    How to use multiple DNS Servers within Separate Private Networks

    DHCP and DNS
    8 Posts 4 Posters 3.1k Views
    glego

      So for my home lab, I've set up multiple networks (VLANs) to separate my environments. In one network I do not want to use the DNS Resolver from pfSense but a Windows DNS Server. Also I want to make sure that all requests on this subdomain are never queried outside of the private network.

      Example

      • Public Network
        example.com
        github.example.com
        redmine.example.com

      • Private Network
        intra.example.com
        winlab.example.com

      • Private Hosts (intra)
        pfsense.intra.example.com
        laptop.intra.example.com

      • Private Hosts (winlab)
        ad.winlab.example.com
        win10.winlab.example.com

      Because the ad.winlab.* is using the pfsense as DNS Server, I can reach hosts .intra. from the .winlab. network. But because pfsense is not aware of ad.winlab.example.com as a DNS Server, I cannot query any hosts under .winlab..

      So I could add .winlab. as a DNS Server under pfsense but it will also send the queries to the other DNS Servers (like google).

      How can I set this up properly?

      Thanks a lot!

      JKnott

        With DNS resolver, you can specify which interfaces it listens on.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        glego

          @JKnott:

          With DNS resolver, you can specify which interfaces it listens on.

          I'm not sure how this will help me to query winlab hosts from the intra DNS Server?

          When I enable the winlab DNS Resolver to listen on the winlab interface, I can only query the intra DNS Server from winlab hosts.

          I'm trying to achieve that laptop.intra.example.com can resolve win10.winlab.example.com using the ad.winlab.example.com DNS Server.

          glego

            Anyway, I found out it's a bug in pfSense. So far I think it's not possible to have multiple DNS Servers, but you can have multiple subdomains on each DHCP Server. So it kinda has the same outcome as I want.

            The only thing is I will have to change my naming convention to something more like lan.intra.example.com, lab.intra.example.com and winlab.intra.example.com.

            My global Domain Name will be intra.example.com and my DNS Resolver System Domain Local Zone Type will be refused.

            This will keep all the queries above intra.example.com private.

            https://redmine.pfsense.org/issues/1819
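As an added example (not from this thread and not pfSense's own generated file), this is what the arrangement described above looks like in raw Unbound syntax, using the renamed scheme from this post: the refused intra zone served from local data, plus conditional forwarding of the Windows lab zone to the AD domain controller. The addresses (10.0.1.0/24 for intra, the domain controller at 10.0.2.10) are assumed. pfSense writes unbound.conf itself from the GUI (Domain Overrides produce the forward-zone), so these lines are for reading against what it generates rather than for hand-editing.

```conf
server:
    # Private zone for the home lab. "refuse" answers from local-data and
    # returns REFUSED for any other name under intra.example.com, so nothing
    # in this zone is ever sent on to public resolvers. (pfSense: DNS Resolver
    # > System Domain Local Zone Type = Refuse emits this line.)
    local-zone: "intra.example.com." refuse
    # Constructed sample hosts; pfSense fills these from DHCP leases and
    # static mappings.
    local-data: "pfsense.intra.example.com. IN A 10.0.1.1"
    local-data: "laptop.intra.example.com. IN A 10.0.1.50"

    # Carve-out: the most specific local-zone wins, so without this line a
    # query for win10.winlab.intra.example.com would match the "refuse" zone
    # above and never reach the forward-zone below. "transparent" has no
    # local data here and lets the query fall through to normal resolution,
    # which for this name means the forwarder.
    local-zone: "winlab.intra.example.com." transparent

    # The AD DNS server returns RFC 1918 addresses; exempt the zone from
    # DNS rebinding protection so Unbound does not discard those answers.
    private-domain: "winlab.intra.example.com."
    # The AD zone is unsigned; skip DNSSEC validation for it (only matters
    # when DNSSEC is enabled on the resolver, which is pfSense's default).
    domain-insecure: "winlab.intra.example.com."

# Conditional forwarding of the Windows lab zone to the AD domain controller.
# In the pfSense GUI this is a "Domain Override" under Services > DNS Resolver.
forward-zone:
    name: "winlab.intra.example.com."
    forward-addr: 10.0.2.10   # assumed address of ad.winlab.intra.example.com
    forward-first: no         # never fall back to the upstream public resolvers
```

To check the result from an intra host, query pfSense directly (for example `dig @10.0.1.1 win10.winlab.intra.example.com`) and confirm it answers, then query a name that does not exist under intra.example.com and confirm the status is REFUSED rather than a forwarded NXDOMAIN.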

            JKnott

              Why do you think it's a bug? Why would you need separate DNS servers, when you can configure one to handle multiple ranges?


              hbauer

                If you want to be able to resolve host names on one subnet that are not possible to be resolved on a different subnet that might be a use case.

                I have not found a way to do this with one resolver. Or did I miss something?

                Finger79

                  Maybe look at modifying this article to meet your needs: Redirecting all DNS Requests to pfSense

                  So maybe something like:
                  Interface: [Whatever your Winlab interface is]
                  Protocol: TCP/UDP
                  Destination: Invert Match checked, Winlab Address
                  Destination Port Range: 53 (DNS)
                  Redirect Target IP: [IP address of Active Directory domain controller that does DNS]
                  Redirect Target Port: 53 (DNS)
                  Description: Redirect Winlab DNS
                  NAT Reflection: Disable

                  Finger79

                    Also, can't you just set up DHCP to give the IP address of your AD Domain Controller for DNS? This way all Windows clients in your Winlab will send all DNS traffic to the domain controller instead of to pfSense. This is simpler than the port forward option above.
