DNS server priority
-
i just installed pfsense 2.0.1 and all default options for DNS have remained.
under the general setup tab i have a few options to enter in DNS Servers.
i assume this is the area to add in my own DNS servers, other than what pfsense grabs from my cable modem.
i want to use the openDNS servers (208.67.222.222, 208.67.220.220).
i put those in there and in the drop down i selected WAN.
the bottom two are blank and have the option none selected.
it appears that i am using the openDNS servers (i tested it by navigating to http://welcome.opendns.com). when you are using their servers the message seen at that page is "welcome to openDNS you are now "
even though everything seems to be operating as it should (i dont see how it is given the information below), i would still like to ask my question.
under status–--->interfaces, i see the following:
127.0.0.1
68.87.72.134
68.87.77.134
208.67.222.222
208.67.220.220is this the order pfsense is prioritizing the DNS servers?
if that is the case, it seems that it wouldnt be using the openDNS servers unless the first two from my ISP were down.
for those of you that have used openDNS, if you are not pointing/using their servers, http://welcome.opendns.com displays the message...
"You aren't using OpenDNS yet.
Let's fix that. If you haven't restarted your computer yet, please do that now."for my LAN devices, i want to make sure that they point to pfsense (192.168.1.1) for DNS, which is what is currently in place now.
here is the output of a network PC
ip- 192.168.1.215
s- 255.255.255.0
g- 192.168.1.1dns1- 192.168.1.1
thanks.
-
If I recall correctly pfSense sends a DNS request to all the configured DNS servers and uses whatever reply comes back first.
If you are using OpenDNS for web filtering you probably want to remove your ISPs DNS servers from your configuration: The DNS Servers entry in web page System -> General Setup should have just the OpenDNS servers and the box Allow DNS server list to be overridden by DHCP/PPP on WAN should be clear (not ticked).
-
perfect! that was it. i now see this…
127.0.0.1
208.67.222.222
208.67.220.220whereas before i saw the ones from the ISP.
that option where you said to uncheck that box makes sense, but for whatever reason, i overlooked it.
-
If you want to remove 127.0.0.1 from list, disable dns forwarder in services menu.
-
If you want to remove 127.0.0.1 from list, disable dns forwarder in services menu.
thank you. i disabled that option and i clicked saved, but i still see it as the first DNS server under
status–-->interfaces
it didnt say anything about rebooting pfsense, but do i need to wait a few minutes and check again?
or will i always see 127.0.0.1, but the system just bypasses it?
thanks.
-
@tomdlgns:
or will i always see 127.0.0.1, but the system just bypasses it?
It will not, try the reboot when possible.
-
@tomdlgns:
or will i always see 127.0.0.1, but the system just bypasses it?
It will not, try the reboot when possible.
interesting. ever since i disabled that DNS forwarder option, i cant get anything to work.
no internet, no webgui, nothing…
i am off site right now. i was connected into a workstation on the network that is running pfsense.
since i am not on site, i cant reboot it at this time.
(however i am still connected via logmein....) this is odd.
-
while remotely connected, i can ping the pfsense box (192.168.1.1) but something with DNS isnt working.
C:\Users\admin>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0msC:\Users\admin>ping google.com
Ping request could not find host google.com. Please check the name and try again
.C:\Users\admin>ping 8.8.8.8
Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time=22ms TTL=52
Reply from 8.8.8.8: bytes=32 time=22ms TTL=52
Reply from 8.8.8.8: bytes=32 time=23ms TTL=52
Reply from 8.8.8.8: bytes=32 time=24ms TTL=52Ping statistics for 8.8.8.8:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 22ms, Maximum = 24ms, Average = 22mshmmmmmmm. i cant web into 192.168.1.1
is it possible to reboot pfsense via command line from a network PC?
EDIT- i just tried IE and i can login to pfsense using IE. should i reboot the box or is there something else i should try before i attempt to reboot it?
-
is it possible to reboot pfsense via command line from a network PC?
yes it's in menu option.
interesting. ever since i disabled that DNS forwarder option, i cant get anything to work.
you need firewall rules to allow access to dns service on lan.
-
is it possible to reboot pfsense via command line from a network PC?
yes it's in menu option.
interesting. ever since i disabled that DNS forwarder option, i cant get anything to work.
you need firewall rules to allow access to dns service on lan.
it is in the menu option from a remote PC on the network? i dont follow.
also, if i needed rules to allow DNS server on the LAN, it would have been nice to know that prior to unchecking that box. ;D
-
ok, i just enabled DNS forwarder to make sure sites can resolve. this is probably something that i should work on while i am on site.
-
@tomdlgns:
for my LAN devices, i want to make sure that they point to pfsense (192.168.1.1) for DNS, which is what is currently in place now.
So why would tomdlgns want to disable the DNS forwarder as suggested:
@marcelloc:If you want to remove 127.0.0.1 from list, disable dns forwarder in services menu.
-
If you want to remove 127.0.0.1 from list, disable dns forwarder in services menu.
Don't do this unless you really know what you're doing, it'll break DNS on all LAN clients in the default out of the box setup.
-
So why would tomdlgns want to disable the DNS forwarder as suggested:
@marcelloc:If you want to remove 127.0.0.1 from list, disable dns forwarder in services menu.
he wants to use only opendns servers:
i want to use the openDNS servers (208.67.222.222, 208.67.220.220).
-
he wants to use only opendns servers:
i want to use the openDNS servers (208.67.222.222, 208.67.220.220).
Right, but his LAN clients are configured to use pfSense as their name server:
@tomdlgns:for my LAN devices, i want to make sure that they point to pfsense (192.168.1.1) for DNS, which is what is currently in place now.
If pfSense doesn't have DNS forwarder (or equivalent) enabled how will his LAN clients get name service from pfSense?
-
tomdlgns did not specified a complete scenario, he just asked how to use his opendns servers.
The way he asked, creating lan rules to allow dns queries to 208.67.222.222 and 208.67.220.220 will work.
-
tomdlgns did not specified a complete scenario, he just asked how to use his opendns servers.
The way he asked, creating lan rules to allow dns queries to 208.67.222.222 and 208.67.220.220 will work.
How do I do this?
That was the next part of my question, but I didn't want to tackle it until I got home.
My goal is to have network computers point to 192.168.1.1 for DNA, the pfSense box, and I want to use opendns servers.
I am using opendns servers now, but if a network user inputs 8.8.8.8 or other third party servers in their nic settings, they will bypass the opendns servers.
Basically, I want to intercept all DNA lookps just before they leave the network. I was able to do this with dd wrt firmware on a Lindsay's router before I switched to pfSense.
Thanks
-
This way you need to block dns queries on lan rules and enable dns forwarder.
-
This way you need to block dns queries on lan rules and enable dns forwarder.
sure, but is there a guide to do this? if i knew how to do it, i wouldnt have posted in here.
:)
-
Do you need help creating rules or changing dns servers?