DNS Overides
-
I'm using the DNS forwarder function in CE 2.5.2 and have server overides in place. All work well -
I've have a situation now where I need to enter multiple addresses for a single host.
According to the Documentation: ( https://docs.netgate.com/pfsense/en/latest/services/dns/resolver-host-overrides.html )Host Overrides
Custom DNS entries can be created in the Host Overrides section of the DNS Resolver configuration.
....
(Sections removed for clarity)
....
IP Address
The IP address (either IPv4 or IPv6) to return as the result for a DNS lookup of this entry. May be a single address or a comma-separated list of multiple addresses.
....
(Sections removed for clarity)
....Problem: I can't seem to get multiple addresses to take -
it shows a red error box above with ** "The following input errors were detected: A valid IP address must be specified." **Has anyone else run into this? Any ideas? It won't take two separate IP entries with the same host name name either.
-
@wherewolf It works for me. Check for a typo in one of your IP addresses and do not put a space after the comma.
-
Thank you for trying. I still get the same error. I've checked the addresses, format, and spacing. No dice.
my entry looks like: 123.123.123.12,132.132.132.21 (obscured)
no spaces, comma betwix....
still invalid according to the input error checker.Maybe you are using the DNS OVERRIDE page on the DNS RESOLVER vs DNS FORWARDER? I can't really try that without breaking my live system....
I appreciate your input. -
@wherewolf https://docs.netgate.com/pfsense/en/latest/services/dns/forwarder-overrides.html
"The configuration is identical to Host Overrides in the DNS Resolver, refer there for details. The main difference is that overrides in the DNS Forwarder only support a single address per entry." -
Thank you for clarifying that - I missed it completely. I guess I can use an external DNS server to provide multiple addresses. Unfortunately it becomes just another device to go sideways....
-
@wherewolf Gotta read all three sentencesโฆ ;)
Why can you not use Resolver? It forwards.
I didnโt even realize one could use commas, I just made two entries. Though technically for a domain override.
-
At the time I set this whole network up (a few years back), there seemed to be a higher number of issues with the resolver (maybe the transition to a different underlying package?) than simply using the forwarder with Umbrella - which seemed to be faster overall anyway. Can't really make major changes without extensive testing and evaluation - roughly 3.5k clients behind this setup that operate 24x7 - Network hiccups are frowned upon. This hasn't been an issue until I needed to make this one override entry for two addresses to a single hostname.
"If it's not currently dysfunctional, do not attempt to improve process, purpose, or performance."
-
@wherewolf said in DNS Overides:
Maybe you are using the DNS OVERRIDE page on the DNS RESOLVER vs DNS FORWARDER? I can't really try that without breaking my live system..
If you are using the resolver, Unbound, and you have a doubt, you can switch to the forwarder (ndsmasq) with less then ....10 ? seconds of DNS outage. Even big networks wouldn't really notice any thing while switching.
Pre start the forwarder, dnsmasq, change the listen port to something else as '53' (unbound is bound that port right now). Chose for example "5354.
Now you can copy any host overrides etc. from resolver unbound page to the forwarder dnsmasq settings page.
When ready :
De activate unboud.
On the forwarder page : change port 5353 to 53 and save reload (start).
Done.Both do the same thing differently, and should work.
Btw : with tools like 'dig' you can test drive dnsmasq (forwarder) before firing it up :
[2.6.0-RELEASE][admin@pfsense.my-local-network..net]/root: dig -p 5354 pfsense.my-local-network.net AAAA +short 2001:470:dead:beef:2::1[2.6.0-RELEASE][admin@pfsense.my-local-network.net]/root: dig -p 5354 www.google.com AAAA +short 2a00:1450:4006:802::2004port 5354 is the temporary LANs based forwarder port.
Take note : if your issues don't change, maybe your issue isn't forwarder or resolvers related.
-
@wherewolf said in DNS Overides:
seemed to be a higher number of issues with the resolver
In 2.5 they did fix "Changed: Temporarily move back to Unbound 1.12.x due to instability on Unbound 1.13.x."
FWIW we have used Resolver forwarding to Quad9 at all our clients for several years.
The only "issue" I'm aware of is if one has DHCP lease registration (in DNS) enabled then unbound restarts after each DHCP renewal.
re: Forwarder, can you use a domain override to forward the request to an internal DNS server? Not entirely sure that will work but I'd guess 95% sure. (It does for domains obviously.)
-
@steveits said in DNS Overides:
In 2.5 they did fix "Changed: Temporarily move back to Unbound 1.12.x due to instability on Unbound 1.13.x."
Keep in mind that "2.5" is very (like very !!) old - 2018 ? That's like 'decades' (IT time scale) for me.
You won't find many people using that version any more. Most of use are scared by the shear number of security issues found since then, and as security tends to win it from "comfort" (or whatever your reason is to stay on 2.5) so 2.5 is gone.I do remember the unbound 1.3.xx which got reverted to unbound 1.12.x. It was a forwarder issue, which could be circumvented by using the resolver as a resolver - as you do.
Further more, if you forward, consider using the light weight forwarder dnsmasq.
" light weight" + "Murphy's law" == less issues.@steveits said in DNS Overides:
The only "issue" I'm aware of is if one has DHCP lease registration ...
Is some what solved, but it needs the admin to sit down, answers some question (like : "what are the devices that I need to know by IP and host name") and then fill in these IP+hostname as entries as MAC static DHCP leases. And done.
The DHCP-lease-info into Unbound integration is flawed, of course. But its also very clear that people @Netgate don't thinks it is, as if so, it would have been solved ages ago.
I 'am also persuaded that people @Netgate tend to know what networking is, and in any case : much better as me (who am I after all). For me, this issue never existed anyway - as I'm DHCP-static MAC mapping my whole live already and never had to deal with +100 server type devices networks ;)@steveits said in DNS Overides:
re: Forwarder, can you use a domain override to forward the request to an internal DNS server?
Like dnsmasq or unboiund that forwards to some local, LAN based PI-Hole ? Yes, why not.
edit !
Great. Know I discover that I reply to @steveits and not @Wherewolf.
He already knew all this. I'll leave the replies anyway. -
Since the bulk of my users are on segregated segments from the rest of the network, they can only resolve the external/public addresses for my internal resources. In this instance, I created a bypass thru a dmz segment for a specific resource and needed to provide them an alternate destination address than what the external DNS resolution provides ( I assumed that would be a "Host" override - provided to the client before external resolution could happen.)
This worked well, just couldn't do both of my DMZ load balancers due to the limitation on DNS Forwarder vs DNS Resolver. Not entirely clear why that limit is there, but I was able to make it work with my external DNS (separate from pfsense) The HA Pfsense's sit inside dual edge routers, so I can pass that segregated traffic into the DMZ without transiting the public/outside interfaces of the routers. Maybe I'm approaching it incorrectly, but I've made it work reliably now so I'm documenting it and moving on to the next crisis. ;) Thanks again for your input! -
@wherewolf Yeah sorry about that. I was using Resolver.
-
@gertjan said in DNS Overides:
"2.5" is very (like very !!) old - 2018 ?
2.5 came out a year ago with 21.02. :)
https://docs.netgate.com/pfsense/en/latest/releases/2-5-0.html -
@steveits said in DNS Overides:
https://docs.netgate.com/pfsense/en/latest/releases/2-5-0.html
You're right. Thats actually just one year ago.
As I said : deep in the past
-
@gertjan said in DNS Overides:
deep in the past
Using my "Internet years" theory (like dog years) that's 7 Internet years ago.