Netgate Discussion Forum
    One pfsense DNS resolver to use another pfsense as DNS server???

    DHCP and DNS
    6 Posts 2 Posters 693 Views
    • CadilLACi

      Hi there!

      I have 2 pfSense VMs, one in the main office (192.168.12.1), one in the branch office (10.0.0.1). They are connected via an OpenVPN tunnel.

      I have the DNS Resolver (unbound) set up in both locations. In the main office, I have a lot of host overrides that I use to mask global DNS entries when connecting to the network.

      I would like to set up the branch office DNS resolver to query the main office for DNS lookups, so that I don't have to mirror my host overrides.

      In the branch office, if I run "dig hostoverride.mydomain.etc @192.168.12.1", it returns the CORRECT A record just fine. So I can query the main office DNS server from there just fine, and the host overrides work.

      In the branch office, the topmost DNS server in System/General Setup is 192.168.12.1, the main office pfSense box. If I run Diagnostics/DNS Lookup and query
      hostoverride.mydomain.local, it returns the CORRECT A record just fine. In System/General Setup, "Disable DNS Forwarder" is checked, so the branch office pfSense box itself does not use its own DNS resolver. So the branch office pfSense box can query the DNS server of the main office pfSense box just fine.

      However, if in the branch office I run "dig hostoverride.mydomain.etc @10.0.0.1" from a command prompt, so I query its own DNS resolver, I get no answers.
      Global DNS resolutions work, host overrides work, but I just CAN'T GET the branch office DNS resolver to use the main office DNS resolver as an upstream server.

      I could give out the IP of the main office pfSense box as a DNS server DHCP option, but that seems too crude. Can't the 2 DNS forwarders handle it between each other?

      I am sure I am doing something fundamentally wrong, but I just can't get my head around it.

      Please enlighten me!

      • johnpoz LAYER 8 Global Moderator

        Resolvers do not use upstream dns, other than the roots walking down to the authoritative servers for the domain in question.

        You could set up a domain override on the downstream to point to the upstream for specific domains. But if you really just want the downstream to go ask the upstream, then set that unbound to just forward or use the forwarder.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • CadilLACi

          Hi!

          Doesn't the "Enable Forwarding Mode" checkbox do the same for the DNS Resolver?

          • johnpoz LAYER 8 Global Moderator

            Yes, if you enable forwarder mode in unbound (the checkbox), then it will no longer resolve but forward.

            • CadilLACi

              Okay, I managed to solve this!!!

              After turning up the log level to 5 and filtering the messages correctly, I ran into this:

              sanitize: "removing public name with private address"

              Turns out, the DNS query was made, the right address was returned and then thrown out the window, because it was a private address!!!!

              Check out this post: https://blog.jenningsga.com/pfsense-dns-resolver-and-private-domains/

              So adding this to the custom options solved the problem:

              server:
                  private-domain: mydomain.net

              Hope it helps someone other than me!

              • johnpoz LAYER 8 Global Moderator
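              Putting johnpoz's domain-override suggestion and the private-domain fix together, this is what the branch office unbound configuration could look like. It is an added fragment for illustration, not text from the thread, and not pfSense's generated unbound.conf; the domain name and the main office address are taken from the posts above, everything else is an assumption.

```conf
# Branch office unbound, e.g. in Services > DNS Resolver > Custom options
# (added illustration, not from the thread or from pfSense's own config).
server:
    # Without this, rebinding protection strips any answer for a name under
    # mydomain.net whose A/AAAA record falls in private address space
    # (RFC 1918, link-local, ULA). private-domain covers subdomains too.
    private-domain: "mydomain.net"

# Domain override: send only mydomain.net queries to the main office pfSense
# over the OpenVPN tunnel; everything else is still resolved from the roots.
# (A Domain Overrides entry in the GUI generates an equivalent forward-zone.)
forward-zone:
    name: "mydomain.net"
    forward-addr: 192.168.12.1

# Alternative: forward everything, which is what "Enable Forwarding Mode"
# does; then the main office box must be reachable for every lookup.
# forward-zone:
#     name: "."
#     forward-addr: 192.168.12.1
```

              The per-domain private-domain entry is the narrow fix: it exempts only the zone that legitimately returns private addresses and leaves rebinding protection active for every other name. pfSense also offers a global "Disable DNS Rebinding Checks" switch under System > Advanced > Admin Access, but that turns the protection off for all domains and is the wrong tool here. The main office unbound must also accept queries from the branch subnet (its Access Lists), which the working dig from the branch already confirms in this case.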

                Yes, out of the box pfSense uses rebinding protection.

                https://doc.pfsense.org/index.php/DNS_Rebinding_Protections

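                To make the sanitizer behaviour behind that log line concrete, here is a small Python model of unbound's private-address check, the DNS rebinding protection johnpoz points at. It is added for this thread and is not unbound or pfSense code; the private-address list is assumed to be pfSense's default set (check your own generated unbound.conf), and the host name and address in the sample answer are constructed.

```python
"""
Model of unbound's private-address sanitizer (DNS rebinding protection).
Added illustration for this thread; not unbound or pfSense code.
"""
import ipaddress
from collections import defaultdict

# Assumption: pfSense's default private-address: entries. Verify against the
# unbound.conf pfSense generates on your own box.
PRIVATE_ADDRESS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fd00::/8", "fe80::/10",
)]


def is_private(addr: str) -> bool:
    """True if addr falls inside any configured private-address range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_ADDRESS)


def in_private_domain(name: str, private_domains) -> bool:
    """private-domain: exempts the domain itself and every subdomain of it."""
    n = name.rstrip(".").lower()
    for d in private_domains:
        d = d.rstrip(".").lower()
        if n == d or n.endswith("." + d):
            return True
    return False


def sanitize(name: str, records, private_domains=()):
    """Apply the sanitizer to the answer RRsets for one owner name.

    records: iterable of (rtype, rdata) strings, e.g. ("A", "192.168.12.50").
    Returns (kept_records, log_lines). As unbound does, a whole A/AAAA RRset is
    dropped when any address in it is private and the name is not exempted.
    """
    by_type = defaultdict(list)
    for rtype, rdata in records:
        by_type[rtype].append(rdata)

    kept, log = [], []
    for rtype, rdatas in by_type.items():
        if (rtype in ("A", "AAAA")
                and not in_private_domain(name, private_domains)
                and any(is_private(r) for r in rdatas)):
            log.append(f"sanitize: removing public name with private address "
                       f"{name} {rtype}")
            continue
        kept.extend((rtype, r) for r in rdatas)
    return kept, log


# Constructed sample: the answer the branch office unbound gets back from the
# main office for a host override (hypothetical name and address).
QNAME = "hostoverride.mydomain.net"
UPSTREAM_ANSWER = [("A", "192.168.12.50")]


def branch_default():
    """Stock pfSense: mydomain.net not exempted, so the answer is stripped."""
    return sanitize(QNAME, UPSTREAM_ANSWER)


def branch_fixed():
    """With private-domain: mydomain.net in custom options the answer survives."""
    return sanitize(QNAME, UPSTREAM_ANSWER, private_domains=["mydomain.net"])


if __name__ == "__main__":
    for label, (kept, log) in (("default", branch_default()),
                               ("fixed", branch_fixed())):
        print(label, "kept:", kept)
        for line in log:
            print(label, "log:", line)
```

                Run it and the "default" case returns an empty answer plus the same sanitize message CadilLACi found at log level 5, while the "fixed" case returns the A record untouched. The subdomain test also shows why a private-domain entry for the apex is enough for every host override under it, and why a lookalike such as mydomain.net.example.com is not exempted.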
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.