Split DNS problem with local web-server
-
Hi guys!
I have the following network:
WAN IP XXX.XXX.XXX.XXX pfSense (192.168.1.1) >> web server on ports 80 and 443, Ubuntu (192.168.1.11).
I need LAN users to be able to access websites by domain name located on the Ubuntu web-server.
I have created the following NAT rules:
How do I need to create Split DNS? I think these LAN rules are not entirely good for security. DNS Resolver is switched on.
-
What is the point of those source WAN address to 80 and 443? They make zero sense.
Set up a host override for whatever FQDN you want to point to 192.168.1.12.. in the DNS Resolver host overrides.
-
@johnpoz said in Split DNS problem with local web-server:
What is the point of those source WAN address to 80 and 443? They make zero sense.
Yes, because without these rules LAN users don't have access to domain names (local HTTP server nginx).
-
I think you are looking for NAT reflection, where LAN users can access the WAN address and have NAT apply. https://docs.netgate.com/pfsense/en/latest/book/nat/nat-reflection.html
With Split DNS generally users on the WAN resolve the hostname to the WAN IP and users on the LAN resolve the hostname to the private IP of the web server and don't use the router at all.
-
@maxyca said in Split DNS problem with local web-server:
Yes, because without these rules LAN users don't have access to domain names (local HTTP server nginx).
No... There is never a point where source into lan would be your wan IP, never ever ever! So those rules would never do anything.
-
@teamits many thanks!
I have checked "Enable automatic outbound NAT for Reflection" in System > Advanced, and now I can go to the website located on the local web server using a domain name. Does it use the resources of the pfSense?
I mean, what else do I need to do to properly configure split DNS?
-
You need DNS servers that inside hosts query that give inside answers and DNS servers that outside hosts query that give outside answers.
    bash-3.2# dig +short @8.8.8.8 nc.mydomain.com
    cox-dyn.mydomain.com.
    198.51.100.147
    bash-3.2# dig +short @192.168.223.1 nc.mydomain.com
    192.168.225.1
-
I have created rule like this - https://docs.netgate.com/pfsense/en/latest/dns/redirecting-all-dns-requests-to-pfsense.html
And I have created Host overrides in the DNS Resolver. And unchecked "Enable automatic outbound NAT for Reflection" in System > Advanced.
Now all is working very well :)
-
You don't need to redirect, unless your clients are not using pfsense for dns..
-
@johnpoz said in Split DNS problem with local web-server:
using pfsense for dns..
All users use pfSense for DNS in our LAN network.