Netgate Discussion Forum
Resolving LAN host names - help

General pfSense Questions
    16 Posts 3 Posters 1.2k Views
chudak:

      Trying to understand better how to manage ability to resolve LAN hosts by names.

It used to work fine and alas I touched something, so maybe it's time to clarify it once and for all (for me of course, all the other smart people here know this by heart :D )

      Here is what I have

      What am I not doing right?

      System/General Setup

      Services/DHCP Server/LAN

      Services/DNS Resolver/General Settings

chudak:

I think I made it work again, but still, please comment; I'd like to learn more about this…

johnpoz (LAYER 8 Global Moderator):

single label domain - bad idea

You're in resolver mode - so whatever DNS servers you put there are pointless and never used.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

chudak:

            @johnpoz
            can you please elaborate?  what would you do ?

johnpoz:

Use a domain with a TLD vs just a TLD… put something on the end of that domain, say whatever.lan or whatever.something

Don't waste your time putting in DNS servers that would never get asked, since out of the box pfSense resolves.

How is it, in this day and age, that people so worried about DNS leaks don't understand the difference between a forwarder and a resolver? Google it!!!

Are you pointing your clients to something other than pfSense for DNS? There is no reason to put something into the DHCP server unless you're going to point your clients at something other than the pfSense LAN IP. If you leave it blank, it automatically hands out the pfSense IP on that interface. It says so right there in the note.


chudak:

                ok removed values from DNS/General and Resolver

                I am not using DNS Forwarder, but will read more about it vs Resolver

                Wondering  why "single label domain - bad idea" ?

                Thx !

johnpoz:

From a DNS point of view it's not a good idea..

This is a Windows-based reason list:

https://support.microsoft.com/en-us/help/300684/deployment-and-operation-of-active-directory-domains-that-are-configur

There just is no point to it.. Any device should have an FQDN; this would include the host, the second-level domain and the top-level domain… With just a single label like that, that is not possible for your host names.


chudak:

                    @johnpoz

I've made the changes you suggested and everything seems to be working fine.

                    Specifically:
                    Domain as 'something.lan'
                    no DNS servers set in System/General Setup and DNS Server Override
                    no DNS set in Services/DHCP Server/LAN

Where is pfSense getting DNS now? From my ISP?

                    Thx

johnpoz:

"Where is pfSense getting DNS now? From my ISP?"

So you didn't look up the difference between a forwarder and a resolver ;)

A resolver walks down from the root servers to the authoritative name server for the domain you want the resource from.

You're looking for www.domain.com; it asks one of the root servers - google those ;)

Hey root server, who is the nameserver for .com domains? OK, thanks.
Hey .com nameserver, who is the nameserver for domain.com? OK, thanks.
Hey domain.com NS, what is the A record for www.domain.com? OK, thanks.

Your ISP has nothing to do with this other than providing connectivity to the internet so you can talk to the authoritative NS.

edit: Since you probably won't google it: https://en.wikipedia.org/wiki/Root_name_server


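To make that walk concrete, here is an added example (constructed for this page, not pfSense or unbound code) that simulates an iterative resolver over a toy DNS hierarchy: a "root" server, a ".com" TLD server and an authoritative server for example.com, all at made-up documentation-range addresses. It also models forwarder mode for contrast, so you can see that in resolve mode the upstream server you would type into General Setup is never contacted, and that the root knows nothing about a private name such as printer.lan (a real pfSense answers those from its own local data, which is not modelled here). The zone data, addresses and the query/resolve functions are all assumptions made for the example.

```python
"""Toy simulation of a DNS resolver (iterative walk from the roots) versus a
forwarder. Constructed example, not pfSense or unbound code. Addresses are
RFC 5737 documentation ranges and the zone data is made up."""

# Constructed zone data: server address -> names it knows about.
# A server either answers with an A record or refers you to a delegation.
ZONES = {
    "198.41.0.4": {                       # the "root" server (assumption)
        "com.": {"NS": "a.gtld-servers.net.", "glue": "192.5.6.30"},
    },
    "192.5.6.30": {                       # the ".com" TLD server (assumption)
        "example.com.": {"NS": "ns1.example.com.", "glue": "192.0.2.53"},
    },
    "192.0.2.53": {                       # authoritative for example.com (assumption)
        "www.example.com.": {"A": "192.0.2.80"},
    },
}
ROOT_HINTS = ("198.41.0.4",)
# What you would type into General Setup: only consulted in forward mode.
CONFIGURED_UPSTREAMS = ("203.0.113.53",)


def query(server, qname):
    """Ask one server about qname. Returns ("A", addr), ("REFERRAL", ns_addr, zone)
    or ("NXDOMAIN",). Stands in for a single UDP exchange in the real protocol."""
    zone = ZONES.get(server)
    if zone is None:
        raise ConnectionError(f"no route to {server}")
    rec = zone.get(qname)
    if rec and "A" in rec:
        return ("A", rec["A"])
    labels = qname.split(".")
    # Look for the most specific delegation this server has for the name.
    for i in range(1, len(labels)):
        suffix = ".".join(labels[i:])
        rec = zone.get(suffix)
        if rec and "NS" in rec:
            return ("REFERRAL", rec["glue"], suffix)
    return ("NXDOMAIN",)


def resolve(qname, mode="resolve", upstreams=CONFIGURED_UPSTREAMS, max_hops=10):
    """Return (address_or_None, trace); trace lists (server asked, what it said)."""
    if not qname.endswith("."):
        qname += "."
    trace = []
    if mode == "forward":
        # A forwarder hands the whole question to its upstream and trusts the
        # reply; the upstream does the walking out of our sight.
        upstream = upstreams[0]
        answer, _ = resolve(qname, mode="resolve", upstreams=())
        trace.append((upstream, "ANSWER" if answer else "NXDOMAIN"))
        return answer, trace
    server = ROOT_HINTS[0]
    for _ in range(max_hops):
        resp = query(server, qname)
        if resp[0] == "A":
            trace.append((server, f"A {resp[1]}"))
            return resp[1], trace
        if resp[0] == "REFERRAL":
            trace.append((server, f"referral to {resp[2]} @ {resp[1]}"))
            server = resp[1]
            continue
        trace.append((server, "NXDOMAIN"))
        return None, trace
    raise RuntimeError("referral loop")


def used_configured_upstream(trace, upstreams=CONFIGURED_UPSTREAMS):
    """True if any server in the trace is one of the configured upstreams."""
    return any(server in upstreams for server, _ in trace)


if __name__ == "__main__":
    for name in ("www.example.com", "printer.lan"):
        for mode in ("resolve", "forward"):
            answer, trace = resolve(name, mode=mode)
            print(f"{mode:8} {name:18} -> {answer}")
            for server, said in trace:
                print(f"    asked {server:14} {said}")
```

Run it and compare the two traces for www.example.com: resolve mode visits root, TLD and authoritative server and never touches 203.0.113.53; forward mode talks to 203.0.113.53 only. The printer.lan lookup dies at the root with NXDOMAIN, which is why local names have to be answered by pfSense itself (DHCP registration or host overrides) and not by anything upstream.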
chudak:

@johnpoz

                        I won't lie to you that "oh yeah I knew all of this"  :)

                        This is something I had no clue about and why I started using pfSense last year.
                        I can't say that I get all of this but it makes sense now.

                        Thanks a million for explaining and patience!

chudak:

                          @johnpoz

I think the last question here is - do you think that using DNS names in System/General Setup may/will improve performance?

And if yes, how do you suggest doing this?

I tried running a benchmark and selecting the best performing servers, but found that sometimes when a DNS server got slow or unavailable the whole system was slow (as expected), and I was not sure how to solve this issue without manual intervention.

johnpoz:

There is ZERO reason to put anything into general DNS.. ZERO… Unless you're going to turn off the resolver and use forwarder mode. Or unless you're on some HIGH latency ISP, like sat or something. Or your ISP filters DNS and only lets you use them or specific ones. Otherwise there is ZERO reason to do anything other than resolve.

This is why it is the default out of the box - this is what everyone should be doing unless there is a specific reason why you can not.


chudak:

@johnpoz

                              Very clear, thx !

I guess people do what I was doing because when they start they look for available resources; I used YouTube and apparently not all of them are trustworthy, which is as expected.

chudak:

                                @johnpoz I followed your suggestions and happy so far.

However, I see some DNS queries to IP addresses that I can not explain (https://pastebin.com/zwa92uZe); can you help me understand this?

                                I wonder if I have something mis-configured.

                                Thx!

Gertjan:

                                  @chudak:

                                  However I see some DNS quires to IPs addressed that I can not explain  https://pastebin.com/zwa92uZe, can you help me understand this ?

You're not the only one that uses YouTube as a manual. Inspect the devices on your LAN(s).
PCs and other devices could have 'static' DNS addresses set up, so they will contact, for example, "8.8.8.8", completely bypassing the local DNS authority (your pfSense).
That also explains why local resolution, like "Resolving LAN host names", doesn't work any more. 8.8.8.8 doesn't know anything about that network printer in your pool house.

                                  Leave the network settings of any device you unpack with its original settings, and all will work just fine.

                                  Handing over all your requests to 6.6.6… sorry 8.8.8.8 is ok, but first make up the full list with consequences ...
                                  8.8.8.8 and Youtube are the same house  ;)

                                  Note : I'm not against 8.8.8.8. But why should I learn to use that one if my pfSense already does everything I need ?

                                  Also : some devices, some software have DNS hard coded - you can't do anything about that, except blocking all outgoing DNS request, forcing the device to use pfSense, or have it shut up.

                                  No "help me" PM's please. Use the forum, the community will thank you.
                                  Edit : and where are the logs ??

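Gertjan's point about devices that ignore DHCP and talk straight to 8.8.8.8 is easy to check from the firewall's own logs. Below is an added example (constructed for this page, not pfSense code) that scans a made-up flow log in a simplified format (an assumption, not pfSense's filterlog format), reports every LAN host that sent port-53 or port-853 traffic anywhere other than the firewall, and prints the pf rules that the usual pfSense "redirect client DNS" setup amounts to. The log lines, addresses, interface name and rule text are all constructed for the example.

```python
"""Spot LAN hosts that send DNS somewhere other than the firewall.
Constructed example, not pfSense code. The log format below is an
assumption for this example, not pfSense's filterlog format."""
import re
from collections import defaultdict

# Constructed sample log. Firewall LAN address is 192.168.1.1;
# .10 behaves, .20 uses plain DNS to 8.8.8.8, .30 uses DNS-over-TLS to
# 1.1.1.1, .40 tried 9.9.9.9 but was already blocked by a firewall rule.
SAMPLE_LOG = """\
2025-01-01T10:00:01 pass lan udp 192.168.1.10:50123 -> 192.168.1.1:53
2025-01-01T10:00:02 pass lan udp 192.168.1.20:51515 -> 8.8.8.8:53
2025-01-01T10:00:03 pass lan tcp 192.168.1.20:51516 -> 8.8.8.8:53
2025-01-01T10:00:04 pass lan tcp 192.168.1.30:44001 -> 1.1.1.1:853
2025-01-01T10:00:05 pass lan tcp 192.168.1.10:44002 -> 203.0.113.10:443
2025-01-01T10:00:06 block lan udp 192.168.1.40:60000 -> 9.9.9.9:53
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>pass|block) (?P<iface>\S+) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
DNS_PORTS = {53: "Do53", 853: "DoT"}   # DoH rides on 443 and is invisible here


def parse_flows(text):
    """Parse the constructed log format; lines that do not match are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["dport"] = int(d["dport"])
            flows.append(d)
    return flows


def find_dns_bypass(flows, resolver_ips, include_blocked=False):
    """Return {src: {(dst, label), ...}} for hosts whose DNS-port traffic
    went somewhere other than resolver_ips. Blocked flows still prove a
    client is *trying* to bypass, so they can be included on request."""
    offenders = defaultdict(set)
    for f in flows:
        label = DNS_PORTS.get(f["dport"])
        if label is None or f["dst"] in resolver_ips:
            continue
        if f["action"] == "block" and not include_blocked:
            continue
        offenders[f["src"]].add((f["dst"], label))
    return dict(offenders)


def pf_redirect_rules(lan_if, lan_net, lan_ip):
    """pf rules equivalent to the pfSense how-to: catch port-53 traffic not
    aimed at the firewall and redirect it to the local resolver; DoT cannot
    be answered locally, so it is blocked. The rule text is an assumption
    written in pf syntax; pfSense generates its own from the GUI entries."""
    return "\n".join([
        f"rdr pass on {lan_if} proto {{ tcp udp }} from {lan_net} "
        f"to ! {lan_ip} port 53 -> 127.0.0.1 port 53",
        f"block return in quick on {lan_if} proto {{ tcp udp }} "
        f"from {lan_net} to any port 853",
    ])


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    for src, targets in sorted(find_dns_bypass(flows, {"192.168.1.1"}, True).items()):
        print(src, "->", ", ".join(f"{d} ({l})" for d, l in sorted(targets)))
    print(pf_redirect_rules("em1", "192.168.1.0/24", "192.168.1.1"))
```

In the pfSense GUI the first rule is a NAT port forward on LAN (destination "invert match" LAN address, port 53, redirect target 127.0.0.1 port 53) with its associated firewall rule; the second is an ordinary block rule. Two caveats: the redirect only works for plain DNS, since pfSense cannot impersonate a DoT server, so 853 has to be blocked outright; and DoH on 443 looks like any other HTTPS flow, so a port-based check like this one will never see it.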
chudak:

                                    @Gertjan:

PCs and other devices could have 'static' DNS addresses set up, so they will contact, for example, "8.8.8.8", completely bypassing the local DNS authority (your pfSense).

                                    That makes sense and explains those queries, thx!

                                    @Gertjan:

                                    Also : some devices, some software have DNS hard coded - you can't do anything about that, except blocking all outgoing DNS request, forcing the device to use pfSense, or have it shut up.

                                    I do force all DNS requests to use pfsense only!

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.