How to facilitate "hostname.local" name resolution with pfSense?

johnpoz

@princ3ssa I would suggest against use .local as the tld.. This is really a special use case for mdns and not a very good choice if wanting to run your own dns resolution.

home.arpa is the new rfc approved use domain for local stuff.
https://www.rfc-editor.org/rfc/rfc8375.html
Special-Use Domain 'home.arpa.'

This is the domain new installs of pfsense default too.

Also for dns resolution issues, it can be problematic with registering dhcp, registering static reservations are fine. But lease when renew or are obtained cause a restart of dns currently - this can be problematic, especially if using something with large lists or something that could delay the start up for more than a couple of seconds, etc.. Also how many dhcp clients you have, how long the lease is, if you have a lot of clients or really short lease you could have dns restarting every few minutes - which would be bad.

If you don't want to use home.arpa - anything other that isn't a public valid tld prob best, I use local.lan as my domain currently because I haven't gotten around to changing it as of yet, I have a lot of my own certs used on devices, and waiting til when I change them out and can add a home.arpa san to them, once that is all done can easy switch the rest of the network over..

princ3ssa

Oh that's interesting @johnpoz. I just tried pinging a hostname on the local area network server1.home.arpa, but it didn't resolve. The raw ip pings fine. Are there some instructions/tutorials that kinda cover this situation more clearly about how to be sure I can use names and the local nomenclature instead of a public fqdn? I really just want to be sure I'm using hostnames around the network for things since they should be more resilient with several of the devices having both wired and wireless interfaces.

johnpoz

@princ3ssa said in How to facilitate "hostname.local" name resolution with pfSense?:

server1.home.arpa, but it didn't resolve

well you would have to set that up.. What does pfsense show for its domain? In the general section.

That is what the new default in a clean install, but did you call your pfsense server1?

$ dig sg4860.local.lan                                                                
                                                                                      
; <<>> DiG 9.16.32 <<>> sg4860.local.lan                                              
;; global options: +cmd                                                               
;; Got answer:                                                                        
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33750                             
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1                  
                                                                                      
;; OPT PSEUDOSECTION:                                                                 
; EDNS: version: 0, flags:; udp: 4096                                                 
;; QUESTION SECTION:                                                                  
;sg4860.local.lan.              IN      A                                             
                                                                                      
;; ANSWER SECTION:                                                                    
sg4860.local.lan.       3484    IN      A       192.168.9.253                         
                                                                                      
;; Query time: 1 msec                                                                 
;; SERVER: 192.168.3.10#53(192.168.3.10)                                              
;; WHEN: Mon Sep 12 16:09:58 Central Daylight Time 2022                               
;; MSG SIZE  rcvd: 61                                                                 

princ3ssa

I will set it to local.lan (I was using another fqdn for this, but I don't like it since I have multiple domains that really could be used and I would rather use something generic) for now with the pfSense hostname of pfsense (which is what I had).

The server1 is another server on the network and has a static ip set on it (not static through the DHCP server on pfsense). It does not resolve and I'm not sure if there is a way to get it to resolve "automatically" without somehow instructing pfsense that server1 has such and such an ip addy. I was hoping it would automatically populate here somehow and therefore why I was thinking of using the .local "tld".

johnpoz

@princ3ssa said in How to facilitate "hostname.local" name resolution with pfSense?:

and has a static ip set on it (not static through the DHCP server on pfsense)

well sure you can get anything to resolve, you could resolve www.google.com to 192.168.1.100 if you wanted to. But if you do not have dhcp reservation for it through pfsense, even if not being leveraged then no it wouldn't show up in pfsense dns. Unless you create a host override.

So you have to easy methods to get server1.whatever.tld to resolve. either create a static reservation for it in the dhcp server, be it that actual client uses that reservation or not.

Or just host override in the unbound dns section.

princ3ssa

I wonder: is there a way to set up the host overrides from ssh commands to pfsense maybe? That might make the situation more palatable and easy to update instead of working so hard to make some hostnames autopopulate in some other way or even installing some mdns client/server/whatever on each host?

johnpoz

@princ3ssa not sure why setting up a dhcp reservation would be so hard, its a one time thing.. I mean it is way better than setting static on a device.

With a reservation the client will always have the same IP, unless you at some point want to change. It also allows you to update stuff like dns or ntp, etc.

I wouldn't setup a static on a device ever, unless it was some iot sort of device that had no support for for dhcp at all.

How many devices are you talking - you know you could load in either host overrides or even dhcp reservations via editing of the xml file.

