Netgate Discussion Forum
How to get pfSense to resolve DNS queries from a home on the WAN interface with the pfSense DNS Resolver

Category: DHCP and DNS
19 Posts 4 Posters 3.2k Views
Gertjan @viragomann

@viragomann said in How to get pfSense to resolve DNS queries from a home on the WAN interface with the pfSense DNS Resolver:

      I didn't see it earlier.

      +1
      It's this one.

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

Mr. Waste @johnpoz

        @johnpoz

It worked, thank you so much!! Now I know how to do this on my own.

Mr. Waste

@johnpoz it works great. I would like to expand a bit more on the setup. I'm adding on to it exactly how it is now.

The only change is that I have a different interface / VLAN 21 for the DNS server (different subnets). I don't know how to forward the DNS packets from the user (= pfSense itself) to the DNS server on a different VLAN. pfSense can see the other network; both have normal internet from each firewall's WAN address and have LAN addresses (pfSense's). I have been playing around with all the rules and can't seem to figure it out.

I tried the firewall rules + forwarding / passing the DNS to the server.
The DNS gets to the server sometimes, not always; however, the DNS won't go through this interface to get out to the internet, either through both firewalls or coming back hitting where it came from.

I really need some help, I have been trying to figure this out for months.

          Thanks for your Help!

johnpoz (LAYER 8 Global Moderator)

Can you draw up how this is connected... You have some other DNS.. Why do you want to forward to this DNS? Is it authoritative for some domain? If so just set up a domain override.

Is this client trying to use something other than DNS from pfsense, and you want to redirect, say, their query to 8.8.8.8 to this other NS elsewhere on your network?

I am not getting what you're trying to do exactly.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

Mr. Waste

              @johnpoz Here you go, hope this helps

It's Internet DNS to pfSense to Pi-hole to Internet.

              Thank You so MUCH!

[attachment: Untitled Diagram.png]

johnpoz

Didn't we already go over this.. This server at 10.0.9.69 is different than your previous pihole?

How is that any different from your pihole 192.1.1.5?

Do you want to send your query to 10.x or 192.? Btw, is that a typo - why in the hell would your pihole be on a non-RFC1918 address? You sure don't own 192.1.1 (BBN Communications (BBNP))

You can not send traffic hitting the pfsense wan on port 53 to both of these NS on your network.

Who do you want to send to this 10.x server? And who do you want to send to this 192 (pihole) box? What are they looking for, just internet stuff - local domains? what?

You have 1 dns server, pihole? Doesn't really matter what it's running.

And you want other vlans on your network to use it? Or what? You can for sure port forward on your lan something that might be trying to query for example 8.8.8.8 and send it to pfsense, which forwards to this other dns..

Maybe I'm tired - but not understanding what exactly you want to happen... Who do you want to query this server? Why do you not just point them directly to what you want them to use for dns?

Mr. Waste

                  @johnpoz

I have normal DNS queries coming from a house or small business that need to be sent a response for a website page or loading YouTube videos - (normal everyday DNS).
I want pfSense to use pfBlocker, then forward the next query to Pi-hole to do more filtering. Pi-hole is on a different network than the normal LAN side. Add another interface on pfSense, for example. I want to make a rule to allow and pass the DNS to the other network while giving a response back. Pi-hole can go through the normal LAN side of the other network or just go right through the internet from the WAN of the pfSense.

I don't know how to use a rule and pass the DNS to the other network while ONLY letting that device have access to port 53 on the other network - (from pfSense's rules).

Does this make any sense? Or am I not explaining it enough?

                  Thank You for your Help

johnpoz @Mr. Waste

@Mr-Waste said in How to get pfSense to resolve DNS queries from a home on the WAN interface with the pfSense DNS Resolver:

Pi-hole is on a different network than the normal LAN side

Doesn't matter what network your pihole is on.. be it lan or your 100th vlan.. Pfsense can still talk to it, right? No port forward needed on your lan side networks.

So you want the wan side client to use unbound on pfsense (with pfblocker).. Then for that to go to pihole..

But you want lan side clients to just use unbound on pfsense, but not get forwarded to pihole??

So you only have the 1 dns on your local lan side network.. You changed the pihole IP from the 192 address to the 10 address? Or you have 2 different nameservers? The pihole and this other one on the 10 address?

Or do you want wan to use unbound, forward to pihole? And then lan side clients to use unbound but get forwarded to some other name server? Which is not pihole? Or not use unbound at all and just get forwarded to this other NS?

Gertjan @Mr. Waste

@Mr-Waste said in How to get pfSense to resolve DNS queries from a home on the WAN interface with the pfSense DNS Resolver:

I want pfSense to use pfBlocker, then forward the next query to Pi-hole to do more filtering

Just keep in mind: when you use pfBlockerNG-devel, it will need unbound to work as a resolver (== not forwarder).
It's stated up front in the settings when you activate the DNSBL part.

I can't say that you can't forward unbound, the 'resolver', but it will influence 'DNS' behaviour.
What about keeping things simpler?

johnpoz

@Gertjan said in How to get pfSense to resolve DNS queries from a home on the WAN interface with the pfSense DNS Resolver:

it will need unbound to work as a resolver (== not forwarder).

Ummm - no, why would you think that? You can use pfblocker while unbound forwards..

It states.. "To Utilize, Unbound DNS Resolver must be enabled." Whether unbound is set to resolve or forward has nothing to do with it..

I can see how the wording could be confusing.. But unbound is meant to be a resolver, that is its default state. But how unbound finds out something that is not a local record, be it resolves or forwards, has nothing to do with the workings of pfblocker.

Unbound is the resolver for pfsense, pfblocker doesn't work with dnsmasq (the forwarder) in pfsense. But you can for sure use unbound in forwarder mode, and still use pfblocker.

Gertjan @johnpoz

@johnpoz said in How to get pfSense to resolve DNS queries from a home on the WAN interface with the pfSense DNS Resolver:

                          why would you think that?

I was reading:

[attachment: 8069a674-92f7-42e3-93b4-f5f3844fa54e-image.png]

and agree (now): the forwarding or resolver mode could be used.
I guess I mixed up resolver, Resolver and resolving.

johnpoz

                            Yeah.. to be honest the wording should take out the resolver part of the unbound name.. Yes unbound is a "resolver" but you can set it to forward. While the forwarder (dnsmasq) can not resolve - only forward.

Mr. Waste

@johnpoz said in How to get pfSense to resolve DNS queries from a home on the WAN interface with the pfSense DNS Resolver:

do you want wan to use unbound, forward to pihole? And then lan side clients to use unbound but get forwarded to some other name server?

@johnpoz

"So you only have the 1 dns on your local lan side network.. You changed the pihole IP from the 192 address to the 10 address?"

To be clear, the 10 addresses are ONLY local on that subnet range. I decided to use the 10 network rather than 192 or others. Easier to remember. - Local ONLY

"Or you have 2 different nameservers? The pihole and this other one on the 10 address?"

Both networks will only be using the 1 Pi-hole for DNS.
I need to know how to get a response back from pfSense being on a different network.

Example network for Pi-hole ONLY:
pfSense extra interface LAN2: IP 10.0.9.2 (getting an IP address from the other router on this network)
Pi-hole: 10.0.9.69

Remember we have this too, but don't confuse yourself here.
pfSense LAN interface: 10.0.8.1/24

pfSense is being the Unbound resolver for the 10.0.8.1/24 (LAN) network (same thing: pfBlocker for block lists), then passing the traffic to the LAN2 network. Pi-hole gets the request and sends it out through either network. I would think the 10.0.9.1/24 (LAN2) network, because on the 10.0.8.1/24 (LAN) it doesn't know there is a gateway for the internet traffic to get out. + thinking of a normal device just requesting normal DNS queries.

"Or do you want wan to use unbound, forward to pihole? And then lan side clients to use unbound but get forwarded to some other name server?"

Talking about pfSense ONLY: 10.0.8.1/24 LAN
I will explain more: I want every device, either through the WAN of pfSense itself or through the LAN, to send the requests to the pfSense Resolver, then forward them to the other network, the LAN2 Pi-hole.

LAN2 10.0.9.1/24:
This other network will use Pi-hole for their DNS requests.

johnpoz

@Mr-Waste said in How to get pfSense to resolve DNS queries from a home on the WAN interface with the pfSense DNS Resolver:

I need to know how to get a response back from pfSense being on a different network

Huh?? Doesn't even make sense.. Pfsense is connected to both networks, or all the networks in question, right?? Do you have drawings of some other downstream routers in your network??

Let's say you have this...

[attachment: setup.png]

Forget the network IPs - there could be 3, there could be 3000 of them... Doesn't matter..

Your devices on each network.. Would point to the pfsense IP on that network, in my drawing .1 on each network for DNS. Unless you want to point them direct to DNS like on the 10.10.10 I show..

The only thing that has to be allowed for is that 172.16.0 interface: that network can talk 53 udp/tcp to that pfsense interface.. Whatever that vlan is called would be listed as vlanX address, on the other network it would be vlanY address.

Now all your devices ask pfsense for DNS.. To the respective IPs of pfsense on that network - this is by default what is handed out via dhcp..

Pfsense forwards this to your DNS..

To be honest all you have to do for your remote is allow that remote IP to your wan IP on 53 udp/tcp as well.. Unbound listening on your wan address.. Will also forward this traffic to your dns..

The only time you ever have to do any sort of port forwarding is if say a client on vlan X 192.168.0 in my drawing is trying to talk to 8.8.8.8 for dns.. This is when you would do a redirect (port forward).. Anything going to anything other than the pfsense IP for dns, port forward it to loopback so unbound will see it and pretend it's googledns..

I have no idea what you got into your head... But unless you're wanting to intercept dns not set to talk to pfsense (default dhcp settings) then this works out of the box.. Nothing to do for any of it.. Other than set unbound to forward to your pihole/dns..

Do you have more routers in your network other than pfsense? Or is my drawing a representation of what you have? Forget what IP ranges I have on networks, or how many there are even... You could have 2, or 2000 - doesn't matter, all works the same!!

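The setup johnpoz lays out in the post above (unbound on pfSense forwarding to the Pi-hole, a per-interface pass rule for port 53, one narrow WAN rule for the remote home client, and the optional loopback redirect for clients hardcoded to 8.8.8.8), together with his earlier point that pfBlockerNG keeps working when unbound is in forwarding mode, written out as the unbound.conf and pf.conf equivalents of the pfSense GUI settings. This is an added example, not code from the thread or from Netgate, and it is not a copy of the files pfSense generates. The networks 10.0.8.0/24 and 10.0.9.0/24 and the Pi-hole address 10.0.9.69 are from the thread; 203.0.113.10 (the remote client), the interface names and the macro names are placeholders.

```conf
# ---- unbound.conf fragment: Services > DNS Resolver on pfSense ----
server:
    # "Network Interfaces: All" - unbound has to listen on the WAN address too,
    # otherwise the remote client's query is dropped before any firewall rule matters.
    interface: 0.0.0.0
    interface: ::0
    do-udp: yes
    do-tcp: yes

    # Access Lists: default refuse, then only the networks that may use this resolver.
    # Without the /32 for the remote client (and the matching WAN firewall rule below)
    # a pass rule for 53/udp on WAN turns pfSense into an open resolver.
    access-control: 0.0.0.0/0 refuse
    access-control: ::/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 10.0.8.0/24 allow        # LAN
    access-control: 10.0.9.0/24 allow        # LAN2 (VLAN 21), where the Pi-hole lives
    access-control: 203.0.113.10/32 allow    # placeholder: the one WAN-side home client

    # pfBlockerNG DNSBL entries are local-zone/local-data records the package includes
    # here. unbound answers them before it forwards anything, which is why forwarding
    # mode does not switch the block lists off.

# "Enable Forwarding Mode": whatever is not answered locally goes to the Pi-hole
# instead of the root servers. The Pi-hole's own upstream must NOT be pfSense,
# or the two forward to each other in a loop.
forward-zone:
    name: "."
    forward-addr: 10.0.9.69

# ---- pf.conf fragment: Firewall > Rules and Firewall > NAT > Port Forward ----
lan  = "igb1"       # placeholder: 10.0.8.0/24
lan2 = "igb1.21"    # placeholder: VLAN 21, 10.0.9.0/24
wan  = "igb0"
remote_client = "203.0.113.10"

# Each internal network may query the pfSense address on its own interface
# ("vlanX address" in the GUI). pfSense itself reaching the Pi-hole on LAN2 needs no rule.
pass in quick on $lan  proto { tcp udp } from $lan:network  to ($lan)  port 53
pass in quick on $lan2 proto { tcp udp } from $lan2:network to ($lan2) port 53

# WAN: exactly one source, to the WAN address only. "from any" here is the mistake to avoid.
pass in quick on $wan proto { tcp udp } from $remote_client to ($wan) port 53

# Optional redirect (Port Forward, destination "Invert match: LAN address",
# redirect target 127.0.0.1): a LAN client hardcoded to 8.8.8.8 still lands on
# unbound, which answers as if it were 8.8.8.8, and no other port 53 traffic leaves LAN.
rdr pass on $lan proto { tcp udp } from $lan:network to ! ($lan) port 53 -> 127.0.0.1 port 53
```

To check the result from a LAN client, query the pfSense address and then 8.8.8.8 directly: with the redirect in place both answers come back, and the second one reports the server as 8.8.8.8 even though unbound produced it. From the remote client, a query to the WAN address should answer while a query from any other source address times out; if it answers, the access-control or the WAN rule is too wide.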
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.