Netgate Discussion Forum

    DNS Server Settings

    DHCP and DNS
    13 Posts 2 Posters 5.4k Views
    killerb81:

      Looking for the best way to set this up:
      Within pfSense I have two always-connected OpenVPN sessions established: VPN1 & VPN2.
      My VPN provider gives me two DNS servers I can use (if I want to; not mandatory). I want to use them.
      So in System -> General Setup, I see there are four spaces for DNS servers with the WAN you wish to use them on selectable to the right of the DNS fields.
      I have three WANs: VPN1, VPN2 and WAN.
      I want all three "WANs" to use both DNS servers, but I can't do this.

      First of all, there are only four spots, I would need six spots to do this.
      Secondly, I cannot use the same DNS server for more than one WAN.  I get an error saying, "Each configured DNS server must have a unique IP address. Remove the duplicated IP."

      So I have to choose one of the DNS servers for VPN1, the other DNS server for VPN2, but then I can't set one up for WAN.

      I've looked in the DNS Forwarder area, but I'm not sure how those settings affect the ones I'm describing above. Which ones take precedence?

      So, basically, I want all three "WANs" to use both DNS servers given to me by my VPN provider.
      How may I do this?

      Thank you,
      KB

    johnpoz (Global Moderator):

        Why? What exactly do you think this accomplishes? Can you even access DNS from VPN provider 1 when using VPN 2?

        Why not just let the resolver resolve and be done with it?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

    killerb81:

          I would think this accomplishes allowing me to have a DNS server configured and a backup DNS server configured.
          Is that outside the realm of possibilities? I would hope not...

          Yes, I can access both DNS addresses from both VPN connections. It's one VPN provider. I have two active connections, one to a server in the States, and one in Canada.
          I think I said that above; maybe not clearly enough, I don't know.

          Anyway, then what about this: I have one DNS server, forget about the other one. I want to use it for two WANs. Let's say I had two physical WAN connections.
          The settings would not allow me to do this; I would get the same error as above.

          So, same question applies.

          Thanks.

    johnpoz (Global Moderator):

            Why do you need a backup DNS if you just use the resolver, which actually resolves from the root down to the authoritative servers for each domain?

            It would do this via whatever connection is working, etc.

    killerb81:

              I'm not using the Resolver, nor do I know what it is.
              I see it in the Services menu but don't have it turned on.

    johnpoz (Global Moderator):

                What version of pfSense are you using? The resolver was the default starting with 2.2, so you turned it off and are using the forwarder?

                You do understand that if you point pfSense to itself, it will forward to whatever DNS servers you have listed. Using the forwarder (dnsmasq) it will query ALL of them at the same time by default, and use the first answer it gets.

                So as long as pfSense can talk to what you have listed, be it you have 1 WAN or 4 WAN connections...

                Your clients using pfSense get the same benefit. Setting specific DNS servers for specific connections is only for when you cannot talk to a specific DNS server via another connection, like using an ISP DNS server that only allows queries from its users.

    killerb81:

                  I'm on pfSense 2.3.1, but I've upgraded all along the way since before version 2.
                  I was just reading about DNS Resolver; it's disabled because I've never done a new install since it became part of the core. I've been using dnsmasq all along.
                  I'm still not entirely sure how to use Resolver though. Where do I put in my DNS servers? In the System -> General settings?
                  If so, what WAN do I set them to?

                  So if I want to use unbound, I have to disable dnsmasq and enable unbound?

                  That's how much I understand so far.

    johnpoz (Global Moderator):

                    The resolver does not need DNS servers. It talks to the roots; it knows where the root servers are. It asks root, "hey, who is NS for .com?" Thanks. "Hey .com NS, who is NS for domainX.com?" OK, thanks. "NS for domainX.com, what is the A record for www.domainX.com?"

                    Yes, if you want to use unbound, turn off the forwarder and enable the resolver. The only thing in pfSense should be 127.0.0.1 (itself).

                    There you go, done. Now you get your DNS direct from the authoritative server for the domain you're looking for. DNSSEC should be enabled out of the box. You might want to turn on prefetch; not sure if that is the default or not.

                    Unbound will use what connection it has open to the internet, depending on how you configure that to work; it can be a specific interface or all/any of them.

                    [attachments: dnsservers.jpg, prefetch.jpg]

    killerb81:
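The root -> TLD -> authoritative walk described in the post above, traced by hand. This is an added example, not code from the thread or from unbound: the zone data is constructed, the server addresses are documentation ranges (192.0.2.x, 203.0.113.x) standing in for real root, .com and authoritative servers, and ROOT_HINTS replaces the root-hints file a real resolver ships with. It also covers one case the post does not spell out: a delegation whose nameserver name carries no glue address, which the resolver must first resolve on its own.

```python
"""Iterative resolution over a constructed delegation tree (added example, not unbound)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Answer:
    address: str                              # final A record


@dataclass(frozen=True)
class Referral:
    nameservers: Dict[str, Optional[str]]     # NS name -> glue address, or None if no glue


ROOT_HINTS = ["192.0.2.1"]                    # constructed stand-in for the root-hints file

# Constructed zone data: what each (assumed) server answers for a name it is asked about.
SERVERS: Dict[str, Dict[str, object]] = {
    "192.0.2.1": {                            # a root server: knows only TLD delegations
        "com.": Referral({"a.gtld.example.": "192.0.2.2"}),
    },
    "192.0.2.2": {                            # the .com server: knows only delegations under com.
        "domainx.com.": Referral({"ns1.domainx.com.": "192.0.2.3"}),
        "domainy.com.": Referral({"ns1.domainx.com.": None}),   # NS in another zone, no glue
    },
    "192.0.2.3": {                            # authoritative for domainx.com and domainy.com
        "www.domainx.com.": Answer("203.0.113.10"),
        "ns1.domainx.com.": Answer("192.0.2.3"),
        "www.domainy.com.": Answer("203.0.113.20"),
    },
}


def query(server: str, qname: str):
    """Return an Answer, the closest enclosing Referral, or None if the server knows nothing."""
    table = SERVERS[server]
    if qname in table:
        return table[qname]
    labels = qname.split(".")
    for i in range(1, len(labels) - 1):       # walk up: www.domainx.com. -> domainx.com. -> com.
        rec = table.get(".".join(labels[i:]))
        if isinstance(rec, Referral):
            return rec
    return None


def resolve(qname: str, depth: int = 0) -> Tuple[str, List[Tuple[str, str, str]]]:
    """Chase referrals from a root server until one server answers. Returns (address, trail)."""
    if depth > 8:                             # guards against delegation loops while chasing glue
        raise LookupError("too many referrals while resolving %s" % qname)
    trail: List[Tuple[str, str, str]] = []
    server = ROOT_HINTS[0]
    for _ in range(8):
        rec = query(server, qname)
        if rec is None:
            raise LookupError("%s has no data for %s" % (server, qname))
        if isinstance(rec, Answer):
            trail.append((server, "answer", rec.address))
            return rec.address, trail
        nsname, glue = next(iter(rec.nameservers.items()))
        trail.append((server, "referral", nsname))
        if glue is None:                      # no glue: resolve the nameserver's own name first
            glue, _ = resolve(nsname, depth + 1)
        server = glue
    raise LookupError("too many referrals while resolving %s" % qname)


def resolve_or_none(qname: str) -> Optional[str]:
    """Convenience wrapper: the address, or None when no server in the tree knows the name."""
    try:
        return resolve(qname)[0]
    except LookupError:
        return None


if __name__ == "__main__":
    for name in ("www.domainx.com.", "www.domainy.com."):
        addr, trail = resolve(name)
        print(name, "->", addr)
        for srv, kind, detail in trail:
            print("    %s  %-8s %s" % (srv, kind, detail))
```

Note that nothing in this walk depends on a configured DNS server: the only fixed input is the root-hints list, which is why the post says the resolver "does not need DNS". A real resolver additionally caches every answer and referral, validates DNSSEC signatures along the chain, and tries other nameservers from the referral when one does not respond; those parts are left out here.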

                      Oh, OK. Thanks.
                      So the 127.0.0.1 address is added to the DNS server list in System -> General?
                      I guess in the DHCP settings, I'd have to have the DNS server as 192.168.1.1 to hand out to hosts on the LAN?

                      How do these settings affect this setup (see attached)?

                      Also, what if I wanted to use a DNS service like Getflix? How would I set that up?

                      [attachment: question.png]

    johnpoz (Global Moderator):

                        You would want those unchecked. And you don't have to put 127.0.0.1 anywhere; pfSense will do that by default. That 1st one says, "hey, if you get DNS servers from your WAN DHCP, use those." The 2nd says, "don't let pfSense use itself to resolve."

    killerb81:

                          OK, awesome. Thanks for your help.
                          I've got it all set up and working now.
                          Although, now I'm not using my VPN's DNS servers at all... the point of using those was DNS leak protection.
                          I did a leak test and the DNS servers I seem to be using are theirs anyway... they might be listening for DNS requests on their side of things and sending them through their servers.

                          One last thing: if I did want to send certain traffic through a DNS server that I specify, how would I do that? In Domain / Host Overrides?
                          I looked at those settings briefly in the DNS Resolver section but haven't used them yet.

                          If I use a "smart" DNS for geoblocking, etc., could I force Netflix traffic to use a different DNS server there?

                          Thanks again!

    johnpoz (Global Moderator):

                            "they might be listening for DNS requests on their side of things and sending them through their servers"

                            That would be a horrific thing to do. I wouldn't use a service that did such a thing. If they do such a thing, then it would be impossible to use, say, a specific DNS server for your Netflix boxes.

                            As to DNS leaks: as long as your DNS queries go through your VPN connection, you are not letting your ISP know what you're looking up. So that is DNS leak protection. You can still use the resolver and talk to the authoritative servers, or sure, use a domain override for specific domains to ask specific nameservers for those domains you have overrides for. But as to the leak protection, as long as that traffic flows through your tunnel, then you don't have a leak.

                            A leak would be when your DNS queries don't go through the tunnel.

    killerb81:
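A concrete version of the leak definition in the post above ("DNS queries that don't go through the tunnel"), run over firewall log lines. This is an added example, not from the thread or from pfSense: the log lines are constructed in the style of `tcpdump -n -e -ttt -i pflog0` output, and the interface names (ovpnc1 and ovpnc2 for the two OpenVPN clients, em0 for the physical WAN) and all addresses are assumptions. It keys the check on the egress interface rather than the destination address, which is what makes it valid both for forwarding to the provider's servers and for the resolver talking to arbitrary authoritative servers.

```python
"""Flag DNS flows that left the firewall outside the VPN tunnels (added example, not pfSense code)."""
import re
from typing import List, Set, Tuple

# Constructed sample (assumed interface names and addresses): two queries inside the tunnels,
# one plain DNS and one DNS-over-TLS flow out the WAN, one query the firewall blocked, and
# unrelated HTTPS traffic that must not be reported.
SAMPLE_LOG = """\
00:00:00.000000 rule 5/0(match): pass out on ovpnc1: 10.8.0.2.51012 > 10.8.0.1.53: 1234+ A? example.com. (29)
00:00:00.000102 rule 5/0(match): pass out on ovpnc2: 10.9.0.2.51013 > 10.9.0.1.53: 1235+ A? example.net. (29)
00:00:00.000207 rule 2/0(match): pass out on em0: 203.0.113.7.51014 > 8.8.8.8.53: 1236+ A? leaked.example. (32)
00:00:00.000310 rule 2/0(match): pass out on em0: 203.0.113.7.51015 > 198.51.100.9.443: Flags [S], seq 1, win 65535
00:00:00.000415 rule 9/0(match): block out on em0: 203.0.113.7.51016 > 1.1.1.1.53: 1237+ A? blocked.example. (33)
00:00:00.000520 rule 5/0(match): pass out on ovpnc1: 10.8.0.2.51017 > 10.8.0.1.853: Flags [S], seq 1, win 65535
00:00:00.000625 rule 2/0(match): pass out on em0: 203.0.113.7.51018 > 9.9.9.9.853: Flags [S], seq 1, win 65535
"""

# Matches the pflog decode prefix: action, direction, interface, then "src.sport > dst.dport:".
LOG_RE = re.compile(
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)
DNS_PORTS = {53, 853}          # plain DNS and DNS-over-TLS


def find_dns_leaks(log_text: str, vpn_ifaces: Set[str]) -> List[Tuple[str, str, int]]:
    """Return (iface, destination, port) for each passed, outbound DNS flow on a non-VPN interface.

    Blocked packets never left the box, inbound packets are replies, and anything that
    egressed on a tunnel interface reached the far end encrypted, so none of those count.
    """
    leaks: List[Tuple[str, str, int]] = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m is None:
            continue                                   # not a pflog decode line
        if m["action"] != "pass" or m["dir"] != "out":
            continue
        dport = int(m["dport"])
        if dport not in DNS_PORTS or m["iface"] in vpn_ifaces:
            continue
        leaks.append((m["iface"], m["dst"], dport))
    return leaks


def leak_counts_by_iface(log_text: str, vpn_ifaces: Set[str]) -> dict:
    """Summarise leaks per egress interface, handy for a quick alert threshold."""
    counts: dict = {}
    for iface, _, _ in find_dns_leaks(log_text, vpn_ifaces):
        counts[iface] = counts.get(iface, 0) + 1
    return counts


if __name__ == "__main__":
    for iface, dst, port in find_dns_leaks(SAMPLE_LOG, {"ovpnc1", "ovpnc2"}):
        print("LEAK: DNS to %s:%d left via %s" % (dst, port, iface))
```

The two WAN-side flows (to 8.8.8.8:53 and 9.9.9.9:853) are reported; the blocked query to 1.1.1.1 is not, since a block rule is exactly the fix for a leak. Keying on the interface also means a query to the provider's own resolver that happened to go out the WAN would still be flagged, which is the right outcome.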

                              Right, I didn't think of that.

                              Thanks for all your help. Much appreciated.

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.