Forward "domain.com" requests from Public interface to external DNS

nunnt

We have a LAN and a PUBLIC network interfaces setup in pfsense. The LAN network is our corporate network, and a public network on a VLAN for wireless guest traffic. pfsense takes care of DHCP for our LAN. We have DNS resolver enabled and a host override set to direct our "domain.com" to our internal domain controller. We have this set for all our interfaces since we are using pfblocker. We just need to point "domain.com" requests coming from our public interface to our external facing IP (website) for "domain.com" requests. What's the best way to accomplish this?

nunnt

Correction. pfsense takes care of DHCP for our Public network.

KOM

@nunnt said in Forward "domain.com" requests from Public interface to external DNS:

We just need to point "domain.com" requests coming from our public interface to our external facing IP (website) for "domain.com" requests. What's the best way to accomplish this?

I had to edit my answer because my tiny brain got confused by PUBLIC to mean WAN...

What is your PUBLIC network using for DNS? That's where you make the change to point your FQDN to your LAN IP address.

nunnt

Just to clarify in case I wasn't clear:

• LAN user goes to "domain.com", it looks to the domain override from the DNS resolver that points internally
  PUB user goes to "domain.com", it should look to our external IP for the website

Unfortunately our internal and external domain is named "domain.com".

KOM

That doesn't make sense. Why would you want your PUBLIC users to go out and then back in WAN to get to a LAN server?? Put the same override on PUBLIC's DNS and then craft your firewall rules to allow PUBLIC to access that one specific server on LAN.

Also, this is a lesson in not using a public domain for LAN or AD; you should use a subdomain instead like lan.yourdomain.com.

nunnt

You are so right, lesson learned for sure.
We currently have a split DNS configured so that LAN users have a host override for "domain.com" that points to our internal DC to resolve DNS requests first. "http://domain.com" and "https://domain.com" resolves externally from the DC DNS for LAN users. We don't allow LAN access to public connections so they can't take advantage of the split DNS to resolve. We want public connections to be able to resolve "http://domain.com" and "https://domain.com" to point externally. Public connections going to "www.domain.com" have no issues resolving externally. It's when the browser doesn't auto fill in the "www" that we are having the issue.

KOM

OK, that's actually called a domain override, not a host override. Host overrides translate a FQDN to a custom IP address. Domain overrides point you to another DNS that handles resolution for that domain.

What is PUBLIC using for DNS? pfSense's resolver? If so, I'm not aware of any method to dynamically resolve based on source network. BIND may have something like that with its Views feature but not resolver.

You could try turning on NAT Reflection, but it's all or nothing. You can't just limit it to PUBLIC.

https://docs.netgate.com/pfsense/en/latest/nat/accessing-port-forwards-from-local-networks.html

At the end of the day, you might be forced to allow PUBLIC acess to DNS only from your AD server on LAN, and web access from PUBLIC to the web server on LAN.

conor

Am i right in saying you just want the guest wifi network to go to the external IP for say your website?

In that case under DHCP Server for the guest wifi set the DNS entry for the DHCP to say the OpenDNS values. That way the guests aren't quering your DNS at all.

nunnt

Thanks for the thought Conor. The issue is we want to use pfsense to resolve DNS in order to use pfblocker for content filtering. I'm having hard time understanding how to accomplish this while resolving our "domain.com" requests externally.

conor

This is a mad idea but how about using DNS Forwarder and DNS Resolver, one for each subnet, make sure they are both running on different port numbers and set up a port forward on the guest wifi interface from port 53 to the correct port. Haven't tested it, but my understanding is DNS forwarder is DNSMASQ and Resolver is Bind. Might be worth a try. You'll need to have strict interface bindings though.