Issues with DNS Resolver



  • Hi all,

    I am having a strange issue regarding DNS resolution using pfSense.
    My network setup is as follows:

    public /28 network. 1 IP to pfSense, the remaining as IP Alias for 1:1 NAT.
    4 private networks (lan, dmz, data, mgt)

    pfSense is on domain.org

    On the DMZ I have two machines, one is a web+dns server and the other is solely a DNS server. These machines are configured with external IP 1:1 NAT internal IP.
    On my domain provider I have the glue records, which are valid and working from the outside.
    DNS requests from outside work.

    When I try to resolve this domain, domain.com (not domain.org), from any machine on the inside, I get "connection timed out; no servers could be reached". However, if I test with dig and manually type the internal IP of the server, I get the answers.

    Now what I don't get is why I am not able to resolve this. Supposedly, using DNS Resolver/unbound, it would query the root DNS servers. The root DNS should return the authoritative name servers and their IPs, which are correctly configured. And since it is a different domain from the pfSense one, I'm assuming no conflict exists and no DHCP options should need to be configured?
    I can access and resolve from outside so the firewall rules seem to be OK.

    I also have an override at Services > DNS Resolver:
    Host Override
    ns1.domain.com to internal IP
    but it is still not working.

    Someone able to shed some light? thanks.



  • So when the DNS Resolver looks up the name servers for domain.com it gets one of your external WAN IPs, but it won't be able to access it, because 1:1 NAT doesn't work on requests from inside your network.

    Possibly it works if you enable NAT reflection.
    However, best practice would be to add a domain override for domain.com to the Resolver configuration and point it to the internal IP of your DNS server.
    Also ensure that DMZ is selected at "Outgoing Network Interfaces".



  • Fixed with a domain override to the primary DNS server.
    However, I feel it would be interesting to have the possibility to add more than one DNS server to the domain override option. Thank you @viragomann for the hint.



  • @maverickws said in Issues with DNS Resolver:

    However, I feel it would be interesting to have the possibility to add more than one DNS server to the domain override option.

    It's on you. You may add further servers even for the same domain. Unbound then uses the second if the first does not respond.
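The fix discussed in this thread, written out as a plain unbound configuration (an added example, not the poster's or pfSense's own generated file). It assumes that a pfSense Domain Override maps to an unbound forward-zone, and the addresses, the DMZ interface IP and the two internal DNS server IPs, are constructed placeholders:

```conf
# Added example: unbound configuration equivalent to a pfSense Domain Override
# for domain.com pointing at the two internal DNS servers in the DMZ.
# All addresses below are constructed placeholders.
#
# Without the forward-zone, unbound follows the delegation from the root
# servers to the public WAN addresses in the glue records. 1:1 NAT does not
# translate traffic that originates on the inside, so those queries time out
# ("no servers could be reached"), while querying the internal IP directly works.

server:
    # "Outgoing Network Interfaces" in the pfSense GUI: unbound sends its
    # upstream queries from the DMZ interface address so the DNS servers
    # on that segment are reachable without going through the WAN.
    outgoing-interface: 10.0.2.1

    # Only needed if the internal servers answer with RFC 1918 addresses:
    # unbound's DNS rebinding protection would otherwise drop such answers.
    # private-domain: "domain.com."

forward-zone:
    name: "domain.com."
    # Primary internal DNS server (the web+dns host in the DMZ).
    forward-addr: 10.0.2.10
    # Secondary internal DNS server. More than one address is allowed for the
    # same zone; unbound falls back to the next one if the first does not respond.
    forward-addr: 10.0.2.11
```

Verify from an inside host with `dig @<pfSense LAN IP> www.domain.com`; a timeout after applying the override usually means the DMZ interface is not selected as an outgoing interface or a firewall rule blocks DNS from the firewall to the DMZ.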