If you want to run your own dns, you could just install the unbound package on pfsense - no need for MS dns, which I don't believe is viable on WHS anyway.. They really striped out the actual useful features of server with WHS, like dns.. Now maybe there is some patch or something to turn it back on?

Or you could always just run bind on any box on your network, even your WHS, etc.

But if you want to run your own dns, I would really check out unbound package.  Its be working great on my setup.  Has dnssec support and ipv6 support as well.  And has been pretty much rock solid, I keep hearing that it will be fully integrated into the 2.1 line vs a package which I am very much in favor of!

Only thing that would be nicer would be to create package or easy howto in running full blown bind on pfsense.

I must admit I never really touched those settings…

nat.png
nat.png_thumb

Thanks for the info. Doing the extra level of indirection isn't perfect, but at least I can keep my configuration data mostly independent from third party stuff, such that in the case of any changes I only need to alter a CNAME entry and not a bunch of VPN configurations.

Would be great, though, to have server side RFC 2136 support at some point in the future…

You should probably set the Interface to monitor to WAN since that is probably the interface out which the access to http://myip.dnsomatic.com should be sent.

If your WAN IP address was public and changed it is the new address you would probably want to be registered with your dynamic DNS provider.

wallabybob,

Thanks for your reply much appreciated.

Thanks,

Ward.

I don't think its possible with the gui, the unbound does not allow zone xfers for starters, nor do I belive the tiny dns package does as well?  you would have to use axfr-get with tinydns I believe.. Not sure if that is part of the package to get your zone info from your MS dns

Now there is nothing saying you couldn't write some script to pull your host info from your MS dns and import that into unbound.  If using the tinydns package, you could prob get the axfer-get stuff to work?

But off the top I do not believe there is anyway to do what you want with just clicking in the gui, etc.

Perfect, I'll give that a try, never saw that option.

Thanks

Good questions!  Like I said I am new to this.  When I moved the servers over to the DMZ subnet, some are statically set and I did not change the dns to reflect pfsense.  I'll try that.  Also 192.168.3.1 is the DMZ interface

@wallabybob:

They don't seem functional to you. What is your evidence they are functional?

All other computers connected directly to the SMC(10.1.10.1/24) work. And before I started playing around with pfSense, it all worked.

It is often necessary to reset firewall states after rule changes. See Diagnostics -> States, click on Reset States tab.

I heard about that. Diagnostics: Reset state executed.

Back to the LAPTOP: NSLOOKUP google.com timeout.

What does pfSense shell command ps ax | grep dnsmasq show?

Diagnostics: Execute command results
$ ps ax | grep dnsmasq
36245 ?? S 0:00.01 sh -c ps ax | grep dnsmasq
36729 ?? R 0:00.01 grep dnsmasq
44710 ?? S 147:22.02 /usr/local/sbin/dnsmasq –local-ttl 1 --all-servers -

Your routing table is messed up? What does pfSense shell command netstat -rn show?

Diagnostics: Execute command results
$ netstat -rn
Routing tables
default | 70.x.y.50 | UGS | 0 | 401 | xl0
10.1.10.0/24 | link#1 | U | 0 | 12407 | fxp0
10.1.10.5 | link#1 | UHS | 0 | 0 | lo0
68.87.69.146 | 70.x.y.50 | UGHS | 0 | 5 | xl0
68.87.85.98 | 70.x.y.50 | UGHS | 0 | 35 | xl0
70.x.y.48/30 | link#3 | U | 0 | 9988 | xl0
70.x.y.49 | link#3 | UHS | 0 | 0 | lo0
127.0.0.1 | link#4 | UH | 0 | 3628 | lo0

(link#2 is OPT1 and edited from this list)

What is the IP address of the DNS your laptop is using?

ipconfig /all shows DNS Servers 10.1.10.5 (DHCP assigned)

Your assistance is very much appreciated.

I think I might have fixed it…

For some reason if you check " Non-cached DNS " on that site, it'll show my SOA record.

Weird.

Did you ever get this working? I want to do the same thing, but as far as I can tell it's not possible.

It's all good :). Once i find some time i might take a look at the php code of the gui parser myself.

The box it's stable and in production now :)

No i just hard rebooted the router after it got hang.
thanks

Your not really filtering access, your filtering lookup of the address is all..  If they are smart enough to change the local machines DNS, then they are smart enough to use a host file or a proxy to bypass lookup filter.

You might want to look at the squidguard package if your really interested in content filtering.

I sent that to this user.

Let me know if it's better for you. I did that under pfsense 2.0

I noticed also many things missing and needed to be improve. I will maybe send them once I worked on them.

Let us know if it's usefull for other or only me and this user were lucky to make it work.

J

It is ften necessary to reset firewall states after changing firewall rules. See Diagnostics -> States, click on Reset States tab.

If your access fro LAN2 to LAN1 is being blocked by the firewall default rule you normally see this logged in the firewall log at Status -> System Logs, click on Firewall tab.

my bad, with unbound being available I sometimes forget that not everyone runs it.. for the life of me I don't know why ;)  But I guess not everyone likes to run a fully configurable dns resolver ;) heheh

I do believe sometime down the road unbound will be integrated – but until then yup you can do what cmb suggests.  I would think that prob be the default config?

Or you can install the unbound package ;)

as it was resloved in http://forum.pfsense.org/index.php/topic,42913.0.html dnsmasq thought it's attack " dnsmasq[5522]: possible DNS-rebind attack detected: free.anport.ru"
I added an option "rebind-domain-ok=free.anport.ru" to DNSmasq advanced config and it's all right now.

Did that, made no difference. Same issue with both NIC's. Also hooked it up with a short cable to the cablemodem, also no difference.

edit: I'm back in business. Couldn't get Debian to cooperate (guess I'll have to learn more about Debian before I try that again), but IPFire was willing to cooperate, I'm back online :) , now hoping it keeps working.

But I've still no clue what happened this morning with pfSense.