
    Per interface DNS Forwarder configuration

    • johnpoz, LAYER 8 Global Moderator

      All true ;) I jumped on the Forwarder and domain overrides statements.

      And correct, unbound does not balk at entries in the views for a forward.. Never validated that it wouldn't actually use them or not ;)

      The problem comes down to the same thing when you are in forwarder mode and forward to different NS.. Say one that filters and one that doesn't - because the cache is shared.. Which is why when you forward - you have to make sure where you forward those NS will return the data in the same way.. And has access to the same data set, be it the public internet dns, or local internal dns or filtered or not filtered - they need to use the same filtering, etc.

      Glad that is all sorted out ;)

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      • gvecchi

        Hi guys,

        thanks for your interest in my question and I'm really sorry if I hadn't used the terminology in a correct way (also sorry for my bad English).
        First of all, I'm running pfSense 2.4.2-RELEASE-p1.
        As previously said, the goal is that clients from different OpenVPN connections will be able to resolve the internal root domain, subdomains and hosts, or part of them; currently, to achieve that goal (only on one OpenVPN connection, which is the reason for this post), I'm using DNS Forwarder and Host/Domain overrides in this way:

        • DNS Query Forwarding - Query DNS servers sequentially -> flagged, in order to forward every query to internal DNS servers (they are all authoritative for the internal domains/subdomains)
        • for hosts and subdomains that clients are allowed to resolve, no override is configured
        • for subdomains and their "children" hosts that clients are NOT allowed to resolve, Domain override is in place for subdomain only and destination ip is set to "!"
        • for hosts that clients are allowed to resolve even when a domain override is in place for their "parent" subdomains, Host override is in place with local data (manually "mirroring" internal DNS data) -> this is a very special configuration and I'm going to configure it only for few hosts.

        Why do I need this configuration? Because most of the OpenVPN clients are not "people" but "machines" and I need to ensure as little data exfiltration as possible in case they are compromised.

        I can consider using DNS Resolver if the final scenario is not supported by DNS Forwarder or if it will do a better job.

        Thanks again!

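The override layering gvecchi describes (host override first, then the most specific domain override, with "!" meaning "do not forward", else sequential forwarding) can be modelled to check which names a VPN client could resolve before touching the firewall. This is an added example, not code from the forum post or from pfSense; the domain names, server addresses and the `ForwarderPolicy` class are constructed assumptions that mirror dnsmasq's longest-suffix matching.

```python
# Added example: a model of the pfSense DNS Forwarder (dnsmasq) override
# rules from the post above. All names and addresses are constructed.
from dataclasses import dataclass


@dataclass
class ForwarderPolicy:
    forwarders: list        # internal authoritative servers, queried sequentially
    domain_overrides: dict  # domain suffix -> server IP, or "!" to never forward
    host_overrides: dict    # FQDN -> local data mirrored by hand from internal DNS

    def decide(self, qname: str) -> tuple:
        name = qname.rstrip(".").lower()
        # 1. A host override is local data, so it answers before any forwarding.
        if name in self.host_overrides:
            return ("local", self.host_overrides[name])
        # 2. Domain overrides match the domain itself and everything below it;
        #    the longest (most specific) matching suffix wins, as in dnsmasq.
        labels = name.split(".")
        for i in range(len(labels)):
            suffix = ".".join(labels[i:])
            if suffix in self.domain_overrides:
                target = self.domain_overrides[suffix]
                if target == "!":
                    # "!" in pfSense: the query is never forwarded; with no
                    # local data the client simply gets no answer for it.
                    return ("blocked", "not forwarded")
                return ("forward", target)
        # 3. Everything else goes to the forwarders in order (first one here).
        return ("forward", self.forwarders[0])


# Constructed policy reproducing the four rules from the post.
POLICY = ForwarderPolicy(
    forwarders=["10.0.0.53", "10.0.0.54"],
    domain_overrides={"secret.corp.example": "!"},
    host_overrides={"portal.secret.corp.example": "10.0.5.10"},
)

SAMPLE_QUERIES = [
    "www.corp.example",            # allowed host: forwarded to internal DNS
    "db.secret.corp.example",      # child of a hidden subdomain: not forwarded
    "portal.secret.corp.example",  # whitelisted host inside the hidden subdomain
    "corp.example",                # the root domain itself: forwarded
]


def evaluate(policy=POLICY, queries=SAMPLE_QUERIES) -> dict:
    """Return {query: (decision, detail)} for each sample name."""
    return {q: policy.decide(q) for q in queries}
```

Because the Forwarder's cache is shared across interfaces, the model only tells you what each name resolves to; it does not make the result per-VPN.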