Netgate Discussion Forum

One pfsense DNS resolver to use another pfsense as DNS server???

DHCP and DNS
6 Posts 2 Posters 682 Views
    CadilLACi
    last edited by Feb 6, 2018, 1:06 PM

    Hi there!

    I got 2 pfSense VMs, one in the main office (192.168.12.1), one in the branch office (10.0.0.1). They are connected via an OpenVPN tunnel.

    I got the DNS resolver (unbound) set up in both locations. In the main office, I got a lot of host overrides that I use to mask global DNS entries when connecting to the network.

    I would like to set up the branch office DNS resolver to query the main office for DNS lookups, so that I don't have to mirror my host overrides.

    In the branch office, if I run "dig hostoverride.mydomain.etc @192.168.12.1", it returns the CORRECT A record just fine. So I can query the main office DNS server from there just fine, and the host overrides work.

    In the branch office, the topmost DNS server in System/General Setup is 192.168.12.1, the main office pfSense box. If I run Diagnostics/DNS Lookup and query hostoverride.mydomain.local, it returns the CORRECT A record just fine. In System/General Setup, "Disable DNS Forwarder" is checked, so the branch office pfSense box itself does not use its own DNS resolver. So the branch office pfSense box can query the DNS server of the main office pfSense box just fine.

    However, if in the branch office I run a command prompt "dig hostoverride.mydomain.etc @10.0.0.1", so I query its own DNS resolver, I get no answers.
    Global DNS resolutions work, host overrides work, but I just CAN'T GET the branch office DNS resolver to use the main office DNS resolver as an upstream server.

    I could give out the IP of the main office pfSense box as a DNS server DHCP option, but that seems too crude. Can't the 2 DNS forwarders handle it between each other?

    I am sure I am doing something fundamentally wrong, but I just can't get my head around it.

    Please enlighten me!

      johnpoz LAYER 8 Global Moderator
      last edited by Feb 6, 2018, 2:35 PM

      Resolvers do not use upstream dns, other than the roots walking down to the authoritative servers for the domain in question.

      You could set up a domain override on the downstream to point to the upstream for specific domains. But if you really just want the downstream to go ask the upstream, then set that unbound to just forward or use the forwarder.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11


        CadilLACi
        last edited by Feb 6, 2018, 3:32 PM

        Hi!

        Doesn't the "Enable Forwarding Mode" checkbox do the same for the DNS resolver?


          johnpoz LAYER 8 Global Moderator
          last edited by Feb 6, 2018, 4:02 PM

          Yes, if you enable forwarder mode in unbound (that checkbox), then it will no longer resolve but forward.

            CadilLACi
            last edited by Feb 21, 2018, 3:04 PM

            Okay, I managed to solve this!!!

            After turning up the log level to 5 and filtering the messages correctly, I ran into this:

            sanitize: "removing public name with private address"

            Turns out, the DNS query was made, the right address was returned and then thrown out the window, because it was a private address!!!!

            Check out this post: https://blog.jenningsga.com/pfsense-dns-resolver-and-private-domains/

            So adding this to the custom options solved the problems:

            server:
            private-domain: mydomain.net

            ;D ;D ;D ;D ;D

            Hope it helps someone other than me!


              johnpoz LAYER 8 Global Moderator
              last edited by Feb 21, 2018, 3:55 PM
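To make the failure mode in this thread concrete, here is an added model (not pfSense or unbound code) of what unbound's answer sanitizer does in forwarding mode: an A record pointing at a private address is dropped unless the owner name sits under a private-domain, which is why the branch office got an empty answer until `private-domain: mydomain.net` was added. The private-address ranges, host names and addresses below are constructed for the demo; check the `private-address:` lines in your own generated unbound.conf.

```python
import ipaddress

# Ranges assumed here to mirror the private-address list pfSense hands unbound
# for DNS rebinding protection (constructed for this demo, not read from pfSense).
DEFAULT_PRIVATE_ADDRESSES = [
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fd00::/8", "fe80::/10",
]


def name_in_domain(name, domain):
    """True if name equals domain or is a subdomain of it (trailing dots ignored)."""
    name, domain = name.rstrip(".").lower(), domain.rstrip(".").lower()
    return name == domain or name.endswith("." + domain)


def sanitize_answer(owner, addresses, private_domains=(),
                    private_addresses=DEFAULT_PRIVATE_ADDRESSES):
    """Model of unbound's sanitizer: drop A/AAAA rdata inside a private-address range
    unless the owner name is covered by a private-domain entry. Returns (kept, removed)."""
    if any(name_in_domain(owner, d) for d in private_domains):
        return list(addresses), []  # whitelisted: private rdata is allowed through
    nets = [ipaddress.ip_network(n) for n in private_addresses]
    kept, removed = [], []
    for rdata in addresses:
        addr = ipaddress.ip_address(rdata)
        (removed if any(addr in n for n in nets) else kept).append(rdata)
    return kept, removed


def resolve_like_branch_office(owner, addresses, private_domains=()):
    """Simulate the branch resolver: the forwarded answer arrives from the main office,
    then passes through the sanitizer before the client sees it."""
    kept, removed = sanitize_answer(owner, addresses, private_domains)
    for rdata in removed:
        # the message CadilLACi found at log level 5
        print(f'sanitize: "removing public name with private address" {owner} {rdata}')
    return kept


if __name__ == "__main__":
    # Constructed sample: a main-office host override answering with a LAN address.
    name, answer = "hostoverride.mydomain.net", ["192.168.12.50"]
    print("before fix:", resolve_like_branch_office(name, answer))
    print("after fix: ", resolve_like_branch_office(name, answer, ("mydomain.net",)))
    # A name outside the private domain answering with a LAN address is still
    # dropped, which is the rebinding protection doing its intended job.
    print("rebinding: ", resolve_like_branch_office("host.example.com", ["10.0.0.1"],
                                                    ("mydomain.net",)))
```

Scoping `private-domain` to the zone you actually control keeps the protection in place for every other name, whereas disabling rebinding protection globally would let any external zone hand clients a LAN address.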

              Yes, out of the box pfSense uses rebinding protection

              https://doc.pfsense.org/index.php/DNS_Rebinding_Protections

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.