DNS server in pfSense 2.4



  • New to pfSense. Got it installed and running. When deciding to do this and looking at the different software choices, one of my requirements was that I need a bona fide DNS server. I have my own domain and static WAN IP addresses.

    In my research before doing this I saw that pfSense includes a DNS Resolver and a DNS Forwarder but no mention of a DNS server. I saw how-tos on how to install a DNS server for/in past versions of pfSense so I figured I'd give that a try.

    Then I saw posts that said pfSense had a DNS server in the packages option but it was no longer available in/after 2.3 or 2.4. Don't quote me on this, I read so much in so many places I could be off on this.

    Well when I installed pfSense 2.4 and got it running I looked in the Available Packages in Package Manager and found pfSense GUI for BIND DNS Server so I installed it. I then noticed a BIND DNS Server listed in Services. Can't say if it was there or not before I installed the package, was it?

    Being a UNIX/Linux admin by day I'm a command line kinda guy, so I was poking around command-line-wise and saw that there were 2 named daemons running. I didn't think that was good. So in Services -> BIND DNS Server I unchecked Enable BIND DNS Server. Mind you, Enable DNS forwarder and Enable DNS resolver are also unchecked. Now whenever I reboot I only have one named daemon running and the DNS server is operating as I need it to.

    So is this correct? I don't need to Enable BIND DNS Server for the BIND DNS server to run? If I do enable it then I get 2 named daemons running?

    My other question, is the BIND DNS server package going to go away in future versions of pfSense? In my research the fact that I saw it was no longer available in 2.3/2.4 but it is there has me worried.

    On another note, I configured BIND DNS server for the most part by using Services -> BIND DNS Server, added some options in Custom Options and the required references/pointers to my zone files in Global Options, but I had to put the zone files in /cf/named/etc/namedb/ manually via command line. I found no way to do that using WebConfigurator.



  • @BlankMan:

    … one of my requirements was that I need a bona fide DNS server. I have my own domain ...

    Every registry on planet earth gives you (access to) two DNS servers, where you can maintain the zone info related to your domain.
    For several reasons, I would not advise you to use bind, the package that exists for pfSense, to be a name server for your domain.

    If you need another secondary DNS, go for (example) afraid.org
    If you do not want to use the name servers offered by your domain host, go for a full bind install on a (mini) VPS server, as the primary server, and some other secondary DNS server(s) elsewhere.

    One reason : pfSense is often situated behind a line from an ISP - not the best place to put a name server for a domain visible on the net. It's "not done".
    You'll be needing to open up TCP/UDP port 53 (at least) for the outside (WAN); some ISPs do not even allow that, they don't want their clients having the possibility to shoot themselves in the foot ….

    If you insist on using bind on pfSense, you should probably not want to use the built-in Resolver (unbound) and the built-in Forwarder. bind can handle it all: your local LAN resolution, and it works as a primary DNS for your domain. Or, also possible, make a mixture of bind and the Resolver.

    bind exists as a package for pfSense because bind can do useful things on a lan. Not for global domain name resolution.

    Btw : I'm using bind myself for my domain names. But not on my pfSense.



  • You can also serve DNS requests from any of several free DNS providers (e.g. Cloudflare) rather than host BIND on your firewall. A few sub-domains, unbound host/domain overrides, means you can have the best of both worlds. With Cloudflare you can also set up your dynamic DNS.



  • @BlankMan:

    … I need a bona fide DNS server. I have my own domain and static WAN IP addresses.

    Do you need a DNS server locally or public for your domain and available on WAN?



    Gertjan: I've been doing my own DNS for my domain on my Linux server for 16 years now, which also did my subnet & VLAN routing and was my edge router. For performance reasons I want a box, my Protectli FW6B with pfSense, to now be my edge router and as such my DNS server since it is on my edge.

    Gertjan & Yellowbrick: I know there are places that will do my DNS for me, however, that is not what I asked.

    johnix: Publicly.

    The issue at hand that I need help with is that if I Enable the DNS BIND server via its check box I was landing up with two named daemons running. I do not think that is right but I could be wrong on that.

    I did not ask for advice on how or where I should set up my DNS.



  • In that case, after installing bind, I advise you to shut down the Forwarder and Resolver, and use bind for everything.
    One thing for sure: bind can handle it all, you'll be feeling at home right away.

    The default Resolver (unbound) is a DNS server. Check "difference between bind and unbound" (https://www.google.com/search?q=difference+between+bind+and+unbound&ie=utf-8&oe=utf-8&client=firefox-bl) - so, in theory, what unbound can do, can be done with bind, and the other way around.

    As said, I never used bind on pfSense so I can't tell about the integration of this package into the GUI.
    In the worst case, leave the GUI part for what it is - do not start it from the GUI, but make it start on boot 'manually'.
    When done and checked that pfSense will not overwrite YOUR settings with the ones that pfSense keeps in its master config file when the service restarts or pfSense boots, you can take full control over all the config files, as you used to do.

    I admit that I wait for the day that 'bind' becomes the pfSense DNS server  ;)

    Btw :

    Then I saw posts that said pfSense had a DNS server in the packages option but it was no longer available in/after 2.3 or 2.4. Don't quote me on this, I read so much in so many places I could be off on this.

    There is only one source : System => Package Manager => Available Packages : bind is listed as a package when you use pfSense 2.4 - it always was if memory serves me well.
    bind isn't installed by default.



    Gertjan: Thanks for the reply. As I stated in my OP, enable resolver and enable forwarder are unchecked; they are not running, never were.

    Thanks I will check out that link don't have time at the moment.

    How do I set it to start manually? I think it is set to start manually though. If I uncheck enable DNS BIND server, uncheck resolver (which it also has been) and uncheck forwarder (which it also has been), a named daemon starts and runs on boot.

    The problem there is that when configuring (adding a config to) OpenVPN, when saving the config it appears it stops and restarts named, probably because it updated something. However, because I have all 3 DNS choices unchecked, i.e. not enabled, no named daemon then starts up. So named isn't running and my complete network can't connect because everything loses its resolver.

    If I have enable DNS BIND server checked and 2 named daemons start on boot, then when OpenVPN does the above a named daemon restarts OR one of the two remains.

    So that's my problem, if I don't enable DNS BIND server and let 2 run on boot I can land up with none running at some point. This happens with OpenVPN but I'm worried it could happen with other things too.

    I know it's weird but that's what it is.



  • A bit late here, so I read quickly.

    How do I set it to start manually? I think it is set to start manually though. If I uncheck enable DNS BIND server, uncheck resolver (which it also has been) and uncheck forwarder (which it also has been), a named daemon starts and runs on boot.

    This is strange. Probably manually starting isn't a good idea.
    So, unbound (Resolver) and dnsmasq (the forwarder) should be shut down - and bind enabled.

    Also, if one of the packages changes the config (by you in the GUI) it's often seen that most services restart.
    If bind didn't get restarted, install "Service Watchdog"; it will take care of it.

    If you want to use bind for internal and external resolution - as a name server for a public domain - it better be always up.
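Two things in this thread are worth checking from the shell rather than by eyeballing the GUI: whether the zone files the original poster dropped into /cf/named/etc/namedb/ are actually valid before named is asked to load them, and how many named processes are running after boot and after a GUI save (the "two named daemons" and "named gone after an OpenVPN save" symptoms). The script below is an added example written for this page; it is not code from the thread, from the pfSense BIND package or from the Service Watchdog package. The domain example.com, the address 192.0.2.10, the /usr/local/sbin/named path in the sample ps lines and the ps output itself are constructed for illustration; the only real assumption it makes about the box is the /cf/named/etc/namedb/ directory the poster mentioned. Live checks only run when you invoke it as `sh bind_check.sh run`; the draft zone is written to a temporary directory, never into the live namedb directory.

```shell
#!/bin/sh
# Added example, not from the thread or the pfSense BIND package.
# Hypothetical assumptions: zone example.com, public address 192.0.2.10,
# zone files under /cf/named/etc/namedb/ as the original poster described.

ZONE="${ZONE:-example.com}"
ZONEDIR="${ZONEDIR:-/cf/named/etc/namedb}"

# Print a minimal primary zone file for zone $1 pointing at IPv4 $2.
# Serial follows the YYYYMMDDnn convention so every edit can bump it.
make_zone_file() {
    zone="$1"; ip="$2"; serial="$(date +%Y%m%d)01"
    cat <<EOF
\$TTL 3600
@    IN SOA ns1.${zone}. hostmaster.${zone}. (
         ${serial} ; serial
         3600      ; refresh
         900       ; retry
         1209600   ; expire
         300 )     ; negative-cache TTL
     IN NS  ns1.${zone}.
ns1  IN A   ${ip}
@    IN A   ${ip}
www  IN A   ${ip}
EOF
}

# Print the named.conf stanza that points BIND at that file; this is the
# kind of reference the poster added under Global Options in the GUI.
make_zone_stanza() {
    printf 'zone "%s" {\n    type master;\n    file "%s";\n};\n' "$1" "$2"
}

# Validate zone $1 in file $2 with BIND's own checker when it is installed.
validate_zone() {
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$1" "$2"
    else
        echo "named-checkzone not found; skipping validation of $2"
    fi
}

# Read "pid args" lines (ps -o pid=,args=) on stdin; print how many have
# a command whose basename is named. A "grep named" line does not count.
count_named() {
    awk '{ n = split($2, p, "/"); if (p[n] == "named") c++ } END { print c + 0 }'
}

# Same input; print the -c config path of every named process, so when two
# are running you can see which config each was started from.
named_configs() {
    awk '{ n = split($2, p, "/")
           if (p[n] == "named")
               for (i = 3; i < NF; i++) if ($i == "-c") print $(i + 1) }'
}

run_live_checks() {
    ps_out=$(ps -axo pid=,args= 2>/dev/null || ps -eo pid=,args=)
    n=$(printf '%s\n' "$ps_out" | count_named)
    echo "named processes running: $n"
    printf '%s\n' "$ps_out" | named_configs
    [ "$n" -gt 1 ] && echo "WARNING: more than one named; compare the config paths above"
    [ "$n" -eq 0 ] && echo "WARNING: no named running; nothing on this box is resolving"
    if command -v dig >/dev/null 2>&1; then
        echo "A record for $ZONE from 127.0.0.1:"; dig +short @127.0.0.1 "$ZONE" A
    fi
    # Draft the zone in a temp dir and check it before copying it into $ZONEDIR.
    tmp=$(mktemp -d)
    make_zone_file "$ZONE" 192.0.2.10 > "$tmp/$ZONE.db"
    make_zone_stanza "$ZONE" "$ZONEDIR/$ZONE.db"
    validate_zone "$ZONE" "$tmp/$ZONE.db"
}

if [ "${1:-}" = "run" ]; then run_live_checks; fi
```

If the live run reports two named processes with two different `-c` paths, that is the concrete evidence behind the "two daemons" observation: one instance was started by the package's own rc script and another from a different named.conf, and the two will each bind port 53 on whichever addresses are free. Rerun the script right after saving an OpenVPN (or any other) configuration in the GUI to see whether named survives the service restart the later posts describe.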