Set Darkstat to use internal DNS server, but still use DNSBL on pfSense



  • So DNSBL uses rules to point all DNS queries to itself so it can reject known ad domains and such.  This is good, this is what I want.

    Darkstat gives some useful information on what hosts are consuming bandwidth, but uses the internal DNS settings of pfSense to resolve hostnames.  This is where my problem is.  I want to point Darkstat to my internal DNS without changing the pfSense DNS settings so that I can resolve those hosts.

    With the current setup I either need to scrap DNSBL to make it work, or keep DNSBL and forget about resolving hostnames on darkstat.  This is not ideal.

    Is there any way to force Darkstat to use a different DNS server than what is defined in the general setup of pfSense?


  • Rebel Alliance Global Moderator

    Why can you not create a domain override in unbound to know what domains to use via your internal dns?



  • No idea how that would work.  I don't really understand it.  This is my home network and there isn't anything like an active directory domain.  A lot of stuff is static and not on DHCP, so I assumed that those would not be considered as part of that domain.


  • Rebel Alliance Global Moderator

    So why do you want to point pfsense to some internal dns?  Are you running a pihole or something.. What domains does this other dns resolve that pfsense can not?

    If your wanting to run pihole..  This is what I do..

    I point all clients on the pihole box running on a pi3, 192.168.3.10.. I then setup the pihole to forward traffic to pfsense running unbound 192.168.3.253.  I have set pihole to forward rfc1918 by unchecking the never.

    So client asks pfsense for say pfsense.local.lan - this gets forward to pfsense, which that is local host and gets resolved to the rfc1918 address back to the client.
    If client asks for say www.google.com, pihole forwards to pfsense - pfsense resolves that as normal and returns it to pihole which returns it to the client.
    If client asks for something that pihole is blocking - then pfsense never gets asked.
    If client asks for say www.domain.com, pihole forwards to pfsense - if you were blocking that via say pfblocker then pihole would either get back what you have setup pfblocker to return and pihole would return that to client.
    if client asks for something say www.otherdomain.com, pihole forwards to pfsense - maybe dnssec is broken on this domain then nothing would get returned and it wouldn't resolve, etc.

    This sort of setup allows you to use pihole, and also have pfsense resolve anything either local or nonlocal, etc.  Once things are cached by pihole - client asks pihole for something that is cached then pihole returns the cache.

    You could do it this way for any internal nameservers you might be running say AD.  Or another way you could do it is say you had an internal nameserver that was authoritative for yourdomain.tld, you could setup a domain override in the resolver (unbound) that says hey client looking for something.yourdomain.tld ask ns a.b.c.d, etc..

    Hope that helps!  If what exactly are you wanting to use an internal NS to resolve?




  • Thanks, that's kind of the setup I have going on.

    I have a FreeNAS server that I've been using for a long time that has a jail set up with dnsmasq and it's been doing my DHCP and DNS for a long time.  I have configuration in place, ad blocking, etc, and it's all bee working great.  I realize pfSense can do all of this, but I don't want to simply move everything over.  If one day I decide to change my firewall I lose that configuration.

    my dnsmasq setup forwards requests to the firewall, which forwards out as needed.

    I am only after getting my local LAN hostnames from my local LAN dnsmasq server on pfsense so I can see darstat/ntopng data with resolved hostnames.  I would have thought there'd be a specific setting in one of these to use a different DNS server to resolve names.

    I'm still a little lost on how your pfsense box knows to resolve names through pihole (or in my case, freenas dnsmasq).  I'm using pfBlocker so that overrides my DNS settings to tell pfSense to use itself as a name server, which in turn makes it so it can't resolve local LAN addresses with my local DNS server on freenas.


  • Rebel Alliance Global Moderator

    Yours is a bit different, you have your internal dns/dhcp.  In my case pfsense is what does local names/dhcp.

    In your case you should just set pfsense to use your freenas box for its dns, and then have your clients just use your freenas as well.

    I don't really see the point in your setup of forwarding to pfsense - since your not doing anything on pfsense really related to dns.  Unless your wanting to leverage it for pfblocker and or dnssec that your current freenas isn't doing if its just forwarding vs resolving.

    If so just setup the resolver on pfsense with domain overrides for whatever you using for you local domain.  I use local.lan for example.  And then setup domain override for whatever reverse zones you have.. So for example darkstat sees IP address 192.168.1.100, and you want to resolve that IP to host.yourdomain.tld.

    So in the domain override setup your 168.192.in-addr.arpa zone to forward to your freenas.  That way pfsense can just use the resolver locally for itself, and it can resolve stuff it needs to if public, or if PTR it will know to go ask your freenas for the reverse zone.

    What domain are you using local and whats your freenas IP and I can post a picture for example.



  • Thank you, this is the answer I was looking for.

    Not 100% sure on the syntax for the 168.192.addr.arpa is though.  I'm using a 10.0.0.0/24 network.  Do I need to define all octets in that?  EG: 0.0.0.10.in-addr.arpa?


  • Moderator

    @ninjai:

    I don't want to simply move everything over.  If one day I decide to change my firewall I lose that configuration.

    If you setup the DNS and DHCP roles in pfSense, you can still do that and park your FreeNAS setup without deleting it. This will leverage more functionality then piecemealing over all those devices. Should you decide to change firewalls (hopefully you want to stay with pfSense in the long run) it shouldn't be too difficult to re-enable your previous solution as all LAN devices are already DHCP.

    Also keep in mind that pfBlockerNG is more than an ADBlocker and having those roles enabled in pfSense will allow the package to be utilized to its fullest potential. Should you need further help, please post in the pfBlockerNG forum threads. The next version of the package is expected soon. Lots of new features to play with.


  • Rebel Alliance Global Moderator

    BBcan is right I really would just switch over to pfsense for your dns and dhcp..

    But no you don't really need the full zone forwarded, 10.in-addr.arpa would be fine.