Appliance own DNS record
-
Hello everyone,
I have a PC with 6 NICs, pfsense installed and 3 IFs configured (WAN, LAN1, LAN2).
pfsense is used to provide DHCP and DNS to LAN1 and LAN2, through Kea and DNS Resolver with DNS forwarding and TLS activated. This works very well for any "public" DNS resolution.
But when I try to resolve the pfsense appliance FQDN from LAN1 or LAN2, it always returns the LAN1 IP address, so LAN2 devices can't use the FQDN to access the firewall. Is there a way around that? Basically here is the setup:
TLS is disabled for internal DNS resolution, "pfsense" is set as the hostname, and "my.network" as the domain.
IF0 WAN
IF1 LAN1 192.168.2.100/25
IF2 LAN2 192.168.2.180/26
DNS resolution for pfsense.my.network always returns 192.168.2.100 whether it's originated from a device within LAN1 or LAN2. Thanks for your help
-
So you want a client on your 192.168.2.0/25 network when doing a query for pfsense.yourdomain.tld to return the 192.168.2.100 address. But if the query is from something on your 192.168.2.128/26 you want it to return 192.168.2.180.
This could be done with views. But it's not a clicky clicky sort of setup.. You would have to set up the views in the custom option box.
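As an added illustration of the views approach (this is not from the thread and not pfSense's generated config): an unbound fragment for the DNS Resolver "Custom options" box that answers pfsense.my.network with the address of the interface the query arrived on. The hostname, domain and netblocks are the ones from the original post; the view names "lan1" and "lan2" are arbitrary, and it is an assumption that the custom options box accepts the extra server: and view: clauses as written.

```conf
# Added example, not part of the original thread or of pfSense's own config.
# Assumes hostname "pfsense", domain "my.network" and the two LAN subnets
# from the post; view names are arbitrary.
server:
    # Pick a view based on the source netblock of the query
    access-control-view: 192.168.2.0/25 lan1
    access-control-view: 192.168.2.128/26 lan2

view:
    name: "lan1"
    # view-first: the view's own data is checked first, then unbound falls
    # back to the global local-data (host overrides, DHCP registrations)
    # so every other internal name keeps resolving as before
    view-first: yes
    local-data: "pfsense.my.network. A 192.168.2.100"
    local-data-ptr: "192.168.2.100 pfsense.my.network."

view:
    name: "lan2"
    view-first: yes
    local-data: "pfsense.my.network. A 192.168.2.180"
    local-data-ptr: "192.168.2.180 pfsense.my.network."
```

Check it from a client on each subnet with `dig pfsense.my.network` (and `dig -x` on the interface address): LAN1 clients should get 192.168.2.100 and LAN2 clients 192.168.2.180. Leaving out `view-first: yes` would make clients in a view lose the global local-data, which is the easiest way to break resolution of every other internal host while fixing this one name.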
-
That is exactly what I would like yes.
I thought this would be "by design", at least for the appliance record which is on a per IF basis. Thanks for the information, I'll dig into the unbound documentation regarding views then.
-
@AutorouteEnSable by what design.. What you're asking for is not really a basic DNS design.. Providing different responses based upon source IP of the query is a bit more complex than you might think
I'm having a hard time working out an actual need as well.. What exactly would you be accessing by the FQDN on pfsense anyway, other than the GUI..
If you want to resolve interface X IP to a FQDN, then create one.. For example I set up my other interfaces to reflect the VLAN I have them in.. Really no need for it - but if I am on the 192.168.x network and don't recall exactly what VLAN I called that, etc. I can just do a PTR to the pfsense IP on that network.. Even if I forget what IP pfsense is on network x, a simple look at what gateway the client has set would tell me that. But all of my pfsense IPs other than WAN end in .253
$ dig -x 192.168.3.253 +short
sg4860.dmz.home.arpa.
If for some odd ball reason I would want to talk to the pfsense GUI, sure I could use that different FQDN but quite possibly the browser would complain that the FQDN is not listed in the SAN of the cert, unless you did that.
Other than firewall rules, you can talk to the GUI on any IP of pfsense sure. But why do you need to, if you're on your local network you can for sure just talk to the LAN IP, or you can if you allow it. There is no difference really in whether a client on some VLAN accesses via that VLAN IP or the LAN IP on pfsense..
While you can for sure do what you want with views, seems like a lot of effort for not much reason behind it.