Netgate Discussion Forum

    do you use DNS Forwarder or Resolver with a Lan Cache Server?

    General pfSense Questions
    • C
      comet424
      last edited by comet424

      i must have done something wrong... with the addresses i added.. i no longer have access, can't log into my epic or blizzard or origin.
      i must have done something dumb somewhere
      and does the host/domain override only apply to network outgoing? or all, as i have it set for nordvpn out... not for WAN for non vpns

      but here are the screenshots, doesn't seem to be working
      pf3.PNG
      pf2.PNG
      pf1.PNG

      for some reason it's like it blocked it now instead of allowed it.. i fixed a couple of things where i had domain.. but epic and blizzard used the same servers so i added them to host override.. fixed the dups and conflicts but it didn't fix it ...

      1 Reply Last reply Reply Quote 0
      • stephenw10S
        stephenw10 Netgate Administrator
        last edited by

        Ok so the script made a list of host overrides but not in the Unbound format. That looks like the DNSMasq format.

        Ok, yes if you used a domain override in pfSense to point at Lancache and that was itself using pfSense then you would create a loop for anything Lancache didn't override.

        Yes, pfBlocker can serve to block ads etc. Like PiHole.

        Those host and domain overrides you have added look correct. If you try to resolve one of them from a host using pfSense for DNS does it return 192.168.0.33?
        If so then it's probably failing because Lancache is not answering the queries.

        Steve

        C 1 Reply Last reply Reply Quote 0
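As an added example (not part of the thread, and not the Lancache project's own script): a converter from dnsmasq-style `address=/name/ip` lines to the Unbound `local-zone`/`local-data` form shown in the next post. The input format, the function name `dnsmasq_to_unbound` and the sample list are assumptions; names are validated before they are written into config, and duplicate or conflicting entries are reported.

```shell
#!/bin/sh
# Added example: turn dnsmasq "address=/name[/name...]/ip" lines into the
# Unbound local-zone/local-data form pasted into pfSense custom options.
# Both forms answer the name and its subdomains with the given address.

# Constructed sample input (dnsmasq format is assumed; not from the thread).
SAMPLE_DNSMASQ='# blizzard
address=/cdn.blizzard.com/192.168.0.33
address=/dist.blizzard.com/level3.blizzard.com/192.168.0.33
address=/cdn.blizzard.com/192.168.0.33

address=/nydus.battle.net/192.168.0.33
'

dnsmasq_to_unbound() {
    # $1 = TTL for the generated records (30 matches the config in this thread)
    # stdin = dnsmasq lines; stdout = Unbound config; exit 1 on any bad line
    awk -v ttl="${1:-30}" '
        function valid_ip(ip,   n, p, i) {
            n = split(ip, p, ".")
            if (n != 4) return 0
            for (i = 1; i <= 4; i++)
                if (p[i] !~ /^[0-9]+$/ || p[i] + 0 > 255) return 0
            return 1
        }
        function complain(msg) {
            printf("line %d: %s\n", NR, msg) > "/dev/stderr"
            bad = 1
        }
        BEGIN { FS = "/"; bad = 0; count = 0 }
        { sub(/\r$/, "") }                      # tolerate CRLF input
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        $1 != "address=" || NF < 3 { complain("not an address=/name/ip entry"); next }
        !valid_ip($NF) { complain("bad IPv4 address"); next }
        {
            for (i = 2; i < NF; i++) {
                name = tolower($i)
                # Reject quotes, spaces and anything else that could add
                # extra directives to the generated config.
                if (name !~ /^[a-z0-9_-]+(\.[a-z0-9_-]+)*$/) { complain("bad name"); continue }
                if (name in seen) {
                    if (seen[name] != $NF) complain("conflict for " name)
                    continue                    # exact duplicate: keep first
                }
                seen[name] = $NF
                order[++count] = name
            }
        }
        END {
            if (count) print "server:"
            for (i = 1; i <= count; i++) {
                printf "  local-zone: \"%s\" redirect\n", order[i]
                printf "  local-data: \"%s %d IN A %s\"\n", order[i], ttl, seen[order[i]]
            }
            exit bad
        }
    '
}

# Stand-alone run on the constructed sample.
printf '%s' "$SAMPLE_DNSMASQ" | dnsmasq_to_unbound 30
```
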
        • C
          comet424 @stephenw10
          last edited by

          @stephenw10
          so i got the unbound script... i didn't know there was another file to create it.. as i don't do much linux.. not anymore, 20 yrs ago yes

          here is the unbound for blizzard

          server:
            local-zone: "cdn.blizzard.com" redirect
            local-data: "cdn.blizzard.com 30 IN A 192.168.0.33"
            local-zone: "blizzard.vo.llnwd.net" redirect
            local-data: "blizzard.vo.llnwd.net 30 IN A 192.168.0.33"
            local-zone: "blzddist1-a.akamaihd.net" redirect
            local-data: "blzddist1-a.akamaihd.net 30 IN A 192.168.0.33"
            local-zone: "blzddist2-a.akamaihd.net" redirect
            local-data: "blzddist2-a.akamaihd.net 30 IN A 192.168.0.33"
            local-zone: "blzddist3-a.akamaihd.net" redirect
            local-data: "blzddist3-a.akamaihd.net 30 IN A 192.168.0.33"
            local-zone: "blzddist4-a.akamaihd.net" redirect
            local-data: "blzddist4-a.akamaihd.net 30 IN A 192.168.0.33"
            local-zone: "dist.blizzard.com" redirect
            local-data: "dist.blizzard.com 30 IN A 192.168.0.33"
            local-zone: "dist.blizzard.com.edgesuite.net" redirect
            local-data: "dist.blizzard.com.edgesuite.net 30 IN A 192.168.0.33"
            local-zone: "edge.blizzard.top.comcast.net" redirect
            local-data: "edge.blizzard.top.comcast.net 30 IN A 192.168.0.33"
            local-zone: "edgecast.blizzard.com" redirect
            local-data: "edgecast.blizzard.com 30 IN A 192.168.0.33"
            local-zone: "level3.blizzard.com" redirect
            local-data: "level3.blizzard.com 30 IN A 192.168.0.33"
            local-zone: "llnw.blizzard.com" redirect
            local-data: "llnw.blizzard.com 30 IN A 192.168.0.33"
            local-zone: "nydus.battle.net" redirect
            local-data: "nydus.battle.net 30 IN A 192.168.0.33"
          
          

          how can i import that though into resolver overrides.. but they don't break it down by host and domain though

          ya so i'm testing on my 1 comp
          gateway and dns points to 192.168.0.1
          and i fixed a couple of the domain host overrides so they're not conflicting and they all point to 192.168.0.33

          and i set the upstream dns to 1.1.1.1 so it wouldn't run in circles not getting internet by pointing to 192.168.0.1 on the lancache dns... but it's also not working.. it's like now i have those... now all internet access for blizzard launcher, origin launcher and epic launcher have no internet.. is there another check box i need to set to enable it.. and resolver is enabled.. as i use it for NordVPN

          i've never used pihole and i was going to but from some videos they said pfsense is better than pihole and why use a raspberry pi if you got pfsense so never tried pihole...

          so i'm not sure what you mean if i resolve from a host using pfsense for dns does it return 192.168.0.33...

          if you mean if i try to use epic blizzard or origin launcher.. no it doesn't... it actually seems to not allow it.. traffic graph shows nothing..

          but if i set the computer ethernet connection from 192.168.0.1 dns to 192.168.0.33 then it goes back to working..

          as i'm sure when you add those overrides... you set your computers to 192.168.0.1 as the dns like normally and redirection happens at pfsense level and goes to 192.168.0.33

          that's what i guess..

          so right now the only way it's working is like before i set up these overrides.. 192.168.0.33 in the windows ethernet dns...

          1 Reply Last reply Reply Quote 0
          • stephenw10S
            stephenw10 Netgate Administrator
            last edited by

            Ok, great. So you can add those to Unbound in the custom config field like:

            Screenshot from 2022-07-06 23-24-38.png

            From your laptop that is using pfSense (192.168.0.1) as its DNS server if you run nslookup cdn.blizzard.com it should return 192.168.0.33. If it does that means Unbound is working as expected.

            The DNS lookup loop can only happen for domain overrides. For host overrides, like the example above, pfSense doesn't query the Lancache server.

            @comet424 said in do you use DNS Forwarder or Resolver with a Lan Cache Server?:

            if i set the computer ethernet connection from 192.168.0.1 dns to 192.168.0.33 then it goes back to working..

            Ok, that implies DNS queries must go via Lancache for it to do whatever it does and that means host overrides will not work. Only domain overrides will forward queries to Lancache.

            Steve

            C 1 Reply Last reply Reply Quote 0
            • C
              comet424 @stephenw10
              last edited by comet424

              @stephenw10
              ok so this is working.. i added epic, blizzard, steam, and windows updates unbound to the custom

              nslookup cdn.blizzard.com
              Server:  pfSense2.localdomain
              Address:  192.168.0.1
              
              Name:    cdn.blizzard.com
              Address:  192.168.0.33
              
              
              nslookup amupdatedl5.microsoft.com
              Server:  pfSense2.localdomain
              Address:  192.168.0.1
              
              Name:    amupdatedl5.microsoft.com
              Address:  192.168.0.33
              
              
              nslookup fastly-download.epicgames.com
              Server:  pfSense2.localdomain
              Address:  192.168.0.1
              
              Name:    fastly-download.epicgames.com
              Address:  192.168.0.33
              
              
              nslookup update6.dota2.wmsj.cn
              Server:  pfSense2.localdomain
              Address:  192.168.0.1
              
              Name:    update6.dota2.wmsj.cn
              Address:  192.168.0.33
              

              but if i try to use it.. like Blizzard, Epic, Steam it will not log in.. Errors
              Windows Update seems to work.. well there are no errors but can't tell if there was an update or not
              all i know is it passed

              is the reason it's not working cuz i have the host overrides and domain overrides in there now.. and i should remove them cuz i'm using the custom section?

              not sure what you mean by
              "The DNS lookup loop can only happen for domain overrides. For host overrides, like the example above, pfSense doesn't query the Lancache server." but i believe ya as you're smarter than me at this stuff...

              and not sure what you mean here too
              "Ok, that implies DNS queries must go via Lancache for it to do whatever it does and that means host overrides will not work. Only domain overrides will forward queries to Lancache."

              do i need to use the dns forwarder then? to forward queries.. and what's the difference between dns forwarder and resolver, what do each do

              at least i know how to use unbound and where it goes (: always learning something new every day (:

              stephenw10S 1 Reply Last reply Reply Quote 0
              • stephenw10S
                stephenw10 Netgate Administrator @comet424
                last edited by

                @comet424 said in do you use DNS Forwarder or Resolver with a Lan Cache Server?:

                is the reason it's not working cuz i have the host overrides and domain overrides in there now.. and i should remove them cuz i'm using the custom section?

                No. The custom values are the same as adding host overrides.

                not sure what you mean by
                "The DNS lookup loop can only happen for domain overrides. For host overrides, like the example above, pfSense doesn't query the Lancache server." but i believe ya as you're smarter than me at this stuff...

                Host overrides cannot create a loop. Domain overrides can.

                and not sure what you mean here too
                "Ok, that implies DNS queries must go via Lancache for it to do whatever it does and that means host overrides will not work. Only domain overrides will forward queries to Lancache."

                When you are using the Lancache server as a DNS server in the client directly it works.
                The only way to do that via pfSense is to use only domain overrides. I recommend you try that first.

                do i need to use the dns forwarder then? to forward queries.. and what's the difference between dns forwarder and resolver, what do each do

                No, Unbound can also forward queries. It can be set in forwarding mode to only forward queries but you don't need to do that.

                Remove the host overrides and custom values.
                Add domain overrides for the domains you need so that the Lancache server is resolving those and can then choose what to resolve as local.

                Steve

                1 Reply Last reply Reply Quote 0
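The difference between host and domain overrides described above, as an added example that is not part of the original posts: a small shell model of the resolver chain that traces where a query ends up. The rule-table format, `trace_query`, the `root` placeholder for normal resolution and the name `other.blizzard.com` are constructed for illustration.

```shell
#!/bin/sh
# Added example: model of the pfSense -> Lancache resolver chain.
# Rule table columns: <resolver> <kind> <name> <target>
#   host    : resolver answers <name> itself with <target> (host override)
#   domain  : resolver forwards <name> and its subdomains to <target>
#   default : where the resolver sends every other query
# "root" (normal resolution) and other.blizzard.com are constructed.

LANCACHE_VIA_PFSENSE='
192.168.0.33 host    cdn.blizzard.com 192.168.0.33
192.168.0.33 default .                192.168.0.1'
LANCACHE_VIA_PUBLIC='
192.168.0.33 host    cdn.blizzard.com 192.168.0.33
192.168.0.33 default .                1.1.1.1'
PFSENSE_DOMAIN_OVERRIDE='
192.168.0.1 domain  blizzard.com 192.168.0.33
192.168.0.1 default .            root'
PFSENSE_HOST_OVERRIDE='
192.168.0.1 host    cdn.blizzard.com 192.168.0.33
192.168.0.1 default .                root'

trace_query() {
    # $1 = query name, $2 = resolver the client asks, $3 = rule table
    printf '%s\n' "$3" | awk -v q="$1" -v start="$2" '
        NF == 4 && $1 !~ /^#/ {
            if ($2 == "host")    host[$1, $3] = $4
            if ($2 == "domain")  { dom[$1, ++nd[$1]] = $3; fwd[$1, $3] = $4 }
            if ($2 == "default") def[$1] = $4
            known[$1] = 1
        }
        END {
            srv = start; path = start
            for (;;) {
                seen[srv] = 1
                # A host override is answered locally, nothing is forwarded.
                if ((srv, q) in host) { print "answer " host[srv, q] " via " path; exit }
                nxt = def[srv]
                for (i = 1; i <= nd[srv]; i++) {
                    d = dom[srv, i]
                    if (q == d || substr(q, length(q) - length(d)) == ("." d))
                        nxt = fwd[srv, d]
                }
                if (nxt in seen)     { print "loop " path " -> " nxt; exit }
                if (!(nxt in known)) { print "upstream " nxt " via " path; exit }
                path = path " -> " nxt; srv = nxt
            }
        }
    '
}

# Stand-alone run: the name Lancache does not override, asked via pfSense.
for lancache in "$LANCACHE_VIA_PFSENSE" "$LANCACHE_VIA_PUBLIC"; do
    trace_query other.blizzard.com 192.168.0.1 "$PFSENSE_DOMAIN_OVERRIDE$lancache"
done
trace_query cdn.blizzard.com 192.168.0.1 "$PFSENSE_HOST_OVERRIDE$LANCACHE_VIA_PFSENSE"
```
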
                • C
                  comet424
                  last edited by

                  so i found that doing it with the custom options and posting the code in there.. that seems to work... when i did similar in the Host Override it didn't work, just blocked it... and doing it with "Domain Override" doesn't work

                  so putting this in the custom options works:

                  server:
                    local-zone: "cdn.blizzard.com" redirect
                    local-data: "cdn.blizzard.com 30 IN A 192.168.0.33"
                    local-zone: "blizzard.vo.llnwd.net" redirect
                    local-data: "blizzard.vo.llnwd.net 30 IN A 192.168.0.33"
                    local-zone: "blzddist1-a.akamaihd.net" redirect
                    local-data: "blzddist1-a.akamaihd.net 30 IN A 192.168.0.33"
                    local-zone: "blzddist2-a.akamaihd.net" redirect
                    local-data: "blzddist2-a.akamaihd.net 30 IN A 192.168.0.33"
                    local-zone: "blzddist3-a.akamaihd.net" redirect
                    local-data: "blzddist3-a.akamaihd.net 30 IN A 192.168.0.33"
                    local-zone: "blzddist4-a.akamaihd.net" redirect
                    local-data: "blzddist4-a.akamaihd.net 30 IN A 192.168.0.33"
                    local-zone: "dist.blizzard.com" redirect
                    local-data: "dist.blizzard.com 30 IN A 192.168.0.33"
                    local-zone: "dist.blizzard.com.edgesuite.net" redirect
                    local-data: "dist.blizzard.com.edgesuite.net 30 IN A 192.168.0.33"
                    local-zone: "edge.blizzard.top.comcast.net" redirect
                    local-data: "edge.blizzard.top.comcast.net 30 IN A 192.168.0.33"
                    local-zone: "edgecast.blizzard.com" redirect
                    local-data: "edgecast.blizzard.com 30 IN A 192.168.0.33"
                    local-zone: "level3.blizzard.com" redirect
                    local-data: "level3.blizzard.com 30 IN A 192.168.0.33"
                    local-zone: "llnw.blizzard.com" redirect
                    local-data: "llnw.blizzard.com 30 IN A 192.168.0.33"
                    local-zone: "nydus.battle.net" redirect
                    local-data: "nydus.battle.net 30 IN A 192.168.0.33"
                  server:
                    local-zone: "cdn.unrealengine.com" redirect
                    local-data: "cdn.unrealengine.com 30 IN A 192.168.0.33"
                    local-zone: "cdn1.epicgames.com" redirect
                    local-data: "cdn1.epicgames.com 30 IN A 192.168.0.33"
                    local-zone: "cdn1.unrealengine.com" redirect
                    local-data: "cdn1.unrealengine.com 30 IN A 192.168.0.33"
                    local-zone: "cdn2.unrealengine.com" redirect
                    local-data: "cdn2.unrealengine.com 30 IN A 192.168.0.33"
                    local-zone: "cdn3.unrealengine.com" redirect
                    local-data: "cdn3.unrealengine.com 30 IN A 192.168.0.33"
                    local-zone: "download.epicgames.com" redirect
                    local-data: "download.epicgames.com 30 IN A 192.168.0.33"
                    local-zone: "download2.epicgames.com" redirect
                    local-data: "download2.epicgames.com 30 IN A 192.168.0.33"
                    local-zone: "download3.epicgames.com" redirect
                    local-data: "download3.epicgames.com 30 IN A 192.168.0.33"
                    local-zone: "download4.epicgames.com" redirect
                    local-data: "download4.epicgames.com 30 IN A 192.168.0.33"
                    local-zone: "epicgames-download1.akamaized.net" redirect
                    local-data: "epicgames-download1.akamaized.net 30 IN A 192.168.0.33"
                    local-zone: "fastly-download.epicgames.com" redirect
                    local-data: "fastly-download.epicgames.com 30 IN A 192.168.0.33"
                    local-zone: "cdn-patch.swtor.com" redirect
                    local-data: "cdn-patch.swtor.com 30 IN A 192.168.0.33"
                    local-zone: "lvlt.cdn.ea.com" redirect
                    local-data: "lvlt.cdn.ea.com 30 IN A 192.168.0.33"
                    local-zone: "origin-a.akamaihd.net" redirect
                    local-data: "origin-a.akamaihd.net 30 IN A 192.168.0.33"
                  
                  

                  that covers windows, epic, steam, blizzard, that seems to work

                  when i remove the custom options .. and do the Domain Override it doesn't. i went and read each one of the unbound lines and took the web address and took it to the first period.. to be the domain... but found it didn't work
                  p1.PNG

                  and if i put the custom options section back in and leave the domain override it will work...

                  maybe it has something to do with the "30 IN A" in the custom options that makes it work? not sure what that means

                  and what i was meaning about a loop, in the one page i guess reddit says... the lancache causes a loop, it doesn't make it to the internet... so if the router is 192.168.0.1 and your computer is set to 192.168.0.1 and router unbounds to 192.168.0.33 and when the lancache is 192.168.0.33 IP but its upstream is 192.168.0.1 i guess what it does is

                  router goes to 192.168.0.33 lancache goes to 192.168.0.1 the router goes to 192.168.0.33 then lancache goes to 192.168.0.1 like a do loop.. so it never gets internet..
                  so they recommended to use like 1.1.1.1 as the upstream for the lancache upstream dns just to get out of the loop.

                  so what i found
                  Lancache (dns 192.168.0.1)
                  custom options: doesn't work
                  host override : doesn't work
                  domain override: doesn't work

                  lancache (dns 1.1.1.1)
                  custom options: works
                  host override : doesn't work
                  domain override: doesn't work

                  i wonder if that "30 IN A" makes all the difference as i found when i did the host override it seemed to block like epic, blizzard, steam... and the domain override didn't work at all either... what is that "30 IN A", must be magic lol

                  so i'm going to do some more testing.. so far the only way it works is through custom options...

                  so isn't dns resolver the same as forwarder? it sees the address and forwards it to the proper server?

                  1 Reply Last reply Reply Quote 0
                  • stephenw10S
                    stephenw10 Netgate Administrator
                    last edited by

                    For normal DNS queries Unbound (the resolver) in its default mode resolves the IP addresses directly. In forwarding mode it forwards queries to some other DNS server.
                    Domain overrides (or the custom options) forward only queries for those domains to the specified server.

                    Steve

                    C 1 Reply Last reply Reply Quote 0
                    • C
                      comet424 @stephenw10
                      last edited by comet424

                      @stephenw10
                      ok seems to be working kinda, i've run into the amazon page issue where it doesn't generate the page right on Non VPN clients

                      so at current... i deleted the Domain Overrides... they weren't working... the Host Override actually started to work without the need of the custom options: weird i dunno
                      and i'm testing on the VPN side
                      so
                      192.168.0.1 is the Gateway and DNS for windows, i'm using NordVPN and webpages work and epic blizzard steam all seem to be working for now lol
                      but i don't know if it's truly working, reason why is... Traffic Graph shows like "origin" is the traffic

                      now for the Non VPN
                      i also use
                      192.168.0.1 for Gateway and DNS, i have a range like 192.168.0.20-40 is nonvpn and rest is vpn as example
                      same as above the blizzard epic steam seem to be working also just showing "origin" for downloading

                      but going to like Amazon.. the pages will not generate right, why is that ? so you know graphics won't show... and it's just like a 1990s webpage just text and text fields no graphics.

                      and the lancache upstream dns is set to 1.1.1.1

                      does it mean half dns is working when pages partially load?
                      are there some other settings i need to adjust?

                      1 Reply Last reply Reply Quote 0
                      • stephenw10S
                        stephenw10 Netgate Administrator
                        last edited by

                        So by VPN vs Non-VPN you mean clients on your LAN that are policy routed out via NordVPN?

                        What route does traffic from Lancache use?

                        It looks like you have Unbound set to the VPN for its outbound queries.

                        Where you are going to see issues is when clients are opening connections on a different WAN to the DNS queries. That's what many sites use to detect VPN use and block it.

                        Steve

                        1 Reply Last reply Reply Quote 0
                        • C
                          comet424
                          last edited by comet424

                          so on my network what i have is.... i don't have vlan capable or extra switches to split things
                          so i use aliases and ranges.

                          192.168.0.30-49 WAN no vpn straight out the WAN connection avoid VPN
                          192.168.0.50-150 WAN but no internet, that's for my wifi devices switches, plugs, lights etc
                          192.168.0.151-254 VPN devices using NordVPN connection

                          that's basically my setup and 192.168.0.2-19 is behind vpn but they are for my server router wifi routers etc..

                          right now the lancache has an ip of 192.168.0.33 and an upstream inside the lancache dns is 1.1.1.1
                          i do not know which way it goes out the internet as i can't specify it.. this is a screenshot of unraid
                          u1.PNG
                          u2.PNG

                          ya to set up nordvpn i had to set up outbound to nordVPN ... i know i mentioned in the past i was hoping that you could have like 2 dns's, 1 for the vpn and 1 for nonvpn..

                          so what i wanted was
                          vpn clients & non vpn (wan) clients access pfsense and both use lancache to cache such as like windows updates... and go out their proper gateways.. like vpns go out nord, and nonvpns go straight out the wan..

                          but i'm thinking u can't do it flawlessly? probably say you need like 2 pfsenses running or something or you can only have 1 or the other, you can't have both

                          but why do a lot of webpages work fine... but pages like Amazon go all nuts and look like 90s webpages.. what does amazon do that other pages don't do etc

                          1 Reply Last reply Reply Quote 0
                          • stephenw10S
                            stephenw10 Netgate Administrator
                            last edited by

                            Technically Unbound can support different 'views' for different source IPs but that's not something pfSense provides gui options for. You'd have to do it all in custom config.

                            You can choose to run both DNS services on the firewall allowing some variation in responses but for your setup you'd need to duplicate all the overrides.

                            I assume your system default gateway is via the WAN?

                            Anyway clients are going to be using DNS requests that go via a mix of both WANs and that will cause some issues.

                            Steve

                            1 Reply Last reply Reply Quote 0
                            • C
                              comet424
                              last edited by

                              ah ok so not so simple go figure.. and how would i do that in custom config?

                              and how would you run both dns services? so you could run one for WAN and 1 for NordVPN, i figured there'd be an option like when you have VLANS and under dhcp you'd have your own section .. i figured there would be a dns resolver tab there for WAN and another one for NordVPN and so on..
                              and i'm not sure how to run both dns services

                              ya my default gateway is the WAN...

                              ya so it's not simple then to get wans and vpns to go out the same and use the same dns.. i guess mine is a complicated setup even though it seems simple, i guess the work to get to this is a complicated setup..

                              and maybe that could be a future request? unbound to have different views for different gateways.. i know the downloading through epic, blizzard, steam, that seems to be working.. it's just darn websites ...

                              so it's workable? but u need to do more custom.. nothing you can do in the Rules

                              cuz,... it's too bad the dns resolver doesn't have tabs.. so for the nordvpn then the outbound would be nordvpn interface.... and for WAN you could choose wan as the outbound interface..

                              how do you or others do it then for your businesses as i'm sure i can't be the only one that does it..
                              a separate dns? like pihole... one that you specify the gateway? so it's set to 192.168.0.1 as i have it set for its dns 1.1.1.1 so then it would force out wan connection... and then vpn connections it would still use 1.1.1.1 dns but it would go out the nordvpn

                              nothing is simple lol.. but at least it's partially working so far what i wanted... and i really appreciate your help so far.. at least i'm learning stuff..

                              1 Reply Last reply Reply Quote 0
                              • stephenw10S
                                stephenw10 Netgate Administrator
                                last edited by

                                See: https://unbound.docs.nlnetlabs.nl/en/latest/topics/filtering/tags-views.html#views

                                You can't run both DNS services on the same port so to have both running you need to set one to a non-default port and then add port forwarding to it for the clients you want to use it.
                                Then you can have one service (probably Unbound) use the VPN for queries while the other one uses the system default, WAN.

                                That still doesn't help queries that go via Lancache that all leave via whatever route 192.168.0.33 is given.

                                This is a complex setup that I would expect to require significant tuning and troubleshooting.

                                Steve

                                1 Reply Last reply Reply Quote 0
                                • C
                                  comet424
                                  last edited by comet424

                                  ah ok so it's not really feasible..

                                  so... now i'm kinda confused so if the lancache uses 1.1.1.1 shouldn't WAN and VPN have no issues as it's contacting 1.1.1.1 for its dns service?

                                  and would it help if i had 2 lancaches

                                  192.168.0.32     dns 1.1.1.1   (WAN)
                                  192.168.0.33    dns 192.168.0.1   (VPN)
                                  

                                  or do you still fall in the trap that the dns resolver is only set to the nordvpn outbound.
                                  but then you run into the issue of not using the same cache dns...

                                  since it's complex it's best to scrap the idea maybe

                                  it's only most likely you need 3 pfsenses
                                  1 to go out the wan
                                  1 does vpn
                                  1 down the wan on the LAN
                                  and the 2 would access the one going out the WAN like a tree

                                  are there better solutions? how does that work when like say your vpn or ISP offers 2 dns's, would that be like 2 pfsenses...

                                  and i guess there is no way to set up outbound to all interfaces.. but also have no vpn leakage. like a block rule..
                                  but i'm guessing that's not possible..

                                  i'm just thinking of ideas.. and probably they don't exist lol

                                  stephenw10S 1 Reply Last reply Reply Quote 0
                                  • stephenw10S
                                    stephenw10 Netgate Administrator @comet424
                                    last edited by stephenw10

                                    @comet424 said in do you use DNS Forwarder or Resolver with a Lan Cache Server?:

                                    so... now i'm kinda confused so if the lancache uses 1.1.1.1 shouldn't WAN and VPN have no issues as it's contacting 1.1.1.1 for its dns service?

                                    Yes, queries to 1.1.1.1 will work via either route but will connect to different servers and hence resolve in different locations. Services you connect to can see approximately where it was resolved so if they see your traffic coming from the US but DNS queries resolving in Europe you get flagged.

                                    and would it help if i had 2 lancaches

                                    192.168.0.32     dns 1.1.1.1   (WAN)
                                    192.168.0.33    dns 192.168.0.1   (VPN)
                                    

                                    Yes, that would probably work since you can then route traffic from one via the VPN.

                                    At that point though it's easier to just pass the correct Lancache IP to clients to use for DNS directly. That removes the entire problem.

                                    You should have two subnets for this though. That would be the first thing I would do. Get a managed switch and set up two VLANs.

                                    1 Reply Last reply Reply Quote 0
                                    • C
                                      comet424
                                      last edited by

                                      ah ok lot to learn here, i thought the dns stuff could know if i accessed pfsense from the
                                      WAN range in aliases it would then dns resolve through WAN port and if it sees VPN range in alias it would dns resolve through the vpn keeping both separated... but i guess that's too much overhead for the pfsense software to separate probably .. and no one hungry to tackle that lol

                                      so i've never played with vlans except i made a couple in interface section.. so never even used it.. so how would 2 subnets work and using 1 lancache to serve both cuz that's what i wanted, 1 cache handles it all... and is there a certain managed switch to get, i have looked them up kinda and there are so many L1 L2 L3 level something i dunno, i just stuck with regular switch no managed.. don't even know what brand is good for home use

                                      and when you say pass the correct lancache ip to clients do you mean like

                                      all the ips in dhcp would get 192.168.0.33, if so i did that too but i was running into i dunno the lancache was getting overloaded.. sometimes pages wouldn't be found so i had to restart the lancache server.... and i still ran into the problem on WAN side amazon pages wouldn't load.. so i'd change the dns to 192.168.0.1 or it was 1.1.1.1 to go out the wan so i could use amazon...

                                      vicious circle... but ya i'd look into a managed switch but i wouldn't know how to go past it as all i've done was set up 2 vlans and i saw them in rules and that was it lol
                                      so 0 experience there

                                      stephenw10S 1 Reply Last reply Reply Quote 0
                                      • stephenw10S
                                        stephenw10 Netgate Administrator @comet424
                                        last edited by

                                        @comet424 said in do you use DNS Forwarder or Resolver with a Lan Cache Server?:

                                        how would 2 subnets work and using 1 lancache to serve both cuz that's what i wanted, 1 cache handles it all...

                                        You would need 2 caches or configure a single server in some way to send upstream queries via different routes depending on the source. It probably can't do that though.

                                        @comet424 said in do you use DNS Forwarder or Resolver with a Lan Cache Server?:

                                        when you say pass the correct lancache ip to clients do you mean like
                                        all the ips in dhcp would get 192.168.0.33

                                        Yes exactly. And clients from the other subnet would get the other lancache server.

                                        1 Reply Last reply Reply Quote 0
                                        • C
                                          comet424
                                          last edited by

                                          ah can you do this

                                          lancache be say on a Vlan
                                          so 192.168.10.2 that uses WAN

                                          and then say the VPN and non VPN you set the dns to 192.168.10.2

                                          or that wouldn't work because the dns resolver is set for vpn outbound.

                                          reason i'm doing all this is my internet in the country is only 5mb down 500k up if i get that so i try to cache my windows updates and games for my vpn and non vpn.. as i don't live in town so i don't get what people in town get there like 25gb or faster internet or whatever they get...

                                          i wonder how companies do it? or they don't

                                          and i'll look into getting a managed switch, see what computer store has

                                          1 Reply Last reply Reply Quote 0
                                          • C
                                            comet424
                                            last edited by

                                            does this work?

                                            modem
                                            "---------
                                            pfsense #1 192.168.0.1 and dhcp range and connects to 192.168.0.33 lancache
                                            goes out the modem on WAN
                                            "----------
                                            pfsense #2 192.168.1.1 dhcp range.. and connects to 192.168.0.33 lancache and goes out the VPN through pfsense #1

                                            does that work?

                                            or both can use 19.168.0.x #1 would use range 1-100 and #2 would use 192.168.0.101-254

                                            just a thought, dunno if it would work but you're the expert and i just learn as i go (:

                                            1 Reply Last reply Reply Quote 0
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.