Netgate Discussion Forum

Pfsense 2.0 new option

DHCP and DNS
17 Posts 4 Posters 10.7k Views
kevindd992002

This "Do not use the DNS Forwarder as a DNS server for the firewall" option is new to the latest pfSense 2.0 release. What does it actually do? I don't quite understand the short message below that option. By default I left it unchecked, and I saw that the localhost address was listed as the first DNS server in the Dashboard.

This "Resolve DHCP mappings first" option is also new. Again, what does it do?

jrmitchell83

        I'm curious too…anyone?!?

kevindd992002

          Bump! Anyone?

wallabybob

            I'll GUESS.

A pfSense box needs a DNS (else it can't resolve hostnames used in shell commands). It makes sense to use the DNS servers specified in the configuration. IF the pfSense box is running the DNS forwarder AND the DNS forwarder has some "local" names defined (e.g. for systems with DHCP leases or "local overrides") then you may (or may not) want the translation of those local names visible to software running on the pfSense box. If you don't want them visible you would select Do not use the DNS Forwarder as a DNS server for the firewall.

            Possible use:
            Suppose you have a local server accessible from the internet. It is accessible via a public IP and a private IP. On the public internet www.examplehost.com resolves to its public IP address. Your pfSense box has DNS forwarder enabled and a local override so www.examplehost.com resolves to the private IP address for systems downstream of the pfSense box. Do you want the pfSense box itself to use the public translation of www.examplehost.com (the pfSense box shouldn't use the DNS forwarder) or the private (the pfSense box should use the DNS forwarder)?

kevindd992002

              Thanks for the reply but I don't get this part "Do you want the pfSense box itself to use the public translation of www.examplehost.com (the pfSense box shouldn't use the DNS forwarder) or the private (the pfSense box should use the DNS forwarder)?"

              Can you explain further?

What software in the pfSense box needs to see these local hostnames?

wallabybob

I have a web server on my home network. It is accessible from the internet by a port forward on my pfSense box.
The web server provides wiki and forum services to a small group of friends who work together on projects. One of those friends comes to visit regularly, and partly for his convenience and partly for my experience I decided to provide him with a URL he could use "anywhere" (on the public internet and on my home network) to access the web server. My public IP address is dynamic and registered with a free DNS provider, so I configured a pfSense DNS override to translate the same name to the private IP address of my local web server.

My pfSense box sends syslog records to the box that runs the web server. I have the pfflowd package installed on my pfSense box and it sends flow records to the same box that runs my web server. In both cases I can configure the receiver of the records to be the public hostname registered with the free DNS provider, in which case I want my pfSense DNS to include my local override for the public hostname, so I configure the pfSense DNS to include the DNS forwarder. Or, I could use the web server's "local" hostname or IP address and tell pfSense to NOT include the DNS forwarder (because I don't need to use the DNS forwarder override).

The trick with using DNS forwarder overrides is to remember whether pfSense is using them or not. For example, if my friend calls me to say he can't access the web server, and I'm in a pfSense shell session at the time and I ping the web server to see if it is up, I had better remember whether pfSense is using DNS forwarder overrides when choosing the ping destination and interpreting the ping results.

kevindd992002

Having a hard time understanding since I know basic networking only. Please correct me if I'm wrong. The whole point of that option is for the pfSense box to recognize internal DNS hostnames; that's why it makes localhost the first DNS lookup server?

                  How about "Resolve DHCP mappings first" ?

kevindd992002

                    BUMP!

wallabybob

                      @kevindd992002:

                      How about "Resolve DHCP mappings first" ?

                      No because local DNS names are not necessarily related to anything in DHCP.

kevindd992002

                        @wallabybob:

                        @kevindd992002:

                        How about "Resolve DHCP mappings first" ?

                        No because local DNS names are not necessarily related to anything in DHCP.

                        What I mean by "that option" is this "Do not use the DNS Forwarder as a DNS server for the firewall". Is this as simple as what I said in my latest post above?

The "Resolve DHCP mappings first" option is another question; what is that?

jimp (Rebel Alliance Developer, Netgate)

                          It does exactly what it says, it resolves DHCP mappings first, before host overrides and such.

                          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                          Need help fast? Netgate Global Support!

                          Do not Chat/PM for help!

kevindd992002

                            @jimp:

                            It does exactly what it says, it resolves DHCP mappings first, before host overrides and such.

Is this the common way to use it?

jimp (Rebel Alliance Developer, Netgate)

                              It's a matter of preference.

                              Some people like to have their DHCP system names used no matter what, others want to use the hardcoded entries to override even the DHCP entries.

                              It depends on the admin and the environment which is preferred.

kevindd992002

                                @jimp:

                                It's a matter of preference.

                                Some people like to have their DHCP system names used no matter what, others want to use the hardcoded entries to override even the DHCP entries.

                                It depends on the admin and the environment which is preferred.

                                Ok, how about "Do not use the DNS Forwarder as a DNS server for the firewall"? Is there a more basic definition?

jimp (Rebel Alliance Developer, Netgate)

                                  I'm not sure how it can be more clear than exactly what it says. If that is checked, the firewall will not use the DNS forwarder as a DNS server for the firewall.

                                  If it's unchecked, then the firewall will use the DNS forwarder (if it's enabled) to resolve DNS queries, so it can also see the DHCP/static mappings, host overrides, and also queries all DNS servers at once.

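As an added illustration (not pfSense code, and not from any poster above): a small Python model of the two options discussed in this thread. It shows what a LAN client and the firewall itself get for a name under each setting, and lists the names where those two views differ, which is the pitfall wallabybob describes. The hostnames, addresses and the upstream answer are constructed; the lookup order follows jimp's description (DHCP mappings before host overrides when "Resolve DHCP mappings first" is checked, otherwise host overrides first).

```python
# Added example (constructed; not pfSense's own code): a model of how the two
# pfSense 2.0 options in this thread change what a name resolves to, for LAN
# clients and for the firewall itself. Lookup order follows jimp's description.
from dataclasses import dataclass, field

# Constructed stand-in for the public (upstream) DNS answer.
UPSTREAM = {"www.examplehost.com": "203.0.113.10"}


@dataclass
class Forwarder:
    """The pfSense DNS Forwarder with its local name sources."""
    host_overrides: dict = field(default_factory=dict)  # Host Overrides entries
    dhcp_mappings: dict = field(default_factory=dict)   # names from DHCP leases / static mappings
    resolve_dhcp_first: bool = False                    # "Resolve DHCP mappings first"

    def resolve(self, name):
        """Answer as a LAN client would see it: local sources first, then upstream."""
        order = [self.dhcp_mappings, self.host_overrides]
        if not self.resolve_dhcp_first:
            order.reverse()  # host overrides win over DHCP names
        for table in order:
            if name in table:
                return table[name]
        return UPSTREAM.get(name)  # None stands for NXDOMAIN


def firewall_resolve(name, forwarder, do_not_use_forwarder):
    """What tools run on the firewall itself (ping, a syslog target) get.

    Unchecked: the firewall queries localhost, i.e. the forwarder, so it sees
    overrides and DHCP names. Checked: it asks only the configured upstream
    servers and never sees local names.
    """
    if do_not_use_forwarder or forwarder is None:
        return UPSTREAM.get(name)
    return forwarder.resolve(name)


def differing_views(forwarder, do_not_use_forwarder, names):
    """Names whose answer on the firewall differs from the LAN clients' answer.

    This is the pitfall wallabybob describes: a ping from the pfSense shell
    may reach a different address than a client would.
    """
    out = {}
    for n in names:
        fw, lan = firewall_resolve(n, forwarder, do_not_use_forwarder), forwarder.resolve(n)
        if fw != lan:
            out[n] = (fw, lan)
    return out
```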
kevindd992002

                                    Thanks.

                                    So the DNS forwarder IP address is localhost?

jimp (Rebel Alliance Developer, Netgate)

                                      Yes, when it's used by the system itself that's what it uses. The DNS Forwarder listens on every IP on the system though, so it could be any IP, but localhost is always there and never changes, so that's the safest to use from the firewall itself.

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.