Netgate Discussion Forum

    Captive portal with dns forwarder - do not resolve internal IPs?

    slu:

      Hi,

      My captive portal uses the internal DNS forwarder, which knows all my local IP <-> FQDN mappings.

      • Is there an option to not answer local FQDN requests on the captive portal interface?
      • Is it better to push an external DNS server and open the firewall to this server (IP/53/UDP)?

      pfSense Gold subscription

      Gertjan:

        Hi,

        If you use a dedicated interface for your captive portal, I guess you could try this:

        Deactivate the "internal dns forwarder" for your Captive Portal.
        Instruct the DHCP server that serves the Captive Portal with your (example) ISP DNS servers, or Google DNS servers, or whatever.

        Like this, portal visitors cannot resolve your internal LAN FQDNs anymore.

        BUT: why do you care anyway? Normally, portal visitors can go (only!) "out" to the net, and your firewall rules for the captive portal interface won't let them into your LAN... so even if they 'know' that a FQDN exists on your... what? LAN? they can't do anything with it.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit: and where are the logs??

        slu:

          @Gertjan:

          Deactivate the "internal dns forwarder" for your Captive Portal.
          Instruct the DHCP server that serves the Captive Portal with your (example) ISP DNS servers, or Google DNS servers, or whatever.

          Like this, portal visitors cannot resolve your internal LAN FQDNs anymore.

          […] Also, the DNS Forwarder or Resolver must be enabled for DNS lookups by unauthenticated clients to work.

          Not possible, because the unauthenticated clients could then never resolve a DNS name.
          @Gertjan:

          BUT: why do you care anyway? Normally, portal visitors can go (only!) "out" to the net, and your firewall rules for the captive portal interface won't let them into your LAN... so even if they 'know' that a FQDN exists on your... what? LAN? they can't do anything with it.

          Yes, you are right, my visitors can only go out to the internet.

          pfSense Gold subscription
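Added example, not from this thread or from Netgate: the quoted documentation only requires that the Forwarder or Resolver be enabled for unauthenticated clients, and if the DNS Resolver (Unbound) is used instead of the Forwarder, an Unbound view can keep recursion working for the captive portal subnet while refusing internal names on that interface. This goes slightly beyond the thread, which does not mention views; the subnet 192.168.50.0/24, the interface address, the zone name corp.internal and the reverse zone are constructed placeholders, and it is assumed this fragment goes into the Resolver's custom options.

```conf
server:
    # Address of the dedicated captive portal interface (constructed placeholder)
    interface: 192.168.50.1
    # Let the portal subnet query the resolver at all, then pin it to a restricted view
    access-control: 192.168.50.0/24 allow
    access-control-view: 192.168.50.0/24 portal

view:
    name: "portal"
    # view-first defaults to "no": global local-data (host overrides, DHCP
    # registrations) is not consulted for clients in this view, so internal
    # names registered on the LAN are not served to portal visitors.
    #
    # Explicitly refuse the internal forward zone (constructed name) so that
    # even names handled by a domain override return NXDOMAIN here
    local-zone: "corp.internal." always_nxdomain
    # And the LAN reverse zone, so PTR lookups leak no host names either
    local-zone: "1.168.192.in-addr.arpa." always_nxdomain
    # Everything else (public names, the portal's own hostname if public)
    # still resolves normally through the resolver, which the portal requires.
```

A quick check from a host on the portal subnet is `dig @192.168.50.1 host.corp.internal` (expect NXDOMAIN) beside `dig @192.168.50.1 netgate.com` (expect an answer); the LAN interface keeps its normal behaviour because it is not bound to the view.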
