DNS Server Settings
Looking for the best way to set this up:
Within pfSense I have two always connected OpenVPN sessions established: VPN1 & VPN2
My VPN provider gives me two DNS servers I can use (if I want to - not mandatory). I want to use them.
So in System -> General Setup, I see there are four spaces for DNS servers with the WAN you wish to use them on selectable to the right of the DNS fields.
I have three WANS: VPN1, VPN2 and WAN.
I want all three "WANs" to use both DNS servers... but can't do this.
First of all, there are only four spots, I would need six spots to do this.
Secondly, I cannot use the same DNS server for more than one WAN. I get an error saying, "Each configured DNS server must have a unique IP address. Remove the duplicated IP."
So I have to choose one of the DNS servers for VPN1, the other DNS server for VPN2, but then I can't set one up for WAN.
I've looked in the DNS Forwarder area, but I'm not sure how those settings affect the ones I'm describing above… which ones take precedence?
So, basically, I want all three "WANs" to use both DNS servers given to me by my VPN provider.
How may I do this?
Why? What exactly do you think this accomplishes? Can you even access DNS from VPN provider 1 when using VPN 2?
Why not just let the resolver resolve and be done with it?
I would think this accomplishes allowing me to have a DNS configured and a backup DNS configured.
Is that outside the realm of possibilities? I would hope not…
Yes, I can access both DNS addresses from both VPN connections... It's one VPN provider. I have two active connections, one to a server in the States, and one in Canada.
I think I said that above... maybe not clear enough, I don't know.
Anyways... then what about this: I have one DNS server, forget about the other one. I want to use it for two WANs... let's say I had two physical WAN connections.
The settings would not allow me to do this, I would get the same error as above.
So, same question applies.
Why do you need a backup DNS if you just use the resolver, which actually resolves from the root down to the authoritative servers for each domain?
It would do this via whatever connection is working, etc..
I'm not using the Resolver, nor do I know what it is.
I see it in the Services menu but don't have it turned on.
What version of pfSense are you using? The resolver was default starting with 2.2, so you turned it off and are using the forwarder?
You do understand that if you point pfSense to itself, it will forward to whatever DNS servers you have listed. Using the forwarder (dnsmasq) it will query ALL of them at the same time by default, and use the answer it gets first.
So as long as pfSense can talk to what you have listed, be it you have 1 WAN or 4 WAN connections...
Your clients using pfSense get the same benefit. Setting specific DNS for specific DNS connections is only for when you cannot talk to a specific DNS via another connection. Like using an ISP DNS that only allows queries from its users.
I'm on pfSense 2.3.1, but I've upgraded all along the way since before version 2.
I was just reading about DNS resolver, it's disabled because I've never done a new install since it became part of the core. I've been using dnsmasq all along.
I'm still not entirely sure how to use Resolver though, where do I put in my DNS servers? In the Systems -> General settings?
If so, what WAN do I set them to?
So if I want to use unbound, I have to disable dnsmasq and enable unbound?
That's how much I understand so far.
The resolver does not need DNS servers. It talks to the roots; it knows where the root servers are. It asks root, "hey, who is the NS for .com?" thanks - "hey .com NS, who is the NS for domainX.com?" ok thanks, "NS for domainX.com, what is the A record for www.domainX.com?"
Yes, if you want to use unbound, turn off the forwarder and enable the resolver. The only thing in pfSense should be 127.0.0.1 (itself).
There you go, done. Now you get your DNS direct from the authoritative server for the domain you're looking for; DNSSEC should be enabled out of the box. You might want to turn on prefetch, not sure if that is default or not?
Unbound will use whatever connection it has open to the internet, depending on how you configure that to work; it can be a specific interface or all/any of them.
Oh, ok. Thanks.
So the 127.0.0.1 address is added to the DNS server list in Settings -> General?
I guess in the DHCP settings, I'd have to have the DNS server as 192.168.1.1 to hand out to hosts on the LAN?
How do these settings affect this setup (see attached).
Also, what if I wanted to use a DNS service like Getflix? How would I set that up?
You would want those unchecked. And you don't have to put 127.0.0.1 anywhere; pfSense will do that by default. That 1st one says "hey, if you get DNS from your WAN DHCP, use those." The 2nd says "don't let pfSense use itself to resolve."
Ok, awesome. Thanks for your help.
I've got it all set up and working now.
Although, now I'm not using my VPN's DNS servers at all… the point of using those was for DNS leak protection.
I did a leak test and the DNS servers I seem to be using are theirs anyways... they might be listening for DNS requests on their side of things and sending them through their servers.
One last thing, if I did want to send certain traffic through a DNS that I specify, how would I do that? In Domain / Host overrides?
I looked at those settings briefly in the DNS Resolver section but haven't used them yet.
If I use a "smart" DNS for geoblocking, etc... I could force Netflix traffic to use a different DNS server there?
" they might be listening for DNS requests on their side of things and sending them through their servers"
That would be a horrific thing to do... I wouldn't use a service that did such a thing. If they do such a thing then it would be impossible to use, say, specific DNS for your Netflix boxes.
As to DNS leaks, as long as your DNS queries go through your VPN connection you are not letting your ISP know what you're looking up. So that is DNS leak protection. You can still use the resolver and talk to authoritative servers, or sure, use a DNS override for specific domains to ask specific NS for those domains you have overrides for. But as to the leak protection, as long as that traffic flows through your tunnel then you don't have a leak.
A leak would be when your DNS queries don't go through the tunnel.
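As an added illustration (not from the thread and not pfSense's own generated file), here is what the Resolver choices discussed above look like in unbound.conf terms: full recursion from the roots, outgoing queries pinned to the tunnel so they cannot leave via the ISP path, prefetch and DNSSEC on, and one Domain Override for the "smart DNS" case. The addresses 10.8.0.2 (OpenVPN client address) and 203.0.113.53 (third-party forwarder) and the trust-anchor path are assumed placeholders.

```conf
# Added example, not the thread's or pfSense's own config.
server:
    # Answer clients on the LAN address the DHCP server hands out (192.168.1.1 in the thread).
    interface: 192.168.1.1

    # Send every outgoing query only from the VPN tunnel address.
    # If the tunnel is down, lookups fail instead of escaping to the ISP path,
    # which is the "leak" defined above.
    # pfSense GUI equivalent: DNS Resolver -> Outgoing Network Interfaces = VPN1/VPN2.
    outgoing-interface: 10.8.0.2

    # No upstream forwarders are listed here, so unbound walks root -> TLD -> authoritative.
    # pfSense GUI equivalent: "Enable Forwarding Mode" left unchecked.

    # Refresh popular records shortly before they expire (the "prefetch" mentioned above).
    prefetch: yes

    # DNSSEC validation against the root trust anchor (path assumed for pfSense).
    auto-trust-anchor-file: "/var/unbound/root.key"
    harden-dnssec-stripped: yes

# Domain Override: only queries for this one domain go to the chosen server;
# everything else is still resolved from the roots, and still inside the tunnel.
# pfSense GUI equivalent: DNS Resolver -> Domain Overrides.
forward-zone:
    name: "example-streaming.com"
    forward-addr: 203.0.113.53
```

One caveat when pointing an override at a geoblock-bypass service: if the overridden domain is DNSSEC-signed, the service's substituted answers will fail validation unless that zone is explicitly marked insecure (`domain-insecure:`), which trades away validation for that domain alone.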
Right, I didn't think of that.
Thanks for all your help. Much Appreciated.