how to set up split-dns to access internal server via external ip and port from inside the network??

hsssslaa · Apr 4, 2023, 8:30 PM

I'm trying to access my internal server that I have port forwarding set up for. If I am outside of my home network, it works, but from my internal network by the use of external ip and port it does not. Can someone please explain how to set this up? I have Host overrides set up under DNS Resolver but it still does not work.

lets say that i access my server externally by typing https://myserver.example.com:3847 (which works externally)

Under host override in DNS Resolver settings I have it set as follows:

For host I have myserver

for domain I have example.com

for IP to return for host I have local ip of my server

I am using 1.1.1.1 as my dns under System - General set up. I'm not sure if that is a problem or not.
also my pfsense is behind a wireguard vpn so that all my home hosts are always behind a vpn. but i cant see how that should matter in this case.

thanks!!!

johnpoz · Apr 4, 2023, 9:11 PM

@hsssslaa said in how to set up split-dns to access internal server via external ip and port from inside the network??:

for IP to return for host I have local ip of my server

and does this work.. simple query from your client will tell you that or not..

So for example I setup myserver.example.com to resolve to 192.168.1.100.. When I do a dns lookup on my client that is what gets returned.

if that is not working then you either didn't setup the host override correctly, maybe you did it in forwarder vs resolver (unbound)?

Or you client is not actually asking pfsense for dns? Or your browser is using maybe doh for dns and not your local dns.

hsssslaa · Apr 4, 2023, 9:24 PM

@johnpoz said in how to set up split-dns to access internal server via external ip and port from inside the network??:

@hsssslaa said in how to set up split-dns to access internal server via external ip and port from inside the network??:

for IP to return for host I have local ip of my server

and does this work.. simple query from your client will tell you that or not..

So for example I setup myserver.example.com to resolve to 192.168.1.100.. When I do a dns lookup on my client that is what gets returned.

if that is not working then you either didn't setup the host override correctly, maybe you did it in forwarder vs resolver (unbound)?

Or you client is not actually asking pfsense for dns? Or your browser is using maybe doh for dns and not your local dns.

Thank you for your reply. I have host override set up in DNS Resolver exactly as per your screenshot.

When I

nslookup myserver.example.com
the DNS gets listed as 1.1.1.1 (which is Cloudflare and it is what I have configured in pFsense under System - General setup.)

This is followed by
Non-authoritative answer:
Name: myserver.example.com
Address: my-external-ip

external IP being my vpn provider(AirVPN) server IP.

any idea what is going on here?

johnpoz · Apr 4, 2023, 9:25 PM

@hsssslaa said in how to set up split-dns to access internal server via external ip and port from inside the network??:

(which is Cloudflare and it is what I have configured in pFsense.)

what you have in pfsense for dns has little to do with what a client uses for dns. If your client is asking 1.1.1.1 for dns then no your host override would never work.. Your client has to ask pfsense (unbound or dnsmasq) for dns.. Which then can forward to 1.1.1.1 if you want. But a client directly asking 1.1.1.1 or 8.8.8.8 or 9.9.9.9 is never going to get your host override answer.

hsssslaa · Apr 4, 2023, 9:27 PM

That makes sense, thank you for the explanation

@johnpoz said in how to set up split-dns to access internal server via external ip and port from inside the network??:

Your client has to ask pfsense (unbound or dnsmasq) for dns.. Which then can forward to 1.1.1.1 if you want.

This sounds like exactly what I am trying to achieve. Can you please tell me how I can set this up in pfSense?

Thanks!

johnpoz · Apr 4, 2023, 9:30 PM

@hsssslaa that is how pfsense works out of the box to be honest.. Did you disable unbound?

Out of the box pfsense hands its IP to dhcp clients.. Unless you turned them off?

Or changed it - see how mine points to 192.168.3.10, but 192.168.3.10 asks pfsense - which is why my host overrides work..

But if your client with nslookup returns 1.1.1.1 then no your overrides would never work.

hsssslaa · Apr 4, 2023, 9:38 PM

@johnpoz
This is perfect, it works. Thank you!

Now I understand how it works. The way I see it is In essence, DHCP DNS settings should be set to the IP of pfsense box, while System -General setup can be set to something like 1.1.1.1 or 9.9.9.9. The client gets given pfsense ip as its DNS and when DNS query gets made and override is in place, the query will hit the override, otherwise it will get handed over to the dns configured under General Setup.

johnpoz · Apr 5, 2023, 8:01 PM

@hsssslaa said in how to set up split-dns to access internal server via external ip and port from inside the network??:

it will get handed over to the dns configured under General Setup.

only if you setup forwarding.. By default unbound resolves, it doesn't forward - if you want your dns to come from say 1.1.1.1 you have to setup that up in general and then turn on forwarding in unbound.

hsssslaa · Apr 5, 2023, 8:01 PM

@johnpoz said in how to set up split-dns to access internal server via external ip and port from inside the network??:

@hsssslaa said in how to set up split-dns to access internal server via external ip and port from inside the network??:

it will get handed over to the dns configured under General Setup.

only if you setup forwarding.. By default unbound resolves, it doesn't forward - if you want your dns to come from say 1.1.1.1 you have to setup that up in general and then turn on forwarding in unbound.

Thanks for your explanation, it all makes sense. Yes, I do have the forwaring turned on so all is working as it should.