do you use DNS Forwarder or Resolver with a Lan Cache Server?
-
Hi, so I have a Lancache server on my Unraid server, and I use VPN and non-VPN clients that try to connect to it, but it buggers up.
Through the Discord for Lancache, one person replied with a dnsmasq setup like for Pi-hole, but I'm not sure how to set it up in pfSense?
I did play with the host override for the DNS Forwarder and Resolver, adding things like the Epic Games download address, Steam's, Blizzard, Origin... but when you look at the traffic it seems to only use the Steam DNS resolver link, and it doesn't write to the Lancache server. It seems to just go directly to the computer.
How do you properly set it up? Or does pfSense offer a Lancache server for reinstalling games faster and for Windows updates? If pfSense has it built in then I'd add a hard drive to my pfSense box.
But it just doesn't seem to work 100% the way I was hoping so far.
And I've been using this link to add the URLs for each:
https://github.com/uklans/cache-domains
-
@comet424 said in do you use DNS Forwarder or Resolver with a Lan Cache Server?:
one person replied with a dnsmasq setup like for Pi-hole..
What exactly did they say?
You can run Squid to cache things in pfSense directly but it's not the same thing. I wouldn't recommend that.
Steve
-
The one person that replied on the Discord told me to follow this Linux version:
https://github.com/uklans/cache-domains/tree/master/scripts
You use it to point to your Lancache server... it uses unbound and dnsmasq, so I tried to fiddle with it in pfSense. His exact quote was:
"you could manually add the entries for the cache into the VPN DNS
e.g. using one of the scripts from https://github.com/uklans/cache-domains/tree/master/scripts
are you worried only about DNS leaking from VPN clients, or game CDN download traffic also?"
And then you add the specific server web addresses; like Epic Games has 3 servers, so that needs to go directly to my cache server, but it's not writing to it.
So if I do a host override with domain name STEAM and put all the servers in it, and Epic Games, both in the DNS Resolver and Forwarder, as I truly don't know... but if I use the Epic Games launcher and resume a download, and look in the Traffic Logs under Status, it shows STEAM being accessed, which should be "EPICGAMES", but also it's not writing to the Lancache server drive.
And here is the other link where you get the server IPs:
https://github.com/uklans/cache-domains
So I'm not 100% sure how to configure it. I guess that guy didn't say Pi-hole; I think I read it off a Google search, off like Reddit, because I couldn't figure it out.
-
Ok, so when you ran the script what did it generate?
It looks like it's probably a list of hosts rather than domain overrides. If it was domain overrides the cache server would have to be able to resolve the individual hosts to itself.
Steve
-
I never ran it, as I'm not running Pi-hole or a Linux router etc. As I run Unraid, I installed it there and set it up as 192.168.0.33.
But when I set the DNS Resolver and DNS Forwarder and set an override to say hostname steam and then add all the additional server IPs, and do the same for Epic, etc., it seems to only access "Steam", it says in the traffic display, even when Steam isn't running. So it's not taking the addresses right and it's not going to 192.168.0.33 to cache it, as I don't see any writes; it just seems to skip it.
Because if I use 192.168.0.33 in the DHCP scope and use VPN and non-VPN clients, and use the upstream as 192.168.0.1, it doesn't always work: websites like Amazon will not display pictures, you only see a list of text links, certain websites can't be found. If I change the upstream to 1.1.1.1 then the VPN clients leak, so it's no longer secure.
So I've been trying the Resolver and Forwarder, so I don't need to change the DNS address on my Windows machine to 192.168.0.1 for regular use and 192.168.0.33 for updating games.
So I've been trying to get it to work through pfSense, because when I Googled it, the dnsmasq and unbound that you would configure in Pi-hole are in pfSense under the Forwarder or Resolver; it just doesn't seem to work. I deleted all the host overrides at the moment, as I don't know if there is a certain check box you need to check off; I've been playing with it.
I know I'm sure I'm doing something wrong, because if you leave Windows with 192.168.0.33 as the DNS on a VPN client, and the upstream on the cache server is 192.168.0.1, that works fine.
I'm going to retry entering the stuff in.
What I wanted was:
VPN and non-VPN clients use 192.168.0.1 as DNS, but when game updates or Windows updates come in, pfSense redirects to 192.168.0.33 (Lancache), and then it goes back out to 192.168.0.1 as upstream, and VPN goes out the VPN and non-VPN goes out the WAN.
But maybe it's too complicated to be done. I dunno, I was just trying.
And I'm sure I have misunderstood how some things work too.
-
And if it's not possible to do then it's not possible. I figured I'd ask before trying to figure it out on my own for hours only to find it can't be done.
-
You should be able to use the output from that script (but you have to run it to create that) in Unbound in pfSense if that's what you want.
What exactly did you enter and where?
How did you test that?
-
I do not know if unbound was the "Forwarder" or the "Resolver".
Here in this pic I reset it up for just Epic and Origin games so far; this is under "DNS Forwarder".
The script I don't think I can run in pfSense, as I'm guessing it's meant for Pi-hole, and for Unraid there is no need to run a script; it has it all built in, I guess. You just set the DNS Bind IP and Upstream IP and Host IP, which is the same as the Bind IP, and you're done. So I would set it to 192.168.0.33 and upstream 192.168.0.3.
So here is the screenshot, and when I had the Steam IP addresses too, the Traffic Graph would show the "Steam" host even though Epic or Origin games were being updated. I test it by resuming a download in the Epic Games Launcher or Origin Games Launcher.
I did try the domain override too, but it didn't work either really. Pic below; those are the Origin Games servers.
And the only check box I checked off in DNS Forwarder was Enable Forwarder; the other boxes I really didn't understand.
-
So when I test those, I look on Unraid and nothing is being written to the Lancache drive. It's just like it's skipping those links and going straight to the computer and bypassing the Lancache.
And I'm not sure, do I use Forwarder or Resolver? As they have both Host Override and Domain Override.
Does pfSense offer to import these text files of hosts for each server, so you don't need to type them in and can just import, like import host overrides?
-
Use the Resolver (Unbound) unless you have a really good reason to use DNSMasq.
Ok, those host entries look wrong.
Epic_Games.download2.epicgames.com
is not a valid host. That should almost certainly be:
Host: download2
Domain: epicgames.com
'Epic_Games' is just the entry name.
You almost certainly need to run that script and then insert the output in the Unbound custom conf.
Domain overrides have to point at another DNS server that will resolve them. Is the Cache server also a DNS server?
Steve
-
Ok, so I never typed in Epic_Games.download2.epicgames.com as the host name; I guess pfSense does it. The host name is "Epic_Games"; it seems to attach it?? Here is a pic,
and a pic of the servers I added from the GitHub.
Unraid runs a Docker of the Lancache server, which itself is a DNS server, so it does work partially if I point the DHCP server DNS to 192.168.0.33 and the clients work. But if I use the non-VPN clients then I find pages can't be found, Amazon pages don't load properly, as I tried to get both non-VPN and VPN clients to connect to this DNS server, the Lancache, as it also hosts Windows Updates, and caches those too. You don't have to add any IPs; it's all built in, you just point to 192.168.0.33 and all the games are cached to it.
And running the script file, I forget which file since I'm bouncing back and forth between a couple of pages; do you then import this custom.conf into pfSense to load into the DNS Resolver Host Overrides (Unbound)?
I'll have to go over it again and look.
So I should have changed it then where I did "host", not used epic_games,
but should it have been: host cdn3 unrealengine.com, cdn2 unrealengine.com?
Was that how it's supposed to be entered?
Update:
So it should look like this, right?
-
So by having those host names like that above that I did in the Resolver, I'm no longer able to download the game update; it's stopped it. So something is working in part to block it, lol.
The rest of the internet works.
I re-read about the script; I've never done it, because I'm not sure if it runs under Unraid, but I'm going to copy the files to Unraid and see if it does work.
I re-read it a few times; I think I can't use that script.
That script is maybe for a Raspberry Pi that's running the Lancache server and unbound and dnsmasq, as it talks in the end about restarting those 2 services, which I can't do; for Unraid it's all in one DNS server. Never easy, lol. I'll keep fiddling, lol.
-
Yes, that's the correct format for a host override. The FQDN = hostname.domain.
See: https://docs.netgate.com/pfsense/en/latest/services/dns/resolver-host-overrides.html
If the Lancache server is also a DNS server then you could just use domain overrides and point to it for the whole domain. E.g. epicgames.com
Assuming the server will override the hosts for cached content and resolve them as itself, that should work.
Adding host or domain overrides in the pfSense GUI is actually creating Unbound conf lines that are added in the background. When you run that script it creates raw Unbound conf intended to be used with Unbound directly. pfSense has a field for entering conf lines directly if you need to use advanced Unbound features, so that's where I would expect to enter it if you are doing it that way.
It shouldn't matter where you run the script since you are manually using its output anyway.
I would be testing this by simply trying to resolve one of the hosts and seeing what IP it returns.
Steve
-
So I did the domain host override; it wasn't working, and I read somewhere you can't use 192.168.0.1 as upstream as it never downloads, it goes into a round robin. I did try 1.1.1.1 for its upstream; I dunno if that leaks the VPN or not, but that part is working at the moment.
So for unbound.conf then, that's universal? It's not like if you were to run it in Windows the formatting would be different than if it was in Linux; you all use the same way to read an unbound config file then, no matter what platform? All the spaces or fields are all the same?
I'll give it a try. Too bad pfSense doesn't have a package in the install packages that updates or imports these text files from that GitHub site.
But I'll try in a bit, as I've got to do some running around, but I'm going to try the config then. I'm not 100% sure how to do it:
output/{dnsmasq,unbound}/*
with that folder, but probably I'm wrong.
But I think it makes a file in an output folder,
a file called dnsmasq and unbound,
and whichever one you use, dnsmasq or unbound, is what you use. That's my understanding. With my dyslexia I have to re-read things 10 times to try to understand things sometimes, so it takes me a bit to learn.
-
@comet424 said in do you use DNS Forwarder or Resolver with a Lan Cache Server?:
So I did the domain host override; it wasn't working, and I read somewhere you can't use 192.168.0.1 as upstream as it never downloads, it goes into a round robin. I did try 1.1.1.1 for its upstream; I dunno if that leaks the VPN or not, but that part is working at the moment.
Um...not following you there at all.
So for unbound.conf then, that's universal? It's not like if you were to run it in Windows the formatting would be different than if it was in Linux; you all use the same way to read an unbound config file then, no matter what platform? All the spaces or fields are all the same?
Maybe not in Windows but I can't imagine anyone is running Unbound in Windows. Linux and FreeBSD are largely similar in many ways. Most of the Unbound config file will be the same and you are only adding parts to it.
I'll give it a try. Too bad pfSense doesn't have a package in the install packages that updates or imports these text files from that GitHub site.
pfBlocker-NG can import text files with lists of domains and hosts, but not to import them as overrides like that. It will block them entirely.
But I think it makes a file in an output folder,
a file called dnsmasq and unbound,
and whichever one you use, dnsmasq or unbound, is what you use.
That's what it looks like it does, yes.
Steve
-
Ok, I ran the script. It made several JSON files, and in it, like for Blizzard, it did:
address=/cdn.blizzard.com/192.168.0.33
address=/blizzard.vo.llnwd.net/192.168.0.33
address=/blzddist1-a.akamaihd.net/192.168.0.33
address=/blzddist2-a.akamaihd.net/192.168.0.33
address=/blzddist3-a.akamaihd.net/192.168.0.33
address=/blzddist4-a.akamaihd.net/192.168.0.33
address=/dist.blizzard.com/192.168.0.33
address=/dist.blizzard.com.edgesuite.net/192.168.0.33
address=/edge.blizzard.top.comcast.net/192.168.0.33
address=/edgecast.blizzard.com/192.168.0.33
address=/level3.blizzard.com/192.168.0.33
address=/llnw.blizzard.com/192.168.0.33
address=/nydus.battle.net/192.168.0.33
So how do I import it into pfSense then, and I guess it separates the host and domain?
And what I meant with the host override not working is... in the Lancache server I set my upstream to be 192.168.0.1; well, apparently people had issues doing it because it never reaches the internet. It says go to 192.168.0.1 and then the router says go back to 192.168.0.33, and a continuous loop. People said to use 1.1.1.1 as the upstream server to get out of the endless loop.
So you mentioned pfBlocker-NG can import text files, but it only imports to block them, you mean. So I guess there's no way to import these files now into the DNS Resolver section? Or is there another script that will import it into pfSense so I wouldn't need to type, just run the script and boom, I'm done?
Always learning, so I appreciate your help so far (:
Oh, and is pfBlocker-NG what I need to block ads on the computer, either pop-ups or YouTube or whatnot?
-
I must have done something wrong with the addresses I added. I no longer have access; I can't log in to my Epic or Blizzard or Origin.
I must have done something dumb somewhere.
And does the host/domain override only apply to network outgoing? Or all, as I have it set for NordVPN out, not for WAN for non-VPNs.
But here are the screenshots; it doesn't seem to be working.
For some reason it's like it blocked it now instead of allowing it. I fixed a couple of things where I had domain, but Epic and Blizzard used the same servers, so I added them to host override, fixed the dup and conflicts, but it didn't fix it.
-
Ok so the script made a list of host overrides but not in the Unbound format. That looks like the DNSMasq format.
Ok, yes if you used a domain override in pfSense to point at Lancache and that was itself using pfSense then you would create a loop for anything Lancache didn't override.
Yes, pfBlocker can serve to block ads etc. Like PiHole.
Those host and domain overrides you have added look correct. If you try to resolve one of them from a host using pfSense for DNS does it return 192.168.0.33?
If so then it's probably failing because Lancache is not answering the queries.
Steve
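An added example, not from this thread or from the cache-domains project, showing the two output formats and the host/domain split discussed above: it parses the dnsmasq-style `address=/name/ip` lines the script produced, emits the equivalent Unbound `local-zone ... redirect` / `local-data` lines for the custom options box, and splits each FQDN into the Host and Domain fields that the pfSense host override form expects (FQDN = hostname.domain, as Steve put it). The three sample lines are constructed from the Blizzard list quoted above; the function names and the Python implementation are mine, not the script's.

```python
import ipaddress
import re

# Constructed sample: three of the dnsmasq-style lines the cache-domains
# script emitted above, one per line.
DNSMASQ_SAMPLE = """\
address=/cdn.blizzard.com/192.168.0.33
address=/blizzard.vo.llnwd.net/192.168.0.33
address=/nydus.battle.net/192.168.0.33
"""

# dnsmasq "address=/<name>/<ip>": answer <name> (and everything under it) with <ip>
ADDRESS_RE = re.compile(r"^address=/([^/]+)/([^/\s]+)$")


def parse_dnsmasq(text):
    """Return a list of (name, ip) pairs from dnsmasq address= lines.

    Blank lines and '#' comments are skipped. Any other line that is not an
    address= directive, or that carries a malformed IP, raises ValueError so a
    typo in the list does not silently drop a host.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ADDRESS_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised dnsmasq line: {line!r}")
        name, ip = m.group(1).rstrip(".").lower(), m.group(2)
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        entries.append((name, ip))
    return entries


def to_unbound(entries, ttl=30):
    """Render the pairs as Unbound local-zone/local-data lines.

    Same layout as the script's unbound output: a 'server:' header, then for
    each name a redirect zone (so names under it are answered too) and the
    address record. A or AAAA is chosen from the address family.
    """
    lines = ["server:"]
    for name, ip in entries:
        rtype = "AAAA" if ipaddress.ip_address(ip).version == 6 else "A"
        lines.append(f'  local-zone: "{name}" redirect')
        lines.append(f'  local-data: "{name} {ttl} IN {rtype} {ip}"')
    return "\n".join(lines) + "\n"


def split_host_domain(fqdn):
    """Split an FQDN into the (Host, Domain) fields of a pfSense host override:
    the first label is the host, everything after it is the domain."""
    host, sep, domain = fqdn.strip(".").partition(".")
    if not sep or not host or not domain:
        raise ValueError(f"need at least two labels to split: {fqdn!r}")
    return host, domain


if __name__ == "__main__":
    entries = parse_dnsmasq(DNSMASQ_SAMPLE)
    print(to_unbound(entries))
    for name, _ip in entries:
        print("Host: %-10s Domain: %s" % split_host_domain(name))
```

The `redirect` zone type matters here: it makes Unbound answer the listed name and anything beneath it from the local data, which is what the dnsmasq `address=` directive also does, so the two outputs behave the same way for the cache hosts.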
-
@stephenw10
So I got the unbound script. I didn't know there was another file to create it, as I don't do much Linux, not anymore; 20 years ago, yes. Here is the unbound output for Blizzard:
server:
local-zone: "cdn.blizzard.com" redirect
local-data: "cdn.blizzard.com 30 IN A 192.168.0.33"
local-zone: "blizzard.vo.llnwd.net" redirect
local-data: "blizzard.vo.llnwd.net 30 IN A 192.168.0.33"
local-zone: "blzddist1-a.akamaihd.net" redirect
local-data: "blzddist1-a.akamaihd.net 30 IN A 192.168.0.33"
local-zone: "blzddist2-a.akamaihd.net" redirect
local-data: "blzddist2-a.akamaihd.net 30 IN A 192.168.0.33"
local-zone: "blzddist3-a.akamaihd.net" redirect
local-data: "blzddist3-a.akamaihd.net 30 IN A 192.168.0.33"
local-zone: "blzddist4-a.akamaihd.net" redirect
local-data: "blzddist4-a.akamaihd.net 30 IN A 192.168.0.33"
local-zone: "dist.blizzard.com" redirect
local-data: "dist.blizzard.com 30 IN A 192.168.0.33"
local-zone: "dist.blizzard.com.edgesuite.net" redirect
local-data: "dist.blizzard.com.edgesuite.net 30 IN A 192.168.0.33"
local-zone: "edge.blizzard.top.comcast.net" redirect
local-data: "edge.blizzard.top.comcast.net 30 IN A 192.168.0.33"
local-zone: "edgecast.blizzard.com" redirect
local-data: "edgecast.blizzard.com 30 IN A 192.168.0.33"
local-zone: "level3.blizzard.com" redirect
local-data: "level3.blizzard.com 30 IN A 192.168.0.33"
local-zone: "llnw.blizzard.com" redirect
local-data: "llnw.blizzard.com 30 IN A 192.168.0.33"
local-zone: "nydus.battle.net" redirect
local-data: "nydus.battle.net 30 IN A 192.168.0.33"
How can I import that though into the Resolver overrides? They don't break it down by host and domain though.
Yeah, so I'm testing on my 1 computer.
Gateway and DNS point to 192.168.0.1,
and I fixed a couple of the domain host overrides so they're not conflicting, and they all point to 192.168.0.33.
And I set the upstream DNS to 1.1.1.1 so it wouldn't run in circles not getting internet by pointing to 192.168.0.1 on the Lancache DNS, but it's also not working. It's like now that I have those, all internet access for the Blizzard launcher, Origin launcher and Epic launcher has no internet. Is there another check box I need to set to enable it? The Resolver is enabled, as I use it for NordVPN.
I've never used Pi-hole, and I was going to, but from some videos they said pfSense is better than Pi-hole, and why use a Raspberry Pi if you've got pfSense, so I never tried Pi-hole.
So I'm not sure what you mean by if I resolve from a host using pfSense for DNS, does it return 192.168.0.33.
If you mean if I try to use the Epic, Blizzard or Origin launcher, no it doesn't. It actually seems to not allow it; the traffic graph shows nothing.
But if I set the computer's ethernet connection DNS from 192.168.0.1 to 192.168.0.33 then it goes back to working.
As I'm sure when you add those overrides, you set your computers to 192.168.0.1 as the DNS like normal, and the redirection happens at the pfSense level and goes to 192.168.0.33.
That's what I guess.
So right now the only way it's working is like before I set up these overrides: 192.168.0.33 in the Windows ethernet DNS.
-
Ok, great. So you can add those to Unbound in the custom config field like:
From your laptop that is using pfSense (192.168.0.1) as its DNS server, if you run
nslookup cdn.blizzard.com
it should return 192.168.0.33. If it does, that means Unbound is working as expected.
The DNS lookup loop can only happen for domain overrides. For host overrides, like the example above, pfSense doesn't query the Lancache server.
@comet424 said in do you use DNS Forwarder or Resolver with a Lan Cache Server?:
if i set the computer ethernet connection from 192.168.0.1 dns to 192.168.0.33 then it goes back to working..
Ok, that implies DNS queries must go via Lancache for it to do whatever it does, and that means host overrides will not work. Only domain overrides will forward queries to Lancache.
Steve
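An added example, not from this thread, that models the three resolution paths Steve and comet424 describe: a host override in pfSense is answered by pfSense itself and Lancache is never asked; a domain override forwards the whole zone to Lancache; and with a domain override in place, a name Lancache does not itself override goes to Lancache's upstream, which loops back if that upstream is pfSense (the "round robin" mentioned above) and resolves normally if it is a public resolver such as 1.1.1.1. The 192.168.0.1 / 192.168.0.33 / 1.1.1.1 addresses and the cache host names are the ones in the thread; `www.blizzard.com` (as a name not in the cache list), the `203.0.113.10` answer, and the whole `resolve` logic are constructed for the simulation and are not how Unbound or Lancache are implemented.

```python
PFSENSE = "192.168.0.1"          # pfSense Unbound, what the clients use for DNS
LANCACHE = "192.168.0.33"        # Lancache DNS container on Unraid
PUBLIC = "1.1.1.1"               # a public resolver outside the LAN
PUBLIC_ANSWER = "203.0.113.10"   # constructed stand-in for a real CDN address


class LoopError(Exception):
    """A query arrived back at a server already on its path."""


class Server:
    def __init__(self, name, host_overrides=None, domain_overrides=None, upstream=None):
        self.name = name
        self.host_overrides = dict(host_overrides or {})      # exact fqdn -> ip
        self.domain_overrides = dict(domain_overrides or {})  # zone -> server to forward to
        self.upstream = upstream                              # where unmatched names go


def resolve(servers, at, qname, trail=()):
    """Resolve qname starting at the server whose address is `at`.

    Returns (answering_server_name, ip, trail); trail lists every server the
    query passed through, so the caller can see whether Lancache was asked.
    Re-entering a server on the same path raises LoopError, which real
    resolvers surface as a SERVFAIL or timeout rather than an exception.
    """
    trail = tuple(trail)
    if at == PUBLIC:
        return "public", PUBLIC_ANSWER, trail + (at,)
    if at in trail:
        raise LoopError(" -> ".join(trail + (at,)))
    trail = trail + (at,)
    srv = servers[at]
    if qname in srv.host_overrides:                 # host override: answered locally
        return srv.name, srv.host_overrides[qname], trail
    for zone, target in srv.domain_overrides.items():
        if qname == zone or qname.endswith("." + zone):   # domain override: forwarded
            return resolve(servers, target, qname, trail)
    if srv.upstream is None:
        raise LookupError(f"{srv.name} has no upstream for {qname}")
    return resolve(servers, srv.upstream, qname, trail)


def build_lan(lancache_upstream, use_domain_override):
    """pfSense either carries the cache hosts as host overrides, or forwards
    the whole zones to Lancache with domain overrides."""
    cache_hosts = {"cdn.blizzard.com": LANCACHE, "download2.epicgames.com": LANCACHE}
    zones = {"blizzard.com": LANCACHE, "epicgames.com": LANCACHE}
    pf = Server("pfsense",
                host_overrides={} if use_domain_override else cache_hosts,
                domain_overrides=zones if use_domain_override else {},
                upstream=PUBLIC)
    lc = Server("lancache", host_overrides=cache_hosts, upstream=lancache_upstream)
    return {PFSENSE: pf, LANCACHE: lc}


def host_override_path():
    """Client asks pfSense for a cache host that pfSense overrides itself."""
    servers = build_lan(lancache_upstream=PFSENSE, use_domain_override=False)
    return resolve(servers, PFSENSE, "cdn.blizzard.com")


def domain_override_path(lancache_upstream, qname):
    """Client asks pfSense, which forwards the zone to Lancache."""
    servers = build_lan(lancache_upstream=lancache_upstream, use_domain_override=True)
    return resolve(servers, PFSENSE, qname)


def loops(lancache_upstream, qname):
    """True if the domain-override setup never produces an answer for qname."""
    try:
        domain_override_path(lancache_upstream, qname)
    except LoopError:
        return True
    return False


if __name__ == "__main__":
    print("host override:   ", host_override_path())
    print("domain override: ", domain_override_path(PFSENSE, "cdn.blizzard.com"))
    print("loop, upstream pfSense:", loops(PFSENSE, "www.blizzard.com"))
    print("loop, upstream 1.1.1.1:", loops(PUBLIC, "www.blizzard.com"))
```

The trail returned by `host_override_path()` contains only 192.168.0.1, which is the point of Steve's last reply: if Lancache has to see the query, a host override in pfSense cannot deliver it, and only a domain override (or the client using 192.168.0.33 directly) will.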