DNS Resolver and IPv6



  • I'm trying to configure IPv6 on a network that has no IPv6 DNS servers, only IPv4, so I tried switching on "DNS Resolver" and set a few records. These work as expected using the IPv6 address of the firewall.

    I have two Windows servers running as DNS servers with a ton of internal records I can't shift to pfSense yet, so I enabled "DNS Query Forwarding" and then configured the two IPv4 addresses in System / General Setup.

    These don't appear to work though, as I'm not getting the records back. Is this setup possible, or do these Windows DNS servers also require an IPv6 address for the "DNS Resolver" to try and use them?


  • LAYER 8 Global Moderator

    IPv6 as the transfer protocol has nothing to do with the AAAA record, which would be the IPv6 address for a host..

    But if you're trying to fire up IPv6 on your network, then yeah, you should have your DNS listen on IPv6… Really one of the first boxes that should come up on IPv6 in your add-IPv6 plan ;)

    If you are running AD and have members of your AD, they really should point directly to your AD DNS, not pfSense.  And yeah, if you're going to be running IPv6 on your network, you should have name servers for your network to use that are on IPv6..  But that doesn't mean you cannot look up AAAA via IPv4..



  • We are planning to switch DHCP and DNS over to pfSense and get rid of AD completely, but so far have only managed to do the DHCP bit with IPv4 addresses.

    I'm pointing clients at my pfSense box, which has "DNS Resolver" running on an IPv6 address, but it doesn't appear to be trying to request the records from the 2 servers I have configured in System / General at all. If I use nslookup and request them directly from either of the two Windows boxes, it works. Requesting from the pfSense box does not, on either IPv4 or IPv6.

    Any suggestions?


  • LAYER 8 Global Moderator

    "which has 'DNS Resolver'"
    "but it doesn't appear to be trying to request the records from the 2 servers"

    It wouldn't - it's a RESOLVER, not a forwarder ;)

    Take it you don't understand the difference…

    A resolver walks down from the root to the authoritative server for whatever domain you're looking for..

    Hey roots (.), who is the NS (nameserver) for .com? - great, thanks
    Hey NS for .com, who is the NS for domain.com? - great, thanks
    Hey NS for domain.com, what is the A record for www.domain.com?

    That is how a resolver works..

    A forwarder is:

    Hey 1.2.3.4, what is the A for www.domain.com?
    The forwarder then either has it cached already, is a resolver itself, or forwards it on -- at the end you will always hit a "resolver".

    Running it on pfsense just cuts out the middle man ;)

    If you're going to run the resolver then you have zero reason for any other NS to be listed or gotten from your ISP.  pfSense should just point to itself for DNS, 127.0.0.1..  If the resolver is not working then you would have to look into why.. What is in its log?



  • Switched to the forwarder and it now works as expected. Thanks for the help.


  • LAYER 8 Global Moderator

    Using the resolver is the better choice.. but whatever..



  • I switched back to the resolver and added a domain override for internal.<companyname>.com to point at our internal DNS server and it works.

    Really need to start migrating everything over to the DNS, then I can get rid of that.



  • Also needed to add this to the custom options textbox, otherwise I was getting this in the logs: 'sanitize: "removing public name with private address"'

    server:
        private-domain: internal.<companyname>.com
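As an added example that is not from the thread, here is what the last two posts amount to in unbound's own configuration (the DNS Resolver on pfSense is unbound), assuming the internal zone is internal.example.com and the two Windows DNS servers sit at the constructed addresses 192.0.2.10 and 192.0.2.11: the forward-zone stanza is what a Domain Override corresponds to, and private-domain is the custom option that stops the sanitizer from discarding RFC 1918 answers for that zone.

```conf
server:
    # The internal zone legitimately answers with private (RFC 1918) addresses.
    # Without this, unbound strips them and logs
    # 'sanitize: "removing public name with private address"'.
    private-domain: "internal.example.com"

    # Only needed when DNSSEC validation is enabled on the resolver: the
    # internal zone is unsigned, so validation of its answers would fail.
    domain-insecure: "internal.example.com"

# Equivalent of the Domain Override: queries for this zone (and only this
# zone) go to the internal servers; everything else is still resolved from
# the root. Forwarding over IPv4 is fine even though clients reach the
# resolver over IPv6, and AAAA records come back either way.
forward-zone:
    name: "internal.example.com"
    forward-addr: 192.0.2.10
    forward-addr: 192.0.2.11
```

In the pfSense GUI the forward-zone part is the Domain Override entry and the server: lines go in the Custom Options box; unbound-checkconf validates the generated file before the service is restarted.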

