Is it possible to override the automatically created firewall hostname dns entry?

cony · Jan 29, 2021, 8:08 PM

Hello,

In pfSense General Setup you can set a hostname and domain for the firewall (Reference). For example:

Hostname: pfsense
Domain: mynet.localdomain
pfSense seems to automatically add a line to /etc/hosts which maps this hostname + domain combination to the ip address of the LAN interface (specifically the interface pfsense considers to be LAN).

Example of the line it adds after the loopback entries:

10.1.1.1 pfsense.mynet.localdomain pfsense

Additionally, for Unbound specifically, /var/unbound/host_entries.conf gets two lines which expresses the same association:

local-data-ptr: "10.1.1.1 pfsense.mynet.localdomain"
local-data: "pfsense.mynet.localdomain. A 10.1.1.1"

As a consequence of this, when trying to resolve pfsense.mynet.localdomain with the pfSense as the DNS server, the ip address which is returned is 10.1.1.1, as expected.

My issue is that I want to override this to a different ip address. For example, I have a VLAN on another interface which is used for network device management. It has the subnet 10.2.1.0/24 and the IP address of the interface itself is 10.2.1.1

It seems not possible to override the default entry that pfSense sets up with respect to the hostname+domain of the firewall. Adding a DNS Resolver host override for pfsense.mynet.localdomain to resolve to 10.2.1.1 just adds another item to the aforementioned files.

The result of that is that when resolving pfsense.mynet.localdomain, both 10.1.1.1 and 10.2.1.1 are returned as answers (at which point the client system may decide to use the former, which I don't want).

Is it possible to force the firewall's registered hostname+domain to resolve to something other than the LAN interface ip address? Is the only solution to this to edit the files by hand?

Thanks for any advice that you have.

NogBadTheBad · Jan 30, 2021, 8:58 AM

https://forum.netgate.com/topic/158427/solved-multi-homed-host-question

FWIW I use a VIP / loop back for this type of thing.

cony · Jan 31, 2021, 7:17 PM

I see, thanks for sharing I guess I'll give it a shot. Perhaps future versions of pfSense will have more flexibility as well.

giminik · Feb 8, 2021, 1:56 PM

Hello,

I have exactly the same issue.
I have several interfaces, LAN, LAN_APP, DMZ_RP, DMZ_PS4.

When I ping firewall.home, the IP returned is the interface of LAN_APP (10.0.7.254). How is this IP chosen by pfsense?
I tried to rename interfaces, but this doesn't change.

jahonix · Feb 9, 2021, 3:01 AM

@giminik You can assign subdomains at the interface's DHCP server tab.

Domain name: "The default is to use the domain name of this system as the default domain name provided by DHCP. An alternate domain name may be specified here."

So you can end up with
-firewall.home or firewall.lan.home
-firewall.lan2.home
-firewall.dmz1.home
-firewall.dmz2.home