force local hostname resolution behind internet box

rjcab

Hello,

I temporarily made some chance on my design and my pfsense has only the interface LAN which is used. It provides DHCP et DNS resolver services.
I want that pfsense made the DNS resolver for local hostname within my lan:

The 192.168.1.254 is the LAN interface of my internet Box which provide internet.
DHCP works well and provide IP address and DNS.

my laptop is ok with the DNS 192.168.1.1 but no internet access.

but:

➜  ~ ping jc.local.lan
ping: cannot resolve jc.local.lan: Unknown host
➜  ~ ping google.fr   
ping: cannot resolve google.fr: Unknown host

If I add 8.8.8.8 as DNS on my laptop I have internet.

On my Internet BOX I have this and I cannot delete it:

2 questions:

Why I don't access to internet without put DNS like 8.8.8.8
Why pfsense doesn't make the hostname resolution ?

Thanks

johnpoz

@rjcab You don't put a gateway on your "lan" this turns it into a wan interface..

Most likely everything would be broken in such a setup.

viragomann

@rjcab said in force local hostname resolution behind internet box:

my laptop is ok with the DNS 192.168.1.1 but no internet access.

Sure?
Do a dig or nslookup. This shows, which DNS is requested.

viragomann

@johnpoz said in force local hostname resolution behind internet box:

You don't put a gateway on your "lan" this turns it into a wan interface..

Obviously he use pfSense only for DHCP and DNS without a WAN interface. And the stated gateway on the LAN is the internet router.
So I think, it should work with the LAN gateway.

johnpoz

@viragomann not really how you would do it.. When pfsense only has 1 interface, this would be wan... And you could use it for what you want to use it for in that configuration.

So actual details of what the user is wanting to do, and how was it setup before? They mention.. "I temporarily made some chance on my design"

rjcab

Thanks both of you.

Yes :

Obviously he use pfSense only for DHCP and DNS without a WAN interface. And the stated gateway on the LAN is the internet router.
So I think, it should work with the LAN 

And the box has LAN in 192.168.1.0/24 and the WAN interface of the box is in 178.xxx.xxx.xxx

Am running out of battery, after charging I will make the test on the laptop

johnpoz

@rjcab when you setup pfsense for such a purpose, and this would be pfsense wan, even if on your "lan"..

There are much easier ways to run dhcp/dns services then firing up pfsense for such mundane services.. pihole can do this for example..

rjcab

@johnpoz you are right but this is juste for couple of weeks

johnpoz

@rjcab and a pihole would take all of like 2 minutes to setup, and specifically designed for exactly this - provide dns and also can do dhcp.. Vs software that is meant to be your router/firewall and has very advanced functions and a more complicated setup to be used for such a purpose. And meant to run clean on the box/vm as the only OS... While pihole can just run as some software on any linux distro or as just a docker on any os, etc..

But hey you do you.. But I would expect issues if your trying to tell pfsense hey this is your lan, but hey use it as your wan, etc..

rjcab

➜  ~ dig

; <<>> DiG 9.10.6 <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 1036
;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; Query time: 52 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Sat Feb 24 23:18:51 CET 2024
;; MSG SIZE  rcvd: 12

➜  ~ ping jc.local.lan
ping: cannot resolve jc.local.lan: Unknown host
➜  ~ 

in the static dhcp config:

I this config, no internet access, I need I think to specify somewhere in Pfsense the path or DNS to go outside the LAN.
For the hostname resolution I don't know as the IP address for DNS 1.1 is the right one

rjcab

@johnpoz Sure, But in this way I learn a lot about pfsense :-)

johnpoz

@rjcab I am not sure using something in a way its not actually meant to be used is learning about it ;) But hey have fun..

Btw if your using kea, static reservations will not show up for dns.. And if using isc, you have to tell unbound to register static dhcp reservations..

And your query was refused, so wouldn't matter even if pfsense had a record it could answer with... So you have your ACLs not correct in unbound.

rjcab

@johnpoz

but i didnot understand the unbound stuff, I will look at

johnpoz

@rjcab out of the box pfsense creates automatic ACL (access control lists) to allow say your lan to query it.. But how you have it setup I don't know what the ACLs would be set to, if pfsense thinks lan is a wan, it might not allow queries because well normally you wouldn't want to provide dns to say the internet ;)

That refused there is saying unbound refused to serve you what you asked for.. You may need to manually adjust unbounds ACLs.

I do not believe register static is enabled by default, but your going to want that set as well

rjcab

already enabled:

johnpoz

@rjcab well that refused when you did a dig screams acls.. Manually set it to allow your network to query..

I am not 100% sure if just creating one overrides auto, etc.. So you might want to disable the auto, and just create your own