Cannot Reach Pfsense via Hostname
-
Throwing in the towel on troubleshooting this with Googling and YouTube.....
For the life of me I cannot figure out why I cannot get to my pfsense firewall via host name. I have DNS resolver enabled and my DNS servers set to local and Quad9 for backups.
From my PC I can ping the firewall with the IP but not with the host name+domain.
Any advice here?
-
@vinny147 not a lot of detail is offered here...
On your client machine, is pfsense both the default gateway and dns server?
Assuming this is Windows, can you provide a screen shot of ipconfig /all
Are you able to do any DNS resolution on the client machine?
C:\Users\michm>nslookup
Default Server: GA-FW1
Address: 192.168.50.254
> google.com
Server: GA-FW1
Address: 192.168.50.254
Non-authoritative answer:
Name: google.com
Addresses: 2607:f8b0:4002:c03::8b
           2607:f8b0:4002:c03::8a
           2607:f8b0:4002:c03::71
           2607:f8b0:4002:c03::66
           142.250.9.101
           142.250.9.100
           142.250.9.138
           142.250.9.139
           142.250.9.102
           142.250.9.113
-
@vinny147 said in Cannot Reach Pfsense via Hostname:
I have DNS resolver enabled and my DNS servers set to local and Quad9 for backups.
This line makes no sense. Are you talking about on your pfSense box itself, or your Windows machine?
If on your client PC, you can't have a local and external DNS server both configured and expect them to return the same thing for internal hosts. Assuming you have your pfSense machine's hostname properly defined in unbound on pfSense, then the only way your PC can reliably query that hostname to resolve it to an IP is when it asks your pfSense box and unbound. If it asks the Quad9 DNS, how do you expect Quad9 to know the name of your local pfSense box? Local clients will NOT use your DNS servers in the order you list them. They will randomly choose one, then continue to use just that one until it fails to respond. Only then will they try the other one. This seems to be a common misconception users have about DNS settings on clients.
If you mean you have DNS Resolver enabled AND the Quad9 IPs listed in SYSTEM > GENERAL SETUP over on pfSense, that is an incorrect setup. When you resolve, you should put NOTHING in those DNS Server boxes under SYSTEM > GENERAL SETUP. Leave them blank.
And lastly, just to be sure, have you given your pfSense firewall a hostname and domain name under SYSTEM > GENERAL SETUP?
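A check for the client-side condition discussed above (a local resolver and a public one configured on the same adapter), as an added example that is not part of the thread: it parses saved `ipconfig /all` text and reports adapters that list both a private and a public DNS server. The sample output is constructed, and the function names are illustrative.

```python
import ipaddress

# Constructed `ipconfig /all` excerpt: firewall IP from the thread plus Quad9 (9.9.9.9).
SAMPLE = """
Ethernet adapter Ethernet:

   Default Gateway . . . . . . . . . : 192.168.50.254
   DNS Servers . . . . . . . . . . . : 192.168.50.254
                                       9.9.9.9
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wi-Fi:

   DNS Servers . . . . . . . . . . . : 192.168.50.254
"""

def parse_ip(token):
    try:  # strip an IPv6 scope id such as %12 before parsing
        return ipaddress.ip_address(token.strip().split("%")[0])
    except ValueError:
        return None

def dns_servers_by_adapter(text):
    """Map each adapter header to its DNS servers, in listed order."""
    adapters, current, in_dns = {}, None, False
    for line in text.splitlines():
        if line[:1].strip() and line.rstrip().endswith(":"):
            current, in_dns = line.rstrip()[:-1], False  # unindented adapter header
            adapters[current] = []
        elif current and line.lstrip().startswith("DNS Servers"):
            ip = parse_ip(line.split(" : ", 1)[-1])
            adapters[current] += [str(ip)] if ip else []
            in_dns = True
        elif in_dns and parse_ip(line):
            adapters[current].append(str(parse_ip(line)))  # continuation line
        else:
            in_dns = False  # any other line ends the DNS server list
    return adapters

def mixed_resolver_adapters(text):
    """Adapters that list both a private (local) and a public DNS server."""
    flagged = {}
    for name, servers in dns_servers_by_adapter(text).items():
        addrs = [ipaddress.ip_address(s) for s in servers]
        local = [str(a) for a in addrs if a.is_private]
        public = [str(a) for a in addrs if a.is_global]
        if local and public:
            flagged[name] = {"local": local, "public": public}
    return flagged
```

Feed it the text of `ipconfig /all` saved to a file; an empty result means no adapter mixes local and public resolvers.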
-
@bmeeks it turns out I'm one of those who have the common misconception about DNS settings on clients; I thought they were used in the order listed. I changed the DNS Server under System > General Setup to the firewall IP and removed the DNS server entries under the DHCP server and it worked!!
-
@vinny147 said in Cannot Reach Pfsense via Hostname:
@bmeeks it turns out I'm one of those who have the common misconception about DNS settings on clients; I thought they were used in the order listed. I changed the DNS Server under System > General Setup to the firewall IP and removed the DNS server entries under the DHCP server and it worked!!
Great that it's working for you, but you need to put nothing in the DNS boxes under both SYSTEM > GENERAL SETUP and in the DHCP configuration for DNS on pfSense. When you leave those boxes blank, pfSense automatically uses the firewall address there. Read the help/hint text under each box. It explains how that works.
pfSense, out of the box, needs absolutely nothing at all added anywhere in regards to DNS. It is default configured to act as a true DNS resolver that talks directly to the DNS root servers and then works down from there to find the authoritative DNS server for your query and get the IP address. It needs no DNS IP addresses entered anywhere during configuration. The unbound application used to provide DNS on pfSense intrinsically knows how to find the DNS root servers. That's all it needs to resolve a name to an IP.
Same is true for the DHCP Server on pfSense. Out of the box, when you leave the DNS boxes for DHCP configuration blank, it will automatically provide the firewall interface IP (where the DHCP service is running) as the DNS server for all clients making a DHCP request to pfSense. And again, by default unless the user fiddles with things, the unbound daemon will listen on all the firewall interfaces and thus be there waiting for clients on that subnet to submit DNS queries.
-
@bmeeks Got it. I've made the update and it still works. Thanks again for all the help and detailed answers to help me understand how the system works.