DNS Resolver Records

elenaydamonsalvatore

Hello,
I have the following doubt regarding pfsense:

in the DNS Resolver in the Custom Options section, configure the following:

local-zone: "dns.prueba.com." static

local-data: "dns.prueba.com. IN A 180.10.11.47"

And in host overrides add the host dns.rolosa.com with the internal ip 10.11.0.105.

If I do an nslookup from a machine inside the LAN it returns both addresses, and if I do the same query from my computer or cell phone it returns neither.

I have tried to add views or access controls in the Custom Options section.

What can be done so that in the WAN network it returns only the public ip which would be 180.10.11.47? This in order that with the Pfsense, it is used as a DNS server, and for a host it returns one ip of the two configured according to where the request comes from.

Thanks

Translated with www.DeepL.com/Translator (free version)

johnpoz

@elenaydamonsalvatore said in DNS Resolver Records:

if I do the same query from my computer or cell phone it returns neither.

Well if they are not pointed to pfsense for dns - then no its not going to return those records.

elenaydamonsalvatore

@johnpoz on my pc that is outside the lan I put as primary dns, enter the internal ip of the pfsense, it does not return any value, and if I enter the external ip of the pfsense, it appears:

*** UnKnown can't find dns.prueba.com: Query refused

What would be the correct configuration to resolve external requests with the records configured in custom options?

johnpoz

@elenaydamonsalvatore said in DNS Resolver Records:

What would be the correct configuration to resolve external requests with the records configured in custom options?

And why would external devices be pointing to your wan IP for dns? That is a horrible horrible idea! Opening up dns to the public internet is asking to be used in a dns type of attack..

If you allowed public internet to talk to your wan IP, and unbound is listening on that interface. You would also need to create a ACL to allow the query - which is why your being refused.. But again BAD IDEA!!

If you want your devices to leverage your dns, then vpn in. Or at min lock down who can access your dns from the outside to the source IP your device will be coming from. I can not stress enough how bad of an idea it is to open dns to the public internet..

elenaydamonsalvatore

@johnpoz said in DNS Resolver Records:

And why would external devices be pointing to your wan IP for dns? That is a horrible horrible idea! Opening up dns to the public internet is asking to be used in a dns type of attack..
If you allowed public internet to talk to your wan IP, and unbound is listening on that interface. You would also need to create a ACL to allow the query - which is why your being refused.. But again BAD IDEA!!
If you want your devices to leverage your dns, then vpn in. Or at min lock down who can access your dns from the outside to the source IP your device will be coming from. I can not stress enough how bad of an idea it is to open dns to the public internet..

so the best recommendation is not to use pfsense as your own DNS server? That is to say to register the hosts with their corresponding records: A, AAA and MX in order to externally (public) resolve the external ip, and only use the hosts overrides for the internal ips inside the LA.

johnpoz

@elenaydamonsalvatore Unbound is not meant to be an authoritative NS.. If you want to run authoritative for a domain to the public internet you would use say bind.

There is a huge difference between running an authoritative name server and a recursive one open to the public internet.

Unbound is not meant to be authoritative, its meant as a recursive resolver.. For yes your local network to resolve stuff..

Since your here with what amounts to basic dns questions - I would HIGHLY suggest against trying to run your own authoritative ns.. Use one of the 100's of possible services that do that as their bread and butter.. Some free, some pay..

I have been doing dns for 20 some years.. Have run authoritative NS for huge domains, with hundreds of subs and multiple tlds.. I would not host my own dns to the public.. Its more cost effective, more secure and way more reliable to let one of the major players handle it - on their vast anycast networks.. As play, as test and learning experience sure ok.. But doing so does not need to be open to the public to understand how to do it.

elenaydamonsalvatore

@johnpoz said in DNS Resolver Records:

Unbound is not meant to be an authoritative NS.. If you want to run authoritative for a domain to the public internet you would use say bind.
There is a huge difference between running an authoritative name server and a recursive one open to the public internet.
Unbound is not meant to be authoritative, its meant as a recursive resolver.. For yes your local network to resolve stuff..
Since your here with what amounts to basic dns questions - I would HIGHLY suggest against trying to run your own authoritative ns.. Use one of the 100's of possible services that do that as their bread and butter.. Some free, some pay..
I have been doing dns for 20 some years.. Have run authoritative NS for huge domains, with hundreds of subs and multiple tlds.. I would not host my own dns to the public.. Its more cost effective, more secure and way more reliable to let one of the major players handle it - on their vast anycast networks.. As play, as test and learning experience sure ok.. But doing so does not need to be open to the public to understand how to do it.

Yes, I understand.
I just wanted to know if that idea is feasible, and I see that the best thing to do is to keep using the current DNS server, and not migrate all the records to pfsense.
Thank you very much for the suggestion.

johnpoz

@elenaydamonsalvatore Lets say you were going to run bind and be authoritative. Where is your 2nd NS going to be?

Yes you could run authoritative for domains on bind on pfsense. Do you have another location? For the 2nd NS? There should always be at least 2, they should be on different networks and if at all possible geographically diverse as well, etc.

You could run bind for your own local domain, or even multiples of them, etc. But when it becomes dns to the public space.. It doesn't make much sense to do so..

elenaydamonsalvatore

@johnpoz said in DNS Resolver Records:

Lets say you were going to run bind and be authoritative. Where is your 2nd NS going to be?
Yes you could run authoritative for domains on bind on pfsense. Do you have another location? For the 2nd NS? There should always be at least 2, they should be on different networks and if at all possible geographically diverse as well, etc.
You could run bind for your own local domain, or even multiples of them, etc. But when it becomes dns to the public space.. It doesn't make much sense to do so..

The setup was to use a primary dns that is on X network, and use pfsense itself as a second dns, a backup in case the primary goes down or shuts down.
That can be configured using the pfsense bind package?

johnpoz

@elenaydamonsalvatore Sure it can.. Bind runs dns on the planet ;)

I just wouldn't suggest you do it.. its 1 box on 1 connection.. Why not let the big boys do it, you could have 4 or 6 NS all on different services. All on global anycast networks. For pennies really..