PfSense and public DNS



  • Hi there

    I am quite a new user of pfSense, so sorry if this topic has been discussed before. I tried to search to see if I could find something similar, but I didn't.

    I have been working with pfSense in a small test environment, and have become very happy with the system. It is surprisingly easy to set up, and very intuitive to get up and running. However, I struggle a bit with my DNS.

    What I want to achieve:
    I have a domain, registered at dk-hostmaster (the authority in Denmark); let's call it domain.dk. It is currently directed to a one.com server, and I would like to administer it myself. I know there isn't really a financial win in doing so, but the purpose of this is to learn a bit about networks and server structure. I really enjoy teaching myself new stuff.

    So I went to dk-hostmaster and registered my servers (currently up on two redundant servers, on different IP addresses) as ns1.domain.dk and ns2.domain.dk. Whenever I try to point my domain.dk to my nameserver, I get an error at dk-hostmaster saying I don't have any NS records. So I have been trying to figure out how to be able to host my own, and other stuff. I haven't been able to, and now I need help.

    My servers are running Xeon E3-1245-v5 CPUs, virtualizing 2 cores and 2 GB RAM, with dual NICs for pfSense. I have managed to get the network up and running, with DNS forwarding inside the local network to my services on the network. Let's say I have a service on IP address 10.0.0.50 running a RESTful service; inside the network I can create a host override and access the service as service1.domain.dk. But I really want to access the service from outside the network as well.

    I have tried to port forward DNS and all kinds of stuff, but the only way I can access the service is by port forwarding to the IP and letting one.com's DNS handle the host override to, let's say, the IIS server on 10.0.0.50 inside the network. I really want to use my own DNS resolver to handle all DNS, as I would like to have different services running on, let's say, Apache, Tomcat and IIS servers.

    Is this even possible? Is this an okay way to do it? I really want to try to host everything myself, just because I want to learn it. Where do I start? As I mentioned, I have the basics up and running; I just need to make it public to the world.

    Thanks


  • Rebel Alliance Global Moderator

    I highly suggest against such a thing.. It rarely makes any sense to host your own DNS to the public..  I mean RARELY!!!

    I have been managing DNS for like 20+ years.. For some Fortune 500 companies, and even for a company with 3000+ domains..  You don't host it yourself! Just makes NO SENSE to do so.. Not when there are companies that do it for their bread and butter with anycast servers all over the globe, that can do it for pennies really!!

    If you want to play to learn - then play and learn with local dns servers.. You're not going to learn anything using unbound or dnsmasq in pfsense. They are not meant to be authoritative name servers.  If you want to run authoritative then you would want to install the BIND package at a min.  If you're running authoritative servers on servers inside your network.. Sure pfsense can forward 53 tcp and udp to them..

    If you want to run NS whose fqdn is inside the domain they are authoritative for then yes you need to create NS records at the registrar you have the domain with.. So let's call it domain.dk..  You would need to create NS records at this registrar, let's call them ns1 and ns2.domain.dk, with the IP address these servers are at.

    If you do not want to or can not create NS records at the registrar then you would need to point to NS that already resolve and point to the IP address of your wan connections.  Let's call these boxes ns1.otherdomain.com and ns2.otherdomain.com.

    You would have to edit these records where their dns is hosted to point to your wan IPs of pfsense.

    But again – if you're just wanting to learn and play.. Then do so just on your local network... You can run authoritative nameserver(s) for any domain you want.  A simple domain override in pfsense can point to these ns(s) when your clients that use pfsense as their dns look up something in dns.. Pfsense will just go ask the ns you list in the domain override.

    I can tell you once you get up to speed on how it all works - you will understand that there is almost zero reason to ever host it yourself.  If you want more control over the dns records than say your webhost or registrar gives you.. Just point your domain to the free dns over at Hurricane Electric.. They will host like 50 domains for you for FREE..  And pretty much give you full control over any sort of record you would like to create, etc..

    I run NS for a public play domain of mine.. I'm really the only one that queries it.. I run 2 different vps for this... The only reason I have these servers is to play with signing dnssec, etc.  I host only play records in them for testing.. But even then I don't host them inside my own network ;)
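    The registrar error the original poster hit ("you don't have any NS records") is the delegation side of what is described above: the registrar needs NS records for domain.dk, and because ns1/ns2.domain.dk sit inside the zone they delegate, those names also need glue A records with public addresses. The following is an added example, not code from this thread, from pfSense or from BIND: a small Python check over a constructed BIND-style zone (domain.dk, the ns1/ns2 names and the 198.51.100.x / 203.0.113.x documentation addresses are all assumed sample values) that flags the two mistakes this thread is about, missing glue and RFC 1918 addresses in records that are meant to be reachable from the internet.

```python
"""Delegation sanity check for a self-hosted authoritative zone.

Added example, not from the forum thread, pfSense or BIND. It parses a small
constructed zone for domain.dk and checks what the registrar side needs before
a delegation can work: at least two NS records, glue A/AAAA records for
in-bailiwick name servers, and no RFC 1918 addresses on public records.
"""
import ipaddress
from collections import defaultdict

# Constructed sample zone; public IPs are RFC 5737 documentation placeholders.
# service1 deliberately carries the LAN address from the thread (10.0.0.50).
SAMPLE_ZONE = """\
$ORIGIN domain.dk.
$TTL 3600
@        IN SOA ns1.domain.dk. hostmaster.domain.dk. 2024010101 7200 900 1209600 3600
@        IN NS  ns1.domain.dk.
@        IN NS  ns2.domain.dk.
ns1      IN A   198.51.100.10
ns2      IN A   203.0.113.10
service1 IN A   10.0.0.50
www      IN A   198.51.100.10
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    """True for private IPv4 space; such addresses can never be reached from the internet."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in RFC1918)


def parse_zone(text):
    """Return (origin, {owner_fqdn: [(type, rdata_tokens)]}) for a minimal zone-file subset.

    Handles $ORIGIN, $TTL, relative names, '@', an optional TTL and the class
    column; no multi-line parentheses. Enough for a sanity check, not a full parser.
    """
    origin = "."
    records = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            continue
        owner = tokens[0]
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        rest = tokens[1:]
        if rest and rest[0].isdigit():                # optional per-record TTL
            rest = rest[1:]
        if rest and rest[0].upper() in ("IN", "CH", "HS"):
            rest = rest[1:]
        records[owner].append((rest[0].upper(), rest[1:]))
    return origin, dict(records)


def check_delegation(text):
    """Return a list of problem strings; an empty list means the zone looks delegable."""
    origin, records = parse_zone(text)
    problems = []
    apex = records.get(origin, [])
    if not any(t == "SOA" for t, _ in apex):
        problems.append(f"no SOA record at {origin}")
    ns_targets = [rd[0] for t, rd in apex if t == "NS"]
    if len(ns_targets) < 2:
        problems.append(f"{origin} has {len(ns_targets)} NS record(s); registrars usually require at least 2")
    for ns in ns_targets:
        in_bailiwick = ns == origin or ns.endswith("." + origin)
        glue = [rd[0] for t, rd in records.get(ns, []) if t in ("A", "AAAA")]
        if in_bailiwick and not glue:
            problems.append(f"{ns} is inside {origin} but has no A/AAAA glue record")
        for ip in glue:
            if is_rfc1918(ip):
                problems.append(f"{ns} glue {ip} is an RFC 1918 address; unreachable from the internet")
    for owner, rrs in records.items():
        for t, rd in rrs:
            if t == "A" and owner not in ns_targets and is_rfc1918(rd[0]):
                problems.append(f"{owner} A {rd[0]} is private; only useful as a local host override")
    return problems


if __name__ == "__main__":
    for problem in check_delegation(SAMPLE_ZONE):
        print("PROBLEM:", problem)
```

    Run as-is it reports only the service1 record, which is exactly the host-override case from the first post: fine for clients inside the LAN, useless in a public zone, where that name would have to point at the WAN address with a port forward behind it. Deleting the ns1 A record makes the glue check fire, which is the symptom the registrar reported.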



  • @johnpoz:


    Hi there,

    Thanks for your reply! It was something like that I was looking for! Maybe I don't need to host a DNS server then. But how would you then achieve my goal of hosting my services under my domain?

    Trust me, it's not because I want to save money. It's simply because I have some hardware (which I think is pretty decent to play with), some domains (5 in total, all registered at dk-hostmaster and one.com), and thought it could be fun to have it all under one roof, so to say. Also one.com is only a small Apache server, and I would like to expand so I can deploy my small applications, which aren't able to run under Apache.

    As I mentioned, I would like to have, let's say, services 1 and 2 running from my server under domain1.dk and services 3 and 4 under domain2.dk. How do I achieve this? Let's say I don't need to host the DNS part myself, but the applications I would like to run from my own server?

    How would you do that?

    Hope you understand my question.

    Thanks again..



  • Maybe I don't need to host a DNS server then. But how would you then achieve my goal of hosting my services under my domain?

    There are plenty of commercial DNS servers available.  You arrange to have them provide your DNS service.  For example, I use one, through Google, called "enom".  It costs $10/year and I create the records I need.


  • Rebel Alliance Global Moderator

    So you want to forward to your different servers behind pfsense based upon the FQDN used to get there.  Do you only have 1 public IP or multiple IPs?

    If you have more than 1 you can forward stuff that hits IP1 to server X, if they hit IP2 they get forwarded to server Y.

    Or you can call out fqdn:port so that portX gets forwarded to server1 and portY gets forwarded to server2.

    If you only have 1 IP and want to forward based upon the fqdn used then you would have to run a reverse proxy on pfsense or behind pfsense to know which server should serve up the fqdn that is accessed.  This has nothing to do with whether you host your own dns or not.



  • @johnpoz:


    I have a total of 2 public static IPs, one for each network. So I should probably read up on reverse proxies? But then would I be able to have multiple fqdn consume services on 1 server?


  • Rebel Alliance Global Moderator

    Yes with a reverse proxy.. Which a couple of packages on pfsense can do..

    But you do not need that to have multiple FQDN on 1 server.. You need that if you want that on more than 1 server..

    You have IP 1.2.3.4 on your public wan..

    you could send
    www.domain.tld
    ftp.domain.tld
    host.otherdomain.tld
    www.something.tld

    All to 1.2.3.4, you forward 80 and 443 to 192.168.1.100 for example.. The server would know what page to serve up.  You could have hundreds of FQDN that resolve to 1.2.3.4 and get sent to .100 and have it serve them all.

    You only need a reverse proxy if you want to send say
    host.otherdomain.tld
    www.something.tld

    Of that listing to 192.168.1.101… vs the .100

    Pfsense just knows to send 80/443 to .100.. It can not read the FQDN part, it just sees traffic to a port.. To know to send to different machines behind your public IP you need a reverse proxy to read the FQDN it is trying to go to.. And then make a call on what rfc1918 address to send it to..
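    The distinction above (a port forward sees only the destination IP and port, while the FQDN lives one layer up, in the HTTP Host header or, for TLS, in the ClientHello's SNI extension) is what a reverse proxy acts on. The following is an added example, not code from this thread or from any pfSense package: a Python module that pulls the hostname out of the first bytes of a connection, for plain HTTP and for TLS, and maps it to a backend the way a reverse proxy such as HAProxy would. The routing table and every hostname and backend address in it are constructed to mirror the thread (most names to .100, two of them to .101); `build_client_hello` only exists to produce a test input.

```python
"""Why a NAT port forward cannot route by FQDN but a reverse proxy can.

Added example, not from the forum thread or from pfSense. A port forward only
sees (public IP, port); the hostname is carried inside the payload, in the HTTP
Host header or the TLS ClientHello SNI extension. This module extracts that
name and maps it to an RFC 1918 backend. All names and addresses are made up.
"""
import struct

# Constructed routing table. Unknown names get no backend (reject, don't guess).
BACKENDS = {
    "www.domain.tld": ("192.168.1.100", 80),
    "ftp.domain.tld": ("192.168.1.100", 80),
    "host.otherdomain.tld": ("192.168.1.101", 80),
    "www.something.tld": ("192.168.1.101", 80),
}


def http_host(request: bytes):
    """Return the Host header (lower-cased, port stripped) of an HTTP/1.x request, or None."""
    head, _, _ = request.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:               # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace").split(":")[0].lower()
    return None


def tls_sni(record: bytes):
    """Return the SNI host_name from a TLS ClientHello record, or None if absent/malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:      # handshake record, ClientHello
            return None
        p = 5 + 4 + 2 + 32                               # record hdr, hs hdr, version, random
        p += 1 + record[p]                               # session id
        p += 2 + struct.unpack("!H", record[p:p + 2])[0]  # cipher suites
        p += 1 + record[p]                               # compression methods
        ext_end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", record[p:p + 4])
            p += 4
            if etype == 0:                               # server_name extension
                q = p + 2                                # skip ServerNameList length
                if record[q] == 0:                       # name_type host_name
                    nlen = struct.unpack("!H", record[q + 1:q + 3])[0]
                    return record[q + 3:q + 3 + nlen].decode("ascii").lower()
            p += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def route(first_bytes: bytes):
    """Pick a backend from the hostname in the first bytes of a connection, or None."""
    if first_bytes[:1] == b"\x16":                       # TLS record: look at SNI
        name = tls_sni(first_bytes)
    else:                                                # plain HTTP: look at Host
        name = http_host(first_bytes)
    return BACKENDS.get(name) if name else None


def build_client_hello(host_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello carrying only an SNI extension (test input)."""
    sni = host_name.encode("ascii")
    server_name_list = b"\x00" + struct.pack("!H", len(sni)) + sni
    ext = (struct.pack("!HH", 0, len(server_name_list) + 2)
           + struct.pack("!H", len(server_name_list)) + server_name_list)
    body = (b"\x03\x03" + bytes(32)                      # version, client random
            + b"\x00"                                    # empty session id
            + struct.pack("!H", 2) + b"\x13\x01"         # one cipher suite
            + b"\x01\x00"                                # null compression only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    print(route(b"GET / HTTP/1.1\r\nHost: www.domain.tld\r\n\r\n"))
    print(route(build_client_hello("host.otherdomain.tld")))
```

    Note what the TLS branch implies for the deployment: the proxy can route on SNI without holding any certificate (TLS passthrough), but the moment it has to look at an HTTP Host header or a URL path it must terminate TLS itself, so the certificates for every hosted FQDN end up on the proxy rather than on the .100 and .101 backends.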