Netgate Discussion Forum
    PFSense Seems To Require Access to External DNS?

    General pfSense Questions
Jake Biker:

      Hi Team,

We are running a firewalled management network - due to project overhang we need to run the management network on a double NAT for a short period.
      DNS is restricted on our network.
      When running a PFSense as a client on the main network it seems to require connectivity to external DNS to work correctly, pick up update availability etc. From the logs of other firewall rules, I can see that the PFSense instance is calling out to a range of DNS servers - is there a definitive list of these IP Addresses and what is their exact purpose please?

      Thanks!

Gertjan @Jake Biker (last edited by Gertjan):

        @Jake-Biker said in PFSense Seems To Require Access to External DNS?:

        that the PFSense instance is calling out to a range of DNS servers - is there a definitive list of these IP Addresses and what is their exact purpose please?

        pfSense, out of the box, has a resolver.
        So, for starters, it can/will/might use any of these.
These 13 root servers will only give a solution about which TLD server to use next.
One will be chosen (out of many thousand available), and that one will be used to get the (at least 2) domain server IP addresses to do the final request (for example: what is the A record of www.facebook.com). For this example, the domain name servers of facebook were needed.
This process is the classic way of doing DNS.
The potential list of DNS servers involved? Dunno. A couple of million?

        If "visiting facebook DNS servers to visit facebook web servers" isn't possible, you could consider transforming the pfSense resolver into a forwarder.
First:

[image: 4b0f7d42-dc09-4f4e-af35-213bf4ec4ed8-image.png]

and then set these as shown:

[image: 896d6bce-7df0-4e69-9056-8695fa1aaafa-image.png]

Note: Leave the Python settings as is.

When saved and applied, from now on, pfSense will ask '8.8.8.8' to handle its DNS needs.
If a LAN client is using pfSense as a DNS source, then these requests will also get sent to 8.8.8.8 (forwarded).
Keep in mind: devices connected to the LAN(s) of pfSense might also do their own resolving, or forward to their own favourite DNS servers (1.1.1.1?), or do DoH, etc., so you will still see DNS traffic going out of pfSense, not originating from pfSense, but from one of the devices on its LAN(s).

        No "help me" PM's please. Use the forum, the community will thank you.
Edit: and where are the logs??

stephenw10 (Netgate Administrator):

          Yes if you set Unbound in forwarding mode you can just point it at the local DNS servers on the network.

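To make the difference between the two modes concrete, here is an added simulation (not pfSense or Unbound code, and not from either poster): it walks a constructed delegation tree the way Gertjan describes (13 root servers, then a TLD server, then the domain's own name servers) and records which servers the firewall itself contacted, then does the same for forwarding mode as stephenw10 suggests, where every query goes to one configured upstream. Every hostname and IP address in the zone tree is made up for the demo; 8.8.8.8 is the forwarder from Gertjan's screenshots. The `outbound_dns_destinations` helper shows why an egress allow-list is practical only in forwarding mode.

```python
"""Which DNS servers does a resolver vs. a forwarder talk to?

Added example, not pfSense or Unbound code. It simulates the delegation walk
(root -> TLD -> authoritative) over a constructed zone tree and contrasts it
with forwarding mode, where every query leaves the box towards one address.
All hostnames and IPs in ZONES are constructed for the demo.
"""

# Thirteen root server names (constructed; the real ones are under root-servers.net).
ROOT_NS = [f"{c}.root.example" for c in "abcdefghijklm"]

# Constructed delegation tree. Each zone lists its name servers, the child zones
# it delegates, and (for leaf zones) the records it is authoritative for.
ZONES = {
    ".": {"ns": ROOT_NS, "delegations": ["com.", "org."]},
    "com.": {"ns": ["a.gtld.example", "b.gtld.example"],
             "delegations": ["facebook.com.", "pfsense.com."]},
    "org.": {"ns": ["a0.org.example"], "delegations": []},
    "facebook.com.": {"ns": ["a.ns.fb.example", "b.ns.fb.example"],
                      "records": {"www.facebook.com.": "203.0.113.10"}},
    "pfsense.com.": {"ns": ["ns1.pfs.example", "ns2.pfs.example"],
                     "records": {"www.pfsense.com.": "198.51.100.20"}},
}


def _query(server, zone, qname):
    """Simulate asking `server` (authoritative for `zone`) about `qname`.
    Returns ("answer", ip), ("referral", child_zone) or ("nxdomain", None)."""
    data = ZONES[zone]
    if qname in data.get("records", {}):
        return "answer", data["records"][qname]
    # Referral: the longest delegated child zone that is a suffix of qname.
    for child in sorted(data.get("delegations", []), key=len, reverse=True):
        if qname == child or qname.endswith("." + child):
            return "referral", child
    return "nxdomain", None


def resolve_iterative(qname, pick=lambda ns_list: ns_list[0]):
    """Resolver mode: walk the delegation chain from the root ourselves.
    Returns (answer_or_None, list_of_servers_this_box_contacted)."""
    qname = qname if qname.endswith(".") else qname + "."
    zone, contacted = ".", []
    while True:
        server = pick(ZONES[zone]["ns"])   # a real resolver may pick any of them
        contacted.append(server)
        kind, payload = _query(server, zone, qname)
        if kind == "answer":
            return payload, contacted
        if kind == "nxdomain":
            return None, contacted
        zone = payload                     # follow the referral one level down


def resolve_forwarding(qname, forwarder="8.8.8.8"):
    """Forwarder mode: hand the whole question to one upstream. From this box's
    point of view only the forwarder is contacted; it does the walk itself."""
    answer, _upstream_walk = resolve_iterative(qname)   # the forwarder's own work
    return answer, [forwarder]


def outbound_dns_destinations(names, mode):
    """Distinct servers a firewall would see this box contact for `names`.
    In resolver mode the set grows with every new domain looked up; in
    forwarding mode it stays at the single configured address."""
    seen = []
    for n in names:
        _, contacted = resolve_iterative(n) if mode == "resolver" else resolve_forwarding(n)
        for s in contacted:
            if s not in seen:
                seen.append(s)
    return seen


if __name__ == "__main__":
    names = ["www.facebook.com", "www.pfsense.com"]
    for name in names:
        print(name, "resolver  ->", resolve_iterative(name))
        print(name, "forwarder ->", resolve_forwarding(name))
    print("egress set, resolver :", outbound_dns_destinations(names, "resolver"))
    print("egress set, forwarder:", outbound_dns_destinations(names, "forwarder"))
```

Run it and the resolver-mode egress set already holds four distinct servers for two names, while forwarding mode stays at one; on a real network the resolver-mode set keeps growing with every new domain, which is the "couple of million" Gertjan refers to and why a restricted-DNS network is easier to police with the forwarder pointed at a small, known set of servers.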
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.