DNS server priority



  • i just installed pfsense 2.0.1 and all default options for DNS have remained.

    under the general setup tab i have a few options to enter in DNS Servers.

    i assume this is the area to add in my own DNS servers, other than what pfsense grabs from my cable modem.

    i want to use the openDNS servers (208.67.222.222, 208.67.220.220).

    i put those in there and in the drop down i selected WAN.

    the bottom two are blank and have the option none selected.

    it appears that i am using the openDNS servers (i tested it by navigating to http://welcome.opendns.com). when you are using their servers the message seen at that page is "welcome to openDNS you are now "

    even though everything seems to be operating as it should (i dont see how it is given the information below), i would still like to ask my question.

    under status–--->interfaces, i see the following:

    127.0.0.1
    68.87.72.134
    68.87.77.134
    208.67.222.222
    208.67.220.220

    is this the order pfsense is prioritizing the DNS servers?

    if that is the case, it seems that it wouldnt be using the openDNS servers unless the first two from my ISP were down.

    for those of you that have used openDNS, if you are not pointing/using their servers, http://welcome.opendns.com displays the message...

    "You aren't using OpenDNS yet.
    Let's fix that. If you haven't restarted your computer yet, please do that now."

    for my LAN devices, i want to make sure that they point to pfsense (192.168.1.1) for DNS, which is what is currently in place now.

    here is the output of a network PC

    ip- 192.168.1.215
    s- 255.255.255.0
    g- 192.168.1.1

    dns1- 192.168.1.1

    thanks.



  • If I recall correctly pfSense sends a DNS request to all the configured DNS servers and uses whatever reply comes back first.

    If you are using OpenDNS for web filtering you probably want to remove your ISPs DNS servers from your configuration: The DNS Servers entry in web page System -> General Setup should have just the OpenDNS servers and the box Allow DNS server list to be overridden by DHCP/PPP on WAN should be clear (not ticked).



  • perfect! that was it.  i now see this…

    127.0.0.1
    208.67.222.222
    208.67.220.220

    whereas before i saw the ones from the ISP.

    that option where you said to uncheck that box makes sense, but for whatever reason, i overlooked it.



  • If you want to remove 127.0.0.1 from list, disable dns forwarder in services menu.



  • @marcelloc:

    If you want to remove 127.0.0.1 from list, disable dns forwarder in services menu.

    thank you.  i disabled that option and i clicked saved, but i still see it as the first DNS server under

    status–-->interfaces

    it didnt say anything about rebooting pfsense, but do i need to wait a few minutes and check again?

    or will i always see 127.0.0.1, but the system just bypasses it?

    thanks.



  • @tomdlgns:

    or will i always see 127.0.0.1, but the system just bypasses it?

    It will not, try the reboot when possible.



  • @marcelloc:

    @tomdlgns:

    or will i always see 127.0.0.1, but the system just bypasses it?

    It will not, try the reboot when possible.

    interesting.  ever since i disabled that DNS forwarder option, i cant get anything to work.

    no internet, no webgui, nothing…

    i am off site right now.  i was connected into a workstation on the network that is running pfsense.

    since i am not on site, i cant reboot it at this time.

    (however i am still connected via logmein....) this is odd.



  • while remotely connected, i can ping the pfsense box (192.168.1.1) but something with DNS isnt working.

    C:\Users\admin>ping 192.168.1.1

    Pinging 192.168.1.1 with 32 bytes of data:
    Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
    Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
    Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
    Reply from 192.168.1.1: bytes=32 time<1ms TTL=64

    Ping statistics for 192.168.1.1:
       Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
       Minimum = 0ms, Maximum = 0ms, Average = 0ms

    C:\Users\admin>ping google.com
    Ping request could not find host google.com. Please check the name and try again
    .

