    DNS Doctoring in pfsense

yakatz

Live configuration from one site: [screenshot]

A Former User @yakatz

@yakatz
Under System > Advanced > Network Address Translation:

Would the NAT reflection options be useful for this?

yakatz @A Former User

          @sparkyMcpenguin We have tried it, but we could never get it to work reliably, possibly because of our multi-WAN, multi-LAN and VPN configuration.

A Former User @yakatz

@yakatz
Out of curiosity, how many different DNS resolvers (for system use, not what is given to clients) are set up? Also, is there a dynamic DNS configuration?

yakatz @A Former User

@sparkyMcpenguin All static IPs. We are currently using unbound, so no upstream DNS servers.

A Former User @yakatz

@yakatz Only unbound (and assuming the root servers)?

So in General Settings there's no added DNS? What about 'allow override on WAN', allowing the ISP to override the DNS? (I personally didn't want this option. In order for me to get my cell phone carrier's MMS and Wi-Fi calling to work, I had to add extra DNS. I started with just unbound and Cloudflare; no go on picture messages etc. I added Google, and those features started working. I added Quad9 for a third because I like redundancy.)

Getting to the rest of my thought: when was the last time there was a reboot, or a states reset? A pfBlockerNG packet counter clear (if applicable; this affected me on certain things)?

A Former User @yakatz

@yakatz said in DNS Doctoring in pfsense:

@sparkyMcpenguin All static IPs. We are currently using unbound, so no upstream DNS servers.

My logic with redundancy in my DNS resolver choices is "I don't trust just one source". If that source gets corrupted or altered (lol, sort of like what you're trying to do, but you're doing it for a legitimate thing) then I'm sure there are billions more IP addresses out there to tell everyone else that your IP result is incorrect(?)

When I added more than one DNS I also changed my ASN check settings to 1 hour (just because I want it to update faster; I assume the default 24 hours would cause... a 24-hour wait time for the change to take effect, for verifying the cache in unbound).

yakatz @A Former User

                    @sparkyMcpenguin Currently 31 days uptime, was about 600 days until a recent reboot. Never had any problems with DNS using unbound in resolver mode.

A Former User @yakatz

                      @yakatz said in DNS Doctoring in pfsense:

                      @sparkyMcpenguin Currently 31 days uptime, was about 600 days until a recent reboot. Never had any problems with DNS using unbound in resolver mode.

                      31 days, is that when the problems started?

A Former User @yakatz

@yakatz said in DNS Doctoring in pfsense:

@sparkyMcpenguin All static IPs. We are currently using unbound, so no upstream DNS servers.

My bad, I misread this. When I said dynamic DNS I meant an external DynDNS service to resolve your ISP-given IP address, not DHCP from pfSense.

yakatz @A Former User

                          @sparkyMcpenguin That is what I meant too. We are not using any dynamic DNS from outside. We have static IPs allocated by our ISP going to internal servers with 1:1 NAT. To restate, many of the systems allow our customers to create their own DNS records pointing to our IP addresses. The firewall has no way to know what these DNS records are in advance, but DNS Doctoring (or alias as dnsmasq calls it) allows Split DNS to work with no additional configuration.

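What the "doctoring" described in the post above does on the wire, as an added example (this is not pfSense, unbound or dnsmasq code): given a 1:1 NAT map, the function below walks a DNS response and rewrites any A record that carries one of the public addresses to the matching internal address, leaving record lengths and everything else in the message intact. A customer-created name that points at the public address therefore resolves to the inside address for LAN clients without the firewall knowing the name in advance. The NAT map, the hostname and the sample response are constructed for illustration.

```python
"""DNS doctoring for a 1:1 NAT: rewrite public A-record answers to internal addresses.

Added example, not code from pfSense, unbound or dnsmasq. The NAT map, the
hostname and the sample packet are constructed for illustration.
"""
import ipaddress
import struct

# Constructed 1:1 NAT map (assumption for illustration): public address -> internal server.
NAT_MAP = {
    "203.0.113.10": "192.168.10.10",
    "203.0.113.11": "192.168.10.11",
}


def _skip_name(buf, off):
    """Return the offset just past the domain name starting at off.
    Handles label sequences and RFC 1035 compression pointers."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # a two-byte pointer ends the name
            return off + 2
        off += 1 + length


def _a_record_offsets(buf):
    """Yield the RDATA offset of every IN A record in the answer,
    authority and additional sections of a DNS message."""
    qdcount, ancount, nscount, arcount = struct.unpack_from("!HHHH", buf, 4)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(buf, off) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount + nscount + arcount):
        off = _skip_name(buf, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield off
        off += rdlen


def doctor_response(packet, nat_map=NAT_MAP):
    """Rewrite A records whose address is a public 1:1 NAT address to the
    internal address. IPv4 RDATA is always 4 bytes, so lengths, offsets and
    compression pointers in the message stay valid. Returns (packet, count)."""
    buf = bytearray(packet)
    rewritten = 0
    for off in _a_record_offsets(buf):
        public = str(ipaddress.IPv4Address(bytes(buf[off:off + 4])))
        if public in nat_map:
            buf[off:off + 4] = ipaddress.IPv4Address(nat_map[public]).packed
            rewritten += 1
    return bytes(buf), rewritten


def answer_addresses(packet):
    """List the IPv4 addresses carried in A records, in message order."""
    return [str(ipaddress.IPv4Address(bytes(packet[off:off + 4])))
            for off in _a_record_offsets(packet)]


def _encode_name(name):
    """Encode a dotted hostname as a sequence of DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_response(qname, addresses):
    """Constructed sample: a response with one question and one A answer per
    address. Answer owner names are a pointer (0xC00C) to the question name at
    offset 12, as real resolvers emit, so the pointer path is exercised."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(addresses), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(ip).packed
        for ip in addresses
    )
    return header + question + answers


if __name__ == "__main__":
    # Constructed hostname standing in for a customer-created record that points at our public IP.
    pkt = build_response("app.customer-example.com", ["203.0.113.10", "198.51.100.5"])
    fixed, n = doctor_response(pkt)
    print(answer_addresses(pkt), "->", answer_addresses(fixed), f"({n} rewritten)")
```

Two caveats worth keeping in mind with this approach: the rewrite happens after the resolver has done its own work, so a client that validates DNSSEC itself will reject the altered RRset, and the rewritten record keeps the upstream TTL, so clients that cached the public address before the rewrite was in place keep using it until that TTL expires. NAT reflection avoids both by leaving the answer alone and hairpinning the connection instead, which is the trade the thread is weighing.
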
A Former User @yakatz

@yakatz
Are you using the forwarder on the WAN? Or am I mixing up the functionality of that?

A Former User @A Former User

@sparkyMcpenguin said in DNS Doctoring in pfsense:

@yakatz said in DNS Doctoring in pfsense:

@sparkyMcpenguin All static IPs. We are currently using unbound, so no upstream DNS servers.

My logic with redundancy in my DNS resolver choices is "I don't trust just one source". If that source gets corrupted or altered (lol, sort of like what you're trying to do, but you're doing it for a legitimate thing) then I'm sure there are billions more IP addresses out there to tell everyone else that your IP result is incorrect(?)

When I added more than one DNS I also changed my ASN check settings to 1 hour (just because I want it to update faster; I assume the default 24 hours would cause... a 24-hour wait time for the change to take effect, for verifying the cache in unbound).

In regards to my 'redundancy' comment, the further logic being maybe helping to prevent ARP poisoning? Just two cents.

A Former User @yakatz

                                @yakatz said in DNS Doctoring in pfsense:

                                @sparkyMcpenguin That is what I meant too. We are not using any dynamic DNS from outside. We have static IPs allocated by our ISP going to internal servers with 1:1 NAT. To restate, many of the systems allow our customers to create their own DNS records pointing to our IP addresses. The firewall has no way to know what these DNS records are in advance, but DNS Doctoring (or alias as dnsmasq calls it) allows Split DNS to work with no additional configuration.

What about a 'Proxy ARP' VIP under Firewall for each host? Wikipedia page for reference: Proxy ARP

This and (maybe needed, not quite sure, but you did say 'dnsmasq') having the forwarder (I see it say dnsmasq a lot on there, I just don't use it) on the WAN.

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.