DNS Resolution Behavior under 23.01 appears to ignore setting

kesawi

I've just upgraded from 22.05 and 23.01 and noticed that the DNS Resolution Behavior setting under System\General Setup appears to ignore the setting Use remote DNS Servers, ignore local DNS when I have the DNS Forwarder service enabled.

Regardless of what I set the DNS Resolution Behavior setting to it still includes 127.0.0.1 as a name server in /etc/resolve.conf. If I disable the DNS forwarder service then it removes 127.0.0.1 as a name server in /etc/resolve.conf, however enabling the service adds the entry bakc in despite the DNS Resolution Behavior setting.

Manually editing /etc/resolve.conf fixes it until I make configuration changes.

jimp

I can't reproduce this. When I set it to "use remote, ignore local" then only the name servers listed on System > General are present even when using the DNS forwarder.

Do you maybe have 127.0.0.1 in that list?

Or if you have allowed overrides to DNS servers, it's possible it's coming from DHCP or similar, but that seems unlikely.

Looking at the code there isn't any way that setting is remote in the config which would result in it being added that way, so it has to be coming from something else.

kesawi

I don't have 127.0.0.1 specified as a DNS server anywhere that I can see.

DNS override is disabled.

When I try setting use local DNS, ignore remote it still lists the remote DNS in the system information on the dashboard.

I think I've fixed it by removing localhost from the selected interfaces in the DNS Forwarder settings.

Perhaps there's something in the code in the DNS Forwarder settings that overrides the general settings?

JasonAU

@kesawi Slightly off topic, I'm interested to understand why you want this setting?

What in your environment etc needs this config or how do expect the behavior to change.

Personally, I am using Cloudflare 1.1.1.2 /1.0.0.2 in my General setup /DNS

I can see 127.0.0.1 also listed in the DNS Servers on the main status page, due to the setting 'Use Local DNS (127.0.0.1) fall back to remote DNS servers.

Inside my DHCP I set the pfsense box as DNS server and have experimented with FW rules on the LAN to block other DNS going out

kesawi

@jasonau good to see another Brisbane local on the forums.

I use Active Directory on my primary LAN for DNS and DHCP to my clients. I have a guest network and a DMZ with some public facing servers which are served by pfSense for DNS Forwarder and DHCP. I also have several internal DNS based aliases for firewall rules.

I need pfSense to be able to resolve local addresses for the firewall alias rules, but don't want the guest or DMZ network to be able to query any of the DNS entries for my LAN. I figure if clients of my guest or DMZ networks get pwned I don't want them to be able to start reverse resolving my private IP addresses to potentially map my LAN network. I have specific rules in the DNS Forwarder settings blocking lookup for my internal LAN domains.