PFSense Seems To Require Access to External DNS?
We are running a firewalled management network - due to project overhang we need to run the management network on a double NAT for short period.
DNS is restricted on our network.
When running a PFSense as a client on the main network it seems to require connectivity to external DNS to work correctly, pick up update availability etc. From the logs of other firewall rules, I can see that the PFSense instance is calling out to a range of DNS servers - is there a definitive list of these IP Addresses and what is their exact purpose please?
pfSense, out of the box, has a resolver.
So, for starters, it can/will/might use any of these.
These 13 root servers will only give an answer about which TLD server to use next.
One will be chosen (out of many thousand available), and that one will be used to get the (at least 2) domain name server IP addresses to do the final request, for example: what is the A record of www.facebook.com? For this example, the domain name servers of facebook were needed.
This process is the classic way of doing DNS.
The potential list of DNS servers involved? Dunno. A couple of million?
If "visiting facebook DNS servers to visit facebook web servers" isn't possible, you could consider transforming the pfSense resolver into a forwarder.
and then set these as shown:
Note: Leave the Python settings as is.
When saved and applied, from now on, pfSense will ask '22.214.171.124' to handle its DNS needs.
If a LAN client is using pfSense as a DNS source, then these requests will also get sent to 126.96.36.199 (forwarded).
Keep in mind: devices connected to the LAN(s) of pfSense might use resolving also, or forward to their own favourite DNS servers (188.8.131.52?) or do DoH etc. etc., so you will still see DNS traffic going out of pfSense, not originating from pfSense, but from one of the devices on its LAN(s).
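A way to verify the switch to forwarding mode from the firewall logs, as an added example that is not part of the answer above: it separates outbound DNS flows sourced by pfSense itself (which, once Unbound forwards, should only go to the configured forwarder) from DNS traffic that merely transits pfSense from LAN devices. The log format is a constructed simplification, not real filterlog output; 192.0.2.10 as the pfSense WAN address and 192.168.1.50 as a LAN client are assumptions, and 22.214.171.124 is the forwarder from the answer.

```python
import ipaddress
from collections import defaultdict

# Constructed sample standing in for outbound hits seen in the firewall log.
# Format is simplified ("src dst proto dport"), not real pfSense filterlog CSV.
# 192.0.2.10 = assumed pfSense WAN address, 22.214.171.124 = the forwarder from
# the answer, 192.168.1.50 = an assumed LAN client doing its own resolving/DoT.
SAMPLE_LOG = """\
192.0.2.10 203.0.113.1 udp 53
192.0.2.10 22.214.171.124 udp 53
192.0.2.10 22.214.171.124 tcp 53
192.168.1.50 188.8.131.52 udp 53
192.168.1.50 198.51.100.9 tcp 853
192.168.1.50 203.0.113.7 tcp 443
"""

DNS_PORTS = {53: "dns", 853: "dot"}  # plain DNS and DNS-over-TLS


def audit_dns_egress(log_text, pfsense_ips, allowed_forwarders):
    """Group outbound DNS flows by origin and flag the unexpected ones.

    Returns a dict with keys "expected", "unexpected_from_firewall" and
    "lan_client"; each value is a list of (src, dst, proto, kind) tuples.
    """
    pfsense = {ipaddress.ip_address(ip) for ip in pfsense_ips}
    allowed = {ipaddress.ip_address(ip) for ip in allowed_forwarders}
    findings = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport = line.split()
        kind = DNS_PORTS.get(int(dport))
        if kind is None:
            continue  # not DNS traffic, ignore
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        entry = (src, dst, proto, kind)
        if src_ip in pfsense:
            # Traffic from the firewall itself: with Unbound in forwarding mode
            # only plain DNS to the configured forwarder(s) should appear.
            ok = dst_ip in allowed and kind == "dns"
            findings["expected" if ok else "unexpected_from_firewall"].append(entry)
        else:
            # A LAN device resolving on its own or using DoT, as warned above.
            findings["lan_client"].append(entry)
    return dict(findings)


if __name__ == "__main__":
    result = audit_dns_egress(SAMPLE_LOG, ["192.0.2.10"], ["22.214.171.124"])
    for bucket, flows in result.items():
        print(bucket)
        for src, dst, proto, kind in flows:
            print(f"  {src} -> {dst} ({proto}/{kind})")
```

Anything listed under "unexpected_from_firewall" after the change means pfSense itself is still resolving past the forwarder; "lan_client" entries are what the answer describes and need addressing on the devices, not in Unbound.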
Yes if you set Unbound in forwarding mode you can just point it at the local DNS servers on the network.