DNS Forwarder and DNS Resolver in parallel?

  • Hi,

    I have a network connected to my pfSense 2.3.2 box which hosts loads of unsecure devices (mobile phones and so on).

    I have an internal domain for my other networks.

    I have configured DNS resolver to listen on all local interfaces. I use a "Domain Override" to get my internal hostnames resolved.
    So far everything is working fine.

    But there is now a security issue. I do not want the devices on the unsecure network to be able to resolve my internal hostnames. They should only get the official (external) hostnames.

    So I tried to configure DNS-Forwarder in parallel, told my DNS resolver not to bind on the unsecure interface and tell the DNS forwarde to bind ONLY to the unsecure interface.
    But DNS Forwarder refuses to work and tells me the port is already in use by DNS Resolver. Which is only partically right (it is in use, bot not on this interface).

    Do you have any clue how I can configure pfSense to forward my internal domain for my internal networks to the internal DNS server while serving the external domain to the unsecure network devices only?



  • Banned

    This would be much more elegantly handled by BIND and the views feature. Other than that, just create a NAT rule on the insecure network redirecting queries to port 53 to another port on the interface address.

  • Yeah, I am aware of bind. I would just prefer to use the build-in modules instead of relying on external packages beeing slowly updated…

    I think I will use the suggested forwarding rule.

    It's just kind of a bug about DNS forwarder complaining about a used port even though it is not on the same interface....

  • LAYER 8 Global Moderator

    You will notice that the forwarder you can pick the interface to respond to queries on - but its still listening on that interface, it just wont answer queries..

    Simple solution if you ask me if you don't want these devices resolving any of your internal stuff would be just hand them public dns in the first place..  Why do they they need to query pfsense IP for dns, which you don't want them to resolve your internal stuff only public - so let them use a public dns, hand them your isp, or google or open or, etc. etc..

  • Well, this is a possibility- but if I use an external DNS server I give up on all local caching stuff…

    I configured the Unbound resolver (resolving internal domains) now to use port 153 and create NAT rules forwarding port 53 UDP/TCP requests  to 153 on the secure interfaces.

    The insecure interfaces have DNS forwarder listening on port 53 who queries itself the external DNS servers.

    All test are fine so far.

    There is just one thing I am not sure (or which I would like to optimize):

    As far as I understand both (Undbound and forwarder) query the configured external DNS servers. Can I tell Unbound to query only localhost:53 instead? Then all caching would be perfect....

  • How are things working for you knebb? Any issues with this setup?

    So I actually tried this exact setup back in June of 2016 and things broke. I used dnsmasq (forwarder) for the internal network and then unbound (resolver) for the guests. But with my setup I actually had a couple of host overrides I needed for the quest side (access to a printer) and we have a ton of host overrides on the internal network.

    Problems came about because, at least back then, dnsmasq and unbound BOTH stored their host overrides in /etc/hosts. So I could start unbound first and things worked on guest. Then I could start dnsmasq and things worked on the internal network. But give it several hours (12-48) and they both start trampling on /etc/hosts and things break on one or both networks.

Log in to reply