Skip to main content

A curious case of DNS tomfoolery

Preface: I self-host several web services on a small server inside my home. This leads to some oddness when it comes to accessing those services from within the network, because all of my domain names are pointed to public IP addresses.

The “easy” fix for this is called Split-horizon DNS , or just split DNS for short. Basically, run a DNS server inside the network that returns internal IP addresses for the specified hostnames.

So I did that. First I did it on my pi.hole, but the hostnames still resolved to the external IP. So I tried on my pfSense firewall, and got the same outcome. This was baffling because both pfSense and pi.hole are mature products and this is a very simple ‘well-known’ feature.

I left the settings in place on the pfSense, and queried for the hostname from the pfSense and it worked fine. Eventually I tried several other devices and they all worked fine.

In fact, everything worked fine except for my work Macbook . It always returned the external IP.

I was frustrated and confused, but figured that IT put in some sort of “block and redirect” to their own DNS servers. Eventually I checked /etc/resolv.conf on the Macbook and found that something kept invisibly setting the OS to use 127.0.0.1 (aka localhost) as the only DNS server. Hmph. A few cryptic commands (why no useful netstat, Apple?) later and I was looking at the application that was listening on port 53 (DNS) on localhost: a dnscrypt executable included with the Cisco VPN client.

Well, I guess that makes sense. dnscrypt is a useful open-source application to do exactly this: proxy DNS requests over an encrypted connection to a specified DNS server. Encrypted DNS to known servers for the VPN connection. Except that killing the process it just makes it restart, and closing the VPN client leaves it running. I’m not going to futz with a company installed VPN client. I’ll just admit defeat at this point.

The pi.hole was probably working all along, but by that time I had blown up the config – so I set up pfBlockerNG instead, which is a native pfSense package that has a similar purpose (blocking ads), but also has additional powerful features. A topic for another post.