0
198.51.100.1       link#1             UHS         lo0
Updated by Marcos M over 1 year ago
- Description updated (diff)
- Affected Version set to 2.5.1
Some related discussion:
https://forum.netgate.com/topic/162791/
The issue was introduced in 2.5.1 with https://redmine.pfsense.org/issues/11578. The code removes the route when a gateway is not set for the DNS server. Since this process only deletes routes on localhost (routes for other interfaces remain), validation could be added to prevent localhost routes from being deleted. This should be an adequate solution given that a localhost gateway cannot be created and hence used in the DNS Servers option.
Note:
Due to this issue and https://redmine.pfsense.org/issues/12078, it's no longer possible to configure pfSense to use bind for its own DNS queries (e.g. update checks).
Updated by Steve Wheeler over 1 year ago
This impacted quite a few users at the time. It should at least be documented. I would prefer to see a note on the General Setup page to prevent foot shooting.
Updated by Marcos M over 1 year ago
- Subject changed from Using a localhost address as a system DNS server prevents its route from being added to Setting system DNS servers can incorrectly modify routes for interface addresses
- Status changed from New to Pull Request Review
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/1029
This ignores route changes when the DNS IP address exists on an interface.
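Added example (not pfSense's code or the merge request): a small Python model of the route handling described in the two comments above, the 2.5.1 behaviour that deletes the route of a DNS server with no gateway and the fix that ignores DNS addresses present on an interface, plus a check that parses `netstat -rn4` output and reports interface addresses whose host route is missing, the symptom in the report. Function names, the interface list and the trimmed netstat sample are constructed for illustration.

```python
import ipaddress

# Constructed: interface addresses taken from the report's netstat output, plus lo0.
IFACE_ADDRS = {"lo0": ["127.0.0.1"], "vmx1": ["10.0.5.75"], "vmx2": ["192.0.2.1"]}

# Constructed subset of the report's `netstat -rn4` output (127.0.0.1 host route absent).
NETSTAT_SAMPLE = """Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            10.0.5.1           UGS        vmx1
10.0.5.0/24        link#2             U          vmx1
10.0.5.75          link#2             UHS         lo0
192.0.2.0/28       link#3             U          vmx2
192.0.2.1          link#3             UHS         lo0
"""

def plan_dns_routes(dns_servers, iface_addrs, ignore_iface_addrs):
    """Hypothetical model of DNS-server route handling. dns_servers is a list of
    (ip, gateway or None). ignore_iface_addrs=False: a server without a gateway has
    its route deleted (the 2.5.1 behaviour from the report). True: any DNS address
    that is already an interface address is left alone (the fix)."""
    on_iface = {ip for addrs in iface_addrs.values() for ip in addrs}
    actions = []
    for ip, gw in dns_servers:
        if ignore_iface_addrs and ip in on_iface:
            continue  # the host route of an interface address must not be touched
        actions.append(("add", ip, gw) if gw else ("delete", ip))
    return actions

def parse_host_routes(netstat_text):
    """Return {destination: (flags, netif)} for single-host entries only."""
    routes = {}
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        dest, _gw, flags, netif = parts[:4]
        try:
            ipaddress.ip_address(dest)  # skips "default", prefixes and the header row
        except ValueError:
            continue
        routes[dest] = (flags, netif)
    return routes

def missing_host_routes(iface_addrs, netstat_text):
    """Interface addresses with no host route in the table: the symptom in the report."""
    routes = parse_host_routes(netstat_text)
    return sorted(ip for addrs in iface_addrs.values() for ip in addrs if ip not in routes)
```

Running `missing_host_routes` against real `netstat -rn4` output after changing the DNS servers is a quick way to confirm the fix on an affected build.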
Updated by Marcos M over 1 year ago
- Status changed from Pull Request Review to Feedback
- % Done changed from 0 to 100
Applied in changeset e47285ae279a35b3a5211a093299eb69d3344592.
Updated by Jim Pingle over 1 year ago
- Target version set to 2.7.0
- Plus Target Version set to 23.05.1