Netgate Discussion Forum
    DNS Resolver - Host Overrides - ability to choose record types?

TailWagsTheDog (original post):

      Hi folks,

I am running pfSense 2.3.3 in a small office (single pfSense box, three network cards: WAN, LAN, DMZ). Not doing anything terribly fancy, but I do host a couple of websites (blog, that kind of thing) on a box in the DMZ.

I have been using the DNS Resolver for a while (maybe 8 months?) and have a couple of host overrides defined. That configuration works perfectly for me: lookups in the LAN/DMZ get sent to a local address and not to the public address of the WAN on my pfSense box. I just noticed (yup, took me months to notice!) that the Host Overrides are affecting not just 'A' records (which I expected) but also MX records.

      The email for the websites I host is all handled by google servers.  So… I don't want the MX records overridden.  I had a look around here and found pretty quickly that I can add some custom configuration to override the MX records locally.  This guy here https://forum.pfsense.org/index.php?topic=110447.msg614848#msg614848 seems to have hit exactly the same problem as me.  So I've already worked around the problem.  It's a little hacky - I now have my MX records defined twice (once on my hosting control panel and once in pfsense).

Would it be possible to add something to the GUI to get the DNS Resolver to 'just override' certain classes of records? The default could be 'all types', but tick-boxes etc. to allow a user to choose if required. Yes, this is a ?hopeful? feature request! I'm a big pfSense fan; I don't know enough to guess how big an ask this is, I just thought I would ask/highlight an end-user experience.

      Meas Mór!

      Suzooomki.

johnpoz (LAYER 8 Global Moderator) replied:

This would only be a problem if you're not actually using a host in your FQDN.

So I have a host on the internet, so its FQDN would be host.domain.tld; let's say it's www.gmail.com. Now the MX record for the gmail.com domain could point to smtp.gmail.com, or it might even point to the same host www.gmail.com; it doesn't really matter, it's the MX record that has the FQDN of the mail server(s).

Your only problem is if you're putting a record in unbound that is only 2 labels, i.e. if you point gmail.com to an IP, then you're going to have an issue when you try to look up the MX for gmail.com. But if you had a host override that was for www.gmail.com, you would be fine.

So you can see I created a host override for www.gmail.com and that returns what I gave for its IP, 192.168.100.100; if I ask for the MX record for gmail.com, that returns fine.

Also, are you using the domain as the pfSense domain? If you're using the same domain for the pfSense local domain, then you might need to set your type to type transparent vs transparent for unbound.

[attachment: resolv_mx_fine.png]


TailWagsTheDog replied:

@johnpoz - ahh, I begin to understand. Thank you (genuinely) for taking the time to reply.

          I had been using both:
          -> a host in my fqdn
          AND
          -> not using a host in my fqdn

          I've attached a screenshot of what I had.  I did that without thinking, if I'm honest.  For the public DNS I nearly always have 'domain.com' and 'www.domain.com' pointing to my public IP.  And then on apache I had a 'server alias' from domain.com to www.domain.com (which seemed fairly common practice).  So I just blindly mimicked that setup when configuring DNS resolver - without understanding the implications.

So I now understand what I was doing wrong. I have tweaked my Apache config a little and updated my DNS Resolver settings (to remove the 'domain.com' entries) and everything works perfectly. I can nslookup all my MX records etc. I really appreciate the input; I'm much happier having a working pfSense box with less configuration than having it working, but for all the wrong reasons.

          Meas mór!
          T.

[attachment: DNS Resolver.JPG]

          Suzooomki.
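As an added illustration (not from the thread or from pfSense itself), here is what johnpoz's explanation and the poster's final fix look like in unbound.conf terms, the syntax pfSense generates from Host Overrides; example.com, 192.0.2.10 and mx1.example.net are placeholder values:

```conf
# --- What the original poster had: an override on the bare domain (two labels).
# pfSense emits a local-data line per Host Override; with no explicit local-zone,
# unbound puts the name in an implicit local-zone of type "transparent".
local-data: "example.com. IN A 192.0.2.10"
local-data: "www.example.com. IN A 192.0.2.10"
# Under "transparent", a query for a name that has local data but for a type that
# is NOT in the local data (here MX for example.com) is answered NODATA instead of
# being resolved upstream, so the public MX records vanish for LAN/DMZ clients.
# Check from a LAN host:  dig @<pfsense-ip> example.com MX   -> NOERROR, no answer

# --- Fix 1 (what the poster ended up doing): override only the host, not the apex.
# example.com has no local data at all, so its MX query resolves normally.
local-data: "www.example.com. IN A 192.0.2.10"

# --- Fix 2 (johnpoz's "type transparent" hint): keep the apex override but make the
# zone "typetransparent", so only the locally defined type (A) is served locally and
# other types for the same name (MX, TXT, ...) are still resolved upstream.
local-zone: "example.com." typetransparent
local-data: "example.com. IN A 192.0.2.10"
local-data: "www.example.com. IN A 192.0.2.10"

# --- Fix 3 (the poster's first workaround): duplicate the public MX records locally.
# mx1.example.net is a placeholder for the real mail host; this copy must be kept in
# sync with the public zone by hand, which is why the thread calls it hacky.
local-data: "example.com. IN A 192.0.2.10"
local-data: "example.com. IN MX 10 mx1.example.net."
```

Fix 1 has the smallest footprint and matches what the poster settled on; Fix 2 is the choice when the apex name itself must resolve to the internal address.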
