Two DNS issues

  • New to pfSense after using AsusWRT-Merlin on a consumer router - solved most issues, but these two are beating me.

    1. Resolve DNS without specifying a domain

    I used to be able to type in "server" into any machine and that would resolve to the correct IP.

    However now I need "server.domain".

    Whilst I appreciate that is how it should work, I really don't want to mess about on all the clients (which is iOS/Mac/Windows locally and via OpenVPN).

    So, how can I now set pfSense to allow me to type any hostname into any machine, like it used to work on AsusWRT?

    2. Resolving a website hosted locally.

    Externally website.com resolves to my WAN IP and I get to see my server's content.
    Internally website.com resolves to the pfSense IP, not my server.

    How do I resolve that?

    Many Thanks :)


  • Rebel Alliance Global Moderator

    1) The fix is to use the correct domain; you can use search domains on your clients. Sorry, this is the FIX, be it you have 10 machines or 10,000. The domain an OS adds for a lazy user not putting in the domain can be handed out via DHCP, group policy, etc.

    Your issue is pure laziness, wanting to put in host vs host.domain. When does this even come into play? If you're going to something in a browser, this would need to be done exactly one time, and from then on you can use a bookmark. The same goes for any application where you're putting in info to connect to something. So when does this come into play? When you're doing something from a command line. So use the FQDN. Or, if the device you're looking for via just its hostname responds to broadcast, like Windows machines do, then you could still use just the hostname and Windows would broadcast for the name, etc.

    2) Don't use your external public domain locally. If you use domainX.com on the public internet, use domainX.net or .lan locally. Problem solved.


  • @johnpoz:

        1) The fix is to use the correct domain; you can use search domains on your clients. Sorry, this is the FIX, be it you have 10 machines or 10,000. The domain an OS adds for a lazy user not putting in the domain can be handed out via DHCP, group policy, etc.

        Your issue is pure laziness, wanting to put in host vs host.domain. When does this even come into play? If you're going to something in a browser, this would need to be done exactly one time, and from then on you can use a bookmark. The same goes for any application where you're putting in info to connect to something. So when does this come into play? When you're doing something from a command line. So use the FQDN. Or, if the device you're looking for via just its hostname responds to broadcast, like Windows machines do, then you could still use just the hostname and Windows would broadcast for the name, etc.

        2) Don't use your external public domain locally. If you use domainX.com on the public internet, use domainX.net or .lan locally. Problem solved.

    1. That is rather disappointing - however, I'll shorten the domain such that it is a letter or two.

    2. This is a regularly used bookmark, such that wherever I am I get to the right webpage. You're saying I need two? That would mean my history would be different too… Again, why did this work properly on AsusWRT?

    Number 1 I can live with.
    Number 2 is a PITA if I can't get it to work properly.


  • Rebel Alliance Global Moderator

    1. What??

        2. Resolving a website hosted locally.

        Externally website.com resolves to my WAN IP and I get to see my server's content.
        Internally website.com resolves to the pfSense IP, not my server.

    What does that have to do with bookmarks?? You're trying to go to what, exactly? You state it resolves to your pfSense IP… So that tells me you're using the same NAME. Don't do that... But I think you did not explain yourself correctly.

    On the public internet you have www.domain.com that resolves to your public IP, which you port forward to some IP behind pfSense. Users on the internet work fine. But you, on your own network, put in www.domain.com and you get the pfSense GUI... If that is the case, then put in a simple host override.

    So, say you're forwarding 80 to 192.168.1.100; then in the host override put in www.domain.com to resolve to 192.168.1.100. Done.

    Back to 1. Dude, how exactly are you using host names?? You do understand every OS should be set up with a default domain and/or search suffix, etc. And that info can be handed out via DHCP, so the OS will auto-add that to DNS.

    So, 1st example: I look for something that DNS returns via pfSense. I use local.lan as my local domain, so all boxes are listed with that as their FQDN, that is what they resolve to, and that is what they use in their search suffix. Image 1: see, I ask for storage and it comes back fully qualified as storage.local.lan, because that is what the client asked for via DNS.

    Now, 2nd pic: there is no DNS for this user-pc box. The query for user-pc that is not fully qualified fails. That does not mean the box cannot be resolved via just its name. See the broadcast that gets its IP back; see the LLMNR query that returns its name. So I can ping it, but it's not fully qualified.

    So what exactly is not working for you, and why is it such a hassle to set up your devices to use a search domain if you're so keen on just putting in the host? Also, what is a use case where you're only using the name? Are you trying to hit them in a browser, from the command line, some application, what?? Please show an example of how you're trying to access these machines via just the name. And why would it be so hard to just use the FQDN?
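    The two fixes described in this thread, a search domain handed to clients so a bare "server" becomes "server.domain" (first reply), and a host override so www.domain.com answers with the LAN address from inside (this reply), are modelled in the Python below. It is an added illustration, not code from the thread or from pfSense. The domain home.lan, the addresses 192.168.1.100 and 203.0.113.10 and the search list are constructed for the example, and the SplitResolver class is a toy stand-in for unbound, not its API.

```python
"""Added example (not code from the thread or from pfSense).

1. Search-list expansion (resolv.conf semantics) is what turns the bare
   "server" a user types into "server.home.lan." before the query ever
   reaches pfSense.  That is why the suffix must be set on the client
   (via DHCP or by hand), not on the firewall.
2. A Host Override in the pfSense DNS Resolver is unbound local-data: the
   resolver answers from it before forwarding anything upstream, which is
   what makes www.domain.com resolve to the LAN address inside and to the
   WAN address outside (split DNS).

All names and addresses below are constructed for the example.
"""
from typing import Dict, List, Optional, Tuple


def expand_search_list(name: str, search: List[str], ndots: int = 1) -> List[str]:
    """Absolute names a resolv.conf-style stub resolver tries, in order.

    A trailing dot means "already absolute": the search list is skipped.
    A name with fewer than `ndots` dots is tried with each search suffix
    first and as-is last; a name with enough dots is tried as-is first.
    """
    if name.endswith("."):
        return [name]
    with_suffix = [f"{name}.{s.strip('.')}." for s in search]
    as_is = [f"{name}."]
    if name.count(".") < ndots:
        return with_suffix + as_is
    return as_is + with_suffix


class SplitResolver:
    """Toy stand-in for the resolver on pfSense: local overrides win,
    everything else is forwarded upstream.  `forwarded` records what
    left the LAN, so a leak of bare hostnames is visible."""

    def __init__(self, overrides: Dict[str, str], upstream: Dict[str, str]):
        self.overrides = {k.rstrip(".").lower(): v for k, v in overrides.items()}
        self.upstream = {k.rstrip(".").lower(): v for k, v in upstream.items()}
        self.forwarded: List[str] = []

    def lookup(self, fqdn: str) -> Optional[str]:
        key = fqdn.rstrip(".").lower()
        if key in self.overrides:
            return self.overrides[key]
        self.forwarded.append(key)
        return self.upstream.get(key)

    def unbound_local_data(self) -> List[str]:
        """Render the overrides in unbound's `local-data:` syntax."""
        return [f'local-data: "{name}. IN A {ip}"'
                for name, ip in sorted(self.overrides.items())]


def resolve(name: str, search: List[str], resolver: SplitResolver,
            ndots: int = 1) -> Tuple[Optional[str], List[str]]:
    """Resolve `name` the way a client with the given search list would.
    Returns (address or None, the absolute names actually queried)."""
    tried: List[str] = []
    for candidate in expand_search_list(name, search, ndots):
        tried.append(candidate)
        addr = resolver.lookup(candidate)
        if addr is not None:
            return addr, tried
    return None, tried


# Constructed LAN: web server at 192.168.1.100, port-forwarded from the WAN.
OVERRIDES = {"server.home.lan": "192.168.1.100", "www.domain.com": "192.168.1.100"}
PUBLIC_DNS = {"www.domain.com": "203.0.113.10"}   # what the world sees (WAN address)


def demo() -> Dict[str, object]:
    lan = SplitResolver(OVERRIDES, PUBLIC_DNS)
    internet = SplitResolver({}, PUBLIC_DNS)        # a client outside, no overrides
    return {
        # Issue 1: bare "server" works only because the client appends the suffix.
        "server_with_search": resolve("server", ["home.lan"], lan),
        # With no search domain the bare label goes upstream as "server.", a query
        # for a non-existent top-level name that carries the hostname off the LAN.
        "server_without_search": resolve("server", [], lan),
        # Issue 2: the override makes the public name resolve to the LAN address...
        "website_inside": resolve("www.domain.com", ["home.lan"], lan),
        # ...while clients outside still get the WAN address.
        "website_outside": resolve("www.domain.com", [], internet),
        "leaked_from_lan": list(lan.forwarded),
        "unbound_config": lan.unbound_local_data(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    The `server_without_search` case shows the part the thread only hints at: with no suffix configured, the client sends the bare label upstream as an absolute query (`server.`), so the hostname leaves the LAN and is answered by whatever server is authoritative for that non-existent TLD. The `unbound_config` lines use the `local-data:` form unbound reads, which is how the pfSense DNS Resolver implements host overrides; the precedence is the one the demo shows, overrides first, everything else forwarded.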






  • @johnpoz:

        1. What??

            2. Resolving a website hosted locally.

            Externally website.com resolves to my WAN IP and I get to see my server's content.
            Internally website.com resolves to the pfSense IP, not my server.

        What does that have to do with bookmarks?? You're trying to go to what, exactly? You state it resolves to your pfSense IP… So that tells me you're using the same NAME. Don't do that... But I think you did not explain yourself correctly.

        On the public internet you have www.domain.com that resolves to your public IP, which you port forward to some IP behind pfSense. Users on the internet work fine. But you, on your own network, put in www.domain.com and you get the pfSense GUI... If that is the case, then put in a simple host override.

        So, say you're forwarding 80 to 192.168.1.100; then in the host override put in www.domain.com to resolve to 192.168.1.100. Done.

        Back to 1. Dude, how exactly are you using host names?? You do understand every OS should be set up with a default domain and/or search suffix, etc. And that info can be handed out via DHCP, so the OS will auto-add that to DNS.

        So, 1st example: I look for something that DNS returns via pfSense. I use local.lan as my local domain, so all boxes are listed with that as their FQDN, that is what they resolve to, and that is what they use in their search suffix. Image 1: see, I ask for storage and it comes back fully qualified as storage.local.lan, because that is what the client asked for via DNS.

        Now, 2nd pic: there is no DNS for this user-pc box. The query for user-pc that is not fully qualified fails. That does not mean the box cannot be resolved via just its name. See the broadcast that gets its IP back; see the LLMNR query that returns its name. So I can ping it, but it's not fully qualified.

        So what exactly is not working for you, and why is it such a hassle to set up your devices to use a search domain if you're so keen on just putting in the host? Also, what is a use case where you're only using the name? Are you trying to hit them in a browser, from the command line, some application, what?? Please show an example of how you're trying to access these machines via just the name. And why would it be so hard to just use the FQDN?

    Added a host override; I think that has fixed it.

    As for the domain, I used to be able to resolve "server" correctly (be it ping, ssh, web browsers, Mac, iOS, Windows or Linux) without any special setup.

    However, I've now added "aa" as my domain such that "server.aa" resolves correctly via iOS, OpenVPN, etc.

    All working now I think. Thanks.


  • Rebel Alliance Global Moderator

    Just aa, so a single label. Yeah, bad idea.

    Your domain could be thisismydomainanditsverylongsoIhatetotypeit.com and it would still be done automatically if you would just set up your clients correctly in the right domain and/or use suffix search.

    And you have yet to really give an example of why you need it… As I went over, there are ways to resolve the name locally via broadcast, LLMNR, etc. that have nothing to do with DNS. So what exactly is not resolving that you need a single-label domain that is really short because you're too lazy to type in domain.com, etc.?

    Yes, for DNS to resolve, it needs to be, and should be, fully qualified, not just a hostname.