    C:\Users\admin>ping 8.8.8.8

    Pinging 8.8.8.8 with 32 bytes of data:
    Reply from 8.8.8.8: bytes=32 time=22ms TTL=52
    Reply from 8.8.8.8: bytes=32 time=22ms TTL=52
    Reply from 8.8.8.8: bytes=32 time=23ms TTL=52
    Reply from 8.8.8.8: bytes=32 time=24ms TTL=52

    Ping statistics for 8.8.8.8:
       Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
       Minimum = 22ms, Maximum = 24ms, Average = 22ms

    hmmmmmmm.  i cant web into 192.168.1.1

    is it possible to reboot pfsense via command line from a network PC?

    EDIT- i just tried IE and i can login to pfsense using IE.  should i reboot the box or is there something else i should try before i attempt to reboot it?



  • is it possible to reboot pfsense via command line from a network PC?

    yes it's in menu option.

    interesting.  ever since i disabled that DNS forwarder option, i cant get anything to work.

    you need firewall rules to allow access to dns service on lan.



  • @marcelloc:

    is it possible to reboot pfsense via command line from a network PC?

    yes it's in menu option.

    interesting.  ever since i disabled that DNS forwarder option, i cant get anything to work.

    you need firewall rules to allow access to dns service on lan.

    it is in the menu option from a remote PC on the network?  i dont follow.

    also, if i needed rules to allow DNS server on the LAN, it would have been nice to know that prior to unchecking that box.  ;D



  • ok, i just enabled DNS forwarder to make sure sites can resolve.  this is probably something that i should work on while i am on site.



  • @tomdlgns:

    for my LAN devices, i want to make sure that they point to pfsense (192.168.1.1) for DNS, which is what is currently in place now.

    So why would tomdlgns want to disable the DNS forwarder as suggested:
    @marcelloc:

    If you want to remove 127.0.0.1 from list, disable dns forwarder in services menu.



  • @marcelloc:

    If you want to remove 127.0.0.1 from list, disable dns forwarder in services menu.

    Don't do this unless you really know what you're doing, it'll break DNS on all LAN clients in the default out of the box setup.



  • @wallabybob:

    So why would tomdlgns want to disable the DNS forwarder as suggested:
    @marcelloc:

    If you want to remove 127.0.0.1 from list, disable dns forwarder in services menu.

    he wants to use only opendns servers:

    i want to use the openDNS servers (208.67.222.222, 208.67.220.220).



  • @marcelloc:

    he wants to use only opendns servers:

    i want to use the openDNS servers (208.67.222.222, 208.67.220.220).

    Right, but his LAN clients are configured to use pfSense as their name server:
    @tomdlgns:

    for my LAN devices, i want to make sure that they point to pfsense (192.168.1.1) for DNS, which is what is currently in place now.

    If pfSense doesn't have DNS forwarder (or equivalent) enabled how will his LAN clients get name service from pfSense?



  • tomdlgns did not specified a complete scenario, he just asked how to use his opendns servers.

    The way he asked, creating lan rules to allow dns queries to 208.67.222.222 and 208.67.220.220 will work.



  • @marcelloc:

    tomdlgns did not specified a complete scenario, he just asked how to use his opendns servers.

    The way he asked, creating lan rules to allow dns queries to 208.67.222.222 and 208.67.220.220 will work.

    How do I do this?

    That was the next part of my question, but I didn't want to tackle it until I got home.

    My goal is to have network computers point to 192.168.1.1 for DNA, the pfSense box, and I want to use opendns servers.

    I am using opendns servers now, but if a network user inputs 8.8.8.8 or other third party servers in their nic settings, they will bypass the opendns servers.

    Basically, I want to intercept all DNA lookps just before they leave the network. I was able to do this with dd wrt firmware on a Lindsay's router before I switched to pfSense.

    Thanks



  • This way you need to block dns queries on lan rules and enable dns forwarder.



  • @marcelloc:

    This way you need to block dns queries on lan rules and enable dns forwarder.

    sure, but is there a guide to do this?  if i knew how to do it, i wouldnt have posted in here.

    :)



  • Do you need help creating rules or changing dns servers?



  • @marcelloc:

    Do you need help creating rules or changing dns servers?

    under the general tab, right now, i have the openDNS servers and the local host address

    127.0.0.1
    208.67.222.222
    208.67.220.220

    with the help from you guys in this thread, i have been able to eliminate the ISP DNS Servers from that list.

    it appears that is working w/o any issues.

    the next step is to create rules, i suppose that is next, that will allow me to intercept DNS lookups.  that might not be the right word/phrase.

    but what i would like to accomplish is to force a certain set of DNS servers to be used regardless of what the user has used on their device.



