Pfsense 2.0 new option



  • This "Do not use the DNS Forwarder as a DNS server for the firewall" option is new to the latest pfSense 2.0 release. What does it actually do? I don't quite understand the short message below that option. By default I didn't check it, and I saw that the localhost address was indicated as the first DNS server in the Dashboard.

    This "Resolve DHCP mappings first" option is also new. Again, what does it do?



  • I'm curious too…anyone?!?



  • Bump! Anyone?



  • I'll GUESS.

    A pfSense box needs a DNS (else it can't resolve hostnames used in shell commands). It makes sense to use the DNS servers specified in the configuration. IF the pfSense box is running the DNS forwarder AND the DNS forwarder has some "local" names defined (e.g. for systems with DHCP leases or "local overrides") then you may (or may not) want the translation of those local names visible to software running on the pfSense box. If you don't want them visible you would select "Do not use the DNS Forwarder as a DNS server for the firewall".

    Possible use:
    Suppose you have a local server accessible from the internet. It is accessible via a public IP and a private IP. On the public internet www.examplehost.com resolves to its public IP address. Your pfSense box has DNS forwarder enabled and a local override so www.examplehost.com resolves to the private IP address for systems downstream of the pfSense box. Do you want the pfSense box itself to use the public translation of www.examplehost.com (the pfSense box shouldn't use the DNS forwarder) or the private (the pfSense box should use the DNS forwarder)?



  • Thanks for the reply but I don't get this part "Do you want the pfSense box itself to use the public translation of www.examplehost.com (the pfSense box shouldn't use the DNS forwarder) or the private (the pfSense box should use the DNS forwarder)?"

    Can you explain further?

    What software in the pfSense box needs to see these local hostnames?



  • I have a web server on my home network. It is accessible from the internet by port forward on my pfSense box.
    The web server provides wiki and forum services to a small group of friends who work together on projects. One of those friends comes to visit regularly, and partly for his convenience and partly for my experience I decided to provide him with a URL he could use "anywhere" (on the public internet and on my home network) to access the web server. My public IP address is dynamic and registered with a free DNS provider, so I configured a pfSense DNS override to translate the same name to the private IP address of my local web server.

    My pfSense box sends syslog records to the box that runs the web server. I have the pfflowd package installed on my pfSense box and it sends flow records to the same box that runs my web server. In both cases I can configure the receiver of the records to be the public hostname registered with the free DNS provider in which case I want my pfSense DNS to include my local override for the public hostname so I configure the pfSense DNS to include the DNS forwarder. Or, I could use the web server's "local" hostname or IP address and tell pfSense to NOT include the DNS forwarder (because I don't need to use the DNS forwarder override).

    The trick with using DNS forwarder overrides is to remember whether pfSense is using them or not. For example, if my friend calls me to say he can't access the web server and I'm in a pfSense shell session at the time and I ping the web server to see if it is up I had better remember whether pfSense is using DNS forwarder overrides when choosing the ping destination and interpreting the ping results.



  • Having a hard time understanding since I know basic networking only. Please correct me if I'm wrong. The whole point of that option is for the pfSense box to recognize internal DNS hostnames, and that's why it makes localhost the first DNS lookup server?

    How about "Resolve DHCP mappings first" ?



  • BUMP!



  • @kevindd992002:

    How about "Resolve DHCP mappings first" ?

    No, because local DNS names are not necessarily related to anything in DHCP.



  • @wallabybob:

    @kevindd992002:

    How about "Resolve DHCP mappings first" ?

    No, because local DNS names are not necessarily related to anything in DHCP.

    What I mean by "that option" is this "Do not use the DNS Forwarder as a DNS server for the firewall". Is this as simple as what I said in my latest post above?

    The "Resolve DHCP mappings first" option is another question, what is that?


  • Rebel Alliance Developer Netgate

    It does exactly what it says, it resolves DHCP mappings first, before host overrides and such.



  • @jimp:

    It does exactly what it says, it resolves DHCP mappings first, before host overrides and such.

    Is this the common way to use it?


  • Rebel Alliance Developer Netgate

    It's a matter of preference.

    Some people like to have their DHCP system names used no matter what, others want to use the hardcoded entries to override even the DHCP entries.

    It depends on the admin and the environment which is preferred.



  • @jimp:

    It's a matter of preference.

    Some people like to have their DHCP system names used no matter what, others want to use the hardcoded entries to override even the DHCP entries.

    It depends on the admin and the environment which is preferred.

    Ok, how about "Do not use the DNS Forwarder as a DNS server for the firewall"? Is there a more basic definition?


  • Rebel Alliance Developer Netgate

    I'm not sure how it can be more clear than exactly what it says. If that is checked, the firewall will not use the DNS forwarder as a DNS server for the firewall.

    If it's unchecked, then the firewall will use the DNS forwarder (if it's enabled) to resolve DNS queries, so it can also see the DHCP/static mappings, host overrides, and also queries all DNS servers at once.



  • Thanks.

    So the DNS forwarder IP address is localhost?


  • Rebel Alliance Developer Netgate

    Yes, when it's used by the system itself that's what it uses. The DNS Forwarder listens on every IP on the system though, so it could be any IP, but localhost is always there and never changes, so that's the safest to use from the firewall itself.
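    The trap wallabybob describes (pinging from a pfSense shell without knowing whether the firewall is resolving through the forwarder) and jimp's point that the forwarder is reached at localhost can be checked from the shell. The script below is an added illustration, not part of the thread or of pfSense: it reads which nameserver is listed first in /etc/resolv.conf and compares the forwarder's answer for a name with the upstream answer. It assumes host(1) is available on the box; the resolv.conf path is a parameter so the parsing can be tried on a copy.

```shell
#!/bin/sh
# Added illustration for the thread above, not pfSense code.
# With "Do not use the DNS Forwarder as a DNS server for the firewall"
# unchecked, 127.0.0.1 (the forwarder) is the first nameserver in
# /etc/resolv.conf; checked, only the configured upstream servers are listed.

# Print "forwarder" if the first nameserver in the given resolv.conf is
# localhost, "upstream" otherwise.
forwarder_in_use() {
    first=$(awk '$1 == "nameserver" { print $2; exit }' "$1")
    case "$first" in
        127.0.0.1|::1) echo forwarder ;;
        *)             echo upstream ;;
    esac
}

# First non-localhost nameserver: where the forwarder itself sends queries.
first_upstream() {
    awk '$1 == "nameserver" && $2 != "127.0.0.1" && $2 != "::1" { print $2; exit }' "$1"
}

# Ask the forwarder and the upstream server for the same A record.
# The answers differ only when a host override or DHCP mapping applies,
# which is exactly what you need to know before trusting a ping result.
compare_answers() {
    name=$1; resolv=${2:-/etc/resolv.conf}
    up=$(first_upstream "$resolv")
    fwd_ip=$(host -t A "$name" 127.0.0.1 | awk '/has address/ { print $NF; exit }')
    pub_ip=$(host -t A "$name" "$up" | awk '/has address/ { print $NF; exit }')
    if [ "$fwd_ip" = "$pub_ip" ]; then
        echo "$name: forwarder and upstream $up both answer $fwd_ip"
    else
        echo "$name: forwarder answers $fwd_ip, upstream $up answers $pub_ip (override or mapping in effect)"
    fi
}

# Usage from a pfSense shell:  sh dnscheck.sh www.examplehost.com
if [ -n "$1" ]; then
    echo "firewall resolver mode: $(forwarder_in_use /etc/resolv.conf)"
    compare_answers "$1"
fi
```

If the first line reports "forwarder", a name that shows two different answers will ping the private address from the firewall, not the public one.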

