DNS required for pfSense/Netgate functionality
-
For security reasons, we use pfSense's DNS Forwarding for all DNS on our network. Nothing on the network can get to public DNS. However, because of that, we can't get features like Update, Package Manager, and Auto Config Backup to work properly. I have been trying to add all of the DNS required for these features but haven't found a list anywhere. Is there a list of all necessary DNS for Netgate/pfSense?
Below is what we have added so far. Is there anything I can add? I know some of this is not needed but I have been trying everything that I can find in an attempt to get it to work. I also don't know if the SRV record is working properly (Custom Options). We are also okay with these IPs changing and having to update them in the future.
If there is no way to make this work, we are considering running DNS servers instead.
HOST OVERRIDES
ns1.netgate.com 208.123.73.80
ns2.netgate.com 208.123.73.90
netgate.com 199.60.103.4
acb.netgate.com 208.123.73.78
files00.netgate.com 208.123.73.207
files01.netgate.com 208.123.73.209
pkg00-atx.netgate.com 208.123.73.207
pkg01-atx.netgate.com 208.123.73.209
pfsense.org 208.123.73.69
files.pfsense.org 208.123.73.207
updates.pfsense.org 208.123.73.207
DOMAIN OVERRIDES
netgate.com 1.1.1.1
pfsense.org 1.1.1.1
CUSTOM OPTIONS
srv-host=_https._tcp.pkg.pfsense.org,pkg00-atx.netgate.com,443,10,10
srv-host=_https._tcp.pkg.pfsense.org,pkg01-atx.netgate.com,443,10,10
Thanks for your help!
-
@geminate said in DNS required for pfSense/Netgate functionality:
we can't get features like Update, Package Manager, and Auto Config Backup to work properly.
huh?
So pfsense is forwarding; why would you need to add overrides for pfsense/netgate addresses? Confused. Did you have issues yesterday when they were running maint.?
-
In System > General Setup, we are pointing the "DNS Servers" to its own public IP. It has no access to public DNS (Google, Cloudflare, etc). Because of that, we can't Update pfSense, install Packages, or see Restore points in Auto Config Backups.
We use DNS Forwarder for all of the domains that we use for our company for this firewall as well as remote firewalls that connect to this one for DNS. I am trying to determine what to add to get Update, Package Manager, and Auto Config Backups to work properly.
Is there a way to get this to work through DNS Forwarder or do we need a dedicated DNS server since the pfSense firewall isn't a true DNS provider?
-
@geminate As long as pfsense can talk to, say, 1.1.1.1 as you have there in its domain overrides, then all you should need are those entries for any records you want to look up in those domains.
Are you saying you don't want pfsense to be able to look up www.somerandomdomain.tld?
If you have your own authoritative NS for your own domains that pfsense, and any clients of pfsense, want to be able to look up, then those would need to be domain overrides pointing at those NS.
You should just point pfsense to its localhost 127.0.0.1, not its public IP.
-
@johnpoz said in DNS required for pfSense/Netgate functionality:
as long as pfsense can talk to, say, 1.1.1.1 as you have there in its domain overrides, then all you should need are those entries for any records you want to look up in those domains.
That's what I thought but it isn't working. I may need to look closer at the firewall rules. The weird thing is, those features worked fine in pfSense 4.5.1 but stopped after updating to 4.6.0.
Are you saying you don't want pfsense to be able to look up www.somerandomdomain.tld?
Correct
You should just point pfsense to its localhost 127.0.0.1, not its public IP.
Good call
-
My last post should read version 2.5.1 and 2.6.0 (not 4.5.1 and 4.6.0)
I kept at this and finally figured out a way to make it work. I had to add this to Domain Overrides:
in-addr.arpa 8.8.8.8
Because we use Active Directory at some locations, I may also need to check "Do not forward private reverse lookups" or add overrides for the local IPs we use for AD.
I would love to know why this fixes the problem. What IPs is pfSense doing reverse lookups on for the Update and ACB features?
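The routing behaviour behind that fix can be traced with a small model of how dnsmasq (the engine behind pfSense's DNS Forwarder) picks a destination for a query: exact host overrides and srv-host entries are answered locally, otherwise the longest matching `server=/domain/` override wins, and anything else goes to the general "DNS Servers" upstream. This is an added example written for this thread, not pfSense or dnsmasq code; the override tables are constructed from the entries posted above, and mapping "Do not forward private reverse lookups" to dnsmasq's `bogus-priv` is an assumption about pfSense's option wiring.

```python
"""Model of dnsmasq destination selection for the overrides posted in this thread."""

# Constructed from the thread's HOST OVERRIDES (subset), not a pfSense export.
HOST_OVERRIDES = {
    "acb.netgate.com": "208.123.73.78",
    "files00.netgate.com": "208.123.73.207",
    "files01.netgate.com": "208.123.73.209",
    "pkg00-atx.netgate.com": "208.123.73.207",
    "pkg01-atx.netgate.com": "208.123.73.209",
    "files.pfsense.org": "208.123.73.207",
    "updates.pfsense.org": "208.123.73.207",
}
# CUSTOM OPTIONS srv-host entries: SRV name -> target hosts (answered locally).
SRV_HOSTS = {"_https._tcp.pkg.pfsense.org": ["pkg00-atx.netgate.com", "pkg01-atx.netgate.com"]}
# DOMAIN OVERRIDES as originally posted (dnsmasq server=/domain/ip).
DOMAIN_OVERRIDES = {"netgate.com": "1.1.1.1", "pfsense.org": "1.1.1.1"}
# General Setup "DNS Servers": in the thread this was the firewall's own public IP,
# which has no path to public DNS. Placeholder value, not a real address.
DEFAULT_UPSTREAM = "<firewall-public-ip>"
# RFC 1918 reverse zones that bogus-priv answers locally (NXDOMAIN) instead of forwarding.
PRIVATE_REVERSE = ("10.in-addr.arpa", "168.192.in-addr.arpa") + tuple(
    f"{n}.172.in-addr.arpa" for n in range(16, 32))


def reverse_name(ip: str) -> str:
    """PTR query name for an IPv4 address, e.g. 78.73.123.208.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def in_zone(qname: str, zone: str) -> bool:
    return qname == zone or qname.endswith("." + zone)


def route(qname, qtype="A", domain_overrides=DOMAIN_OVERRIDES, bogus_priv=False):
    """Return (how, where): 'local' answers, 'nxdomain', or 'forward' to an upstream IP."""
    qname = qname.rstrip(".").lower()
    if qtype == "SRV" and qname in SRV_HOSTS:
        return ("local", SRV_HOSTS[qname])
    if qtype == "A" and qname in HOST_OVERRIDES:
        return ("local", HOST_OVERRIDES[qname])
    if qtype == "PTR" and bogus_priv and any(in_zone(qname, z) for z in PRIVATE_REVERSE):
        return ("nxdomain", None)  # "Do not forward private reverse lookups"
    # dnsmasq rule: the most specific (longest) matching server=/domain/ entry wins.
    matches = [d for d in domain_overrides if in_zone(qname, d)]
    if matches:
        return ("forward", domain_overrides[max(matches, key=len)])
    return ("forward", DEFAULT_UPSTREAM)


# The reverse lookup for the ACB host: before the fix it falls through to the default
# upstream; with "in-addr.arpa 8.8.8.8" added it is forwarded to 8.8.8.8.
FIXED_OVERRIDES = {**DOMAIN_OVERRIDES, "in-addr.arpa": "8.8.8.8"}
```

Calling `route(reverse_name("208.123.73.78"), "PTR")` with and without `FIXED_OVERRIDES` shows the two paths; adding `bogus_priv=True` keeps AD-subnet PTR queries from also leaving for 8.8.8.8.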