DNS Resolver - Host Overrides - ability to choose record types?



  • Hi folks,

    I am running pfsense 2.3.3 in a small office (single pfsense box, three network cards, wan, lan, dmz).  Not doing anything terribly fancy - but do host a couple of websites (blog, that kind of thing) on a box in the DMZ.

    I have been using the DNS resolver for a while (maybe 8 months?) and have a couple of host overrides defined.  That configuration works perfectly for me - lookups in the lan/dmz get sent to a local address and not to the public address of the WAN on my pfsense box.  I just noticed (yup - took me months to notice!) that the Host Overrides are affecting not just 'A' records (which I expected) but also MX records.

    The email for the websites I host is all handled by google servers.  So… I don't want the MX records overridden.  I had a look around here and found pretty quickly that I can add some custom configuration to override the MX records locally.  This guy here https://forum.pfsense.org/index.php?topic=110447.msg614848#msg614848 seems to have hit exactly the same problem as me.  So I've already worked around the problem.  It's a little hacky - I now have my MX records defined twice (once on my hosting control panel and once in pfsense).

    Would it be possible to add something to the GUI to get the DNS resolver to 'just override' certain classes of records?  The default could be 'all types' but tick-boxes etc. to allow a user to choose if required.  Yes - this is a 'hopeful' feature request!  Am a big pfsense fan - don't know enough to guess how big an ask this is - just thought I would ask/highlight an end-user experience,

    Meas Mór!


  • Rebel Alliance Global Moderator

    This would only be a problem if you're not actually using a host in your fqdn.

    So I have a host on the internet.. so its fqdn would be host.domain.tld – let's say it's www.gmail.com..  Now the MX record for the gmail.com domain could point to smtp.gmail.com or it might even point to the same host www.gmail.com; doesn't really matter, it's the MX record that has the fqdn of the mail server(s)..

    Your only problem is if you're putting a record in unbound that is only 2 labels, i.e. if you point gmail.com to an IP then you're going to have an issue when you try to look up the MX for gmail.com - but if you had a host override that was for www.gmail.com you would be fine.

    So you can see I created a host override for www.gmail.com and that returns what I gave for its IP, 192.168.100.100; if I ask for the MX record for gmail.com that returns fine..

    Also are you using the domain as the pfsense domain?  If you're using the same domain for the pfsense local domain, then you might need to set your type to typetransparent vs transparent for unbound..
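    The behaviour described above follows from unbound's local-zone types: with the default "transparent" type, a name that has local data answers NODATA for any other record type, so a host override for the bare 2-label domain swallows the MX lookup, while an override for www.domain.tld leaves the apex MX alone, and "typetransparent" sends unmatched types upstream. The following is an added example (not unbound's code, and not part of this thread) that models those rules in a few lines of Python so the three cases can be compared offline; the domain example.com, the constructed "upstream" answers and the simplification that each host override creates an implicit zone at its own name are assumptions of the model.

```python
"""Simplified model of unbound local-zone 'transparent' vs 'typetransparent'.

Added example, not unbound's code. It models the unbound.conf(5) rules:
  transparent:     name has local data but not this type -> NODATA
  typetransparent: name has local data but not this type -> resolve upstream
plus the implicit zone unbound creates for a local-data (host override).
"""
from dataclasses import dataclass, field

# Constructed stand-in for the public DNS (RFC 5737 documentation addresses).
UPSTREAM = {
    ("example.com", "A"): ["203.0.113.10"],
    ("www.example.com", "A"): ["203.0.113.10"],
    ("example.com", "MX"): ["10 aspmx.l.google.com."],
}


@dataclass
class LocalZone:
    name: str                   # zone name, e.g. "example.com"
    ztype: str = "transparent"  # "transparent" or "typetransparent"
    data: dict = field(default_factory=dict)  # (owner, rrtype) -> rdata list


class Resolver:
    def __init__(self):
        self.zones = {}  # zone name -> LocalZone

    def add_host_override(self, fqdn, ip, ztype="transparent"):
        """Mimic a pfSense host override: local-data for fqdn plus an implicit
        local-zone at that name (simplification: unbound may merge zones)."""
        zone = self.zones.setdefault(fqdn, LocalZone(fqdn, ztype))
        zone.data[(fqdn, "A")] = [ip]

    def set_zone_type(self, name, ztype):
        """Explicit local-zone statement, e.g. for the pfSense system domain."""
        self.zones.setdefault(name, LocalZone(name)).ztype = ztype

    def _zone_for(self, qname):
        # Longest-suffix match: the most specific enclosing local zone wins.
        labels = qname.split(".")
        for i in range(len(labels)):
            cand = ".".join(labels[i:])
            if cand in self.zones:
                return self.zones[cand]
        return None

    def query(self, qname, qtype):
        zone = self._zone_for(qname)
        if zone is not None:
            if (qname, qtype) in zone.data:
                return ("NOERROR", zone.data[(qname, qtype)])
            name_has_data = any(owner == qname for owner, _ in zone.data)
            if name_has_data and zone.ztype == "transparent":
                # Name exists locally, type does not: NODATA, never goes upstream.
                return ("NOERROR", [])
            # typetransparent, or a name without local data: resolve normally.
        rrs = UPSTREAM.get((qname, qtype))
        return ("NOERROR", rrs) if rrs else ("NXDOMAIN", [])


def apex_override_hides_mx():
    """The thread's problem: override on the bare domain kills its MX lookup."""
    r = Resolver()
    r.add_host_override("example.com", "192.168.100.100")
    return r.query("example.com", "MX")


def host_override_keeps_mx():
    """The fix taken in the thread: override only www.<domain>."""
    r = Resolver()
    r.add_host_override("www.example.com", "192.168.100.100")
    return r.query("www.example.com", "A"), r.query("example.com", "MX")


def typetransparent_keeps_mx():
    """The alternative suggested above: keep the apex override, change the type."""
    r = Resolver()
    r.add_host_override("example.com", "192.168.100.100")
    r.set_zone_type("example.com", "typetransparent")
    return r.query("example.com", "A"), r.query("example.com", "MX")


if __name__ == "__main__":
    print("apex override, transparent   ->", apex_override_hides_mx())
    print("www override only            ->", host_override_keeps_mx())
    print("apex override, typetransparent ->", typetransparent_keeps_mx())
```

    Running the script prints an empty (NODATA) MX answer for the first case and the upstream MX for the other two, which is the same difference the dig/nslookup tests in this thread showed; on a real box the equivalent change is the host override's name (www.domain.tld rather than domain.tld) or a `local-zone: "domain.tld" typetransparent` entry in the resolver's custom options.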




  • @Johnpz -  ahh - I begin to understand.  Thank you (genuinely) for taking the time to reply.

    I had been using both:
    -> a host in my fqdn
    AND
    -> not using a host in my fqdn

    I've attached a screenshot of what I had.  I did that without thinking, if I'm honest.  For the public DNS I nearly always have 'domain.com' and 'www.domain.com' pointing to my public IP.  And then on apache I had a 'server alias' from domain.com to www.domain.com (which seemed fairly common practice).  So I just blindly mimicked that setup when configuring DNS resolver - without understanding the implications.

    So I now understand what I was doing wrong.  I have tweaked my apache config a little and updated my DNS resolver settings (to remove the 'domain.com' entries) and everything works perfectly.  I can nslookup all my MX records etc.  I really appreciate the input - I'm much happier having a working pfsense box with less configuration than having it working, but for all the wrong reasons.

    Meas mór!
    T.

    ![DNS Resolver.JPG](/public/imported_attachments/1/DNS Resolver.JPG)