Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Configuring DNS servers

    Scheduled Pinned Locked Moved General pfSense Questions
    5 Posts 3 Posters 557 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • L
      lewis
      last edited by lewis

      9ae640a8-e9e0-49b5-9270-08848e885939-image.png

      A connection recently changed from a static IP to a DHCP one.
      Now I see the first three DNS servers in the dashboard whereas before, I believe only the last two, the local DNS servers were showing.

      The second and third entries are from the provider.

      I've looked online and read a number of things but cannot find how I can make sure that nothing on the network is using external DNS servers. They must only use the internal ones, the last two.

      Can someone share what I need to look into so I can see about changing this. Or, can anyone confirm that only the firewall is using these for it's own resolve, say for repo updates etc.

      Thank you.

      johnpozJ 1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator @lewis
        last edited by johnpoz

        @lewis I would guess you left dhcp override your dns set.. That would explain where some most likely your ISP dns servers got on the list.

        dns.jpg

        What you have in pfsense general is not what clients would ever use, unless you setup forwarding in pfsense, then client asking pfsense for dns, which is the default on the dhcp server - to hand out pfsense IP on that interface as the dns. Unbound would ask those server for what a client is asking for, but a client would not directly talk to those IPs.

        But if your resolving by default, those in general is what pfsense would/could use for its own lookups, checking for update to pfsense, where to grab the package list from, if you click to resolve something in the firewall log, you use the dns lookup tool under diagnostics, etc.

        Those are not what gets handed to dhcp clients of pfsense, unless you specifically set that in the dhcp server settings.

        If your concerned with your clients on your network talking to external dns - prob good idea to put in a firewall rule that only allows access to pfsense IPs for dns, and block 53 tcp/udp to anything else.

        Problem today though is stupid browsers using doh and bypassing your local dns.. Which is much harder to prevent.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        1 Reply Last reply Reply Quote 1
        • L
          lewis
          last edited by lewis

          Hi, thanks for the info.
          Yes, in this case, all dns requests should be internal only.
          ede822ec-e848-42aa-be49-c6685580ae56-image.png

          You're right, that was checked.
          It's also set to ignore remote DNS servers but I assume that means the firewall itself, not clients on the local network?

          And yes, DOH is a problem. I always set the browser to no proxy and uncheck DOH. I guess I should learn a little more about it since I'm not 100% convinced it means the browser will use internal DNS only.

          S 1 Reply Last reply Reply Quote 0
          • S
            SteveITS Galactic Empire @lewis
            last edited by

            @lewis see https://github.com/jpgpi250/piholemanual for DoH. A bit overly complicated and I corrected a couple of typos for it but the first part will just block DoH.

            Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
            When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
            Upvote 👍 helpful posts!

            L 1 Reply Last reply Reply Quote 1
            • L
              lewis @SteveITS
              last edited by

              @steveits Thank you. I'll take a look at that.

              1 Reply Last reply Reply Quote 0
              • First post
                Last post
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.