Netgate Discussion Forum
    How to test authoritative DNS

DHCP and DNS

tlng55

      Hello everyone,

I am relatively new to pfSense and I am currently trying to configure a pfSense box as an authoritative DNS server for my domain. The pfSense box will be replacing the existing firewall and authoritative DNS server, but right now the domain records point to the existing server as the authoritative DNS for mydomain.com.

In pfSense, I installed the dns-server (tinydns) package and configured it to bind to my public IP address. Then I added a new record, dnstest.mydomain.com, and finally I added a rule in the firewall to allow traffic on port 53 UDP. I also disabled the DNS forwarder because I want this machine to be an authoritative DNS server only.

      However, I'm running into issues trying to test the DNS settings. From a Windows computer on a different network, I tried using nslookup to look up dnstest.mydomain.com, specifying the public IP address of the pfSense box, but the requests are timing out.

      nslookup dnstest.mydomain.com pfsense_ip
      DNS request timed out
           timeout was 2 seconds.
      Server: Unknown
      Address: pfsense_ip
      

      I looked in the tinydns logs and found entries like this:

      2014-12-17 21:02:55.515036500         0.0.0.0:6263 A        not_authority            dnstest.mydomain.com.home
      

So the DNS requests are clearly reaching the box, but pfSense is not responding to them. Is this because it somehow knows that the domain records specify a different server as the authoritative DNS? If so, is there any way to test it without changing the domain record to point to the pfSense IP address? I don't want to switch it until I can confirm that it fully works.

      Thanks in advance!

johnpoz (Global Moderator)

Notice the .home in your query. Your server is not authoritative for that domain ;)

        not_authority            dnstest.mydomain.com**.home**

Do a query for the domain you're authoritative for ;)

Add a . at the end of your query, and your PC should not auto-add its search suffix.

On a side note, running DNS to the public net is a business you really should not want to get into, to be honest. Hosting DNS for your own internal domains on your own internal network, sure, ok. But once you open DNS up to the public you're asking for issues, if you ask me. It's much easier to let the companies that do this for their bread and butter do it, if you cannot just host it off your registrar for low-use domains.

You should have more than one DNS server, for example, and they should be geographically and network diversified. You can have companies like DNS Made Easy host your domains for pennies a year: $29 a year gets you like 10 domains, 400 records, 5 million queries a month, vanity DNS so it looks like your nameservers are actually yours in your own domain, etc. They are anycast nameservers in like 16 global locations, have unbelievable uptime, etc., etc. They partnered with tier-one network providers, etc. You just really cannot host your own DNS with anywhere close to that reliability and speed for anything close to the cost.

Let the guys that do DNS for a living do it; why put yourself through the headaches that can come with public-facing DNS, to be honest.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

tlng55

          Thanks for the reply - I'm wondering though, how does tinydns magically know which domain(s) it is authoritative for? Does it actually query the domain records over the Internet to check, and then ignore queries for domains it knows it's not authoritative for?

As for hosting our own DNS, I'm sure you are right that it may be better to use an outside service for the job. However, I'm just a student volunteer helping to set up this pfSense box for a school network, so unfortunately it's not really a decision I can control. We've been hosting our own DNS on an existing FreeBSD server for years without issue, so my job is simply to make the pfSense box do the same jobs that the old server did. Plus, this is an environment where spending any amount of money results in a paperwork nightmare and endless waiting for approval, so I'd rather avoid it.

johnpoz (Global Moderator)

Again, you did a query for a domain that most likely doesn't even exist.

            dnstest.mydomain.com**.home**

            Is not

            dnstest.mydomain.com

If you set up tiny to be authoritative for mydomain.com and created an A record for dnstest in that domain, then when you do a query for dnstest.mydomain.com**.home** tiny will pretty much tell you to F off ;) if you didn't set it up for recursive.

As to what it's authoritative for: it would only be authoritative for the zones you created on it.

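The two replies above boil down to one test: query the server directly for a fully qualified name (trailing dot, so the client's search suffix such as .home is never appended), ask it not to recurse, and check whether the reply carries the Authoritative Answer (AA) bit. The following Python script is an added example, not code from the thread, from pfSense or from tinydns. It builds the DNS query by hand in RFC 1035 wire format so the RD bit can be kept clear, sends it over UDP/53, and classifies the reply; pfsense_ip and mydomain.com are the thread's placeholder names, and the responses it is checked against are constructed packets, not captured traffic.

```python
import socket
import struct

# Placeholders carried over from the thread: "pfsense_ip" stands for the
# server's public address and "mydomain.com" for the zone being tested.
QTYPE_A = 1
QCLASS_IN = 1
TXID = 0x1234  # fixed transaction id so the reply can be matched to the query


def to_fqdn(name):
    """Return the name with a trailing dot, i.e. fully qualified.

    Without the dot a stub resolver may append its search suffix, which is
    how 'dnstest.mydomain.com' became 'dnstest.mydomain.com.home' in the log.
    """
    return name if name.endswith(".") else name + "."


def encode_name(name):
    """Encode a domain name as DNS wire-format labels (length byte + label, zero terminator)."""
    out = bytearray()
    for label in to_fqdn(name).rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("invalid label: %r" % label)
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def build_query(name, qtype=QTYPE_A, txid=TXID, rd=False):
    """Build a one-question query. RD is clear by default: the server should
    answer only from the zones it serves, not recurse on the client's behalf."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(resp):
    """Decode the 12-byte DNS header into the fields that matter for this test."""
    if len(resp) < 12:
        raise ValueError("response too short for a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # set on responses
        "aa": bool(flags & 0x0400),   # Authoritative Answer
        "ra": bool(flags & 0x0080),   # server offers recursion (expect False here)
        "rcode": flags & 0x000F,      # 0 NOERROR, 3 NXDOMAIN, 5 REFUSED
        "ancount": an,
    }


def classify(hdr):
    """Turn the header fields into a verdict on the server's authority for the name."""
    if hdr["aa"] and hdr["rcode"] == 0 and hdr["ancount"] > 0:
        return "authoritative answer"
    if hdr["aa"] and hdr["rcode"] == 3:
        return "authoritative NXDOMAIN (zone served, name missing)"
    if hdr["rcode"] == 5:
        return "refused (not authoritative for this name)"
    return "non-authoritative reply (aa=%s rcode=%d)" % (hdr["aa"], hdr["rcode"])


def probe(server, name, timeout=2.0):
    """Send one non-recursive A query straight to `server` on UDP/53 and
    classify the result. A name outside the served zones may get no reply at
    all, which the original poster saw as a client-side timeout."""
    pkt = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, 53))
        try:
            resp, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no reply (query dropped, or 53/udp filtered)"
    hdr = parse_header(resp)
    if hdr["id"] != TXID or not hdr["qr"]:
        return "unexpected packet (id/qr mismatch)"
    return classify(hdr)


if __name__ == "__main__":
    import sys
    # usage: python dnsprobe.py pfsense_ip dnstest.mydomain.com
    server, name = sys.argv[1], sys.argv[2]
    print(to_fqdn(name), "->", probe(server, name))
```

The same check with BIND's tools is `dig @pfsense_ip dnstest.mydomain.com. A +norecurse`: an authoritative reply shows `aa` in the flags line, while `+norecurse` keeps RD clear exactly as the script does. nslookup accepts the trailing dot too (`nslookup -norecurse dnstest.mydomain.com. pfsense_ip`), which is all that is needed to stop the Windows client from appending .home. Because the query goes to the server's IP directly, none of this depends on where the domain's NS records currently point, so the new box can be verified before the delegation is moved.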
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.