Netgate Discussion Forum

    Why does resolver require ALL network interfaces?

    Category: DHCP and DNS
    4 Posts, 3 Posters, 526 Views
    ken.teh:

      I tried to set the DNS resolver to listen to queries on the LAN but it doesn't like it. It wants either ALL or localhost.

      Doesn't ALL mean the resolver will bind to the WAN? Shouldn't I avoid this if I already have a DNS server on the WAN net?

      What does localhost mean? It only accepts queries from itself?

      Is this explained somewhere in the docs? I don't find it.

      I'm using pfsense CE 2.5.2. Thanks!

    SteveITS (Rebel Alliance), replying to ken.teh:

        @ken-teh The default is all, I assume, in case you add an interface later.

        Localhost is the pfSense itself, by default it queries itself for DNS. On page System/General Setup, see option "DNS Resolution Behavior."

        Unless you create a rule allowing connections to WANIP:53, the Internet/WAN devices can't connect to that port anyway.

        Having another DNS server on the WAN doesn't matter... you may be thinking of DHCP? For DHCP you want only one DHCP server per network (unless there's a failover or something, but in general one, so they don't give out conflicting info).

    ken.teh, replying to SteveITS:

          @steveits The wan:53 firewall rule clarifies it for me. Thanks!

    jimp (Rebel Alliance Developer, Netgate):

            In addition to the firewall rules the DNS Resolver also has strict internal ACLs which only allow queries from known local networks. So unless you've done something silly like add an ACL for 0.0.0.0/0 to allow queries, unbound would just toss them out anyhow.

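The two answers above describe two independent layers between a query arriving on an interface and an answer from unbound: the pfSense firewall rules on that interface (SteveITS's WANIP:53 point) and unbound's own access-control list (jimp's point). The following is an added example, not code from the thread or from pfSense, that models both layers so you can trace where a given query is stopped. The unbound directives, the LAN subnet 192.168.1.0/24, the rule table and the source addresses are all constructed for the example; unbound evaluates access-control by longest-prefix match, which the code reproduces, and pfSense's implicit default on every interface is block, which the rule lookup falls back to.

```python
import ipaddress

# Constructed unbound-style config, modelled on what pfSense generates when
# "All" interfaces are selected: bind everywhere, allow localhost and the
# local network, refuse everything else. Subnet chosen for the example.
UNBOUND_CONF = """
interface: 0.0.0.0
interface: ::0
access-control: 0.0.0.0/0 refuse
access-control: ::/0 refuse
access-control: 127.0.0.0/8 allow
access-control: ::1/128 allow
access-control: 192.168.1.0/24 allow
"""

# Constructed pf-style rule table: (interface, proto, dst_port, action).
# Only the default "LAN to any" pass rule exists; there is deliberately no
# rule on WAN, and loopback is not filtered.
FIREWALL_RULES = [
    ("lo", "any", None, "pass"),
    ("lan", "any", None, "pass"),
]


def parse_access_control(conf):
    """Return [(network, action)] for every access-control: directive."""
    acls = []
    for line in conf.splitlines():
        line = line.strip()
        if not line.startswith("access-control:"):
            continue
        _, rest = line.split(":", 1)
        net, action = rest.split()
        acls.append((ipaddress.ip_network(net, strict=False), action))
    return acls


def unbound_action(acls, src):
    """Pick the most specific matching ACL entry (longest prefix wins)."""
    src = ipaddress.ip_address(src)
    best = None
    for net, action in acls:
        if src.version != net.version or src not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, action)
    # With no matching entry unbound refuses the query.
    return best[1] if best else "refuse"


def firewall_action(rules, iface, proto, dport):
    """First matching rule wins; no match means pfSense's implicit block."""
    for r_iface, r_proto, r_port, action in rules:
        if r_iface != iface:
            continue
        if r_proto != "any" and r_proto != proto:
            continue
        if r_port is not None and r_port != dport:
            continue
        return action
    return "block"


def query_outcome(src, iface, rules=FIREWALL_RULES, acls=None):
    """Trace a UDP/53 query from `src` arriving on `iface` through both layers."""
    if acls is None:
        acls = parse_access_control(UNBOUND_CONF)
    if firewall_action(rules, iface, "udp", 53) != "pass":
        return "dropped by firewall"
    action = unbound_action(acls, src)
    return "answered" if action == "allow" else f"unbound {action}"


if __name__ == "__main__":
    # Hypothetical "someone added a pass rule for WANIP:53" variant.
    wan_open = FIREWALL_RULES + [("wan", "udp", 53, "pass")]
    for src, iface, rules in [
        ("192.168.1.10", "lan", FIREWALL_RULES),
        ("203.0.113.5", "wan", FIREWALL_RULES),
        ("203.0.113.5", "wan", wan_open),
        ("10.0.0.5", "lan", FIREWALL_RULES),
    ]:
        print(f"{src:>14} on {iface:<3}: {query_outcome(src, iface, rules)}")
```

Running it shows the LAN host is answered, the Internet host is dropped by the firewall even though unbound is bound to the WAN address, and that with a WANIP:53 pass rule added the Internet host still gets a refusal from unbound's ACL. The last case (a 10.0.0.0/8 source arriving on LAN, say from a routed subnet behind it) is the one to remember: the firewall passes it, but unbound refuses it until that network is added to the resolver's access lists.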
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.