Netgate Discussion Forum

    do you use DNS Forwarder or Resolver with a Lan Cache Server?

    General pfSense Questions
      comet424

      and if it's not possible to do then it's not possible.. I figured I'd ask before trying to figure it out on my own for hours only to find it can't be done

        stephenw10 Netgate Administrator

        You should be able to use the output from that script (but you have to run it to create that) in Unbound in pfSense if that's what you want.

        What exactly did you enter and where?

        How did you test that?

          comet424

          I do not know if Unbound was "forwarder" or "resolver"

          here in this pic.. I set it up again for just Epic and Origin games so far, this is under "DNS Forwarder"

          the script, I don't think I can run that in pfSense.. as I'm guessing it's meant for PiHole... and for Unraid there is no need to run a script, it has it all built in I guess, you just set the DNS Bind IP and upstream IP and Host IP which is the same as Bind IP.. and you're done.. so I would set it to 192.168.0.33 and upstream 192.168.0.3

          so here is the screenshot... and when I had Steam IP addresses too... Traffic Graph would show "Steam" host even though Epic or Origin games were being updated.. and I test it by resuming a download in Epic Games Launcher or Origin Games Launcher
          I did also try domain override but it didn't really work either... pic below, those are the Origin Games servers

          and the only checkbox I checked off in DNS Forwarder was Enable Forwarder... the other boxes I really didn't understand

          pfsense.PNG
          pfsense2.PNG

            comet424

            so when I test those I look on Unraid and nothing is being written to the Lancache drive... it's just like skipping those links and going straight to the computer and bypassing the Lancache

            and I'm not sure, do I use Forwarder or Resolver.. as they both have Host Override and Domain Override

            does pfSense offer to import these text files of hosts for each server... so you don't need to type them in and just import... like import host overrides?

              stephenw10 Netgate Administrator

              Use the resolver (Unbound) unless you have a really good reason to use DNSMasq.

              Ok, those host entries look wrong. Epic_Games.download2.epicgames.com is not a valid host.

              That should almost certainly be:

              Host		Domain
              download2	epicgames.com
              

              'Epic_Games' is just the entry name.

              You almost certainly need to run that script and then insert the output in the Unbound custom conf.

              Domain overrides have to point at another DNS server that will resolve them. Is the Cache server also a DNS server?

              Steve

                comet424

                ok so I never typed in Epic_Games.download2.epicgames.com as host name.. guess pfSense does it... host name is "Epic_Games", it seems to attach it?? here is a pic
                and a pic of the servers I added from the GitHub
                pfsense4.PNG pfsense3.PNG

                Unraid runs a Docker of Lancache server which itself is a DNS server.. so it does work partially if I point DHCP server DNS to 192.168.0.33 and the clients work.. but if I use the non-VPN clients then I find pages can't be found, Amazon pages don't load properly.. as I tried to get both non-VPN and VPN clients to connect to this DNS server, the Lancache, as it also hosts Windows Updates.. caches those too. as you don't have to add any IPs.. it's all built in.. you just point to 192.168.0.33 and all the games are cached to it..

                and running the script file, I forget which file since I'm bouncing back and forth between a couple of pages.. do you then import this custom.conf into pfSense to load into the DNS Resolver Host Overrides (Unbound)?

                I'll have to go over it again and look

                so I should have changed it then where I did "host", not used epic_games
                but should it have been

                host              ip
                cdn3             unrealengine.com
                cdn2             unrealengine.com
                

                was that how it's supposed to be entered?

                update:
                so it should look like this right?
                pfsense5.PNG

                  comet424

                  so by having those host names like that above, which I did in the resolver... I'm no longer able to download the game update.. it's stopped it... so something is working in part to block it lol..

                  rest of internet works..

                  I re-read about the script, never done it.. cuz I'm not sure if it runs under Unraid.. but going to copy the files to Unraid and see if it does work

                  I re-read it a few times, I think I can't use that script
                  that script is for maybe a Raspberry Pi that's running Lancache server and Unbound and dnsmasq, as it talks in the end about restarting those 2 services which I can't do.. for Unraid it's all in one DNS server...

                  never easy lol I'll keep fiddling lol

                    stephenw10 Netgate Administrator

                    Yes, that's the correct format for a host override. The FQDN = hostname.domain.

                    See: https://docs.netgate.com/pfsense/en/latest/services/dns/resolver-host-overrides.html

                    If the lancache server is also a dns server then you could just use domain overrides and point to it for the whole domain. E.g. epicgames.com
                    Assuming the server will override the hosts for cached content and resolve them as itself that should work.

                    Adding host or domain overrides in the pfSense GUI is actually creating Unbound conf lines that are added in the background. When you run that script it creates raw Unbound conf intended to be used with Unbound directly. pfSense has a field for entering conf lines directly if you need to use advanced Unbound features so that's where I would expect to enter it if you are doing it that way.

                    It shouldn't matter where you run the script since you are manually using its output anyway.

                    I would be testing this by simply trying to resolve one of the hosts and seeing what IP it returns.

                    Steve

                      comet424

                      so I did the domain host override.. it wasn't working and I read somewhere you can't use 192.168.0.1 as upstream as it never downloads, it goes into a round robin.. I did try 1.1.1.1 for its upstream.. I dunno if that leaks VPN or not but that part is working at the moment

                      so for unbound.conf then that's universal.. it's not like if you were to run it in Windows the formatting would be different than if it was in Linux.. you all use the same way to read an Unbound config file then? no matter what platform, all the spaces or fields are all the same..?

                      I'll give it a try... too bad pfSense doesn't have a package in the install packages that updates or imports these text files from that GitHub site..
                      but I'll try in a bit as I gotta do some running around, but going to try then the config, I'm not 100% sure how to do it
                      output/{dnsmasq,unbound}/*

                      with that folder.. but probably I'm wrong
                      but I think it makes a file in an output folder
                      a file called dnsmasq and unbound
                      and whichever one you use, dnsmasq or unbound, is what you use

                      that's my understanding.. with my dyslexia I have to re-read things 10 times to try to understand things sometimes so it takes me a bit to learn....

                        stephenw10 Netgate Administrator @comet424

                        @comet424 said in do you use DNS Forwarder or Resolver with a Lan Cache Server?:

                        so I did the domain host override.. it wasn't working and I read somewhere you can't use 192.168.0.1 as upstream as it never downloads, it goes into a round robin.. I did try 1.1.1.1 for its upstream.. I dunno if that leaks VPN or not but that part is working at the moment

                        Um...not following you there at all.

                        so for unbound.conf then that's universal.. it's not like if you were to run it in Windows the formatting would be different than if it was in Linux.. you all use the same way to read an Unbound config file then? no matter what platform, all the spaces or fields are all the same..?

                        Maybe not in Windows but I can't imagine anyone is running Unbound in Windows. Linux and FreeBSD are largely similar in many ways. Most of the Unbound config file will be the same and you are only adding parts to it.

                        I'll give it a try... too bad pfSense doesn't have a package in the install packages that updates or imports these text files from that GitHub site..

                        pfBlocker-NG can import text files with lists of domains and hosts but not import them as overrides like that. It will block them entirely.

                        but I think it makes a file in an output folder
                        a file called dnsmasq and unbound
                        and whichever one you use, dnsmasq or unbound, is what you use

                        That's what it looks like it does, yes.

                        Steve

                          comet424

                          ok, ran the script.. it made several json files and in it, like for Blizzard, it did

                          address=/cdn.blizzard.com/192.168.0.33
                          address=/blizzard.vo.llnwd.net/192.168.0.33
                          address=/blzddist1-a.akamaihd.net/192.168.0.33
                          address=/blzddist2-a.akamaihd.net/192.168.0.33
                          address=/blzddist3-a.akamaihd.net/192.168.0.33
                          address=/blzddist4-a.akamaihd.net/192.168.0.33
                          address=/dist.blizzard.com/192.168.0.33
                          address=/dist.blizzard.com.edgesuite.net/192.168.0.33
                          address=/edge.blizzard.top.comcast.net/192.168.0.33
                          address=/edgecast.blizzard.com/192.168.0.33
                          address=/level3.blizzard.com/192.168.0.33
                          address=/llnw.blizzard.com/192.168.0.33
                          address=/nydus.battle.net/192.168.0.33
                          
                          

                          so how do I import it into pfSense then, and I guess it separates the host and domain?

                          and what I meant with host override wasn't working is... in Lancache server... I set my upstream to be 192.168.0.1, well apparently people had issues doing it because it never reaches the internet... it says go to 192.168.0.1 and then the router says go back to 192.168.0.33 and continuous loop.. people said to use 1.1.1.1 as the upstream server to get out of the endless loop..

                          so you mentioned pfBlocker-NG can import text files.. but it only imports to block them you mean.. so I guess no way to import these files now into the DNS Resolver section? or is there another script that will import it into pfSense so I wouldn't need to type, just run script and boom I'm done?

                          always learning so I appreciate your help so far (:

                          oh and is the pfBlocker-NG what I need to block ads on the computer, either pop-ups or YouTube or whatnot?

                            comet424

                            I must have done something wrong... with the addresses I added.. I no longer have access, can't log into my Epic or Blizzard or Origin.
                            I must have done something dumb somewhere
                            and does the host/domain override only apply to network outgoing? or all, as I have it set for NordVPN out... not for WAN for non-VPNs

                            but here are the screenshots, doesn't seem to be working
                            pf3.PNG
                            pf2.PNG
                            pf1.PNG

                            for some reason it's like it blocked it now instead of allowed it.. I fixed a couple of things where I had domain.. but Epic and Blizzard used the same servers so I added them to host override.. fixed the dups and conflicts but didn't fix it ...

                              stephenw10 Netgate Administrator

                              Ok so the script made a list of host overrides but not in the Unbound format. That looks like the DNSMasq format.

                              Ok, yes if you used a domain override in pfSense to point at Lancache and that was itself using pfSense then you would create a loop for anything Lancache didn't override.

                              Yes, pfBlocker can serve to block ads etc. Like PiHole.

                              Those host and domain overrides you have added look correct. If you try to resolve one of them from a host using pfSense for DNS does it return 192.168.0.33?
                              If so then it's probably failing because Lancache is not answering the queries.

                              Steve

                                comet424 @stephenw10

                                @stephenw10
                                so I got the Unbound script... I didn't know there was another file to create it.. as I don't do much Linux.. not anymore, 20 yrs ago yes

                                here is the Unbound for Blizzard

                                server:
                                  local-zone: "cdn.blizzard.com" redirect
                                  local-data: "cdn.blizzard.com 30 IN A 192.168.0.33"
                                  local-zone: "blizzard.vo.llnwd.net" redirect
                                  local-data: "blizzard.vo.llnwd.net 30 IN A 192.168.0.33"
                                  local-zone: "blzddist1-a.akamaihd.net" redirect
                                  local-data: "blzddist1-a.akamaihd.net 30 IN A 192.168.0.33"
                                  local-zone: "blzddist2-a.akamaihd.net" redirect
                                  local-data: "blzddist2-a.akamaihd.net 30 IN A 192.168.0.33"
                                  local-zone: "blzddist3-a.akamaihd.net" redirect
                                  local-data: "blzddist3-a.akamaihd.net 30 IN A 192.168.0.33"
                                  local-zone: "blzddist4-a.akamaihd.net" redirect
                                  local-data: "blzddist4-a.akamaihd.net 30 IN A 192.168.0.33"
                                  local-zone: "dist.blizzard.com" redirect
                                  local-data: "dist.blizzard.com 30 IN A 192.168.0.33"
                                  local-zone: "dist.blizzard.com.edgesuite.net" redirect
                                  local-data: "dist.blizzard.com.edgesuite.net 30 IN A 192.168.0.33"
                                  local-zone: "edge.blizzard.top.comcast.net" redirect
                                  local-data: "edge.blizzard.top.comcast.net 30 IN A 192.168.0.33"
                                  local-zone: "edgecast.blizzard.com" redirect
                                  local-data: "edgecast.blizzard.com 30 IN A 192.168.0.33"
                                  local-zone: "level3.blizzard.com" redirect
                                  local-data: "level3.blizzard.com 30 IN A 192.168.0.33"
                                  local-zone: "llnw.blizzard.com" redirect
                                  local-data: "llnw.blizzard.com 30 IN A 192.168.0.33"
                                  local-zone: "nydus.battle.net" redirect
                                  local-data: "nydus.battle.net 30 IN A 192.168.0.33"
                                
                                

                                how can I import that though into resolver overrides.. but they don't break it down by host and domain though

                                ya so I'm testing on my 1 comp
                                gateway and DNS points to 192.168.0.1
                                and I fixed a couple of the domain host overrides so they're not conflicting and they all point to 192.168.0.33

                                and I set the upstream DNS to 1.1.1.1 so it wouldn't run in circles not getting internet by pointing to 192.168.0.1 on the Lancache DNS... but it's also not working.. it's like now I have those... now all internet access for Blizzard launcher, Origin launcher and Epic launcher have no internet.. is there another checkbox I need to set to enable it.. and resolver is enabled.. as I use it for NordVPN

                                I've never used PiHole and I was going to but from some videos they said pfSense is better than PiHole and why use a Raspberry Pi if you've got pfSense, so never tried PiHole...

                                so I'm not sure what you mean, if I resolve from a host using pfSense for DNS does it return 192.168.0.33...

                                if you mean if I try to use Epic, Blizzard or Origin launcher.. no it doesn't... it actually seems to not allow it.. traffic graph shows nothing..

                                but if I set the computer ethernet connection from 192.168.0.1 DNS to 192.168.0.33 then it goes back to working..

                                as I'm sure when you add those overrides... you set your computers to 192.168.0.1 as the DNS like normally and redirection happens at pfSense level and goes to 192.168.0.33

                                that's what I guess..

                                so right now only way it's working is like before I set up these overrides.. 192.168.0.33 in the Windows ethernet DNS...

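Added example, not part of either poster's messages and not the GitHub project's own script: a small Python converter from the dnsmasq `address=/host/ip` lines posted earlier in the thread to the Unbound `local-zone`/`local-data` stanza shown above, which validates every hostname and address and drops duplicates and conflicts before anything is pasted into the resolver's custom options. The function names and the malformed sample lines are constructed for illustration.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphen; no leading or trailing hyphen; 1..63 chars.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
# dnsmasq override line as posted in the thread: address=/<host>/<ip>
_ADDRESS = re.compile(r"^address=/([^/]+)/([^/\s]+)$")

# Constructed sample: the first three lines are copied from the thread, the
# rest are made-up duplicates and malformed lines to exercise the checks.
SAMPLE = """\
address=/cdn.blizzard.com/192.168.0.33
address=/blizzard.vo.llnwd.net/192.168.0.33
address=/nydus.battle.net/192.168.0.33
address=/cdn.blizzard.com/192.168.0.33
address=/cdn.blizzard.com/192.168.0.34
address=/bad"name.example/192.168.0.33
address=/dist.blizzard.com/not-an-ip
"""


def valid_hostname(name):
    """True if name is a plain multi-label hostname that is safe to place
    inside the double quotes of an Unbound local-zone/local-data line."""
    if len(name) > 253 or "." not in name:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def parse_dnsmasq(text):
    """Return (entries, rejected).

    entries  -> [(hostname, ip_address)] in first-seen order, de-duplicated
    rejected -> [(line_number, line, reason)] for everything not converted
    """
    entries, rejected, seen = [], [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _ADDRESS.match(line)
        if not match:
            rejected.append((lineno, line, "not an address=/host/ip line"))
            continue
        host = match.group(1).lower().rstrip(".")
        try:
            addr = ipaddress.ip_address(match.group(2))
        except ValueError:
            rejected.append((lineno, line, "invalid IP address"))
            continue
        if not valid_hostname(host):
            rejected.append((lineno, line, "invalid hostname"))
            continue
        if host in seen:
            # Identical repeats are dropped silently; a different target for
            # the same name is reported so it can be resolved by hand.
            if seen[host] != addr:
                rejected.append((lineno, line, "conflicts with earlier entry"))
            continue
        seen[host] = addr
        entries.append((host, addr))
    return entries, rejected


def to_unbound(entries, ttl=30):
    """Render entries in the format posted in the thread. A 'redirect' zone
    answers the name and everything below it from the zone's own data."""
    lines = ["server:"]
    for host, addr in entries:
        rtype = "A" if addr.version == 4 else "AAAA"
        lines.append(f'  local-zone: "{host}" redirect')
        lines.append(f'  local-data: "{host} {ttl} IN {rtype} {addr}"')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    good, bad = parse_dnsmasq(SAMPLE)
    print(to_unbound(good), end="")
    for lineno, line, reason in bad:
        print(f"# skipped line {lineno}: {reason}: {line!r}")
```

Rejected lines are reported rather than repaired, so a conflicting or malformed entry is reviewed by hand instead of reaching the resolver configuration.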
                                  stephenw10 Netgate Administrator

                                  Ok, great. So you can add those to Unbound in the custom config field like:

                                  Screenshot from 2022-07-06 23-24-38.png

                                  From your laptop that is using pfSense (192.168.0.1) as its DNS server, if you run nslookup cdn.blizzard.com it should return 192.168.0.33. If it does that means Unbound is working as expected.

                                  The DNS lookup loop can only happen for domain overrides. For host overrides, like the example above, pfSense doesn't query the Lancache server.

                                  @comet424 said in do you use DNS Forwarder or Resolver with a Lan Cache Server?:

                                  if I set the computer ethernet connection from 192.168.0.1 DNS to 192.168.0.33 then it goes back to working..

                                  Ok, that implies DNS queries must go via Lancache for it to do whatever it does and that means host overrides will not work. Only domain overrides will forward queries to Lancache.

                                  Steve

                                    comet424 @stephenw10

                                    @stephenw10
                                    ok so this is working.. I added Epic, Blizzard, Steam, and Windows Updates Unbound to the custom

                                    nslookup cdn.blizzard.com
                                    Server:  pfSense2.localdomain
                                    Address:  192.168.0.1
                                    
                                    Name:    cdn.blizzard.com
                                    Address:  192.168.0.33
                                    
                                    
                                    nslookup amupdatedl5.microsoft.com
                                    Server:  pfSense2.localdomain
                                    Address:  192.168.0.1
                                    
                                    Name:    amupdatedl5.microsoft.com
                                    Address:  192.168.0.33
                                    
                                    
                                    nslookup fastly-download.epicgames.com
                                    Server:  pfSense2.localdomain
                                    Address:  192.168.0.1
                                    
                                    Name:    fastly-download.epicgames.com
                                    Address:  192.168.0.33
                                    
                                    
                                    nslookup update6.dota2.wmsj.cn
                                    Server:  pfSense2.localdomain
                                    Address:  192.168.0.1
                                    
                                    Name:    update6.dota2.wmsj.cn
                                    Address:  192.168.0.33
                                    

                                    but if I try to use it.. like Blizzard, Epic, Steam, it will not log in.. Errors
                                    Windows Update seems to work.. well there are no errors but can't tell if there was an update or not
                                    all I know is it passed

                                    is the reason it's not working cuz I have the host overrides and domain overrides in there now.. and I should remove them cuz I'm using the custom section?

                                    not sure what you mean by
                                    "The DNS lookup loop can only happen for domain overrides. For host overrides, like the example above, pfSense doesn't query the Lancache server." but I believe ya as you're smarter than me at this stuff...

                                    and not sure what you mean here too
                                    "Ok, that implies DNS queries must go via Lancache for it to do whatever it does and that means host overrides will not work. Only domain overrides will forward queries to Lancache."

                                    do I need to use the DNS forwarder then? to forward queries.. and what's the difference between DNS forwarder and resolver, what do each do

                                    at least I know how to use Unbound and where it goes (: always learning something new every day (:

                                      stephenw10 Netgate Administrator @comet424

                                      @comet424 said in do you use DNS Forwarder or Resolver with a Lan Cache Server?:

                                      is the reason it's not working cuz I have the host overrides and domain overrides in there now.. and I should remove them cuz I'm using the custom section?

                                      No. The custom values are the same as adding host overrides.

                                      not sure what you mean by
                                      "The DNS lookup loop can only happen for domain overrides. For host overrides, like the example above, pfSense doesn't query the Lancache server." but I believe ya as you're smarter than me at this stuff...

                                      Host overrides cannot create a loop. Domain overrides can.

                                      and not sure what you mean here too
                                      "Ok, that implies DNS queries must go via Lancache for it to do whatever it does and that means host overrides will not work. Only domain overrides will forward queries to Lancache."

                                      When you are using the Lancache server as a DNS server in the client directly it works.
                                      The only way to do that via pfSense is to use only domain overrides. I recommend you try that first.

                                      do I need to use the DNS forwarder then? to forward queries.. and what's the difference between DNS forwarder and resolver, what do each do

                                      No, Unbound can also forward queries. It can be set in forwarding mode to only forward queries but you don't need to do that.

                                      Remove the host overrides and custom values.
                                      Add domain overrides for the domains you need so that the Lancache server is resolving those and can then choose what to resolve as local.

                                      Steve

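Added example, not from the thread: a toy model of the lookup paths discussed above (host override, domain override with Lancache forwarding back to pfSense, domain override with Lancache forwarding to 1.1.1.1), using the thread's addresses. It assumes Lancache answers cached CDN names with its own IP and sends everything else to its configured upstream; `www.blizzard.com` is a constructed stand-in for a name Lancache does not cache, and the class and function names are hypothetical.

```python
PFSENSE, LANCACHE, PUBLIC = "192.168.0.1", "192.168.0.33", "1.1.1.1"

# Assumption: names Lancache serves from cache resolve to Lancache itself.
CACHED = {"cdn.blizzard.com": LANCACHE}


def longest_suffix_match(name, table):
    """Value for the most specific domain in table that name equals or sits under."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in table:
            return table[candidate]
    return None


class Resolver:
    """Minimal model of one DNS server's decision for a single query."""

    def __init__(self, host_overrides=None, domain_overrides=None, upstream=None):
        self.host_overrides = host_overrides or {}      # name   -> IP, answered locally
        self.domain_overrides = domain_overrides or {}  # domain -> DNS server to ask
        self.upstream = upstream                        # DNS server for everything else

    def next_hop(self, name):
        if name in self.host_overrides:
            return ("answer", self.host_overrides[name])
        target = longest_suffix_match(name, self.domain_overrides)
        if target:
            return ("forward", target)
        if self.upstream:
            return ("forward", self.upstream)
        return ("internet", None)  # resolves normally, no local redirection


def trace(name, servers, start):
    """Follow a query server by server. Returns (path, result) where result is
    an IP, "INTERNET" (left the LAN) or "LOOP" (a server was asked twice).
    A real resolver would time out or fail instead of looping forever."""
    path, current = [], start
    while True:
        if current in path:
            return path + [current], "LOOP"
        path.append(current)
        if current not in servers:  # an external resolver such as 1.1.1.1
            return path, "INTERNET"
        action, value = servers[current].next_hop(name)
        if action == "answer":
            return path, value
        if action == "internet":
            return path, "INTERNET"
        current = value


def build(pfsense_mode, lancache_upstream):
    """pfsense_mode is "host" (host overrides / custom local-data lines) or
    "domain" (a domain override for blizzard.com pointing at Lancache)."""
    if pfsense_mode == "host":
        pfsense = Resolver(host_overrides=dict(CACHED))
    else:
        pfsense = Resolver(domain_overrides={"blizzard.com": LANCACHE})
    lancache = Resolver(host_overrides=dict(CACHED), upstream=lancache_upstream)
    return {PFSENSE: pfsense, LANCACHE: lancache}


if __name__ == "__main__":
    cases = [
        ("host override", "cdn.blizzard.com", build("host", PFSENSE)),
        ("domain override, upstream pfSense", "cdn.blizzard.com", build("domain", PFSENSE)),
        ("domain override, upstream pfSense", "www.blizzard.com", build("domain", PFSENSE)),
        ("domain override, upstream 1.1.1.1", "www.blizzard.com", build("domain", PUBLIC)),
    ]
    for label, name, servers in cases:
        path, result = trace(name, servers, PFSENSE)
        print(f"{label:36} {name:18} {' -> '.join(path)} => {result}")
```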
                                        comet424

                                        so I found that doing it with the custom options and posting the code in there.. that seems to work... when I did similar in the Host Override it didn't work, just blocked it... and doing it with "Domain Override" doesn't work

                                        so putting this in the custom options works:

                                        server:
                                          local-zone: "cdn.blizzard.com" redirect
                                          local-data: "cdn.blizzard.com 30 IN A 192.168.0.33"
                                          local-zone: "blizzard.vo.llnwd.net" redirect
                                          local-data: "blizzard.vo.llnwd.net 30 IN A 192.168.0.33"
                                          local-zone: "blzddist1-a.akamaihd.net" redirect
                                          local-data: "blzddist1-a.akamaihd.net 30 IN A 192.168.0.33"
                                          local-zone: "blzddist2-a.akamaihd.net" redirect
                                          local-data: "blzddist2-a.akamaihd.net 30 IN A 192.168.0.33"
                                          local-zone: "blzddist3-a.akamaihd.net" redirect
                                          local-data: "blzddist3-a.akamaihd.net 30 IN A 192.168.0.33"
                                          local-zone: "blzddist4-a.akamaihd.net" redirect
                                          local-data: "blzddist4-a.akamaihd.net 30 IN A 192.168.0.33"
                                          local-zone: "dist.blizzard.com" redirect
                                          local-data: "dist.blizzard.com 30 IN A 192.168.0.33"
                                          local-zone: "dist.blizzard.com.edgesuite.net" redirect
                                          local-data: "dist.blizzard.com.edgesuite.net 30 IN A 192.168.0.33"
                                          local-zone: "edge.blizzard.top.comcast.net" redirect
                                          local-data: "edge.blizzard.top.comcast.net 30 IN A 192.168.0.33"
                                          local-zone: "edgecast.blizzard.com" redirect
                                          local-data: "edgecast.blizzard.com 30 IN A 192.168.0.33"
                                          local-zone: "level3.blizzard.com" redirect
                                          local-data: "level3.blizzard.com 30 IN A 192.168.0.33"
                                          local-zone: "llnw.blizzard.com" redirect
                                          local-data: "llnw.blizzard.com 30 IN A 192.168.0.33"
                                          local-zone: "nydus.battle.net" redirect
                                          local-data: "nydus.battle.net 30 IN A 192.168.0.33"
                                        server:
                                          local-zone: "cdn.unrealengine.com" redirect
                                          local-data: "cdn.unrealengine.com 30 IN A 192.168.0.33"
                                          local-zone: "cdn1.epicgames.com" redirect
                                          local-data: "cdn1.epicgames.com 30 IN A 192.168.0.33"
                                          local-zone: "cdn1.unrealengine.com" redirect
                                          local-data: "cdn1.unrealengine.com 30 IN A 192.168.0.33"
                                          local-zone: "cdn2.unrealengine.com" redirect
                                          local-data: "cdn2.unrealengine.com 30 IN A 192.168.0.33"
                                          local-zone: "cdn3.unrealengine.com" redirect
                                          local-data: "cdn3.unrealengine.com 30 IN A 192.168.0.33"
                                          local-zone: "download.epicgames.com" redirect
                                          local-data: "download.epicgames.com 30 IN A 192.168.0.33"
                                          local-zone: "download2.epicgames.com" redirect
                                          local-data: "download2.epicgames.com 30 IN A 192.168.0.33"
                                          local-zone: "download3.epicgames.com" redirect
                                          local-data: "download3.epicgames.com 30 IN A 192.168.0.33"
                                          local-zone: "download4.epicgames.com" redirect
                                          local-data: "download4.epicgames.com 30 IN A 192.168.0.33"
                                          local-zone: "epicgames-download1.akamaized.net" redirect
                                          local-data: "epicgames-download1.akamaized.net 30 IN A 192.168.0.33"
                                          local-zone: "fastly-download.epicgames.com" redirect
                                          local-data: "fastly-download.epicgames.com 30 IN A 192.168.0.33"
                                          local-zone: "cdn-patch.swtor.com" redirect
                                          local-data: "cdn-patch.swtor.com 30 IN A 192.168.0.33"
                                          local-zone: "lvlt.cdn.ea.com" redirect
                                          local-data: "lvlt.cdn.ea.com 30 IN A 192.168.0.33"
                                          local-zone: "origin-a.akamaihd.net" redirect
                                          local-data: "origin-a.akamaihd.net 30 IN A 192.168.0.33"
                                        
                                        

                                        That covers Windows, Epic, Steam, Blizzard; that seems to work.

                                        When I remove the custom options and do the Domain Override, it doesn't. I went and read each one of the Unbound lines and took the web address and took it to the first period to be the domain, but found it didn't work.
                                        And if I put the custom options section back in and leave the domain override, it will work.

                                        Maybe it has something to do with the "30 IN A" in the custom options that makes it work? Not sure what that means.

                                        And what I was meaning about a loop: the one page, I guess Reddit, says the lancache causes a loop and it doesn't make it to the internet. So if the router is 192.168.0.1 and your computer is set to 192.168.0.1 and the router unbounds to 192.168.0.33, and the lancache IP is 192.168.0.33 but its upstream is 192.168.0.1, I guess what it does is:

                                        router goes to 192.168.0.33, lancache goes to 192.168.0.1, the router goes to 192.168.0.33, then lancache goes to 192.168.0.1, like a do loop, so it never gets internet.
                                        So they recommended to use like 1.1.1.1 as the upstream DNS for the lancache just to get out of the loop.

                                        So what I found:
                                        Lancache (DNS 192.168.0.1)
                                        custom options: doesn't work
                                        host override: doesn't work
                                        domain override: doesn't work

                                        Lancache (DNS 1.1.1.1)
                                        custom options: works
                                        host override: doesn't work
                                        domain override: doesn't work

                                        I wonder if that "30 IN A" makes all the difference, as I found when I did the host override it seemed to block like Epic, Blizzard, Steam, and the domain override didn't work at all either. What is that "30 IN A"? Must be magic lol.

                                        So I'm going to do some more testing. So far the only way it works is through custom options.

                                        So isn't the DNS resolver the same as the forwarder? It sees the address and forwards it to the proper server?

                                        • stephenw10S
                                          stephenw10 Netgate Administrator
                                          last edited by

                                          For normal DNS queries Unbound (the resolver) in its default mode resolves the IP addresses directly. In forwarding mode it forwards queries to some other DNS server.
                                          Domain overrides (or the custom options) forward only queries for those domains to the specified server.

                                          Steve

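An added example, not part of either post above: a small Python check that parses Unbound custom options of the kind quoted in the thread, shows what a `local-data` line such as "30 IN A" carries, and flags the lookup loop comet424 describes when the cache's own upstream DNS is the router holding the redirects. The function names and the sample text are constructed for illustration, and the loop test assumes the cache resolves the real CDN names through the upstream DNS it is given.

```python
import re

# Constructed sample in the same format as the custom options posted in the thread.
# In "name 30 IN A 192.168.0.33": 30 = TTL in seconds, IN = Internet class,
# A = IPv4 address record, followed by the address handed to clients.
SAMPLE_OPTIONS = '''
server:
  local-zone: "download.epicgames.com" redirect
  local-data: "download.epicgames.com 30 IN A 192.168.0.33"
  local-zone: "origin-a.akamaihd.net" redirect
  local-data: "origin-a.akamaihd.net 30 IN A 192.168.0.33"
'''

LOCAL_ZONE = re.compile(r'^\s*local-zone:\s*"([^"\s]+)"\s+(\S+)\s*$')
LOCAL_DATA = re.compile(
    r'^\s*local-data:\s*"([^"\s]+)\s+(\d+)\s+(IN)\s+(A)\s+(\d{1,3}(?:\.\d{1,3}){3})"\s*$')


def parse_overrides(text):
    """Return {name: {ttl, class, type, address, zone_type}} from custom options."""
    zones, records = {}, {}
    for line in text.splitlines():
        z = LOCAL_ZONE.match(line)
        d = LOCAL_DATA.match(line)
        if z:
            zones[z.group(1).rstrip(".").lower()] = z.group(2)
        elif d:
            records[d.group(1).rstrip(".").lower()] = {
                "ttl": int(d.group(2)), "class": d.group(3),
                "type": d.group(4), "address": d.group(5)}
    for name, rec in records.items():
        rec["zone_type"] = zones.get(name)
    return records


def answer(records, qname):
    """Address a resolver holding these overrides returns; None = resolve normally."""
    qname = qname.rstrip(".").lower()
    for name, rec in records.items():
        subdomains = rec["zone_type"] == "redirect"  # redirect also covers subdomains
        if qname == name or (subdomains and qname.endswith("." + name)):
            return rec["address"]
    return None


def looping_names(records, router_ip, cache_ip, cache_upstream_dns):
    """Names the cache would resolve back to itself when fetching from the real CDN."""
    if cache_upstream_dns != router_ip:
        return []  # e.g. 1.1.1.1: the cache never sees the router's redirects
    return sorted(n for n, r in records.items() if r["address"] == cache_ip)
```
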
                                          • C
                                            comet424 @stephenw10
                                            last edited by comet424

                                            @stephenw10
                                            OK, it seems to be working, kinda. I've run into the Amazon page issue where it doesn't generate the page right on non-VPN clients.

                                            So at current, I deleted the Domain Overrides; they weren't working. The Host Override actually started to work without the need of the custom options. Weird, I dunno.
                                            And I'm testing on the VPN side.
                                            So
                                            192.168.0.1 is the gateway and DNS for Windows. I'm using NordVPN and webpages work, and Epic, Blizzard, Steam all seem to be working for now lol.
                                            But I don't know if it's truly working; the reason why is Traffic Graph shows like "origin" is the traffic.

                                            Now for the non-VPN:
                                            I also use
                                            192.168.0.1 for gateway and DNS. I have a range like 192.168.0.20-40 that is non-VPN and the rest is VPN, as an example.
                                            Same as above, Blizzard, Epic, Steam seem to be working also, just showing "origin" for downloading.

                                            But going to like Amazon, the pages will not generate right. Why is that? So you know, graphics won't show, and it's just like a 1990s webpage, just text and text fields, no graphics.

                                            And the lancache upstream DNS is set to 1.1.1.1.

                                            Does it mean half of DNS is working when pages partially load?
                                            Are there some other settings I need to adjust?

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.