Can I add manual entries to pfSense's DNS resolver that include specific ports?

darrenavid

pfSense works great at adding DHCP entries into local DNS and resolving <machinename.localdomain>. Now that I'm standing more and more apps up with Docker, I've got many "machines" running on the same IP, but with different ports. Is there a way to manually add entries to pfSense's DNS resolver for entries that include a specific port, i.e. <machinename.localdomain:PORT>?

FWIW, I'm using NGINX to handle this already to applications I want accessible outside of my firewall at servername.publicdomain/servicename, but I want a solution for applications that are only to be accessed internally.

bmeeks

DNS does not understand the concept of ports. There is no way to make that work.

You can configure a split DNS and have internal hosts use that to connect to the NGINX process.

darrenavid

@bmeeks said in Can I add manual entries to pfSense's DNS resolver that include specific ports?:

You can configure a split DNS and have internal hosts use that to connect to the NGINX process.

Reply

I figured split DNS was the answer. Can you point me in the direction of a relevant guide I can RTFM?

SteveITS

@darrenavid try https://docs.netgate.com/pfsense/en/latest/recipes/port-forwards-from-local-networks.html

bmeeks

@darrenavid said in Can I add manual entries to pfSense's DNS resolver that include specific ports?:

I figured split DNS was the answer. Can you point me in the direction of a relevant guide I can RTFM?

Here is a link to Split DNS configuration in the official pfSense documentation: https://docs.netgate.com/pfsense/en/latest/recipes/port-forwards-from-local-networks.html#method-2-split-dns.

And here is a link to a short discussion thread from Lawrence Systems on configuring Split DNS on pfSense: https://forums.lawrencesystems.com/t/split-dns-tutorial/9060.

Using Split DNS is recommended over NAT Reflection. Using your example URL, servername.publicdomain would get the private local IP of your NGINX box in
a host override in unbound.

johnpoz

@darrenavid said in Can I add manual entries to pfSense's DNS resolver that include specific ports?:

FWIW, I'm using NGINX to handle this already to applications

While I agree split dns is normally the best solution. I take it your using some internal nginx as a proxy.. Have you looked at the haproxy package?

If you want to send to different ports, or have ssl offload done the haproxy can be used to get to your internal services. I host a couple of services to the public via haproxy. But my internal hosts can use the same fqdn to access, which resolves to the public IP.

So for example https://host.mypublicdomain.tld resolves to pfsense wan IP. But this gets sent to a backend that is not doing ssl, that is handled by haproxy and goes to a odd ball port that the actual service is listening on.