  • You could add the following firewall rule (On Firewall -> Rules, click on the LAN tab, click on the lowermost "+": Action=Block, Disabled='not ticked', Interface=LAN, Protocol=TCP/UDP, Source=any, Destination=( not='ticked', Type=LAN address,) Destination port range=DNS, Log='ticked')

    This will block any attempt by a system connected to the LAN interface to access (by TCP or UDP) a DNS Server (port 53) on any IP address other than the pfSense LAN IP address and will log in the system log any such attempt.

    If you have other firewall rules on the LAN interface you need to check that a rule higher up the list doesn't allow this rule to be bypassed. (Rules are processed from the top down, processing stops on the first match.)

    The logging gives some information to help track down offenders.



  • thanks, i will try this.

    if i do this, can i disable the DNS forwarder option?

    my LAN PCs are using 192.168.1.1 for the DNS server, which is what i want, but i didnt set that under the DHCP settings for the LAN interface.

    is it pulling that by default?

    also, i dont mind leaving the DNS forwarder option as is, i dont want to break anything, but i also dont see the need to have 127.0.0.1 as a DNS server.

    thank you for your help.



  • @tomdlgns:

    if i do this, can i disable the DNS forwarder option?

    No because @tomdlgns:

    my LAN PCs are using 192.168.1.1 for the DNS server, which is what i want,

    @tomdlgns:

    but i didnt set that under the DHCP settings for the LAN interface.

    DNS entries on DHCP page will override default of pfSense xxx interface.

    @tomdlgns:

    i also dont see the need to have 127.0.0.1 as a DNS server.

    Is there a problem with pfSense using DNS forwarder for name resolution?

    Suppose you didn't have 127.0.0.1 on pfSense DNS list. This would mean all DNS requests from pfSense would go to OpenDNS. OpenDNS does not know how to resolve names of systems on your local network. Do you want pfSense applications to not have access to name resolutions of "local" systems.

    How would pfSense



  • @wallabybob:

    @tomdlgns:

    if i do this, can i disable the DNS forwarder option?

    No because @tomdlgns:

    my LAN PCs are using 192.168.1.1 for the DNS server, which is what i want,

    @tomdlgns:

    but i didnt set that under the DHCP settings for the LAN interface.

    DNS entries on DHCP page will override default of pfSense xxx interface.

    @tomdlgns:

    i also dont see the need to have 127.0.0.1 as a DNS server.

    Is there a problem with pfSense using DNS forwarder for name resolution?

    Suppose you didn't have 127.0.0.1 on pfSense DNS list. This would mean all DNS requests from pfSense would go to OpenDNS. OpenDNS does not know how to resolve names of systems on your local network. Do you want pfSense applications to not have access to name resolutions of "local" systems.

    How would pfSense

    no, there is no problem with pfsense using 127.0.0.1 to lookup local name resolution.  if that is what it is doing, then i will leave it alone.

    thank you.

    i wasnt sure exactly what it did, which is why i asked.

    if i create the rules posted above, pfsense will force openDNS servers regardless of what the user has set on their device, correct?

    that is mainly what i am looking to do.

    thanks.



  • @tomdlgns:

    if i create the rules posted above, pfsense will force openDNS servers regardless of what the user has set on their device, correct?

    It was a single rule and it needs to be correctly positioned with respect to other rules you might have.

    Here's how the overall thing works: pfSense uses only OpenDNS and the pfSense DNS forwarder for name resolution. The firewall blocks any attempt by a system connected to the LAN interface to use a DNS server other than pfSense. Note the firewall doesn't "automatically" change an attempt by a LAN system to use (say) Google name server into an attempt to use OpenDNS. An attempt by a LAN client to use anything other than the pfSense box as their name server will be blocked generally resulting in some sort of error report which will probably send the user to tech support (you?) who will investigate and find they are attempting to break the usage rules and appropriate discipline can follow.

