DNS config tips with pfsense behind ISP router

kingrazor

I have a pfSense installation behind an ISP-provided router that is not in bridge mode. I played around with a variety of different DNS configs on this network and had something that mostly worked. Lately, when making changes to networks or setting up new networks, I'm having issues with DNS.

I'm not at all married to my current config, so I'd like to just start over and do things the right way. Is there anything I should know that would be a tip, recommendation, or best practice specifically regarding DNS when pfSense is behind an ISP-provided router?

I have 6 different VLANs each on their own virtual interfaces with their own rules and DHCP servers. I am using pfSense for all DHCP on the network.

SteveITS

@kingrazor If you add a new interface/VLAN you will need to restart the DNS Resolver service so it sees/listens on the new interface.

Otherwise, DNS should "just work" without any changes to the default configuration. Have you set it to forward queries to a specific DNS server? If so, disable DNSSEC.

kingrazor

@SteveITS said in DNS config tips with pfsense behind ISP router:

@kingrazor If you add a new interface/VLAN you will need to restart the DNS Resolver service so it sees/listens on the new interface.

Otherwise, DNS should "just work" without any changes to the default configuration. Have you set it to forward queries to a specific DNS server? If so, disable DNSSEC.

It's definitely not set to defaults anymore. I did not know that about restarting the resolver service when setting up a new interface though, thanks for pointing that out.

Right now I have cloudflare and google DNS servers setup under general setup, and I have it set to ignore local DNS and only use remote. I don't recall whether or not the resolver is set to forwarder mode or not.

johnpoz

@kingrazor said in DNS config tips with pfsense behind ISP router:

I don't recall whether or not the resolver is set to forwarder mode or not.

If you do not have unbound in forwarder mode - then what you put in dns for pfsense has nothing to do with unbound or clients asking unbound for something. It will resolve what asked and not forward to anything.

Setting dns in pfsense general and telling it not to ask itself just means it will not be able to resolve any of its own resource, and will always ask what you have in general for anything.,

if you want some client on your network to get its answer from googledns, then you need to set the client to ask googledns, or you need to have the resolver set to forward. Or you need to use the forwarder vs unbound.

kingrazor

@johnpoz said in DNS config tips with pfsense behind ISP router:

@kingrazor said in DNS config tips with pfsense behind ISP router:

I don't recall whether or not the resolver is set to forwarder mode or not.

If you do not have unbound in forwarder mode - then what you put in dns for pfsense has nothing to do with unbound or clients asking unbound for something. It will resolve what asked and not forward to anything.

Setting dns in pfsense general and telling it not to ask itself just means it will not be able to resolve any of its own resource, and will always ask what you have in general for anything.,

if you want some client on your network to get its answer from googledns, then you need to set the client to ask googledns, or you need to have the resolver set to forward. Or you need to use the forwarder vs unbound.

Ok, that makes sense.

The one setting I don't seem to understand is the local vs remote DNS setting under general setup. I've read the descriptions, but I'm still not sure exactly why I'd use one setting over the other.

johnpoz

@kingrazor for just the reason I explained - if you want pfsense to use remote, but normally you would have it ask local, which would then forward if you wanted to use a specific NS.

Unless you have a special need, the settings out of the box should work - resolve and pfsense pointing to itself 127.0.0.1.. The other options are to allow for unique configurations.

Not everyone has the same needs/wants - which is why pfsense having lots of options nice.

Gertjan

@kingrazor said in DNS config tips with pfsense behind ISP router:

I played around with a variety of different DNS configs...... I'm having issues with DNS.

Stop playing ?

Your upstream ISP router hands over a RFC1918 IP to the WAN interface of pfSense.
Typically, this is a 192.168.10.4 - where the LAN interface of the ISP router uses '192.168.10.0/24'.

pfSense doesn't do anything with DNS servers proposed in this WAN DHCP lease.
Btw : the default WAN IPv4 setting is : use DHCP.

pfSense doesn't need (want) any DNS servers, as it doesn't need them. pfSense taps into the official Internet DNS resource, as pfSense has an autonomous resolver.
The most common case is : you don't need to do anything about DNS when you set up pfSense, and DNS will work out of the box. Exactly like when you buy a new PC or phone : connect to your (wifi) network and "it works" you doing nothing to make it work. People don't have to fiddle with whatever IP settings at all.

By default, your pfSense LAN DHCP server(s) will add the pfSense LAN IP as the DNS for your LAN based devices. So, if they have a DNS request, they will ask pfSense (the resolver). And the resolver goes out doing it's thing = resolving, and when the answer comes back, the client will be informed.

Different setups can exist. If you signed a contract with Google, and they bought all your DNS traffic, then you would have to set up the resolver as a forwarder to 8.8.8.8.
Or maybe you signed up with Quad9 as they offer some nice family filtering ?
Or 1.1.1.1 ?

Al these corporate DNS servers, 8.8.8.8, 9.9.9.9 1.1.1.1 are resolver also. You might need them, the choice is up to you, but just be ware : you also have your own resolver and you don't need any DNS assistance from another source.

@kingrazor said in DNS config tips with pfsense behind ISP router:

or best practice specifically regarding DNS when pfSense is behind an ISP-provided router?

