Netgate Discussion Forum

DNS Forwarder: Port Shut?

DHCP and DNS
tlum:

I'm trying to start using the DNS Forwarder in pfSense. My internal DNS servers - which also answer recursive external queries - are on one internal subnet. It's kind of annoying to have to go in and set up rules on all the other subnets to pass traffic to the DNS servers. I was hoping to let pfSense magically proxy that traffic. However, all the DNS queries return ICMP - udp port 53 unreachable, which usually means the port is shut.

So, jumping to conclusions, I would guess the forwarder is behind the firewall filters and each subnet is going to need filter rules to allow DNS traffic to pfSense so the DNS Forwarder will work?
Is there any documentation on the setup of DNS Forwarder? From what I've seen it makes it sound like you just enable the check box and it just magically works, but I'm finding that not to be the case.
So DNS Forwarder is not going to help me because I have to set up rules on every subnet anyway, so I might as well not use it?

cmb:

With any service, you have to permit traffic to reach it via the firewall for it to work. There are ways to ease that process, with interface groups, or floating rules.

tlum:

Well, sounds like it won't reduce the number of rules to manually maintain, so it's best not to use it in this case because it's an increase in complexity with no benefit [for me]. Thanks

cmb:

As I said, use interface groups or floating rules. You can do that with 1 rule.

tlum:

That being the case, I can "allow" to the local DNS servers with one rule too. I think the main argument for DNS Forwarder is split horizon, where you have to proxy DNS requests to different servers. Since all of my DNS queries are answered by one set of servers regardless of whether it's an internal or external domain, DNS Forwarder offers no real benefit [that I can see] and would contribute to the complexity of the setup… the rules are really a wash.
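As an added illustration (not from this thread and not from Netgate's documentation), here is what the single-rule approach cmb suggests, and the one-rule-to-the-local-resolvers variant tlum describes, look like in pf syntax, the packet-filter language pfSense renders its GUI rules into. It assumes an interface group named LANS that contains all the internal interfaces (created in the GUI under Interfaces > Assign > Interface Groups) and a hypothetical alias DNS_SERVERS holding the internal resolvers; the group name, the alias name and the addresses are constructed for the example.

```pf
# Added example, not from the thread. Assumed names: interface group "LANS"
# (every internal interface) and alias "DNS_SERVERS" (the internal resolvers).
# In the pfSense GUI the equivalent is one rule on the LANS group tab, or one
# floating rule with all internal interfaces selected.

# Hypothetical alias of the internal resolvers (a pfSense alias becomes a pf table).
table <DNS_SERVERS> { 10.0.10.53, 10.0.10.54 }

# Option A: the DNS Forwarder runs on the firewall itself, so the rule only
# needs to permit DNS from the group's interfaces to the firewall's own
# addresses. "(self)" is the notation pfSense uses in its generated ruleset.
pass in quick on LANS inet proto { tcp, udp } from any to (self) port 53 keep state

# Option B (the original poster's case): resolvers sit on one internal subnet.
# One rule on the group reaches them from every member interface while leaving
# port 53 closed to every other destination.
pass in quick on LANS inet proto { tcp, udp } from any to <DNS_SERVERS> port 53 keep state
```

Either rule replaces a per-interface copy on each internal subnet, and adding a new internal interface to the group extends coverage without touching the rule. Because the destination is restricted to the firewall (Option A) or the alias (Option B), internal hosts still cannot reach arbitrary DNS servers through the firewall, which keeps the rule within the least-privilege intent of the original per-subnet setup.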

cmb:

Where you already have internal DNS servers, the only benefit of the DNS forwarder is that it may improve lookup performance, since it'll query all its configured servers simultaneously and take the fastest response. Aside from that, it's mostly beneficial for networks that don't have any local DNS servers.