    It might be possible to have a NAT type firewall rule (or rules)  to automatically change a "violating" DNS access into a conforming DNS access.

    This configuration doesn't do anything to block access to name servers providing service on non-standard ports. If you find such name servers then you could add appropriate firewall rules.



  • @wallabybob:

    @tomdlgns:

    if i create the rules posted above, pfsense will force openDNS servers regardless of what the user has set on their device, correct?

    It was a single rule and it needs to be correctly positioned with respect to other rules you might have.

    Here's how the overall thing works: pfSense uses only OpenDNS and the pfSense DNS forwarder for name resolution. The firewall blocks any attempt by a system connected to the LAN interface to use a DNS server other than pfSense. Note the firewall doesn't "automatically" change an attempt by a LAN system to use (say) Google name server into an attempt to use OpenDNS. An attempt by a LAN client to use anything other than the pfSense box as their name server will be blocked generally resulting in some sort of error report which will probably send the user to tech support (you?) who will investigate and find they are attempting to break the usage rules and appropriate discipline can follow.

    It might be possible to have a NAT type firewall rule (or rules)  to automatically change a "violating" DNS access into a conforming DNS access.

    This configuration doesn't do anything to block access to name servers providing service on non-standard ports. If you find such name servers then you could add appropriate firewall rules.

    i am not sure how do it in pfsense, i was able to do it with my linksys router that had DD-WRT flashed on it.

    basically, i could set anything i wanted on a network computer for the DNS servers…

    i did several tests.  i used bogus IP addresses on the client PC and i was still able to browse the internet.

    if i went to welcome.opendns.com i saw the message that confirmed i was using their servers.

    the network i was running at the time was 192.168.1.0 /24 and this was the DNS i was using on the client PC: 192.168.250.3 (just something random to make sure the firewall was ignoring the DNS server i had in my network settings) and DNS still worked because it forced openDNS servers to be used.

    i used this command in the dd-wrt router to intercept DNS that client machines were trying to use.

    "Configure DNSMasq for OpenDNS DNS forwarding
    Go to Services tab » Services sub tab » Services Management section » DNSMasq sub section
    Enable both DNSMasq and Local DNS options
    In the Additional DNSMasq Options text box, enter:
    no-resolv
    strict-order
    server=208.67.222.222
    server=208.67.222.220
    Click Apply Settings

    and

    You can prevent users from using their own DNS servers (and hence get around content filtering) by intercepting DNS queries and forcing them to use the DNS servers you specify.
    Go to Administration tab » Commands sub tab
    In the Commands text box, enter:
    iptables -t nat -A PREROUTING -i br0 -p udp –dport 53 -j DNAT --to $(nvram get lan_ipaddr)
    iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
    Click Save Firewall (note: your WAN interface will be restarted)"

    just in case someone reads this later, these are NOT directions for the pfsense firewall. i just wanted to point out how i was intercepting DNS lookups with dd-wrt.

    the rule that was posted above might work, but i'd like to confirm that i am on the same page before i create rules in pfsense.



  • Create a firewall rule on lan

    Proto udp dest port 53

    First, a rule to Allow dns to your server and then a rule That blocks any conection to port 53

    The rule on lan That Allow internet access must be after dns rules.



  • @tomdlgns:

    i used this command in the dd-wrt router to intercept DNS that client machines were trying to use.

    I suspect an equivalent in pfSense would be to set up a port forward rule on the LAN interface as follows:
    On Firewall -> NAT, Port Forward tab click "+" at the bottom to add the rule (default values not specified here): Interface=LAN, Protocol=TCP/UDP, Destination=(not box ticked, Type=(Address=LAN address, Destination port range from: DNS)), Redirect target IP = <pfsense lan="" ip="" address="">Click Save then go to Diagnostics -> States, click on Reset States tab, read the explanation then click on the Reset button and test the new port forward rule.

    I haven't tested this. I expect it would forward any TCP/UDP access to port 53 (DNS) on an address other than the LAN IP address to the LAN IP address.</pfsense>


Locked