DNS Resolution Behavior under 23.01 appears to ignore setting
-
I've just upgraded from 22.05 to 23.01 and noticed that the DNS Resolution Behavior setting under System\General Setup appears to ignore the setting "Use remote DNS Servers, ignore local DNS" when I have the DNS Forwarder service enabled. Regardless of what I set the DNS Resolution Behavior setting to, it still includes 127.0.0.1 as a name server in /etc/resolv.conf. If I disable the DNS Forwarder service then it removes 127.0.0.1 as a name server in /etc/resolv.conf; however, enabling the service adds the entry back in despite the DNS Resolution Behavior setting. Manually editing /etc/resolv.conf fixes it until I make configuration changes.
-
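Since the complaint above is about what actually lands in /etc/resolv.conf after a configuration change, a small audit script is the quickest way to confirm it. The following is an added example written for this thread, not code from pfSense or from any poster; it parses a resolv.conf-style file and checks it against the three DNS Resolution Behavior options. The labels `remote`, `local` and `local-first` are this script's own names for those options, and the sample files it builds are constructed for demonstration, not anyone's real configuration.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense itself: audit a
# resolv.conf-style file against the DNS Resolution Behavior policy you
# expect. The policy names below ("remote", "local", "local-first") are
# this script's own labels for the three pfSense options, assumed to mean:
#   remote      - "Use remote DNS Servers, ignore local DNS": no loopback entry
#   local       - "Use local DNS, ignore remote DNS Servers": only loopback entries
#   local-first - "Use local DNS, fall back to remote": loopback first, remote after

# Print the nameserver addresses in order, skipping comments and other directives.
list_nameservers() {
    awk '$1 == "nameserver" && $2 != "" { print $2 }' "$1"
}

# Count how many listed nameservers are loopback (127.0.0.1 or ::1).
count_loopback() {
    list_nameservers "$1" | awk '$1 == "127.0.0.1" || $1 == "::1" { n++ } END { print n + 0 }'
}

# Exit 0 if FILE matches POLICY, 1 if it does not, 2 for an unknown policy.
check_policy() {
    file=$1
    policy=$2
    n_total=$(list_nameservers "$file" | wc -l | tr -d ' ')
    n_local=$(count_loopback "$file")
    first=$(list_nameservers "$file" | head -n 1)
    case $policy in
        remote)
            [ "$n_total" -gt 0 ] && [ "$n_local" -eq 0 ] ;;
        local)
            [ "$n_local" -gt 0 ] && [ "$n_local" -eq "$n_total" ] ;;
        local-first)
            [ "$n_local" -gt 0 ] && [ "$n_total" -gt "$n_local" ] &&
                { [ "$first" = "127.0.0.1" ] || [ "$first" = "::1" ]; } ;;
        *)
            echo "unknown policy: $policy" >&2
            return 2 ;;
    esac
}

# Constructed sample files standing in for /etc/resolv.conf (not anyone's real config).
SAMPLE_REMOTE=$(mktemp)
printf 'nameserver 1.1.1.2\nnameserver 1.0.0.2\nsearch example.lan\n' > "$SAMPLE_REMOTE"

SAMPLE_LOCAL_FIRST=$(mktemp)
printf '# Generated by resolvconf\nnameserver 127.0.0.1\nnameserver 1.1.1.2\nnameserver 1.0.0.2\n' > "$SAMPLE_LOCAL_FIRST"

SAMPLE_LOCAL=$(mktemp)
printf 'nameserver 127.0.0.1\n' > "$SAMPLE_LOCAL"

# Report, for a file, which of the three policies it actually satisfies.
report() {
    for p in remote local local-first; do
        if check_policy "$1" "$p"; then echo "$1: matches $p"; fi
    done
}

report "$SAMPLE_REMOTE"
report "$SAMPLE_LOCAL_FIRST"
report "$SAMPLE_LOCAL"
# On a live box: check_policy /etc/resolv.conf remote || echo "127.0.0.1 still present"
```

The exit status makes the check usable from a cron job or a post-change hook: run `check_policy /etc/resolv.conf remote` after saving System > General Setup and after toggling the DNS Forwarder, and you have a reproducible record of whether the loopback entry came back, rather than reading the file by eye each time.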
I can't reproduce this. When I set it to "use remote, ignore local" then only the name servers listed on System > General are present even when using the DNS forwarder.
Do you maybe have 127.0.0.1 in that list? Or if you have allowed overrides to DNS servers, it's possible it's coming from DHCP or similar, but that seems unlikely.
Looking at the code there isn't any way that setting is "remote" in the config which would result in it being added that way, so it has to be coming from something else.
-
I don't have 127.0.0.1 specified as a DNS server anywhere that I can see. DNS override is disabled.
When I try setting "use local DNS, ignore remote" it still lists the remote DNS in the system information on the dashboard.
I think I've fixed it by removing localhost from the selected interfaces in the DNS Forwarder settings. Perhaps there's something in the code in the DNS Forwarder settings that overrides the general settings?
-
@kesawi Slightly off topic, but I'm interested to understand why you want this setting?
What in your environment needs this config, or how do you expect the behavior to change?
Personally, I am using Cloudflare 1.1.1.2 / 1.0.0.2 in my General Setup / DNS.
I can see 127.0.0.1 also listed in the DNS Servers on the main status page, due to the setting "Use Local DNS (127.0.0.1), fall back to remote DNS servers".
Inside my DHCP I set the pfSense box as DNS server and have experimented with FW rules on the LAN to block other DNS going out.
-
@jasonau good to see another Brisbane local on the forums.
I use Active Directory on my primary LAN for DNS and DHCP to my clients. I have a guest network and a DMZ with some public-facing servers which are served by the pfSense DNS Forwarder and DHCP. I also have several internal DNS-based aliases for firewall rules.
I need pfSense to be able to resolve local addresses for the firewall alias rules, but don't want the guest or DMZ network to be able to query any of the DNS entries for my LAN. I figure if clients of my guest or DMZ networks get pwned I don't want them to be able to start reverse resolving my private IP addresses to potentially map my LAN network. I have specific rules in the DNS Forwarder settings blocking lookup for my internal LAN domains.