flush dns after wan ip change

gregor4711

I have an owncloud and mail server behind pfsense FW.
It is connected to an dyndns service since. My ISP change all 24h the IP, which is my WAN IP.

1. after the change of IP from ISP, the update of official DNS is proceed within less than 30 sec.
2. If I call my email server from outside (via mobile etc.) the mail server is up and working.
3. If I call from inside (behind pfsense ) the domain name is not more aviable since it route to the old ip.
4. If I flush pfsense dns resolver & DNS Server manually all is fine again:)
5. Therefore I would like to have automatic restart of DNS resolver an DNS server in pfsense after wan IP change

viragomann

A better solution would be to setup DNS overrides for your hostnames.

gregor4711

How this can work, wegen the IP is changed all 24 hours?

Gertjan

The DNS host override declares the IP of your mail host.
On the Internet , your DDNS service will resolver your domain to your WAN IP.
Locally, a host override (same URL) will resolve to a local LAN IP (and that one never changes).

Using host overrides, you do not use the WAN IP, but the LAN IP.

gregor4711

Gertjan, many thanks for your exelent explanation of how it works.
I'll try next days and will come back with the result

viragomann

Of course, this requires that your clients use an internal DNS service like the Resolver of pfSense.
So in the Resolver settings go down to host overrides and add your hosts by entering its FQDN and its local IP.

gregor4711

ok, now I got it. That means, the resolver will not ask the outside dns, but will deliver lokal IP when client ask for the dns www.xxxxx.yy, right?

What is with the cert? It is linked to dns (https://www.xxxxx.yy) name but not do local ip, will it still work, if the resolver provide lokal ip?

Grimson

https://www.netgate.com/docs/pfsense/nat/accessing-port-forwards-from-local-networks.html#method-2-split-dns yes certs issued for a domain name don't care about the IP address.

Gertjan

Exact.
Certs are host + domain based. The IP is a don't care.

gregor4711

Thank you all for you valuable support, I'll try and come back later (maby with new questions :))