Netgate Discussion Forum

    Does pfsense support natting DNS glue records

    NAT
    4 Posts 2 Posters 2.4k Views
    jpgator

      My pfsense has several private subnets, including one for my DMZ which contains web and dns servers.

      I noticed when doing some DNS testing that I'm now having an issue where the glue records provided by the TLD and by my own nameservers don't match, because the nameservers are returning their private IPs. I ran several DNS tests previously and didn't notice this issue, so I'm not sure if I just overlooked it in the report or if it's a new problem.

      Anyhow, I've been searching all over the place but haven't been able to figure out if this is a config issue, or if I might have to move the DNS servers out of the private subnet (which I would really like to avoid).

      Any advice?

      sullrich

        I believe you speak of Services -> DNS Forwarder -> Register DHCP leases in DNS forwarder

        jpgator

          I'll take a look at that, although I'm not sure if it will be applicable since I'm not using DHCP.

          I found a link which seems to describe the problem I'm facing, but it's pretty vague about solving it. It says:

          "...if you set up a public-facing DNS server behind a NAT firewall and the server has glue records that reference private IP addresses. A typical NAT firewall doesn't translate the IP address in glue records, so the DNS server passes out referrals to servers that can't be touched from outside the firewall."

          I've tried changing the glue records (A) to use the public IPs, but unfortunately the DNS is running on Windows Active Directory, which automatically changes them back.

          Right now the TLD is showing a public IP of 199.44.17.121 (which is correct).
          However, when the nameserver itself is queried at that IP, it identifies itself as coming from 192.168.x.x.

          All the servers in the DMZ are set up using virtual IPs (in the public range) and are then 1:1 NATed to addresses in the DMZ private subnet. All of the typical NATing works properly for these machines, except for these nameserver glue records.

          sullrich
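          The mismatch described in this post (parent delegation says one address, the zone's own nameserver answers with an RFC 1918 address) can be checked mechanically. The following is an added example, not code from the thread or from pfSense: it takes the A records for the nameserver hostnames as returned by the parent (TLD) servers and by the child nameserver itself, in the whitespace-separated `name TTL IN A address` form that `dig` prints, and flags any host whose authoritative answer is private or differs from the glue. The hostnames and addresses are constructed placeholders, and the assumption is that the caller has already captured the two `dig` outputs (for example, `dig +norecurse` against a TLD server and a direct query to the nameserver's public IP).

```python
import ipaddress

# RFC 1918 ranges. A nameserver that answers with one of these for its own
# A record is handing out a referral nobody outside the firewall can reach.
RFC1918 = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def is_rfc1918(addr: str) -> bool:
    """True if addr falls inside one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_a_records(text: str) -> dict:
    """Pick 'name TTL IN A address' lines out of dig-style output.

    Assumption: zone-file style whitespace-separated fields, as dig prints
    them. Other record types and comment lines are ignored.
    """
    records = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[2:4] == ["IN", "A"]:
            records[fields[0].lower()] = fields[4]
    return records


def compare_glue(parent: dict, child: dict) -> list:
    """Compare parent-side glue with the child's own answers.

    Returns (hostname, problem, detail) tuples; an empty list means the
    delegation and the authoritative data agree.
    """
    findings = []
    for host in sorted(set(parent) | set(child)):
        glue = parent.get(host)
        answer = child.get(host)
        if glue is None:
            findings.append((host, "missing-from-parent", answer))
        elif answer is None:
            findings.append((host, "missing-from-child", glue))
        elif glue != answer:
            # The case from the thread: the child hands back its pre-NAT address.
            problem = "child-returns-private" if is_rfc1918(answer) else "mismatch"
            findings.append((host, problem, f"{glue} != {answer}"))
    return findings


# Constructed sample captures (placeholder names and documentation-range
# addresses), standing in for the two dig outputs described in the lead-in.
PARENT_DIG = """\
ns1.example.net.  172800  IN  A  203.0.113.10
ns2.example.net.  172800  IN  A  203.0.113.11
"""

CHILD_DIG = """\
ns1.example.net.  3600  IN  A  192.168.10.10
ns2.example.net.  3600  IN  A  203.0.113.11
"""


def audit(parent_text: str = PARENT_DIG, child_text: str = CHILD_DIG) -> list:
    """Parse both captures and report glue/authoritative disagreements."""
    return compare_glue(parse_a_records(parent_text), parse_a_records(child_text))


if __name__ == "__main__":
    for host, problem, detail in audit():
        print(f"{host}: {problem} ({detail})")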

            Search the forum for NAT Reflection.

            You will not be able to do reflection for 1:1 hosts but you can port forward on the WAN interface on top of the 1:1 items for the needed ports.

            Alternatively, set up another DNS server on the internal network and point the internal hosts to it, which overrides the DNS IP address to the internal address.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.