DNS Behavior and setup questions



  • Behavioral question: In the general DNS Resolver options, Network Interfaces, the default is All. Does this mean that someone other than my local clients could query the resolver on the WAN interface? If so, would a better configuration be to select the LAN and localhost interfaces only, to prevent the outside world from using the WAN interface on my pfSense device as a DNS resolver?

    Setup question:
    I want to set up the system such that all my local clients are resolvable internally to my network but not to the world. I also want to restrict where they query. So far I have done the following, but I am stumped on one part.

    1. General Setup: entered OpenDNS and Google DNS servers.
    2. Firewall: created an AllowedDNS alias with the IPs for OpenDNS and Google.
    3. Firewall Rules: one to allow the AllowedDNS alias on the LAN interface on UDP 53, followed by a block rule for any other UDP 53 traffic with the log option so I can find broken clients.
    4. DHCP Server: populated the DNS Servers setting with OpenDNS and Google DNS.
    5. DHCP Static Mappings and Pool: all my documented internal clients have a reserved static address with a hostname. Guest clients coming from the wireless AP get a specific DHCP scope. Anything else is denied.

    How do I set up the resolver such that I can resolve the DHCP statically mapped hosts from my internal devices? I am thinking that checking off 'DHCP Registration' would work, but would this also allow the outside world to resolve them (back to question 1)?
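The two halves of the question (who may query the resolver, and how the static DHCP hosts become resolvable in both directions) map onto a handful of Unbound settings, which is what the pfSense DNS Resolver runs underneath. The script below is an added example, not from the thread or from pfSense itself: it generates an Unbound configuration fragment that listens on the LAN address and localhost only, refuses everyone but LAN clients, and publishes an A and a PTR record for each statically mapped host. The hostnames are the ones named later in the thread; the domain `home.lan`, the LAN address `192.168.1.1`, the network `192.168.1.0/24` and the host addresses are assumptions. The optional `forward-zone` uses the published OpenDNS and Google Public DNS addresses and is only emitted when a forwarder list is passed in.

```python
# Added example (not from the thread or from pfSense): generate an Unbound
# configuration fragment that listens only on LAN and localhost, answers only
# LAN clients, and publishes forward (A) and reverse (PTR) records for the
# statically mapped DHCP hosts.
import ipaddress

# Constructed sample data. Hostnames follow the ones named in the thread;
# the domain, the LAN interface address and the host addresses are assumptions.
LOCAL_DOMAIN = "home.lan"
LAN_ADDRESS = "192.168.1.1"          # pfSense LAN interface address (assumed)
LAN_NETWORK = "192.168.1.0/24"
STATIC_MAPPINGS = [
    ("PC1", "192.168.1.10"),
    ("PC2", "192.168.1.11"),
    ("Switch1", "192.168.1.2"),
    ("PRN1", "192.168.1.20"),
]
# Published OpenDNS and Google Public DNS addresses; only used when the
# resolver should forward instead of resolving from the root hints.
FORWARDERS = ["208.67.222.222", "208.67.220.220", "8.8.8.8", "8.8.4.4"]


def validate_mappings(mappings, network):
    """Reject duplicate names/addresses and addresses outside the LAN.

    Returns a list of problems; an empty list means the mappings are usable.
    """
    net = ipaddress.ip_network(network)
    problems, names, addrs = [], set(), set()
    for host, ip in mappings:
        addr = ipaddress.ip_address(ip)
        if host.lower() in names:
            problems.append(f"duplicate hostname {host.lower()}")
        if addr in addrs:
            problems.append(f"duplicate address {addr}")
        if addr not in net:
            problems.append(f"{host} ({addr}) is outside {network}")
        names.add(host.lower())
        addrs.add(addr)
    return problems


def host_records(mappings, domain):
    """One local-data (A) and one local-data-ptr (PTR) line per host."""
    lines = []
    for host, ip in mappings:
        name = f"{host.lower()}.{domain}."
        lines.append(f'local-data: "{name} A {ip}"')
        lines.append(f'local-data-ptr: "{ip} {name}"')
    return lines


def build_config(mappings, domain, lan_address, lan_network, forwarders=None):
    """Assemble the unbound.conf fragment as a single string."""
    problems = validate_mappings(mappings, lan_network)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [
        "server:",
        "    # Listen on LAN and localhost only; the WAN address is not listed.",
        f"    interface: {lan_address}",
        "    interface: 127.0.0.1",
        "    # Only LAN and local clients may query; everything else is refused.",
        f"    access-control: {lan_network} allow",
        "    access-control: 127.0.0.0/8 allow",
        "    access-control: 0.0.0.0/0 refuse",
        f"    # Names under {domain} are answered from local data only;",
        "    # unknown names get NXDOMAIN instead of being sent upstream.",
        f'    local-zone: "{domain}." static',
    ]
    lines += ["    " + rec for rec in host_records(mappings, domain)]
    if forwarders:
        lines += ["", "forward-zone:", '    name: "."']
        lines += [f"    forward-addr: {fwd}" for fwd in forwarders]
    return "\n".join(lines) + "\n"


def reverse_name(ip):
    """The in-addr.arpa name a client queries for a reverse lookup."""
    return ipaddress.ip_address(ip).reverse_pointer


if __name__ == "__main__":
    print(build_config(STATIC_MAPPINGS, LOCAL_DOMAIN, LAN_ADDRESS, LAN_NETWORK))
```

Because the WAN address never appears in an `interface:` line and `access-control` refuses everything outside the LAN, a host on the internet gets no answer even if a WAN firewall rule were ever opened for UDP 53; the firewall block rule and the resolver's own listener restriction are two independent layers. In the pfSense GUI the same effect comes from selecting LAN and Localhost under Network Interfaces and enabling DHCP Registration / Static DHCP registration, which is what produces the `local-data` entries.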


  • Rebel Alliance Global Moderator

    "1. General Setup: entered OpenDNS and Google DNS servers"

    Why?? Thought you said you were using the resolver.. What is the point of putting in forwarders if you're going to resolve?

    "Does this mean that someone other than my local clients could query the resolver on the WAN interface?"

    Not unless you create a firewall rule on your WAN that would allow it. But sure, it's probably a good idea not to listen on interfaces you don't want/need to listen on. It's just the default setting because your typical user is stupid ;)

    "4. DHCP Server: Populate the DNS Servers setting for OpenDNS and Google DNS"
    "How do i setup the resolver such that i can resolve the DHCP statically mapped hosts on my internal devices?"

    Who exactly would be talking to your resolver if you're going to tell DHCP clients to use outside DNS??

    Are you saying you just want your guests to be able to use Google and OpenDNS, while your other networks use the pfSense resolver? I don't get the logic, to be honest, of limiting "guests" to specific DNS.. Why should you care? Sure, hand them OpenDNS or Google DNS so hey, internet works from your DHCP scope. But what if they like to use 4.2.2.2 and have that hardcoded? Why should you prevent that? If you use outside DNS, your wifi guests are not going to be able to resolve any of your hosts?? Do you want them to?

    "I am thinking that checking off 'DHCP Registration' would work but would this also allow the outside world to resolve them (back to question 1)?"

    Huh?? Out of the box nobody can do anything from the internet to pfSense unless you have forwarded it or allowed it on the firewall. The default WAN rules are block ANY.. Just because something listens on a port does not mean it's open to the internet until you allow it via a firewall rule.



  • "Why?? Thought you said you were using the resolver.. What is the point of putting in forwarders if you're going to resolve?" - Good point. My initial thought was that having a backup destination is good (just like having more than one NTP server). I take it that if the resolver cannot reach the root hints, doing this will not make the resolver go elsewhere?

    "Who exactly would be talking to your resolver if your going to tell dhcp clients to use outside dns??" - internal clients.  For example, PC1, PC2, Switch1, PRN1, etc. etc.  I would like to be able to resolve PC1 from PC2 or vice-versa.  The bigger thing is being able to have my syslog VM resolve all the internal IPs to names during log post processing.

    "Are you saying you just want your guests to be able to use google and opendns? While your other networks use pfsense resolver?" - No. I just want to be able to resolve internal hostnames. So if I was on PC1 and needed to poll or connect to, say, PRN1, I could just use the FQHN, or if the syslog data has IP addressing I could do a reverse lookup on the IP and get the hostname. If PC1 or the syslog box were looking up something on the internet then the end result would be that they go to OpenDNS or Google DNS.

    thanks!
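The syslog use case above is the one the reverse records exist for: once the resolver serves a PTR record per static mapping, log post-processing can turn addresses back into names and, just as usefully, list the addresses that have no mapping at all. The script below is an added example, not from the thread: it builds the reverse table offline from the same constructed mappings, annotates constructed sample log lines, and reports the unmapped addresses. The hostnames are the ones named in the thread; the domain, addresses and log lines are constructed.

```python
# Added example (not from the thread): rewrite IPv4 addresses in log lines to
# the internal hostnames they belong to, using a reverse table built from the
# static DHCP mappings, and collect the addresses that no mapping explains.
import re

# Constructed sample data; hostnames follow the thread, the rest is assumed.
LOCAL_DOMAIN = "home.lan"
STATIC_MAPPINGS = [
    ("PC1", "192.168.1.10"),
    ("PC2", "192.168.1.11"),
    ("Switch1", "192.168.1.2"),
    ("PRN1", "192.168.1.20"),
]

# Constructed sample log lines, not real syslog output.
SAMPLE_LOG = [
    "Jan  1 10:00:01 switch1 sshd: Accepted password from 192.168.1.10 port 51234",
    "Jan  1 10:00:05 prn1 lpd: job from 192.168.1.11 queued",
    "Jan  1 10:00:09 pfsense filterlog: 192.168.1.99 -> 8.8.8.8 blocked",
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def ptr_table(mappings, domain):
    """Address -> FQDN, the same answers the resolver's PTR records give."""
    return {ip: f"{host.lower()}.{domain}" for host, ip in mappings}


def annotate(line, table):
    """Replace each known address with 'hostname (address)'; leave others as-is."""
    def sub(match):
        ip = match.group(0)
        name = table.get(ip)
        return f"{name} ({ip})" if name else ip
    return IPV4.sub(sub, line)


def unresolved_addresses(lines, table):
    """Addresses seen in the log with no static mapping (guests, rogue hosts, upstream)."""
    seen = set()
    for line in lines:
        for ip in IPV4.findall(line):
            if ip not in table:
                seen.add(ip)
    return sorted(seen)


if __name__ == "__main__":
    table = ptr_table(STATIC_MAPPINGS, LOCAL_DOMAIN)
    for line in SAMPLE_LOG:
        print(annotate(line, table))
    print("unmapped:", unresolved_addresses(SAMPLE_LOG, table))
```

Against a live pfSense resolver the lookup would be `socket.gethostbyaddr(ip)`, which asks the resolver for the PTR record and so returns the same names the static table holds; the offline table keeps the example self-contained. The unmapped list is the part worth watching: with the block-and-log rule from the original post, an internal address that appears there and in the DNS block log is a client that is neither documented nor using the allowed resolvers.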