How to use LAN side DNS?



  • I need to use internal DNS servers but the device keeps sending the DNS request to the WAN. Is there a way to change this behavior so that those requests can be sent to the LAN side?

    Mike



  • Sure, put your LAN DNS service IP(s) in the appropriate settings in the GUI. I think you also have to uncheck the box so it won't let the ISP settings override.



  • Yup, that's what I have. I have both a public DNS and my internal for testing. Only the public DNS is ever used as the request keeps going to the WAN interface.

    The 'Allow DNS server list to be overridden by DHCP/PPP on WAN' option is unchecked.



  • Any other thoughts? It must be a fairly regular question but I can't seem to find the answer.



  • Well. Don't put a public DNS in one of the fields ;)



  • @GruensFroeschli:

    Well. Don't put a public DNS in one of the fields ;)

    I realized the requests were going to the WAN interface by watching the packets. I then entered a public DNS just to confirm and of course that worked. That's the only reason I tried a public DNS but the question remains the same, how do I force pfsense to use the DNS servers on the LAN?



  • @lewis:

    I realized the requests were going to the WAN interface by watching the packets. I then entered a public DNS just to confirm and of course that worked.

    I find this confusing. You are trying to use a DNS on your LAN and complaining it doesn't work so you specify a public DNS and now say it works!

    @lewis:

    That's the only reason I tried a public DNS but the question remains the same, how do I force pfsense to use the DNS servers on the LAN?

    As already suggested:
    @GruensFroeschli:

    Well. Don't put a public DNS in one of the fields ;)

    From the web GUI, System -> General Setup, item DNS Servers make sure BOTH boxes specify your DNS server on the LAN.

    This seems so obvious but you don't seem to have done it. Perhaps there is something about what you are trying to do that you haven't told us. For example, are you trying to get pfSense to tell its DHCP clients to use your LAN DNS server or are you trying to get your DHCP clients to use pfSense as their DNS and pfSense to use your LAN DNS server (in which case that LAN server presumably goes out to the WAN when it has to)?



  • This seems so obvious but you don't seem to have done it.
    Perhaps there is something about what you are trying to do that you haven't told us.

    As I've already posted, I have done this. Not sure why you didn't see that.

    For example, are you trying to get pfSense to tell its DHCP clients to use your LAN DNS
    server or are you trying to get your DHCP clients to use pfSense as their DNS and
    pfSense to use your LAN DNS server (in which case that LAN server presumably
    goes out to the WAN when it has to)?

    I want to use pfsense for one single thing, remote users getting to my pbx. I don't need it to do anything else. While I could use public dns servers, which I probably will end up having to do, I would prefer using LAN side DNS servers so that I can better control things that the public doesn't need to see, only the VPN users.

    I don't need remote users to have access to the LAN, I need them only to have access to one single server on the LAN, using SIP/RTP ports and that's it.

    I've not figured out why the LAN side DNS servers won't be seen, which is, of course, why I've posted my request for help. It is an unusual situation from what I gather, which is why I am looking for input.

    Whatever you need to know, I'm happy to share in order to get help, but please do read that I have tried the suggestions already :).

    Thanks.



  • I let this thread go for a while because it's not clear to me precisely what you are complaining about and my attempt to clarify didn't yield an answer, so I left some space for someone else to jump in.

    Please provide a diagram of the significant parts of the network and clarify whether your complaint refers to DNS requests from pfSense, DNS requests from other systems on the LAN, DNS requests from VPN users or some other DNS requests. In particular, your original issue statement said "the device keeps sending DNS requests …" and I can't see anywhere in this thread where you have said which device "the device" is. I admit one of your replies said "How do I force pfSense to use the DNS servers of the LAN" but it's not clear to me what the origin of those DNS requests is. The origin of those requests (depending on how it is configured, pfSense may act as a DNS server itself) may determine the answer to your question.



  • What he wants is:

    1. Custom shortcuts, for example you type in 'router' and it takes you to the pf router, and 'server26' and you go to server26 (don't know if pf can do this; if so, that would be something of interest to me)

    2. Use internal DNS servers so that he can control where people are allowed to go. In that case do what was posted earlier by danswartz: put your LAN DNS servers' IP addresses under DNS Servers; you might need to create a static route.

    OR

    3. ???



  • @XIII:

    What he wants is:

    1. Custom shortcuts, for example you type in 'router' and it takes you to the pf router, and 'server26' and you go to server26 (don't know if pf can do this; if so, that would be something of interest to me)

    Under Services -> DNS forwarder it is possible to add your own DNS entries as well as DNS servers for particular domains.

    2. Use internal DNS servers so that he can control where people are allowed to go. In that case do what was posted earlier by danswartz: put your LAN DNS servers' IP addresses under DNS Servers; you might need to create a static route.

    Using internal DNS servers doesn't control where people can go, it only controls the name to address translations. If you know someone's phone number you don't need a telephone directory to call them.

    OR

    3. ???

    ???
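    As an added illustration, not taken from this thread or from pfSense's own generated configuration, this is what the two DNS Forwarder features mentioned above (host overrides and per-domain DNS servers) look like in dnsmasq syntax, the service the pfSense DNS Forwarder runs; the interface name, hostnames and addresses are made up.

    ```conf
    # Hand-written dnsmasq fragment (added example; names and addresses
    # are constructed, "em1" is an assumed LAN interface name).

    # Only serve the LAN side; never expose the forwarder on WAN.
    interface=em1
    bind-interfaces

    # Host overrides: the "custom shortcuts" from the thread.
    # "router" and "server26" are answered locally, no upstream query.
    host-record=router,192.168.1.1
    host-record=server26,192.168.1.26

    # Domain overrides: names under this domain (and reverse lookups
    # for the LAN subnet) go to the internal DNS server on the LAN,
    # regardless of what resolv.conf or the WAN DHCP lease says.
    server=/internal.example/192.168.1.53
    server=/1.168.192.in-addr.arpa/192.168.1.53

    # Everything else goes to the resolvers listed here only
    # (no-resolv ignores resolv.conf, so WAN-learned servers are not used).
    no-resolv
    server=192.0.2.53

    # Caveat from the thread: overrides only change name-to-address
    # translation. A client that already knows the PBX address bypasses
    # them, so restrict SIP/RTP reachability with firewall rules, not DNS.
    ```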



  • @wallabybob:

    Using internal DNS servers doesn't control where people can go, it only controls the name to address translations. If you know someone's phone number you don't need a telephone directory to call them.

    Actually it does. I can make it to where typing in 'help' in my browser takes you to forum.pfsense.org, or if you get a denial page (opendns.org). With a custom DNS server one can make it so that certain DNS names are redirected. Remember the DNS flaw that was made public a while ago? This was pointed out…
    But yes, if they know the address it's worthless, but not many people know help.com's IP (phone #).

