DNS forwarding not working properly



  • I want the DNS resolver to forward queries it cannot server to my internal DNS server so that it can pick up names defined on my DNS server.
    I have the System/General/DNS Servers set to my internal IP address which it can get to.
    I tried a machine under DHCP and it could not see any of my local names on the DNS server. Setting the DNS manually on the machine it could.
    Reset it it to DHCP and set Services/DNS Resolver and set DNS Query Forwarding on and same result.

    I want it to try pfSense first and then if not found forward to my internal DNS. I don't want it trying the top level servers.

    What am I doing incorrectly?



  • Maybe try it like this. Replace 1.1.1.1 etc with your preferred DNS. If you only want to forward to your internal DNS for a certain domain use domain overrides in the resolver instead.

    0_1546204879002_dns1.PNG

    0_1546204889712_dns2.PNG



  • That is basically what I have but it is not working. It does not go to the internal DNS server at all and instead goes outside and grabs stuff there instead of my internal DNS.



  • IIRC for me, the "Disable DNS Forwarder" was selected by default and the behavior was exactly like yours. And by deselecting that, resolving started to work as expected (ie. resolving from the servers you define, not the root servers).



  • Okay this DNS is still not working for me. If I turn off DNS Query Forwarding I get name resolution but it won't see anything my local DNS server has. If I turn it on I get what the pfSense knows about but nothing else at all. Wont even find google.com. I have attached my general page which shows the IP I want it to query and the DNS Resolver setup.
    I have tried turning off/on the DNSSEC. No difference. Forwarding mode should use the IP in the General page but doesn't. I can ping the IP from pfSense so it is visible and there are no LAN rules that should be blocking it. Only extra running is pfBlockerNG.
    Obviously I am doing something wrong but can't figure what.

    0_1546410478057_pfGeneral.JPG

    0_1546410497079_pfResolver.JPG



  • Generally in this type of setup (usually a Windows network domain) I set the DHCP server to hand out the internal DNS server IPs and let those resolve the public DNS via forwarding and/or root server lookup. Is there a reason not to do that?

    I get that it seems like it is supposed to work, but usually that is an easy workaround.

    Perhaps there is something in the DNS Forwarder that doesn't forward to LAN IPs (it says "upstream"...)



  • Yes, I have internal servers that have internal names (Windows Server 2016) and using external DNS means these names are not found. Under my Unifi I had the DNS look at my internal DNS server and if that could not find it then it would forward out to to the internet. I can't see why pfSense can't do the same as I have told it what IP to forwad requests to that it can't serve. I checked the log file for the Resolver and it looks to me like it is trying but not working. Never used ubound before so is all new to me.

    0_1546455432197_pfLog.JPG


  • LAYER 8 Global Moderator

    So out of the box pfsense resolves, from root down.. So if your clients are asking pfsense for dns they will be able to "resolve" any public listed domains.. This is big difference from forwarding..

    If you have some local DNS running for your local.tld domains, then you will want to setup a domain forward in unbound that says hey if client asking for xxx.domainlocal.tld go ask NS 1.2.3.4

    If this NS for this local domain is via say your lan interface then you will need to make sure unbound can do outbound queries via your LAN interface.. This should not be an issue since out of the box it does ALL interfaces.

    So now your client asks unbound running on pfsense for publicdomain.tld - it will resolve this via roots down to the authoritative NS for publicdomain.tld, when client asks unbound for xxx.domainlocal.tld unbound will say oh got to go ask 1.2.3.4 for it.

    Keep in mind that if IPs being returned from your domain override NS are rfc1918, then that would be from unbounds point of view a rebind... So you will need to setup this local domain as private, or turn off rebind protection completely. Pretty sure all of this info in the doc's or the book.



  • Thanks. That was more than a little over my head at present and I will need to do some reading. I did notice the domain over-ride section. It says this is used for over-riding a specific domain. If I point this at my DNS server for the domain would that work? I just basically need to cover stuff in my local domain only.


  • LAYER 8 Global Moderator

    Yes.. That is what the domain overrides are for..