Netgate Discussion Forum

    Sending all firewall-originated DNS through DNS forwarder

    DHCP and DNS

    • phil.davis

      My /etc/resolv.conf has the following name servers listed:

      nameserver 127.0.0.1
      nameserver 216.146.36.36
      nameserver 216.146.35.35
      

      The last 2 are the DynDNS ones, that I use for DNS filtering. A side-effect is that they always return something when queried - an IP that points to a DynDNS page.
      In DNS Forwarder, I have domain overrides that point queries for my internal domain to the IP of the DNS server for the internal domain names. And for remote sites, that internal DNS server is across an OpenVPN link (=delay).
      I noticed that the firewall itself does not find my local domain names to IP correctly - it tends to find the dodgy answer from DynDNS. I suspect I could fix this if /etc/resolv.conf only listed 127.0.0.1 (the DNS Forwarder). Then only DNS Forwarder could answer, no chance for the others to get in first with a dodgy answer.
      I can't see any system option to disable writing the other name server IPs to resolv.conf. And there is nothing in system.inc function system_resolvconf_generate() that allows leaving these out.

      a) Is only listing nameserver 127.0.0.1 likely to be the fix?
      b) Is doing this going to put the system into a knot somehow? (e.g. is there some boot-time catch-22 when DNS Forwarder itself starts up that will be a gotcha?)
      c) If (a) and (b) are OK, then should there be an advanced option to only list nameserver 127.0.0.1 in resolv.conf?

      As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
      If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

      • phil.davis

        Hmmm - catch-22, when I remove the last 2 name server lines, DNS Forwarder itself does not know how to lookup names!
        I would like DNS Forwarder to know all about how to lookup anything, either internally or externally, as it does now. But I want ordinary programs on the firewall to use only DNS Forwarder to get answers.
        How to achieve that?


        • jimp (Rebel Alliance Developer, Netgate)

          Maybe in advanced options put:

          server=x.x.x.x
          server=x.x.x.y

          So it will use those upstream servers? The docs claim the domain on that parameter is optional.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          • phil.davis

            Yep, that works. I removed all the DNS servers from System:General Setup, and had both these unchecked:
            Allow DNS server list to be overridden by DHCP/PPP on WAN
            Do not use the DNS Forwarder as a DNS server for the firewall

            This makes /etc/resolv.conf contain just:

            domain mydomain.xyz.org
            nameserver 127.0.0.1
            

            Then in DNS Forwarder, Advanced:

            server=216.146.35.35
            server=216.146.36.36
            

            And in DNS Forwarder Domain Overrides I have entries for the various local domains, and local private reverse lookup zones and the IP addresses of the internal DNS servers that know how to answer queries for those (e.g. mydomain.xyz.com 10.42.11.1)

            Now when I "nslookup" from the pfSense command line, it can only ask DNS Forwarder. And DNS forwarder knows how to do "default" queries using the "server=216.146.35.35" line/s. And queries for local names and reverse lookups always get resolved correctly, or NXDOMAIN returned correctly if the local name does not exist.

            The missing element of this configuration is that I can't specify the gateway to use for each upstream DNS server. DNS Forwarder will be using the default route for all of them. That could be fixed by doing this a slightly different way:
            a) Add a checkbox somewhere (General Setup or DNS Forwarder config page?):
               "Use only the DNS Forwarder as a DNS server for the firewall"
            b) When this is checked:
               1) Still define routes through the specified gateways for each DNS server IP in General Setup.
               2) Only put 127.0.0.1 in /etc/resolv.conf - so DNS lookups from apps on the firewall itself all go to the DNS Forwarder.
               3) Write a separate /etc/resolve-for-dns-forwarder.conf that contains the IPs of the DNS servers specified in General Setup (or given by DHCP).
               4) On the dnsmasq command use "--resolv-file=/etc/resolve-for-dns-forwarder.conf"

            This way DNS Forwarder will be told about the upstream DNS servers automatically, they are routed through the selected gateway/s, and pfSense apps will always use DNS Forwarder to do their DNS lookup work.

            Does this sound like a reasonable enhancement to the system?

            And to me it actually feels like the behavior that many people would want - that DNS done by apps on pfSense itself uses the same path for resolving names as any ordinary LAN client. Or is there some catch-22 that I have forgotten here?

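The split proposed in the last post, as an added example (not from the thread or from pfSense's own code): one resolv.conf that lets firewall programs reach only the DNS Forwarder, a separate upstream list handed to dnsmasq via its real --resolv-file option, domain overrides as --server=/domain/ip, and a check that the firewall's resolver file cannot bypass the forwarder. The temp paths and the upstream/override IPs are sample values.

```shell
#!/bin/sh
# Added example: build the two resolver files the thread proposes and verify
# that the firewall's own resolv.conf points at loopback only. $WORK and the
# IPs are constructed sample values; --resolv-file and --server=/domain/ip
# are real dnsmasq options.

WORK=$(mktemp -d)
UPSTREAMS="216.146.35.35 216.146.36.36"   # upstreams only dnsmasq may use

# /etc/resolv.conf for the firewall itself: loopback only, so no local
# program can race the forwarder and accept a wildcard answer from upstream.
write_local_resolv() {            # $1 = output path, $2 = search domain
    printf 'domain %s\nnameserver 127.0.0.1\n' "$2" > "$1"
}

# Separate file given to dnsmasq with --resolv-file, carrying the upstreams
# that General Setup (or DHCP) supplied.
write_forwarder_resolv() {        # $1 = output path, $2.. = upstream IPs
    out=$1; shift
    : > "$out"
    for ip in "$@"; do
        printf 'nameserver %s\n' "$ip" >> "$out"
    done
}

# Sanity check: exit 0 only if every nameserver line is a loopback address.
only_loopback() {                 # $1 = resolv.conf to inspect
    awk '$1 == "nameserver" && $2 != "127.0.0.1" && $2 != "::1" { bad = 1 }
         END { exit bad }' "$1"
}

# Assemble the dnsmasq options the thread describes: upstream list from the
# separate file, plus one domain override per "domain/ip" argument.
dnsmasq_opts() {                  # $1 = resolv-file path, $2.. = domain/ip
    rf=$1; shift
    opts="--resolv-file=$rf"
    for ov in "$@"; do
        opts="$opts --server=/$ov"
    done
    printf '%s\n' "$opts"
}

# Demo run with the constructed values (reverse zone for 10.42.11.0/24).
write_local_resolv "$WORK/resolv.conf" mydomain.xyz.org
write_forwarder_resolv "$WORK/resolve-for-dns-forwarder.conf" $UPSTREAMS
only_loopback "$WORK/resolv.conf" && echo "resolv.conf: forwarder only"
dnsmasq_opts "$WORK/resolve-for-dns-forwarder.conf" \
    mydomain.xyz.com/10.42.11.1 11.42.10.in-addr.arpa/10.42.11.1
```

Run only_loopback against the live /etc/resolv.conf after a config reload to confirm nothing (DHCP/PPP override, General Setup) has written an upstream back into it.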