This is normally a one and done sort of thing.. Not like something you have to change very often, only time would be normally adding a new device.

princ3ssa

It's not a one time setting if you're setting up docker and other containers pretty frequently.

johnpoz

@princ3ssa said in How to facilitate "hostname.local" name resolution with pfSense?:

It's not a one time setting if you're setting up docker and other containers pretty frequently.

And how exactly are you doing your dockers - mine all use the host IP, they do not have a unique IP on the network, they have unique ports sure. But again, setting a dns entry via host override literally takes all of 3 seconds.. ;)

I currently only have 3 different dockers that I access via fqdn, just simple host override for whatever name I want to use to point to the IP of the host.

princ3ssa

So outside of docker containers, LXCs with their own dedicated IPs and other various VM servers. Lots of complexity in the way of dedicated IP addresses go.

Yeah, no. I don't like doing things with a gui when I can set up a reliable scripted method. I don't really care about the 3 seconds when it can be basically a script call and an ip or a script call from the host and get the ip with the script and voila.

johnpoz

@princ3ssa pfsense is all about the gui.. not really meant for cli sort of commands. But you could prob script something up. But if you setup a reservation for the IP, the fqdn would be there already..

I would have to look if there some way you could do that all from a cli command, never looked into doing something like that since I have never ran into needing something like that.

Patch

@princ3ssa said in How to facilitate "hostname.local" name resolution with pfSense?:

I don't like doing things with a gui when I can set up a reliable scripted method.

My understanding is pfsense is designed to be principally controlled via it's GUI. Doing so ensures modifications are checked, and changes are applied it the intended locations and order.

While it is perfectly possible to control the underlying FreeBSD 12.3 directly, doing so risks that if a program is not used as designed it by not behave as expected.

Gertjan

@princ3ssa said in How to facilitate "hostname.local" name resolution with pfSense?:

working so hard to make some hostnames autopopulate

Hard ??
All you managed to do, using the same time, is "breaking your DNS". ;)

In a perfect world (IMHO) :
When you buy a device, like a phone, printer desktop PC or even a server type device like a NAS, file server, etc, you do not change its network settings.
That's very long for : do nothing, leave it toe the always default "DHCP" (client mode).
Done.
Now comes the "admin" mission.
Connect the device to your pfsense lan network.
Look aththe DHCP server log on pfsense, and see what new device just asked for a DHCP lease : copy the MAC
Or even better : locate the new lease on the Status DHCP Leases page :

and click on the + symbol (the inner white one).

Now, on the page that comes up, give it a "Client identifier" (a network name) like "nas", an IPv4 (outside of the DHCP server pool of that nework) and a DNS host name, like 'nas'.
Done. No need to do more.

Because you chose the dns name, it won't have a stupid name like

Ping from any device to this new "nas.local.lan" right ,now and it will work out of the box, right away, forever.
That wasn't hard - right ?

It will work because :
You have kept all LAN device on "DHCP", so they will obtain an IP, a network, a gateway, a DNS ( !!) server ( it will be the pfsense lan address )
Because every LAN device will ask 'pfsense' to resolve a fqdn, and pfsense (unbound) knows all about local known devices fqdns, it will know about "nas.local.lan".
If the fqdn isn't "local.lan", then unbound knows it has to ask 'above' : it goes out resolving for you.

All 'naming' should be done and kept on a DNS server, pfSense/unbound in this case, that's how the Internet works.
That's how your local network should work.

Btw : nice side effect : all your 'important' devices will always have the same IPv4.
Phones and other BYOD do not need a static MAC DHCP lease, you can keep them in your DHCP pool, random IPv4 will get used.

Making static leases is important as you probably really want to know about all this before your network start using IPv6. Working with IPv6 is the real pain, so better get your DNS act together before things get serious.

@patch said in How to facilitate "hostname.local" name resolution with pfSense?:

My understanding is pfsense is designed to be principally controlled via it's GUI. Doing so ensures modifications are checked, and changes are applied it the intended locations and order.
While it is perfectly possible to control the underlying FreeBSD 12.3 directly, doing so risks that if a program is not used as designed it by not behave as expected.

Yep. Why bother with a GUI ? Download FreeBSD, install it, and you'll have all the tools onboard to do firewalling, routing, DHCPd some DNS, etc.
You'll be editing config files. Now you will obtain what's being called 'hands on experience'. You can even sell your mouse, as (native, without some GUI package) FreeBSD is keyboard only.

princ3ssa

Snarkydy snark snark doesn't do much good in this world in real communiques. Let's try to keep it sincere and real instead of being so passive aggressive, k?

Gertjan

@princ3ssa

Aggressive where ?
Your 'hard' word was related to your name resolution issue.
Some explanation and examples how everything is related might have helped (I thought).
Was trying to convince you. No one knows everything.