Netgate Discussion Forum

dns resolver

  • D
    Diego de Santis
    last edited by Mar 18, 2019, 3:20 PM

    Dear.

    I have a problem that I have been trying to solve for 3 days without success.

    My company hired the OpenDNS (Umbrella) Cisco service.
    My pfsense has the service of the captive portal and DHCP.
    After setting the DNS servers 208.67.222.222 and 208.67.220.220 and setting the DISABLE DNS FORWARD option, pfsense queries all the DNS queries configured on the machines that are connected via DHCP where the default gateway and dns and pfsense are not using DNS configured pfsense is directly resolving the domain where it is registered, e.g.:

    Pfsense Conf
    [2.4.3-RELEASE] [admin@xxxx.localdomain] / root: cat /etc/resolv.conf
    search localdomain
    nameserver 208.67.222.222
    nameserver 208.67.220.220

    Navigating the stations I can observe that pfsense performs the DNS lookup query by the domain and not by the configured dns.

    11:46:07.657672 IP xxx.xxx.xxx.xxx.11225 > 69.55.52.220.53: 64935% [1au] A? www.xvideos.com. (44)
    11:46:07.789036 IP 69.55.52.220.53 > xxx.xxx.xxx.xxx.11225: 64935*- 11/0/1 CNAME xvideos.com., A 185.88.181.5, A 185.88.181.6, A 185.88.181.7, A 185.88.181.8, A 185.88.181.9, A 185.88.181.10, A 185.88.181.11, A 185.88.181.2, A 185.88.181.3, A 185.88.181.4 (218)

    If anyone has passed through this please give me a hint there ..

    • J
      johnpoz LAYER 8 Global Moderator
      last edited by Mar 18, 2019, 3:29 PM

      You understand out of the box pfsense RESOLVES via unbound... If you want pfsense to forward to opendns, then you should setup forward mode in unbound, or use the forwarder and not unbound.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      • D
        Diego de Santis
        last edited by Mar 18, 2019, 3:52 PM

        johnpoz

        Thank you for your help.

        I did this exactly and all the access was just for configured DNS

        The problem is that I have some entries in DNS Resolver and when I enable the forward I have to disable the resolver because it does not allow me to use the same interface.

        The error follows:

        The DNS Forwarder is enabled using this port. Choose a non-conflicting port, or disable the DNS Forwarder.

        • J
          johnpoz LAYER 8 Global Moderator
          last edited by Mar 18, 2019, 3:59 PM

          You need to choose what you're going to use.. Be it the forwarder or the resolver, you can not use both..

          As I stated you can use the "forwarder" mode in unbound.. Which is just a check box in the settings of unbound (resolver)... Or you can turn off unbound and just use the forwarder (dnsmasq).

          No, you can not use both at the same time, on the same port it's an either/or.. It's up to you which one you use.. If all you're going to do is forward, the forwarder will probably be fine, and can be set to forward to all of your listed NS at the same time and use the fastest response, etc.

          • D
            Diego de Santis
            last edited by Mar 18, 2019, 5:14 PM

            OK..Tks..

            • J
              johnpoz LAYER 8 Global Moderator
              last edited by Mar 18, 2019, 5:38 PM

              For some strange reason I don't think it's "ok". Do you understand the difference between forwarding and resolving?

              • D
                Diego de Santis
                last edited by Mar 18, 2019, 5:46 PM

                Yes, I understood

                I was already wary of this but the manual entries I have inside the DNS Resolver squid is still reading.

                Thank you for your help

                abs

                Diego

                • J
                  johnpoz LAYER 8 Global Moderator
                  last edited by Mar 18, 2019, 5:50 PM

                  So you enabled forwarder mode in unbound... When you ask unbound, if it has it locally or cached it's not going to go ask anything, be it forward or resolve.

                  So if you create a host override - that will be returned when that is asked for.. It's the whole point of "override".. You could return 10.10.10.10 for www.google.com if you wanted to.

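The capture in the first post is how the problem was spotted: in resolver mode the firewall sent queries to a server other than the configured OpenDNS addresses, so the filtering service never saw them. The script below is an added example, not code from the thread or from pfSense; it repeats that check over `tcpdump -n` text output and lists every DNS query sent to a server outside the approved forwarders. The sample capture is constructed, with client addresses and names from documentation ranges and one server address taken from the thread's capture.

```python
import re

# Forwarders from the thread's /etc/resolv.conf (OpenDNS / Umbrella).
APPROVED = {"208.67.222.222", "208.67.220.220"}

# tcpdump -n line for an IPv4 DNS query:
#   <time> IP <src>.<sport> > <dst>.53: <id>[flags] [opts] <QTYPE>? <qname> (<len>)
# Responses (source port 53) and non-DNS traffic do not match.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.53: \d+\S*(?: \[[^\]]*\])* "
    r"(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)"
)

def unapproved_queries(lines, approved=APPROVED):
    """Return (time, client, server, qtype, qname) for each query to a server not in `approved`."""
    hits = []
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if m and m["dst"] not in approved:
            qname = m["qname"].rstrip(".").lower()  # DNS names are case-insensitive
            hits.append((m["ts"], m["src"], m["dst"], m["qtype"], qname))
    return hits

def summarize(hits):
    """Count bypassing queries per unapproved server."""
    counts = {}
    for _, _, dst, _, _ in hits:
        counts[dst] = counts.get(dst, 0) + 1
    return counts

# Constructed sample: one query to an approved forwarder, two queries sent
# elsewhere (the resolver-mode behaviour from the thread), and one response.
SAMPLE = """\
11:46:07.100000 IP 192.0.2.1.40001 > 208.67.222.222.53: 1201+ A? intranet.example.com. (38)
11:46:07.657672 IP 192.0.2.1.11225 > 69.55.52.220.53: 64935% [1au] A? www.example.net. (44)
11:46:07.789036 IP 69.55.52.220.53 > 192.0.2.1.11225: 64935*- 2/0/1 CNAME example.net., A 198.51.100.7 (76)
11:46:08.020000 IP 192.0.2.1.52110 > 198.51.100.53.53: 7731% [1au] AAAA? WWW.Example.NET. (44)
""".splitlines()

if __name__ == "__main__":
    for hit in unapproved_queries(SAMPLE):
        print("bypass:", *hit)
    print(summarize(unapproved_queries(SAMPLE)))
```

With forwarding mode enabled in unbound, a capture on the WAN interface should produce an empty list; host overrides and cached names are answered locally and generate no upstream query at all.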