Netgate Discussion Forum
    DNS forwarding not working properly

    DHCP and DNS
    10 Posts 4 Posters 2.3k Views
    • V
      veldthui
      last edited by

      I want the DNS resolver to forward queries it cannot serve to my internal DNS server so that it can pick up names defined on my DNS server.
      I have the System/General/DNS Servers set to my internal IP address which it can get to.
      I tried a machine under DHCP and it could not see any of my local names on the DNS server. Setting the DNS manually on the machine it could.
      Reset it to DHCP, then in Services/DNS Resolver set DNS Query Forwarding on, and same result.

      I want it to try pfSense first and then if not found forward to my internal DNS. I don't want it trying the top level servers.

      What am I doing incorrectly?

      • T
        tsmalmbe
        last edited by

        Maybe try it like this. Replace 1.1.1.1 etc with your preferred DNS. If you only want to forward to your internal DNS for a certain domain use domain overrides in the resolver instead.

        0_1546204879002_dns1.PNG

        0_1546204889712_dns2.PNG

        Security Consultant at Mint Security Ltd - www.mintsecurity.fi

        • V
          veldthui
          last edited by

          That is basically what I have but it is not working. It does not go to the internal DNS server at all and instead goes outside and grabs stuff there instead of my internal DNS.

          • T
            tsmalmbe
            last edited by

            IIRC for me, the "Disable DNS Forwarder" was selected by default and the behavior was exactly like yours. And by deselecting that, resolving started to work as expected (i.e. resolving from the servers you define, not the root servers).

            Security Consultant at Mint Security Ltd - www.mintsecurity.fi

            • V
              veldthui @tsmalmbe
              last edited by

              Okay this DNS is still not working for me. If I turn off DNS Query Forwarding I get name resolution but it won't see anything my local DNS server has. If I turn it on I get what pfSense knows about but nothing else at all. Won't even find google.com. I have attached my general page which shows the IP I want it to query and the DNS Resolver setup.
              I have tried turning off/on the DNSSEC. No difference. Forwarding mode should use the IP in the General page but doesn't. I can ping the IP from pfSense so it is visible and there are no LAN rules that should be blocking it. Only extra running is pfBlockerNG.
              Obviously I am doing something wrong but can't figure what.

              0_1546410478057_pfGeneral.JPG

              0_1546410497079_pfResolver.JPG

              • S
                SteveITS Galactic Empire
                last edited by

                Generally in this type of setup (usually a Windows network domain) I set the DHCP server to hand out the internal DNS server IPs and let those resolve the public DNS via forwarding and/or root server lookup. Is there a reason not to do that?

                I get that it seems like it is supposed to work, but usually that is an easy workaround.

                Perhaps there is something in the DNS Forwarder that doesn't forward to LAN IPs (it says "upstream"...)

                Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                Upvote 👍 helpful posts!

                • V
                  veldthui
                  last edited by

                  Yes, I have internal servers that have internal names (Windows Server 2016) and using external DNS means these names are not found. Under my Unifi I had the DNS look at my internal DNS server and if that could not find it then it would forward out to the internet. I can't see why pfSense can't do the same as I have told it what IP to forward requests to that it can't serve. I checked the log file for the Resolver and it looks to me like it is trying but not working. Never used unbound before so it is all new to me.

                  0_1546455432197_pfLog.JPG

                  • johnpozJ
                    johnpoz LAYER 8 Global Moderator
                    last edited by johnpoz

                    So out of the box pfsense resolves, from root down.. So if your clients are asking pfsense for dns they will be able to "resolve" any public listed domains.. This is a big difference from forwarding..

                    If you have some local DNS running for your local.tld domains, then you will want to setup a domain forward in unbound that says hey if a client is asking for xxx.domainlocal.tld go ask NS 1.2.3.4

                    If this NS for this local domain is via say your lan interface then you will need to make sure unbound can do outbound queries via your LAN interface.. This should not be an issue since out of the box it does ALL interfaces.

                    So now your client asks unbound running on pfsense for publicdomain.tld - it will resolve this via roots down to the authoritative NS for publicdomain.tld, when a client asks unbound for xxx.domainlocal.tld unbound will say oh got to go ask 1.2.3.4 for it.

                    Keep in mind that if IPs being returned from your domain override NS are rfc1918, then that would be from unbound's point of view a rebind... So you will need to setup this local domain as private, or turn off rebind protection completely. Pretty sure all of this info is in the docs or the book.

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11
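As an added illustration (not from any post in this thread), here is the raw unbound.conf equivalent of what johnpoz describes: a forward-zone that sends only domainlocal.tld queries to the internal NS 1.2.3.4, plus the private-domain setting that stops RFC1918 answers from that zone being discarded as a rebind. In pfSense the forward-zone stanza is what a Services/DNS Resolver Domain Override produces and the private-domain line belongs in the resolver's Custom Options box; 192.168.0.0/16 is a placeholder for your own LAN prefix.

```conf
# Added example: raw unbound.conf equivalent of a pfSense Domain Override.
# Only names under domainlocal.tld are sent to the internal server; every
# other name is still resolved from the roots, so DNS Query Forwarding
# (global forwarding to System/General DNS servers) stays off.
server:
    # Rebind protection: unbound drops answers that point at these ranges
    # unless the zone is listed as private. pfSense adds private-address
    # entries itself when the DNS Rebind Check is enabled; in raw unbound
    # you set them. 192.168.0.0/16 is a placeholder for the real LAN range.
    private-address: 192.168.0.0/16
    # Trust RFC1918 answers for this one zone instead of disabling
    # rebind protection globally.
    private-domain: "domainlocal.tld"

# Conditional forward for the internal zone only (domainlocal.tld and
# 1.2.3.4 are the placeholder names used in the thread).
forward-zone:
    name: "domainlocal.tld"
    forward-addr: 1.2.3.4
```

After the resolver restarts, a lookup for a host under domainlocal.tld sent to the pfSense LAN address should return the internal server's record, while a public name should still resolve without touching 1.2.3.4; if the internal name returns no answer and the resolver log mentions a private address, the private-domain line is missing or misspelled.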

                    • V
                      veldthui
                      last edited by

                      Thanks. That was more than a little over my head at present and I will need to do some reading. I did notice the domain override section. It says this is used for overriding a specific domain. If I point this at my DNS server for the domain would that work? I just basically need to cover stuff in my local domain only.

                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator
                        last edited by

                        Yes.. That is what the domain overrides are for..

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.