DNS/DHCP strategy
-
This question is admittedly only peripherally related to pfSense. I have a Netgate 4100 acting as a gateway/firewall whose WAN interface is attached to a fiber modem, whereas the LAN interface provides DHCP services for the local network (approx. 20 devices), and thus far no internal DNS. I haven't specified any DNS servers on pfSense, and things seem to work well; it apparently automatically uses the DNS servers of the Internet provider.
Now I would like to have both DHCP and internal DNS served by a Linux virtual machine, whereas the DNS resolver for external IP addresses should be routed through the gateway. My question is: how do I instruct pfSense to do that? Or would everything happen in the Linux box whereas nothing needs to be specified on pfSense? Apologies for the naivety of my questions; I am in molecular biology and understand very little of network plumbing...
-
@aagaag said in DNS/DHCP strategy:
it apparently automatically uses the DNS servers of the Internet provider.
No not really - what pfsense does out of the box is resolve.. It talks to the root servers, and resolves what you're looking for - out of the box it does not forward to anything.. Look up the difference between a dns forwarder and resolver.
As to resolving local resources - again out of the box the dhcp server would hand out pfsense IP to dhcp clients for their dns. So any client on your network asking pfsense IP for dns would be able to resolve any records that are in pfsense dns, be that dhcp registration (not recommended because it restarts dns on any dhcp), static dhcp registration, and/or host overrides you set in unbound.
-
@johnpoz thank you for taking the time to educate/advise me! So, I can
- leave pfSense as is, without changing anything except disabling its DHCP server
- install dnsmasq on the Linux box, and configure it to:
  - provide DHCP
  - provide DNS for LAN addresses
  - forward to pfSense every DNS query that it cannot resolve
Correct?
-
@aagaag you could if you want to.. Not sure why? What are you going to be doing on this other linux box with dhcp/dns that pfsense can not do?
But sure if just a learning exercise?
-
@johnpoz definitely a learning exercise. I would like to keep track of the network inventory in a MySQL table, and use a script to modify the DNS/DHCP entries whenever equipment is expanded or replaced. My (possibly incorrect) understanding is that it would be clunky to do that in pfSense, as it would require the inventory table to be converted into XML (and it's unclear to me if uploading can be automated). But if it can be done in a reasonably robust/automated manner, then yes, by all means!
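Added example, not code from any poster in this thread: a Python script sketching the inventory-driven approach described in the post above, for the dnsmasq setup laid out earlier in the thread (DHCP plus LAN DNS on the Linux box, every other query forwarded to pfSense). The inventory rows, the 192.168.1.0/24 addressing, the pfSense address 192.168.1.1 and the internal domain `lan` are constructed assumptions; a real run would select the rows from the MySQL table instead. It validates the inventory before rendering anything, because dnsmasq will happily load a file with a duplicate IP, a mistyped MAC or a reservation inside the dynamic pool, and the mistake only shows up later as the wrong device answering or a device never getting its reservation.

```python
"""Generate a dnsmasq configuration from a device inventory (added example).

Assumptions (not from the thread): pfSense LAN address 192.168.1.1,
LAN subnet 192.168.1.0/24, internal domain "lan", dynamic pool .100-.200.
"""
import ipaddress
import re
import sys

# Constructed sample inventory, standing in for a SELECT from the MySQL table.
INVENTORY = [
    {"hostname": "nas", "mac": "aa:bb:cc:00:00:01", "ip": "192.168.1.10"},
    {"hostname": "printer", "mac": "aa:bb:cc:00:00:02", "ip": "192.168.1.11"},
    {"hostname": "sequencer", "mac": "aa:bb:cc:00:00:03", "ip": "192.168.1.12"},
]

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
HOST_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def validate(inventory, subnet="192.168.1.0/24",
             pool_start="192.168.1.100", pool_end="192.168.1.200"):
    """Return a list of problems; an empty list means the inventory is safe to render."""
    net = ipaddress.ip_network(subnet)
    lo, hi = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    errors = []
    seen = {"IP": set(), "MAC": set(), "hostname": set()}
    for row in inventory:
        host, mac, ip = row["hostname"].lower(), row["mac"].lower(), row["ip"]
        if not HOST_RE.match(host):
            errors.append(f"{host}: invalid hostname")
        if not MAC_RE.match(mac):
            errors.append(f"{host}: invalid MAC {row['mac']}")
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            errors.append(f"{host}: invalid IP {ip}")
            continue
        if addr not in net:
            errors.append(f"{host}: {ip} is outside {subnet}")
        if lo <= addr <= hi:
            errors.append(f"{host}: {ip} collides with the dynamic pool")
        # A reservation is only unambiguous if IP, MAC and name are all unique.
        for label, key in (("IP", ip), ("MAC", mac), ("hostname", host)):
            if key in seen[label]:
                errors.append(f"{host}: duplicate {label} {key}")
            seen[label].add(key)
    return errors


def render_dnsmasq(inventory, domain="lan", upstream="192.168.1.1",
                   pool_start="192.168.1.100", pool_end="192.168.1.200",
                   lease="12h"):
    """Return dnsmasq.conf text: DHCP + LAN names here, the rest forwarded to pfSense."""
    lines = [
        "# generated from the inventory; do not edit by hand",
        "no-resolv",                  # ignore /etc/resolv.conf, use only server= below
        f"server={upstream}",         # forward non-local queries to pfSense (unbound)
        f"domain={domain}",
        f"local=/{domain}/",          # never forward queries for the internal domain
        "expand-hosts",
        f"dhcp-range={pool_start},{pool_end},{lease}",
        f"dhcp-option=option:router,{upstream}",  # pfSense stays the default gateway
    ]
    for row in sorted(inventory, key=lambda r: ipaddress.ip_address(r["ip"])):
        host, mac, ip = row["hostname"].lower(), row["mac"].lower(), row["ip"]
        lines.append(f"dhcp-host={mac},{host},{ip}")        # fixed DHCP lease
        lines.append(f"host-record={host}.{domain},{ip}")   # matching A record
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    problems = validate(INVENTORY)
    if problems:
        sys.exit("inventory rejected:\n  " + "\n  ".join(problems))
    sys.stdout.write(render_dnsmasq(INVENTORY))
```

Write the output to a file under `/etc/dnsmasq.d/`, check it with `dnsmasq --test`, then reload dnsmasq. The host records exist only in dnsmasq, so pfSense itself will not resolve the LAN names; that matches the forwarding direction settled on above (clients ask the Linux box, which asks pfSense only for what it cannot answer).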
-
@aagaag said in DNS/DHCP strategy:
robust
I've a suggestion, or learning exercise :
Select the second or third option from here : (screenshot of the pfSense DHCP server options)
Before you activate this mode of the pfSense DHCP server, go to the bottom of the same DHCP server page, and add all (ALL) known devices to the list.
Like : (screenshot of the "DHCP Static Mappings" list)
Now, no more administration. No more scripts, MySQL or whatever.
All connected and known to you devices are listed here, with one click : (screenshot)
As soon as a new device, unknown to you, tries to connect to your network, "DHCP" won't give it a lease (won't give it an IP etc).
The owner and user of the device (the monocular one) will come to you .... and you've all the time to analyze the situation. If you decide so, you add a "DHCP Static Mappings" for this device. Everything is nicely stored in one place with minimal administration overhead.
If needed, you can add a firewall rule to the interface, where you only allow the IPs that are part of the list you've assigned with the "DHCP Static Mappings" list.
-
@Gertjan Thank you so much for taking the time to analyze my question and provide the screenshots. I appreciate. However, your scenario does not quite correspond to my use case. I'd rather devise a way to enter a device in a database and then automatically propagate its reserved IP, DNS name, etc.
-