Netgate Discussion Forum

    Trying to use DNS Resolver to redirect FQDN to the webgui

    Category: DHCP and DNS | 16 Posts, 5 Posters, 2.9k Views
    oneleaf

      Hi there, I am a newbie to pfSense.  I was trying to play around with DNS resolver, to see if I could direct a fully qualified domain name to the local host.

      Under Host Overrides, I put in "firewall" under Host and "domainname.extension" under domain, and 192.168.1.1 under IP.

      I was expecting to be able to type in firewall.domainname.extension to be able to access the web GUI  but it didn't work. Any ideas?

      One of the main reasons I wanted to do this was so that I could put in a valid SSL certificate with the domain name as the common name. Also, just interesting to see how these features work. Thanks!

      gjaltemba

        Works for me.

        Define "it didn't work"

        What is the output of nslookup firewall.domainname.extension?

        oneleaf

          @gjaltemba:

          Works for me.

          Define "it didn't work"

          What is the output of nslookup firewall.domainname.extension?

          Here is the output in Chrome:

          This site can’t be reached
          
          firewall.domainname.ext’s server DNS address could not be found.
          DNS_PROBE_FINISHED_NXDOMAIN
          

          I can get it to work by modifying /etc/hosts on each of the clients but I was hoping to get it to work at the firewall instead.
          Thanks for the reply!

          gjaltemba

            I am guessing that you are running a Linux client. Open a terminal and run:

            nslookup firewall.domainname.extension
            cat /etc/resolv.conf

            oneleaf

              Output from the nslookup command:

              Server:		127.0.1.1
              Address:	127.0.1.1#53
              
              ** server can't find firewall.domain.ext: NXDOMAIN
              

              And output from the cat command:

              # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
              #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
              nameserver 127.0.1.1
              search domain.ext
              

              Thanks again!

              doktornotor

                @oneleaf:

                Output from the nslookup command:

                That is from the client? You are not using the pfSense DNS at all, how could it work?

                oneleaf

                  Yeah, that is from the client. Sorry, still pretty new at this. I thought that the settings in pfSense were all I needed. So am I supposed to use the IP address of the pfSense firewall as the DNS on the clients? Instead of, say, 8.8.8.8 and 8.8.4.4?

                  Thanks!

                  doktornotor

                    Yes of course. If you run a local DNS server on the client, it will never work. You need to at least make it forward the requests to pfSense.

                    oneleaf

                      @doktornotor:

                      Yes of course. If you run a local DNS server on the client, it will never work. You need to at least make it forward the requests to pfSense.

                      Ahhhh, thanks! I had a feeling it was something really simple that I was missing. Gonna give it a try later tonight and test it.

                      oneleaf

                        So, trying to better understand. In my Linux system, the main network settings have 127.0.1.1 as the DNS server. And then under the LAN settings, it has the Google servers 8.8.8.8 and 8.8.4.4. I tried replacing the 127.0.1.1 with 192.168.1.1 (pfSense router) and the DNS Resolver host override now works. Is this the best way to do it? Or is it better to use 127.0.1.1 and change from the Google servers to the pfSense router?

                        doktornotor

                          Does not matter. A local resolver on clients needs to forward to pfSense for overrides to work. I have no idea about your system and how to make resolvconf and the unknown DNS server there to point to pfSense.

                          Julf

                            127.0.1.1 in resolv.conf on Linux is a sign that you are running a separate local resolver, such as dnsmasq. What Linux distro are you using?

                            johnpoz

                              You're going to want your Linux client to point to the local cache; that is fine. But it needs to forward to pfSense.

                              For example, here on my Linux box you see it's pointing to itself (loopback):

                              user@ubuntu:~$ nslookup

                              pfsense.local.lan
                              Server:        127.0.0.1
                              Address:        127.0.0.1#53

                              Non-authoritative answer:
                              Name:  pfsense.local.lan
                              Address: 192.168.9.253

                              It's running a dnsmasq client for caching, which gets forwarded.

                              Look in /run/dnsmasq/resolv.conf and you should see where you're actually pointing. Or if running a desktop with Network Manager you could look there, or use nm-tool, etc.

                              But yeah, it's kind of impossible to resolve stuff that is in pfSense DNS if you never ask it for anything ;)

                              An intelligent man is sometimes forced to be drunk to spend time with his fools
                              If you get confused: Listen to the Music Play
                              Please don't Chat/PM me for help, unless mod related
                              SG-4860 24.11 | Lab VMs 2.8, 24.11
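                              The forwarding chain Julf and johnpoz describe (a loopback nameserver means a local stub such as dnsmasq, and that stub must in turn forward to pfSense, or nothing defined on pfSense can ever resolve), worked through as an added example that is not from this thread or from pfSense. The client resolv.conf sample is constructed from the output posted above; the two dnsmasq upstream lists, the pfSense LAN address 192.168.1.1 and the function names are assumptions.

```python
import ipaddress

# Constructed sample of the poster's /etc/resolv.conf, as shown in the thread.
CLIENT_RESOLV_CONF = """\
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
nameserver 127.0.1.1
search domain.ext
"""

# Constructed (hypothetical) contents of /run/dnsmasq/resolv.conf, i.e. where
# the local stub forwards: first the broken case (Google only), then the fix.
DNSMASQ_UPSTREAM_GOOGLE = "nameserver 8.8.8.8\nnameserver 8.8.4.4\n"
DNSMASQ_UPSTREAM_PFSENSE = "nameserver 192.168.1.1\n"

PFSENSE_LAN_IP = "192.168.1.1"  # assumed pfSense LAN address from the thread


def parse_resolv_conf(text):
    """Return (nameservers, search_domains) from resolv.conf-style text."""
    nameservers, search = [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            nameservers.append(args[0])
        elif key in ("search", "domain"):
            search.extend(args)
    return nameservers, search


def diagnose(client_text, upstream_text=None, pfsense_ip=PFSENSE_LAN_IP):
    """Report whether this client's queries ever reach pfSense's resolver.

    A loopback nameserver is a local stub; follow it to its upstream list.
    If pfSense is absent from the effective upstreams, host overrides and
    the firewall's own hostname cannot resolve, which is the thread's bug.
    """
    nameservers, _ = parse_resolv_conf(client_text)
    effective = []
    for ns in nameservers:
        if ipaddress.ip_address(ns).is_loopback:
            effective.extend(parse_resolv_conf(upstream_text or "")[0])
        else:
            effective.append(ns)
    if pfsense_ip in effective:
        return "ok: queries are forwarded to pfSense at " + pfsense_ip
    return "broken: pfSense never queried; upstreams = " + (", ".join(effective) or "none")
```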

                                gjaltemba

                                 What is the output of:

                                dig @192.168.1.1 firewall.domain.ext
                                ifconfig

                                  oneleaf

                                  @Julf:

                                   127.0.1.1 in resolv.conf on Linux is a sign that you are running a separate local resolver, such as dnsmasq. What Linux distro are you using?

                                   Yeah, I am using Linux Mint 18, and I found out that any change to the setting where I replace 127.0.1.1 with 192.168.1.1 gets reverted on a reboot. So I changed it in the network connection area from the Google public DNS servers to only 192.168.1.1.

                                  @johnpoz:

                                   You're going to want your Linux client to point to the local cache; that is fine. But it needs to forward to pfSense.

                                   Thanks. Yeah, I got it to work by keeping the setting pointing to the local address but then forwarding to 192.168.1.1.

                                   It worked, but after a few hours it was temporarily unable to resolve the URL in both nslookup and the browser. It worked again later on. I wonder if pfSense sometimes looks to an external DNS over the local override? I was unable to replicate the issue, as it still works fine this morning.

                                   In pfSense, I did a Diagnostics DNS lookup on the URL and it resolves correctly to 192.168.1.1, and it shows the query times with 0 ms for 127.0.1.1 (which is the host override) but also shows the Google and ISP DNS servers with much higher query times. In pfSense General Settings, I do have the Google DNS servers in there as well as the option to allow the list to be overridden by DHCP/PPP on WAN. But as far as I read, the localhost should always take precedence as long as DNS Resolver is enabled. Is my output in the Diagnostics DNS lookup correct in that it still shows timings for all of those servers, despite the host override always taking precedence?

                                    oneleaf

                                     And another thing: I just realized that the Host Override in DNS Resolver is unnecessary? I deleted it and it still works, even after rebooting the clients. I think pointing the client DNS servers to the pfSense firewall was all I needed, and the hostname and domain in General Settings take care of it for me. I tried the Host Override in DNS Resolver only because at first I neglected to point client DNS to pfSense.

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.