DNS resolver host override, DNS server is not hosted by pfSense
-
I have the following configuration for mydomain.com:
- LAN addresses are 10.10.10.x onwards
- pfSense gateway is at 10.10.10.1
- Windows Server is at 10.10.10.2 with integrated DHCP and DNS servers for all LAN devices
- The Windows DNS server at 10.10.10.2 points to a single forwarder on pfSense (10.10.10.1) and no alternative DNS servers
- Port 443 is NAT-translated to 10.10.10.6 which is a web server (nginx).
- In the pfSense gateway, the DNS server is disabled and the DNS resolver is configured to do a host override, such that mydomain.com will return the address 10.10.10.6 (which is an nginx web server, as mentioned above).
From outside of the perimeter, everything works well. Also, RDP to mydomain.com from the LAN results in the correct server being addressed. However, pointing a browser to https://mydomain.com from a LAN device gets me nowhere. I conclude that the DNS services are not properly configured, but I cannot figure out what's wrong and it's driving me crazy. Might anybody help?
-
@aagaag said in DNS resolver host override, DNS server is not hosted by pfSense:
pointing a browser to https://mydomain.com from a LAN device gets me nowhere
If I had to guess, your browser is using DoH, and not asking your local DNS.
If your Windows server is providing DNS, why would you not just create the A record there? A little confused why the host override is wanted or needed on the pfSense box.
But browsers love knowing more than the users who use them - so DoH has become default on many of them.. They need to be able to serve those ads ;)
On this box you're running your browser on, if you go to the cmd line and just do an nslookup, or dig or host (whatever your fav DNS tool is), what does it return for mydomain.com?
-
nslookup says:
nslookup mydomain.com
Server: server2022.lan
Address: 10.10.10.2

Name: mydomain.com
Addresses: 10.10.10.2
           148.60.57.113
[the last line is the WAN address of the pfSense, redacted]
-
I should add that the WAN address is dynamic (though it rarely changes), which I am afraid introduces yet another level of complexity...
-
@aagaag so why would you be pulling both addresses - I would think you would just pull the address you created with host override.
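The check johnpoz is asking for, written out as an added example that is not part of this thread: it sends a plain UDP query straight to the LAN DNS server (so browser DoH cannot get in the way) and sorts every A record in the answer into "the expected internal address", "some other LAN host" and "public", which makes a mixed answer like the one aagaag posted (10.10.10.2 plus the WAN address) stand out immediately. The resolver address, name, expected address and LAN prefix are assumptions taken from the thread; the query builder and parser are stdlib only.

```python
import ipaddress
import socket
import struct

# Assumed values from the thread: the Windows DNS server that LAN clients use,
# the name being tested, the address the host override is meant to return, and
# the LAN prefix. Adjust to your own network.
RESOLVER = "10.10.10.2"
NAME = "mydomain.com"
EXPECTED = "10.10.10.6"
LAN_NET = "10.10.10.0/24"


def build_query(name, txid=0x1234):
    """Build a minimal DNS query (RD set) for the A record of `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg, offset):
    """Decode a (possibly compressed) owner name; return (name, offset past it)."""
    labels = []
    end = None  # where the field ends in the message, fixed once we know it
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            if end is None:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_a_records(msg):
    """Return every IPv4 address in the answer section of a DNS response."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):
        _, offset = _read_name(msg, offset)
        offset += 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        _, offset = _read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            addrs.append(str(ipaddress.IPv4Address(rdata)))
    return addrs


def classify(addrs, expected, lan_net):
    """Sort answers into the expected internal address, other LAN hosts and
    public addresses. A LAN client should only ever see `expected`; anything
    else means the internal zone is handing out the wrong records."""
    net = ipaddress.ip_network(lan_net)
    result = {"expected": [], "lan_other": [], "public": []}
    for a in addrs:
        if a == expected:
            result["expected"].append(a)
        elif ipaddress.ip_address(a) in net:
            result["lan_other"].append(a)
        else:
            result["public"].append(a)
    return result


def check_name(name=NAME, resolver=RESOLVER, expected=EXPECTED,
               lan_net=LAN_NET, timeout=3.0):
    """Query `resolver` directly over UDP/53 and classify what it returns."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver, 53))
        data, _ = s.recvfrom(4096)
    return classify(parse_a_records(data), expected, lan_net)


if __name__ == "__main__":
    verdict = check_name()
    print(f"{NAME} via {RESOLVER}: {verdict}")
    if verdict["lan_other"] or verdict["public"] or not verdict["expected"]:
        print("split-horizon mismatch: LAN clients are not getting only", EXPECTED)
```

Run it from a LAN client; a healthy split-horizon setup reports only the expected address, while anything in `lan_other` or `public` is a record the internal zone should not be serving to LAN clients.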
-
@johnpoz thanks a million! I made a "mydomain.com" forward lookup zone in the Windows 2022 server, placed an A record resolving mydomain.com to the current WAN IP, and a wildcard A record for *.mydomain.com. 90% of the whole site is now working both inside and outside the LAN using the same outside URLs.
I am still frightened by what will happen once the WAN IP is rotated by the provider. Is there any way to provision for that?
-
@aagaag said in DNS resolver host override, DNS server is not hosted by pfSense:
WAN IP will be rotated by the provider. Is there any way to provision for that?
This is what DDNS is for, set up a DDNS entry to point to whatever your public IP is..