Netgate Discussion Forum
    Use custom DNS in static mappings but still use the dns resolver for host overrides

    DHCP and DNS
    aGeekhere:

      Hi all, currently I have pfSense set to use Cloudflare filtering DNS servers. I have set up Static DHCP Mapping and would like to use custom DNS servers for them.

      The issue is that when I add a custom DNS server for an IP address, say 1.1.1.1, it bypasses the DNS resolver and my host overrides stop working.
      My setup
      System > General Setup > DNS Server Settings, I have
      1.1.1.3
      1.0.0.3

      Services > DNS Resolver > General Settings
      ticked Enable Forwarding Mode
      ticked Use SSL/TLS for outgoing DNS Queries to Forwarding Servers
      ticked Register DHCP leases in the DNS Resolver
      ticked Register DHCP static mappings in the DNS Resolver

      Host Overrides
      mysite ddns.net 192.168.1.50

      What I want to achieve is to use the DNS resolver so that my host overrides work, but use different DNS servers for some IP addresses and servers.

      Any advice?

      Never Fear, A Geek is Here!

      Gertjan @aGeekhere:

        @aGeekhere said in Use custom DNS in static mappings but still use the dns resolver for host overrides:

        What i want to achieve is to use the dns resolver so that my host overrides work

        This is the default behavior: all DHCP LAN client(s) will use pfSense as their DNS. If host overrides are defined locally (!) in your Resolver (unbound), then - and only then - these will be taken into account.
        You can set up the resolver (unbound) so it forwards to, for example, "1.1.1.1".
        Now you have the best of both worlds.

        Informing a LAN device, when it requests a DHCP lease, that its DNS is "1.1.1.1" will completely short-cut the pfSense resolver, thus not taking into account any of the local DNS settings, like host overrides. The resolver will never 'see' the DNS request from this client, as the request isn't sent to pfSense.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        aGeekhere @Gertjan:

          @Gertjan said in Use custom DNS in static mappings but still use the dns resolver for host overrides:

          This is the default behavior: all DHCP LAN client(s) will use pfSense as their DNS. If host overrides are defined locally (!) in your Resolver (unbound), then - and only then - these will be taken into account.
          You can set up the resolver (unbound) so it forwards to, for example, "1.1.1.1".
          Now you have the best of both worlds.

          Sorry, I do not quite understand. How can I configure some clients to use 1.1.1.1 and still be able to use the host overrides?

          bmeeks @aGeekhere:

            @aGeekhere said in Use custom DNS in static mappings but still use the dns resolver for host overrides:

            Sorry, I do not quite understand. How can I configure some clients to use 1.1.1.1 and still be able to use the host overrides?

            You cannot do this. The only way for host overrides to work is when configured within either the DNS Resolver or DNS Forwarder in pfSense (unless you have a completely separate physical DNS server). And your clients must be configured to pass their DNS queries to pfSense.

            @Gertjan gave you the proper solution, but perhaps you do not understand the distinction between a resolver and forwarder in DNS. Search for those two terms (and how each works differently) on Google, and then @Gertjan's answer should be more clear.

            To recap his solution: configure the DNS Resolver on pfSense to forward requests it is not authoritative for to 1.1.1.1 or any other public DNS provider you choose. But note you only need to configure this forwarding if you want to use external DNS filtering. The DNS Resolver on pfSense in its default state will resolve queries for clients using the DNS root servers (and thus never needs any forwarding server configured). But since you seem to want to take advantage of the DNS filtering provided by Cloudflare, you would configure forwarding. Configure your host overrides in the DNS Resolver on pfSense. Configure all of your clients to use pfSense for DNS.

            With the above setup, your clients will send all DNS requests directly to pfSense. The DNS Resolver on pfSense will check first to see if the client is asking for a host covered by a host override entry. If true, the override entry IP address is returned for that host. If false, then the DNS Resolver will pass the query up the line to the configured forwarder (1.1.1.1 from your example). The "filtered" DNS answer from 1.1.1.1 will then be returned to your LAN client. From your original description this seems to be exactly what you want.

            SteveITS @bmeeks:

              I think OP wants some devices (kids) to forward to 1.1.1.3 and the rest to forward to 1.1.1.1.

              An option might be another DNS server running somewhere on LAN that also has the overrides.

              Unbound has its “view” concept but I don’t know if that can affect forwarding.

              Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
              When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
              Upvote 👍 helpful posts!

              aGeekhere @SteveITS:

                @SteveITS
                That is correct. I want some users to use 1.1.1.3 and others to use 1.1.1.1, but still have the host overrides work. Going to re-read the message above to see if I can get it to work.

                johnpoz @aGeekhere:

                  @aGeekhere this question gets asked all the time. What you're asking is problematic without a separate cache for the views or different clients, etc.

                  If a client asks for something that would be blocked by the filtering DNS, but they are set to ask the non-filtered DNS, now that is cached. If a client that should be filtered then asks, they would get back what is in the cache.

                  Bind can run multiple caches, but I'm not sure that is something you can configure from the GUI.

                  You could probably get what you're wanting by running both unbound and dnsmasq (forwarder) with them listening on different ports, and then have your clients point to, say, 1.1.1.3 or whatever, which gets redirected to the new port unbound or the forwarder is listening on to resolve your local resources, and then just forwards on to 1.1.1.3.

                  The simpler solution, to be honest, would be to just run, say, Pi-hole or something and point the clients you want to filter at that. Then set up a conditional forward on it to forward to pfSense to resolve your local domain.tld resources, and if not in that domain just forward to 1.1.1.3. That's what I would do.

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.7.2, 24.11
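A concrete form of the split johnpoz describes, as an added example that is not from this thread or from pfSense, Pi-hole or dnsmasq itself: a second dnsmasq instance, with its own cache, serving only the clients that should be filtered. The LAN address 192.168.1.1, the local domain home.lan and the port 5353 are assumed placeholders; the filtering upstream 1.1.1.3 is the one the original poster named.

```conf
# Added example (not from the thread). dnsmasq instance for the "filtered" client group.
# It sits beside pfSense's unbound rather than replacing it, keeps a cache of its own,
# and hands local names to unbound so the host overrides defined there still apply.

port=5353                        # assumed: unbound stays on 53, so this listens elsewhere
listen-address=192.168.1.1       # assumed LAN address of the box running dnsmasq
bind-interfaces

no-resolv                        # ignore /etc/resolv.conf; use only the server= lines below
no-hosts                         # do not answer from this host's own /etc/hosts

# Conditional forward: anything under the local domain goes to pfSense's unbound,
# which answers from its host overrides (and DHCP registrations) before forwarding.
server=/home.lan/192.168.1.1#53  # assumed local domain and unbound address/port
rev-server=192.168.1.0/24,192.168.1.1#53   # reverse lookups for the LAN likewise

# Everything else goes to Cloudflare's filtering resolver.
server=1.1.1.3

# This cache is separate from unbound's, so an unfiltered answer that unbound cached
# for a 1.1.1.1 client is never handed to a client of this instance.
cache-size=1000
log-queries                      # optional: see which names were answered locally vs. forwarded
```

Point only the to-be-filtered clients at this instance (in their static mappings, as the original post does), and keep the unfiltered clients on unbound; a host override that must be visible to both groups then lives in one place, unbound.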

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.