Netgate Discussion Forum
    DNS Resolver Records

    General pfSense Questions
    elenaydamonsalvatore

      Hello,
      I have the following doubt regarding pfsense:

      in the DNS Resolver in the Custom Options section, configure the following:

      local-zone: "dns.prueba.com." static

      local-data: "dns.prueba.com. IN A 180.10.11.47"

      And in host overrides add the host dns.rolosa.com with the internal ip 10.11.0.105.

      If I do an nslookup from a machine inside the LAN it returns both addresses, and if I do the same query from my computer or cell phone it returns neither.

      I have tried to add views or access controls in the Custom Options section.

      What can be done so that in the WAN network it returns only the public IP, which would be 180.10.11.47? This is so that pfSense can be used as a DNS server, and for a host it returns one of the two configured IPs according to where the request comes from.

      Thanks

      Translated with www.DeepL.com/Translator (free version)

      johnpoz LAYER 8 Global Moderator @elenaydamonsalvatore

        @elenaydamonsalvatore said in DNS Resolver Records:

        if I do the same query from my computer or cell phone it returns neither.

        Well, if they are not pointed to pfSense for DNS, then no, it's not going to return those records.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        elenaydamonsalvatore @johnpoz

          @johnpoz On my PC that is outside the LAN, I set the primary DNS: if I enter the internal IP of the pfSense it does not return any value, and if I enter the external IP of the pfSense, this appears:

          *** UnKnown can't find dns.prueba.com: Query refused

          What would be the correct configuration to resolve external requests with the records configured in custom options?

          johnpoz LAYER 8 Global Moderator @elenaydamonsalvatore

            @elenaydamonsalvatore said in DNS Resolver Records:

            What would be the correct configuration to resolve external requests with the records configured in custom options?

            And why would external devices be pointing to your wan IP for dns? That is a horrible horrible idea! Opening up dns to the public internet is asking to be used in a dns type of attack..

            If you allowed the public internet to talk to your WAN IP, and unbound is listening on that interface, you would also need to create an ACL to allow the query - which is why you're being refused.. But again BAD IDEA!!

            If you want your devices to leverage your dns, then vpn in. Or at min lock down who can access your dns from the outside to the source IP your device will be coming from. I can not stress enough how bad of an idea it is to open dns to the public internet..

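The two points in the reply above (a query is refused unless an access-control entry allows the source, and an entry broad enough to admit the public internet turns the box into an open resolver) can be checked against the custom options before they go in. The following is an added example, not code from the thread or from pfSense; the two access-control lines in the sample are constructed, and the "most specific match wins, default refuse" rule is a simplified model of unbound's ACL behaviour.

```python
import ipaddress
import re

# Constructed sample: the poster's custom options plus two hypothetical ACL lines.
SAMPLE_CONFIG = """
local-zone: "dns.prueba.com." static
local-data: "dns.prueba.com. IN A 180.10.11.47"
access-control: 10.11.0.0/16 allow
access-control: 0.0.0.0/0 allow
"""

# Address space that may legitimately be allowed to recurse: RFC1918, loopback, ULA, link-local.
PRIVATE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10")]

def parse_unbound(text):
    """Return {'acl': [(network, action)], 'local_data': [(name, rrtype, value)]}."""
    acl, local_data = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if line.startswith("access-control:"):
            tokens = line.split(":", 1)[1].split()    # first colon ends the keyword
            acl.append((ipaddress.ip_network(tokens[0], strict=False), tokens[1]))
        elif line.startswith("local-data:"):
            m = re.match(r'local-data:\s*"(\S+)\s+(?:\d+\s+)?IN\s+(\w+)\s+(.+?)"', line)
            if m:
                local_data.append(m.groups())
    return {"acl": acl, "local_data": local_data}

def is_private(net):
    return any(net.subnet_of(p) for p in PRIVATE if net.version == p.version)

def query_verdict(cfg, client_ip):
    """Simplified unbound ACL: the most specific matching netblock decides; no match -> refuse."""
    ip = ipaddress.ip_address(client_ip)
    matches = [(n, a) for n, a in cfg["acl"] if ip in n]
    if not matches:
        return "refuse"                               # the "Query refused" seen in the thread
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def open_resolver_entries(cfg):
    """ACL entries that allow queries from non-private address space (open-resolver exposure)."""
    return [str(n) for n, a in cfg["acl"]
            if a in ("allow", "allow_snoop") and not is_private(n)]
```

Run `open_resolver_entries(parse_unbound(SAMPLE_CONFIG))` before applying custom options; anything it returns is an entry that lets arbitrary internet hosts use the resolver.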
              elenaydamonsalvatore @johnpoz

              @johnpoz said in DNS Resolver Records:

              And why would external devices be pointing to your wan IP for dns? That is a horrible horrible idea! Opening up dns to the public internet is asking to be used in a dns type of attack..
              If you allowed the public internet to talk to your WAN IP, and unbound is listening on that interface, you would also need to create an ACL to allow the query - which is why you're being refused.. But again BAD IDEA!!
              If you want your devices to leverage your dns, then vpn in. Or at min lock down who can access your dns from the outside to the source IP your device will be coming from. I can not stress enough how bad of an idea it is to open dns to the public internet..

              So the best recommendation is not to use pfSense as your own DNS server? That is to say, register the hosts with their corresponding records (A, AAAA and MX) in order to resolve the external IP externally (publicly), and only use the host overrides for the internal IPs inside the LAN.

              johnpoz LAYER 8 Global Moderator @elenaydamonsalvatore

                @elenaydamonsalvatore Unbound is not meant to be an authoritative NS.. If you want to run authoritative for a domain to the public internet you would use say bind.

                There is a huge difference between running an authoritative name server and a recursive one open to the public internet.

                Unbound is not meant to be authoritative, it's meant as a recursive resolver.. For yes your local network to resolve stuff..

                Since you're here with what amounts to basic dns questions - I would HIGHLY suggest against trying to run your own authoritative ns.. Use one of the 100's of possible services that do that as their bread and butter.. Some free, some pay..

                I have been doing dns for 20 some years.. Have run authoritative NS for huge domains, with hundreds of subs and multiple tlds.. I would not host my own dns to the public.. It's more cost effective, more secure and way more reliable to let one of the major players handle it - on their vast anycast networks.. As play, as test and learning experience sure ok.. But doing so does not need to be open to the public to understand how to do it.

                  elenaydamonsalvatore @johnpoz

                  @johnpoz said in DNS Resolver Records:

                  Unbound is not meant to be an authoritative NS.. If you want to run authoritative for a domain to the public internet you would use say bind.
                  There is a huge difference between running an authoritative name server and a recursive one open to the public internet.
                  Unbound is not meant to be authoritative, it's meant as a recursive resolver.. For yes your local network to resolve stuff..
                  Since you're here with what amounts to basic dns questions - I would HIGHLY suggest against trying to run your own authoritative ns.. Use one of the 100's of possible services that do that as their bread and butter.. Some free, some pay..
                  I have been doing dns for 20 some years.. Have run authoritative NS for huge domains, with hundreds of subs and multiple tlds.. I would not host my own dns to the public.. It's more cost effective, more secure and way more reliable to let one of the major players handle it - on their vast anycast networks.. As play, as test and learning experience sure ok.. But doing so does not need to be open to the public to understand how to do it.

                  Yes, I understand.
                  I just wanted to know if that idea is feasible, and I see that the best thing to do is to keep using the current DNS server, and not migrate all the records to pfsense.
                  Thank you very much for the suggestion.

                    johnpoz LAYER 8 Global Moderator @elenaydamonsalvatore

                    @elenaydamonsalvatore Let's say you were going to run bind and be authoritative. Where is your 2nd NS going to be?

                    Yes you could run authoritative for domains on bind on pfsense. Do you have another location? For the 2nd NS? There should always be at least 2, they should be on different networks and if at all possible geographically diverse as well, etc.

                    You could run bind for your own local domain, or even multiples of them, etc. But when it becomes dns to the public space.. It doesn't make much sense to do so..

                      elenaydamonsalvatore @johnpoz

                      @johnpoz said in DNS Resolver Records:

                      Let's say you were going to run bind and be authoritative. Where is your 2nd NS going to be?
                      Yes you could run authoritative for domains on bind on pfsense. Do you have another location? For the 2nd NS? There should always be at least 2, they should be on different networks and if at all possible geographically diverse as well, etc.
                      You could run bind for your own local domain, or even multiples of them, etc. But when it becomes dns to the public space.. It doesn't make much sense to do so..

                      The setup was to use a primary DNS that is on network X, and use pfSense itself as a second DNS, a backup in case the primary goes down or shuts down.
                      Can that be configured using the pfSense bind package?

                        johnpoz LAYER 8 Global Moderator @elenaydamonsalvatore

                        @elenaydamonsalvatore Sure it can.. Bind runs dns on the planet ;)

                        I just wouldn't suggest you do it.. it's 1 box on 1 connection.. Why not let the big boys do it, you could have 4 or 6 NS all on different services. All on global anycast networks. For pennies really..
