Netgate Discussion Forum

    DNS Overides

    DHCP and DNS
    dns override dns forwarder dns custom
    • W
      Wherewolf
      last edited by

      I'm using the DNS forwarder function in CE 2.5.2 and have server overrides in place. All work well -
      I have a situation now where I need to enter multiple addresses for a single host.
      According to the Documentation: ( https://docs.netgate.com/pfsense/en/latest/services/dns/resolver-host-overrides.html )

      Host Overrides
      Custom DNS entries can be created in the Host Overrides section of the DNS Resolver configuration.

      ....
      (Sections removed for clarity)
      ....
      IP Address
      The IP address (either IPv4 or IPv6) to return as the result for a DNS lookup of this entry. May be a single address or a comma-separated list of multiple addresses.

      ....
      (Sections removed for clarity)
      ....

      Problem: I can't seem to get multiple addresses to take -
      it shows a red error box above with ** "The following input errors were detected: A valid IP address must be specified." **

      Has anyone else run into this? Any ideas? It won't take two separate IP entries with the same host name either.

      • KOMK
        KOM @Wherewolf
        last edited by

        @wherewolf It works for me. Check for a typo in one of your IP addresses and do not put a space after the comma.

        • W
          Wherewolf
          last edited by

          Thank you for trying. I still get the same error. I've checked the addresses, format, and spacing. No dice.
          my entry looks like: 123.123.123.12,132.132.132.21 (obscured)
          no spaces, comma betwixt....
          still invalid according to the input error checker.

          Maybe you are using the DNS OVERRIDE page on the DNS RESOLVER vs DNS FORWARDER? I can't really try that without breaking my live system....
          I appreciate your input.

          • S
            SteveITS Galactic Empire @Wherewolf
            last edited by

            @wherewolf https://docs.netgate.com/pfsense/en/latest/services/dns/forwarder-overrides.html
            "The configuration is identical to Host Overrides in the DNS Resolver, refer there for details. The main difference is that overrides in the DNS Forwarder only support a single address per entry."

            Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
            When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
            Upvote 👍 helpful posts!

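The single-address limit quoted above is easy to reproduce in a small model of the override field. This is an added example, not pfSense code: it validates the "IP Address" field the way the thread describes (Resolver accepts a comma-separated IPv4/IPv6 list, Forwarder accepts exactly one address, a space after the comma fails) and renders the equivalent unbound `local-data` / dnsmasq `host-record` lines. The function names, the error text and the sample addresses are assumptions; the two directive syntaxes are real, but whether pfSense emits exactly these lines is not claimed.

```python
"""Added example (not pfSense code): model host-override IP validation for the
DNS Resolver (unbound) vs DNS Forwarder (dnsmasq) pages, then render backend
config lines. Error text and function names are assumptions."""
import ipaddress

IP_ERROR = "A valid IP address must be specified."   # message from the thread


def parse_override_ips(field: str, service: str) -> list[str]:
    """Return the validated address list for a host override, or raise ValueError."""
    if service not in ("resolver", "forwarder"):
        raise ValueError(f"unknown service: {service}")
    tokens = field.split(",")          # split on commas only, no whitespace stripping
    if service == "forwarder" and len(tokens) > 1:
        raise ValueError(IP_ERROR)     # dnsmasq overrides: one address per entry
    addrs = []
    for tok in tokens:
        try:
            # " 10.10.1.11" (space after the comma) fails here, hence KOM's advice
            addrs.append(str(ipaddress.ip_address(tok)))
        except ValueError:
            raise ValueError(IP_ERROR) from None
    return addrs


def render_override(host: str, domain: str, field: str, service: str) -> list[str]:
    """Render one record per validated address in the backend's own syntax."""
    fqdn = f"{host}.{domain}"
    lines = []
    for addr in parse_override_ips(field, service):
        rrtype = "AAAA" if ":" in addr else "A"
        if service == "resolver":
            lines.append(f'local-data: "{fqdn}. {rrtype} {addr}"')   # unbound
        else:
            lines.append(f"host-record={fqdn},{addr}")                # dnsmasq
    return lines


if __name__ == "__main__":
    # Constructed sample: two DMZ load balancer addresses behind one hostname
    print(render_override("app", "example.net", "10.10.1.10,10.10.1.11", "resolver"))
    try:
        render_override("app", "example.net", "10.10.1.10,10.10.1.11", "forwarder")
    except ValueError as err:
        print("forwarder:", err)
```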
            • W
              Wherewolf
              last edited by

              Thank you for clarifying that - I missed it completely. I guess I can use an external DNS server to provide multiple addresses. Unfortunately it becomes just another device to go sideways....

              • S
                SteveITS Galactic Empire @Wherewolf
                last edited by

                @wherewolf Gotta read all three sentences… ;)

                Why can you not use Resolver? It forwards.

                I didn’t even realize one could use commas, I just made two entries. Though technically for a domain override.


                • W
                  Wherewolf
                  last edited by

                  At the time I set this whole network up (a few years back), there seemed to be a higher number of issues with the resolver (maybe the transition to a different underlying package?) than simply using the forwarder with Umbrella - which seemed to be faster overall anyway. Can't really make major changes without extensive testing and evaluation - roughly 3.5k clients behind this setup that operate 24x7 - Network hiccups are frowned upon. This hasn't been an issue until I needed to make this one override entry for two addresses to a single hostname.

                  "If it's not currently dysfunctional, do not attempt to improve process, purpose, or performance."

                  • GertjanG
                    Gertjan @Wherewolf
                    last edited by Gertjan

                    @wherewolf said in DNS Overides:

                    Maybe you are using the DNS OVERRIDE page on the DNS RESOLVER vs DNS FORWARDER? I can't really try that without breaking my live system..

                    If you are using the resolver, Unbound, and you have a doubt, you can switch to the forwarder (dnsmasq) with less than ....10 ? seconds of DNS outage. Even big networks wouldn't really notice anything while switching.

                    Pre-start the forwarder, dnsmasq, changing the listen port to something other than '53' (unbound is bound to that port right now). Choose for example "5354".
                    Now you can copy any host overrides etc. from the resolver unbound page to the forwarder dnsmasq settings page.
                    When ready:
                    Deactivate unbound.
                    On the forwarder page: change port 5353 to 53 and save reload (start).
                    Done.

                    Both do the same thing differently, and should work.

                    Btw: with tools like 'dig' you can test drive dnsmasq (forwarder) before firing it up:

                    [2.6.0-RELEASE][admin@pfsense.my-local-network..net]/root: dig -p 5354 pfsense.my-local-network.net AAAA +short
                    2001:470:dead:beef:2::1
                    
                    [2.6.0-RELEASE][admin@pfsense.my-local-network.net]/root: dig -p 5354 www.google.com AAAA +short
                    2a00:1450:4006:802::2004
                    

                    port 5354 is the temporary LANs based forwarder port.

                    Take note : if your issues don't change, maybe your issue isn't forwarder or resolvers related.

                    No "help me" PM's please. Use the forum, the community will thank you.
                    Edit : and where are the logs ??

                    • S
                      SteveITS Galactic Empire @Wherewolf
                      last edited by

                      @wherewolf said in DNS Overides:

                      seemed to be a higher number of issues with the resolver

                      In 2.5 they did fix "Changed: Temporarily move back to Unbound 1.12.x due to instability on Unbound 1.13.x."

                      FWIW we have used Resolver forwarding to Quad9 at all our clients for several years.

                      The only "issue" I'm aware of is if one has DHCP lease registration (in DNS) enabled then unbound restarts after each DHCP renewal.

                      re: Forwarder, can you use a domain override to forward the request to an internal DNS server? Not entirely sure that will work but I'd guess 95% sure. (It does for domains obviously.)


                      • GertjanG
                        Gertjan @SteveITS
                        last edited by Gertjan

                        @steveits said in DNS Overides:

                        In 2.5 they did fix "Changed: Temporarily move back to Unbound 1.12.x due to instability on Unbound 1.13.x."

                        Keep in mind that "2.5" is very (like very !!) old - 2018 ? That's like 'decades' (IT time scale) for me.
                        You won't find many people using that version any more. Most of us are scared by the sheer number of security issues found since then, and as security tends to win it from "comfort" (or whatever your reason is to stay on 2.5), 2.5 is gone.

                        I do remember the unbound 1.3.xx which got reverted to unbound 1.12.x. It was a forwarder issue, which could be circumvented by using the resolver as a resolver - as you do.
                        Furthermore, if you forward, consider using the lightweight forwarder dnsmasq.
                        "lightweight" + "Murphy's law" == less issues.

                        @steveits said in DNS Overides:

                        The only "issue" I'm aware of is if one has DHCP lease registration ...
                        Is somewhat solved, but it needs the admin to sit down, answer some questions (like: "what are the devices that I need to know by IP and host name") and then fill in these IP+hostname as entries as MAC static DHCP leases. And done.
                        The DHCP-lease-info into Unbound integration is flawed, of course. But it's also very clear that people @Netgate don't think it is, as if so, it would have been solved ages ago.
                        I am also persuaded that people @Netgate tend to know what networking is, and in any case: much better than me (who am I after all). For me, this issue never existed anyway - as I've been DHCP-static MAC mapping my whole life already and never had to deal with +100 server type device networks ;)

                        @steveits said in DNS Overides:

                        re: Forwarder, can you use a domain override to forward the request to an internal DNS server?

                        Like dnsmasq or unbound that forwards to some local, LAN based Pi-hole? Yes, why not.

                        edit !

                        Great. Now I discover that I replied to @steveits and not @Wherewolf.
                        He already knew all this. I'll leave the replies anyway.


                        • W
                          Wherewolf
                          last edited by

                          Since the bulk of my users are on segregated segments from the rest of the network, they can only resolve the external/public addresses for my internal resources. In this instance, I created a bypass through a DMZ segment for a specific resource and needed to provide them an alternate destination address than what the external DNS resolution provides (I assumed that would be a "Host" override - provided to the client before external resolution could happen.)
                          This worked well, just couldn't do both of my DMZ load balancers due to the limitation on DNS Forwarder vs DNS Resolver. Not entirely clear why that limit is there, but I was able to make it work with my external DNS (separate from pfSense). The HA pfSense's sit inside dual edge routers, so I can pass that segregated traffic into the DMZ without transiting the public/outside interfaces of the routers. Maybe I'm approaching it incorrectly, but I've made it work reliably now so I'm documenting it and moving on to the next crisis. ;) Thanks again for your input!

                          • KOMK
                            KOM @Wherewolf
                            last edited by

                            @wherewolf Yeah sorry about that. I was using Resolver.

                            • S
                              SteveITS Galactic Empire @Gertjan
                              last edited by

                              @gertjan said in DNS Overides:

                              "2.5" is very (like very !!) old - 2018 ?

                              2.5 came out a year ago with 21.02. :)
                              https://docs.netgate.com/pfsense/en/latest/releases/2-5-0.html


                              • GertjanG
                                Gertjan @SteveITS
                                last edited by Gertjan

                                @steveits said in DNS Overides:

                                https://docs.netgate.com/pfsense/en/latest/releases/2-5-0.html

                                You're right. That's actually just one year ago.
                                As I said: deep in the past 😊


                                • S
                                  SteveITS Galactic Empire @Gertjan
                                  last edited by

                                  @gertjan said in DNS Overides:

                                  deep in the past

                                  Using my "Internet years" theory (like dog years) that's 7 Internet years ago.


                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.