IMHO : The default "chosen by Netgate" config is the best one.
No hassle, it's KIS applied to the max. Easy to maintain ^^
Extra bonus : DNSSEC, if supported by the hosts (sites) you visit, and will be used by the resolver, which helps you keep the most dangerous 'Internet' situation out of the door : DNS spoofing.

@kingrazor said in DNS config tips with pfsense behind ISP router:

I did not know that about restarting the resolver service when setting up a new interface though

Adding physically a new interface needs a power down first. When powering up, the default resolver settings :

will use them all - you doing 'nothing' extra to make it happen.
That said, you have to assign in pfSense an unassigned interface first, so an "Interface event" will restart most system processes, and among them is the resolver.
If you had manually selected some interfaces then you are in manual mode, and need - or not - to add your interface for the resolver, according to your needs.

As said above : it's up to you to adapt everything to your own specific needs.

So, you were right Keep on playing, formerly known as learning, as that is the solution for you and all of us to determine what is best for you (us).

kingrazor

@Gertjan said in DNS config tips with pfsense behind ISP router:

@kingrazor said in DNS config tips with pfsense behind ISP router:

I played around with a variety of different DNS configs...... I'm having issues with DNS.

Stop playing ?

Your upstream ISP router hands over a RFC1918 IP to the WAN interface of pfSense.
Typically, this is a 192.168.10.4 - where the LAN interface of the ISP router uses '192.168.10.0/24'.

pfSense doesn't do anything with DNS servers proposed in this WAN DHCP lease.
Btw : the default WAN IPv4 setting is : use DHCP.

pfSense doesn't need (want) any DNS servers, as it doesn't need them. pfSense taps into the official Internet DNS resource, as pfSense has an autonomous resolver.
The most common case is : you don't need to do anything about DNS when you set up pfSense, and DNS will work out of the box. Exactly like when you buy a new PC or phone : connect to your (wifi) network and "it works" you doing nothing to make it work. People don't have to fiddle with whatever IP settings at all.

By default, your pfSense LAN DHCP server(s) will add the pfSense LAN IP as the DNS for your LAN based devices. So, if they have a DNS request, they will ask pfSense (the resolver). And the resolver goes out doing it's thing = resolving, and when the answer comes back, the client will be informed.

Different setups can exist. If you signed a contract with Google, and they bought all your DNS traffic, then you would have to set up the resolver as a forwarder to 8.8.8.8.
Or maybe you signed up with Quad9 as they offer some nice family filtering ?
Or 1.1.1.1 ?

Al these corporate DNS servers, 8.8.8.8, 9.9.9.9 1.1.1.1 are resolver also. You might need them, the choice is up to you, but just be ware : you also have your own resolver and you don't need any DNS assistance from another source.

@kingrazor said in DNS config tips with pfsense behind ISP router:

or best practice specifically regarding DNS when pfSense is behind an ISP-provided router?

IMHO : The default "chosen by Netgate" config is the best one.
No hassle, it's KIS applied to the max. Easy to maintain ^^
Extra bonus : DNSSEC, if supported by the hosts (sites) you visit, and will be used by the resolver, which helps you keep the most dangerous 'Internet' situation out of the door : DNS spoofing.

@kingrazor said in DNS config tips with pfsense behind ISP router:

I did not know that about restarting the resolver service when setting up a new interface though

Adding physically a new interface needs a power down first. When powering up, the default resolver settings :

will use them all - you doing 'nothing' extra to make it happen.
That said, you have to assign in pfSense an unassigned interface first, so an "Interface event" will restart most system processes, and among them is the resolver.
If you had manually selected some interfaces then you are in manual mode, and need - or not - to add your interface for the resolver, according to your needs.

As said above : it's up to you to adapt everything to your own specific needs.

So, you were right Keep on playing, formerly known as learning, as that is the solution for you and all of us to determine what is best for you (us).

We're using Comcast as our ISP and I have for many years had issues with their DNS servers, so I never use them if I can help it. So the only sure thing is that I don't want anything on the network using Comcast's DNS servers.

We don't really have a need for internal name resolution on this particular network, more than half of the connected hosts provide no hostname with their DHCP registrations.

My pfsense box only has two physical interfaces, so whenever I add an interface, it's a VLAN with the LAN interface as its parent interface. So pfsense is on while the interface is added.

tinfoilmatt

Configure DNS-over-TLS to prevent the ISP from eavesdropping the entire LAN's (including unbound's) DNS lookups.

The documentation has a config recipe.

Gertjan

@kingrazor said in DNS config tips with pfsense behind ISP router:

We're using Comcast as our ISP and I have for many years had issues with their DNS servers, so I never use them if I can help it. So the only sure thing is that I don't want anything on the network using Comcast's DNS servers.

One more reason why the pfSense default DNS setup would be perfect for you.
No ISP (Comcast) DNS is used by default.

That said, I do presume that Comcast allows you to use the internet, and thus the Internet's 'default' DNS traffic. If they start blocking ordinary DNS traffic then an ISP change would be the your best solution. That said, if they really would do that, they won't stay in business long time ...