BIND to provide DNS over WAN



  • hi
    I need to do some testing with Exchange Server.
    So I need to publish my A, MX, SPF records for this test environment using pfSense.
    I installed BIND, while I don't have any clue on how to do the above, but will google it and hopefully find it.
    My main issue as of now is that the DNS services are working from LAN but not from WAN.

    I disabled the pfSense DNS forwarder and resolver.
    Enabled BIND and selected the option to listen on all interfaces.

    Allowed port 53 from any WAN IP to pfSense in the pfSense firewall, and now if I telnet from the internet to my pfSense IP using port 53 it's accessible.
    But when I check for any DNS resolution using my pfSense WAN IP it gives me "Request time out".


  • LAYER 8 Global Moderator

    Check your WAN IP from where? Did you edit the ACL to allow query from anywhere?


  • Rebel Alliance Developer Netgate

    A word of caution: If you are unfamiliar with BIND and maintaining BIND, do not run BIND facing the Internet in that way.

    Set up your domain with somewhere that will host DNS for you and let you manage it using a GUI outside of your structure. Not only will it be easier, it will be more secure, and it won't potentially compromise your firewall if/when a new BIND vulnerability is discovered.

    For example, if your domain is registered via Namecheap, you can have them handle your DNS for free and it's very easy to manage. Hurricane Electric also has DNS services you can utilize in a similar fashion.


  • LAYER 8 Global Moderator

    ^ This is spot-on advice. I really cannot stress it enough, unless you're very familiar with BIND and keep it updated. And even then it's going to be very rare that it's just not better to host DNS elsewhere. There are plenty of places you can get FREE service if your registrar's DNS is lacking features. HE comes to mind for sure, and for low cost, $29 a year sort of price, DNSMadeEasy is just a top-notch choice.

    For starters, hosting off your own connection, do you have another connection/location to provide your 2nd NS? This really should be on a completely different netblock and ISP and in a completely different geographic location, etc.

    I have been in this field for many years, and DNS is a passion/hobby/work for me, and I just really cannot think of when you would want to do this on your own connection/gear. It's just not cost/effort effective to provide your public DNS off your own stuff when there are companies that all they do is DNS and they do it very, very well!!! Anycast, DDoS protection, instant updates, great reporting on queries, etc. etc.

    If you're just needing to test something, OK, why can you not just do that in house and not available to the internet? If you're wanting to use pfSense downstream and need a downstream NS in your network, OK, pfSense can do that off its WAN, etc. But when it comes to production public DNS I don't see hosting that yourself as a good idea.
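As an added illustration of the ACL question raised above (not from this thread, and not the pfSense BIND package's own output, which generates its named.conf from the GUI), a generic BIND named.conf fragment showing the "allow query from anywhere" setting beside the tightened form; the zone name, file paths and addresses are constructed placeholders.

```conf
// Constructed example: 192.168.1.0/24 stands in for the LAN and
// example.com for the test zone. Directory and file paths are assumptions.
acl "lan" { 127.0.0.1; 192.168.1.0/24; };

options {
    directory "/etc/namedb";
    listen-on { any; };          // the "listen on all interfaces" choice

    // WEAK: with recursion left on, allowing queries from anywhere also
    // serves recursive lookups to the whole Internet (an open resolver).
    //   recursion yes;
    //   allow-query { any; };

    // TIGHTENED: anyone may ask about zones this server is authoritative
    // for, but only the LAN may use it as a recursive resolver.
    recursion yes;
    allow-query { any; };
    allow-recursion { lan; };
    allow-query-cache { lan; };  // cached (non-authoritative) answers stay internal
    allow-transfer { none; };    // no zone transfers unless a 2nd NS needs them
    version "not disclosed";
};

zone "example.com" {
    type master;
    file "/etc/namedb/example.com.db";   // holds the A, MX and SPF (TXT) records
};
```

From outside, `dig @WAN_IP example.com SOA` should return the zone's SOA, while a lookup for a name the server is not authoritative for should come back with status REFUSED. A timeout instead of REFUSED means the query or its reply is being dropped (firewall rule for UDP and TCP 53, or BIND not bound to that address) rather than denied by the ACL.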

