DNS authoritative zone



  • Hi, I don't think I have a bug to report but a specific question to ask, as I can't find anything useful.
    Here's what I've done: I bought a domain, and instead of adding it on some cloud platform, I want to manage it in house.
    I delegated it on nic.ar, the RIR for where I live, to my public IP that also is the pfsense WAN address. Then I made a rule to listen on port 53. I also made sure that on DNS resolver, under interfaces, WAN is selected. But if I want to resolve my domain, I see the queries logged as packets under system logs -> firewall, but I only receive refuses. I don't see any query on system logs -> DNS resolver (I use the custom option "log-queries: yes" on DNS resolver). A packet capture on the WAN shows as I query pfsense, it refuses everything as "server is not authoritative for domain."
    I also created host overrides for ns1 and ns2, the domains that the RIR made me create. But those are A records, right?
    That domain is also under system->general setup
    How do I configure pfsense to be authoritative server for a zone, and answer queries? How do I create NS or SOA records? I didn't find a way to create them neither on pfsense nor unbound.
    Thank you so much!


  • LAYER 8 Global Moderator

    @fedesoundsystem said in DNS authoritative zone:

    and instead of adding it on some cloud platform, I want to manage it in house.

    Let me stop you right there - this is a HORRIBLE idea!!!

    There is zero reason to ever host your own dns.. Other then local shit... If it is public - host it somewhere.. be it your registrar dns if it does what you need it to do.. Or some dns service - which are really just freaking dirt cheap.. Somewhere free even, or fire up your some vps somewhere and host them there..

    There is is NO REASON ever to host your dns off your own single internet connection - NONE!!!

    And then even if you were going to do such a thing - your sure and the F wouldn't do it off your firewall.. Even if you were running BIND package.. Unbound is not meant to be an authoritative ns, even if can actually do it..

    So your going down the wrong path no matter how you look at this!! That is from my heart and 30+ years experience in this field and dns being my favorite thing to play with!!!

    And pfsense being my fav firewall distro, and 10+ years using it.. And being very active here.. Do not think that hosting a public dns off your own connection or pfsense make any sort of sense at all!

    If you want to play with dns - so so for your own local shit.. Or get a couple of vps somewhere and play with it there for your domain.. I have a couple of domains I do that with.. But even if this was billy bob my firends accessing this domain, I wouldn't host it off my own connection or my own devices.. It just makes no sense to do it..

    Please just do not think that you should host public dns off pfsense.. It is not designed to do that, even if it actually can do it (which it can with bind).. Its not the right direction!!!

    If what your after is running authoritative local dns - then sure be happy to help.. But if your wanting to actually serve some public domain to the public - sorry but its a bad idea!!!



  • Thank you for the advice, I realy do appreciate it.
    I live in Argentina and the US dollar is really expensive and it gets more and more expensive month by month.
    Then, because of costs, in my country we have cheap services that are not reliable at all, that was why I thought that I could have an in house cheaper and more reliable DNS service than what I could find in my country, or buy in some other country.
    Also, as I am learning and do not have any business nor mission critical service, tought that was a good idea.
    I didn't know that thing you said, that unbound or bind weren't designed for that. I tought that they were for any case use.
    Thank you so much!


  • LAYER 8 Global Moderator

    Bind is designed to be an authoritative NS, unbound is not..

    There are plenty of places to get FREE dns services.. Hurricane electric is one of them, cloudflare is another.. Pretty much every registrar will provide you with free dns as well. Depends on what features are needed, etc. Maybe they don't support CAA records or something, or dnssec (even though its a requirement to be an accredited registrar)..


Log in to reply