Add DNS in DHCP Server Settings: Required?

1ntr0v3rt3ch · Sep 26, 2021, 5:41 AM

Just freshly installed 2.5.2 version of pfsense. I just noticed that to be able to have an internet connectivity, I have to set a DNS (ex: 8.8.8.8) in DHCP Server Settings first. AFAIK. by default it will use the DNS in General Setup. In my previous setup of pfsense, I didn't put anything in the DNS in DHCP Server and have an internet connection by default.

Is this a new requirements or did I miss something in settings that I should setup first?

And in Captive Portal also, before I just use the interface IP of the captive portal and set it as DNS in DHCP Server of my WiFi Interface, internet is connected but now I have to use other DNS to be able to connect to internet.

mer · Sep 26, 2021, 7:14 AM

@1ntr0v3rt3ch
To the best of my knowledge you shouldn't have to.
This is help text on the DHCP server page for DNS servers:
"Leave blank to use the system default DNS servers: this interface's IP if DNS Forwarder or Resolver is enabled, otherwise the servers configured on the System / General Setup page."

Then on the System, General Setup page:
"Enter IP addresses to be used by the system for DNS resolution. These are also used for the DHCP service, DNS Forwarder and DNS Resolver when it has DNS Query Forwarding enabled."

Then a couple of check boxes, one for "override this by dhcp on WAN" and "Do not use DNS Forwarder/Resolver for this firewall".

Based on that, my understanding is that if you leave them blank in the DHCP server config for say LAN interface, a DHCP client should get the pfSense box as the DNS server if you are running local DNS forwarder/resolver, otherwise the list from the System, General Setup or if your WAN link is DHCP, hands you DNS servers and then you have the "allow override from DHCP on WAN" checked.

1ntr0v3rt3ch · Sep 26, 2021, 7:47 AM

@mer that's what I know also.I just fresh installed pfsense again, all default settings but problem still persist. I have to put a DNS (8.8.8.8) in the dhcp server settings first or add DNS manually in my windows 10 lan network configuration to be able to be connected to internet.

I don't know what's happening and this is weird for me.

mer · Sep 26, 2021, 10:15 AM

@1ntr0v3rt3ch
Well, that's interesting. Not sure where it could be going wrong, so I guess wait for someone who knows more than us to chime in.

bingo600 · Sep 26, 2021, 10:55 AM

@1ntr0v3rt3ch
What does a Windows commandline ipconfig /all show:
WIth the 8.8.8.8 enabled , and without it enabled ?

Ohh you have to renew/refresh your Windows DHCP lease before these tests.

/Bingo

1ntr0v3rt3ch · Sep 26, 2021, 3:15 PM

@bingo600 if not enabled (no dns input in dhcp server settings), default gateway,dhcp server and dns server received in client pc is the lan interface ip, result is no internet but I can ping sites.

If it's enabled default gateway and dhcp server use lan interface ip and for the dns server it use the google dns (dns I input in dhcp server settings), result is I can ping sites and browse with no problem at all.

bingo600 · Sep 26, 2021, 3:15 PM

@1ntr0v3rt3ch

You say that you have the DNS server set to either "pfsense lan interface" or "8.8.8.8" , depending on your DNS setting in DHCP.

Then i would think your pfsense resolver has an issue or a rule denying dns to enter the lan interface is present.

What resolver do you use ? - Unbound ?
Is it running ?

What do you have in system -> general , the DNS Settings section ?

And your Services -> DNS Resolver (Unbound) ?

/Bingo

1ntr0v3rt3ch · Sep 26, 2021, 10:58 PM

@bingo600

rules used in lan interface is default. I am using unbound and it is running well. no issues in services. in my general setup, i just put google dns (8.8.8.8 and 8.8.4.4) only.

DNS resolver settings are defaults also..

bingo600 · Sep 28, 2021, 10:32 AM

@1ntr0v3rt3ch
I cant help anymore
Suggest some wireshark or pfSense packet traces

johnpoz · Sep 28, 2021, 10:57 AM

@1ntr0v3rt3ch said in Add DNS in DHCP Server Settings: Required?:

I am using unbound and it is running well. no issues in services.

Just because the service is running - doesn't mean its working. It needs to be able to resolve. If it can not - then no it can not answer queries from clients.

You need to validate that unbound can actually resolve what your wanting query for - say www.google.com

example:

See where only loopback 127.0.0.1 was used (unbound) and it returned an answer. Do such a test.. And post the results.

If no then no clients asking pfsense IP to look up something is not going to work.