Use custom DNS in static mappings but still use the dns resolver for host overrides
-
Hi all, currently I have pfSense set to use Cloudflare filtering DNS servers. I have set up static DHCP mappings and would like to use custom DNS servers for them.
The issue is that when I add a custom DNS server for an IP address, say 1.1.1.1, it bypasses the DNS Resolver and my host overrides stop working.
My setup:
System > General Setup > DNS Server Settings, I have:
1.1.1.3
1.0.0.3
Services > DNS Resolver > General Settings:
ticked Enable Forwarding Mode
ticked Use SSL/TLS for outgoing DNS Queries to Forwarding Servers
ticked Register DHCP leases in the DNS Resolver
ticked Register DHCP static mappings in the DNS Resolver
Host Overrides:
mysite ddns.net 192.168.1.50
What I want to achieve is to use the DNS Resolver so that my host overrides work, but use different DNS for some IP addresses and servers.
Any advice?
-
@aGeekhere said in Use custom DNS in static mappings but still use the dns resolver for host overrides:
What i want to achieve is to use the dns resolver so that my host overrides work
This is the default behavior: all DHCP LAN(s) clients will use pfSense as their DNS. If host overrides are defined locally (!) in your Resolver (unbound), then - and only then - these will be taken into account.
You can set up the resolver (unbound) so it forwards to, for example, "1.1.1.1".
Now you have the best of both worlds.
Informing a LAN device, when it requests a DHCP lease, that its DNS is "1.1.1.1" will completely short-cut the pfSense resolver, thus not taking into account all the local DNS settings, like host overrides. The resolver will never 'see' the DNS request from this client, as the request isn't sent to pfSense.
-
@Gertjan said in Use custom DNS in static mappings but still use the dns resolver for host overrides:
This is the default behavior: all DHCP LAN(s) clients will use pfSense as their DNS. If host overrides are defined locally (!) in your Resolver (unbound), then - and only then - these will be taken into account.
You can set up the resolver (unbound) so it forwards to, for example, "1.1.1.1".
Now you have the best of both worlds.
Sorry, I do not quite understand: how can I configure some clients to use 1.1.1.1 and still be able to use the host overrides?
-
@aGeekhere said in Use custom DNS in static mappings but still use the dns resolver for host overrides:
Sorry, I do not quite understand: how can I configure some clients to use 1.1.1.1 and still be able to use the host overrides?
You cannot do this. The only way for host overrides to work is when configured within either the DNS Resolver or DNS Forwarder in pfSense (unless you have a completely separate physical DNS server). And your clients must be configured to pass their DNS queries to pfSense.
@Gertjan gave you the proper solution, but perhaps you do not understand the distinction between a resolver and forwarder in DNS. Search for those two terms (and how each works differently) on Google, and then @Gertjan's answer should be more clear.
To recap his solution: configure the DNS Resolver on pfSense to forward requests it is not authoritative for to 1.1.1.1 or any other public DNS provider you choose. But note you only need to configure this forwarding if you want to use external DNS filtering. The DNS Resolver on pfSense in its default state will resolve queries for clients using the DNS root servers (and thus never needs any forwarding server configured). But since you seem to want to take advantage of the DNS filtering provided by Cloudflare, you would configure forwarding. Configure your host overrides in the DNS Resolver on pfSense. Configure all of your clients to use pfSense for DNS.
With the above setup, your clients will send all DNS requests directly to pfSense. The DNS Resolver on pfSense will check first to see if the client is asking for a host covered by a host override entry. If true, the override entry IP address is returned for that host. If false, then the DNS Resolver will pass the query up the line to the configured forwarder (1.1.1.1 from your example). The "filtered" DNS answer from 1.1.1.1 will then be returned to your LAN client. From your original description this seems to be exactly what you want.
-
I think OP wants some devices (kids) to forward to 1.1.1.3 and the rest to forward to 1.1.1.1.
An option might be another DNS server running somewhere on LAN that also has the overrides.
Unbound has its “view” concept but I don’t know if that can affect forwarding.
-
@SteveITS
That is correct. I want some users to use 1.1.1.3 and others to use 1.1.1.1, but still have the host overrides work. Going to re-read the message above to see if I can get it to work.
-
@aGeekhere this question gets asked all the time. What you're asking is problematic without a separate cache for the views or different clients, etc.
If a client asks for something that would be blocked by the filtering DNS, but they are set to ask the non-filtered DNS, now that is cached. If a client that should be filtered then asks, they would get back what is in the cache.
BIND can run multiple caches, but not sure that is something you can configure from the GUI.
You could probably get what you're wanting out of running both unbound and dnsmasq (forwarder) with them listening on different ports, and then have your clients point to, say, 1.1.1.3 or whatever, which gets redirected to the new port unbound or the forwarder is listening on to resolve your local resources, and then just forwards on to 1.1.1.3.
A simpler solution, to be honest, would be to just run, say, Pi-hole or something and point the clients you want to filter to that. Then set up a conditional forward on it to forward to pfSense to resolve your local domain.tld resources, and if not in that domain just forward to 1.1.1.3. That's what I would do.
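A small Python model, added here as an illustration and not code from the thread, from pfSense or from unbound, of two points made above: the lookup order the earlier answers describe (host override first, then cache, then forward to the chosen upstream) and the shared-cache problem raised in the last post. The upstream "answers", the names example.com and blocked.example, and the 0.0.0.0 reply for a blocked name are all constructed for the demonstration; only 1.1.1.1, 1.1.1.3 and the mysite ddns.net override come from the thread. TTLs and record types are ignored.

```python
"""Toy model of a forwarding resolver with host overrides and a cache.

Added example; constructed data only, not real DNS responses.
"""
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Upstreams from the thread: 1.1.1.1 (unfiltered) and 1.1.1.3 (filtering).
UNFILTERED = "1.1.1.1"
FILTERED = "1.1.1.3"

# Constructed upstream answers. The filtering upstream is assumed to hand
# back 0.0.0.0 for a name it blocks; the real service's reply may differ.
UPSTREAM_ANSWERS: Dict[str, Dict[str, str]] = {
    UNFILTERED: {"example.com": "93.184.216.34", "blocked.example": "203.0.113.7"},
    FILTERED: {"example.com": "93.184.216.34", "blocked.example": "0.0.0.0"},
}

# Host override from the original post (host "mysite", domain "ddns.net").
HOST_OVERRIDES: Dict[str, str] = {"mysite.ddns.net": "192.168.1.50"}


@dataclass
class Resolver:
    """Lookup order as described in the thread:
    1. host override (local data): answered here, never forwarded
    2. cache: answered regardless of which upstream filled it
    3. forward to the upstream chosen for this client, then cache
    """
    overrides: Dict[str, str]
    cache: Dict[str, str] = field(default_factory=dict)

    def resolve(self, name: str, upstream: str) -> Tuple[str, str]:
        name = name.lower().rstrip(".")
        if name in self.overrides:
            return self.overrides[name], "override"
        if name in self.cache:
            return self.cache[name], "cache"
        answer = UPSTREAM_ANSWERS[upstream].get(name, "NXDOMAIN")
        self.cache[name] = answer
        return answer, f"forward:{upstream}"


def dhcp_custom_dns_scenario() -> str:
    """Client handed 1.1.1.1 directly by its static mapping: the query never
    reaches pfSense, so the host override is invisible to it."""
    return UPSTREAM_ANSWERS[UNFILTERED].get("mysite.ddns.net", "NXDOMAIN")


def override_scenario() -> Tuple[str, str]:
    """Overrides win before cache and forwarding, whichever upstream is chosen."""
    r = Resolver(HOST_OVERRIDES)
    r.resolve("mysite.ddns.net", UNFILTERED)
    return r.resolve("mysite.ddns.net", FILTERED)


def shared_cache_scenario() -> Tuple[str, str]:
    """One resolver (one cache) serving both client groups: the unfiltered
    client asks first, its answer is cached, and the filtered client then
    receives the cached unfiltered answer. Returns the filtered client's
    (answer, source)."""
    r = Resolver(HOST_OVERRIDES)
    r.resolve("blocked.example", UNFILTERED)  # unfiltered client asks first
    return r.resolve("blocked.example", FILTERED)  # filtered client bypasses filter


def separate_cache_scenario() -> Tuple[str, str]:
    """Two resolver instances with separate caches (a second forwarder on
    another port, or a separate box in front of pfSense, as suggested above)
    that still share the same host overrides."""
    unfiltered_view = Resolver(HOST_OVERRIDES)
    filtered_view = Resolver(HOST_OVERRIDES)
    unfiltered_view.resolve("blocked.example", UNFILTERED)
    return filtered_view.resolve("blocked.example", FILTERED)


if __name__ == "__main__":
    print("client pointed straight at 1.1.1.1:", dhcp_custom_dns_scenario())
    print("override via pfSense:             ", override_scenario())
    print("shared cache, filtered client:    ", shared_cache_scenario())
    print("separate caches, filtered client: ", separate_cache_scenario())
```

The shared-cache run is the case to watch for: the filtered client gets 203.0.113.7 from the cache rather than the filtering upstream's answer, which is why per-client forwarding inside a single unbound instance is not enough on its own.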