Netgate Discussion Forum
    Issues with DNS Resolver

    • maverickws

      Hi all,

      I am having a strange issue regarding DNS resolution using pfSense.
      My network setup is as follows:

      public /28 network. 1 IP to pfSense, the remaining as IP Alias for 1:1 NAT.
      4 private networks (lan, dmz, data, mgt)

      pfSense is on domain.org

      On the DMZ I have two machines, one is a web+dns server and the other is solely a DNS server. These machines are configured with external IP 1:1 NAT internal IP.
      On my domain provider I have the glue records, which are valid and appear to be working from the outside.
      DNS requests from outside work.

      When I try to resolve this domain, domain.com (not domain.org), from any machine on the inside, I get "connection timed out; no servers could be reached". However, if I test with dig and manually type the internal IP of the server, I get the answers.

      Now what I don't get is why I am not able to resolve this. Supposedly, using DNS Resolver/unbound, it would query the root DNS servers. The root DNS should inform it of the authoritative name servers and their IPs, which are correctly configured. And since it is a different domain from pfSense's, I'm assuming no conflict, and no DHCP options should need to be configured?
      I can access and resolve from outside so the firewall rules seem to be OK.

      I also have an override at Services > DNS Resolver
      Host Override
      ns1.domain.com to internal IP
      but still not working

      Someone able to shed some light? thanks.

      • viragomann

        So when the DNS Resolver looks up the name servers for domain.com, it gets one of your external WAN IPs, but it won't be able to access it, because the 1:1 NAT doesn't work on requests from inside your network.

        Possibly it works if you enable NAT reflection.
        However, best practice would be to add a domain override for domain.com to the Resolver configuration and point it to the internal IP of your DNS server.
        Also ensure that DMZ is selected at "Outgoing Network Interfaces".

        • maverickws

          Fixed with a domain override to the primary DNS server.
          However, I feel it would be interesting to have the possibility to add more than one DNS server to the domain override option. Thank you @viragomann for the hint.

          • viragomann @maverickws

            @maverickws said in Issues with DNS Resolver:

            however I feel it would be interesting to have the possibility to add more than one dns servers to the domain override option.

            It's on you. You may add further servers even for the same domain. Unbound then uses the second if the first does not respond.

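As an added illustration (not taken from the thread or from pfSense's own configuration files), this is what the two Domain Override entries for domain.com discussed above look like in unbound's own forward-zone syntax; the 10.10.20.x addresses and the interface addresses are placeholders for the internal, pre-NAT addresses of the DMZ servers and of pfSense:

```conf
# Added illustration; all addresses are placeholders, not values from the thread.
server:
    # Send outgoing queries from both the WAN and the DMZ-facing address
    # (the "Outgoing Network Interfaces" setting), so the forwarders in the
    # DMZ are reached via their internal address, not via the 1:1 NAT WAN IP.
    outgoing-interface: 203.0.113.2
    outgoing-interface: 10.10.20.1

forward-zone:
    name: "domain.com"
    # Two entries for the same domain: unbound fails over to the other
    # address when one of them does not respond.
    forward-addr: 10.10.20.10
    forward-addr: 10.10.20.11
```

To verify from an inside host, resolve a name under domain.com against the pfSense resolver address and confirm the answer comes back without the "no servers could be reached" timeout.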
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.