Pfsense default DNS entry



  • Quick question that's been bothering me for a while

    I have pfsense set up with many different VLANs, with the firewall set up so it blocks access to the webinterface over all VLANs except management (192.168.10.1/24).
    For pfsense I have a DNS entry set up so 'pfsense.local.x' goes to 192.168.10.1.

    However, pfsense also automatically has a record at 192.168.42.1. I do not want it to return this entry!

    $ host pfsense.local.x
    pfsense.local.x has address 192.168.42.1
    pfsense.local.x has address 192.168.10.1
    

    I have tried many different settings; disabling DHCP leases being added, static mappings, etc. But no success.

    Where does this default entry come from, and how can I disable it?


  • LAYER 8 Global Moderator

    so 42.1 is your lan entry I take it..

    Why do you need this 10.1 for management?  Why not just hit the lan IP to manage from whatever vlan you want to allow it.  Or normally the lan interface is made the management network.. This is where the anti-lockout rule is placed, etc.

    You can create views in unbound now to return specific IPs for fqdn depending on where the query came from, etc.

    Or normally you just use a different fqdn for the different IPs you might want to call up in pfsense other than lan.  For example I have pfsense.dmz.local.lan and pfsense.wlan.local.lan to reflect the IPs of those interfaces, etc. etc..



  • Thanks for the reply!

    As I didn't set it up, I wasn't aware of the LAN interface, but indeed, 42.1 is the LAN interface. Is there any way I can easily switch which interface pfsense sees as the LAN? This would actually be the proper solution right now.

    I don't want to use the LAN IP for management, as 42.1/24 is a testing network, and I'd rather not use it there. Never know who's going to over-allow something there.

    The DNS entry for pfsense is only used over the management VLAN, so I'd rather not specify different FQDN's for it.


  • LAYER 8 Global Moderator

    You can change the network used on lan to anything you want, whatever IP range you want to use - and then connect it to the correct network.  You can modify what interface it uses in pfsense on the interface assignment tab or the console.

    Keep in mind if your trying to do it via gui make sure your access pfsense gui via some other interface and IP while you change that around or your going to loose connectivity.



  • If you're worried about the exposure of the management interface you can dedicate the interface that is now marked as LAN solely as the management interface and use an OPT interface for the real "LAN" network where the untrusted clients are. Of course you have to add proper filter rules on the OPT interface to block any attempts to access the LAN interface or anything connected to it and also the pfSense webgui and other services running on pfSense.


Log in to reply