How to host a nameserver in pfSense 2.1?
-
Hi:
I would like to host two nameservers on two different pfSense 2.1 boxes to resolve domain names from outside and inside (both authoritative and recursive). But from what I have read, the pfSense package DNS Server/TinyDNS has no dnscache, meaning it cannot serve as a recursive resolver.
Since I am more of a command-line person and the pfSense 2.1 GUI is too exhaustive for me, can anyone guide me or point me to a link on how one can host a nameserver using the GUI of pfSense 2.1?
Thanks in advance.
-
There isn't a guide anywhere for that currently; however, in 2.1 this is quite possible.
In the DNS forwarder settings, select ONLY your internal interfaces, and check "strict binding".
Run tinydns bound to the WAN IP.
Then tinydns can catch the authoritative requests on the WAN IP, and the DNS forwarder will catch the recursive requests from the inside.
The DNS Forwarder interface binding options are new in 2.1.
Alternately, you can bind the DNS forwarder to a different port (e.g. 5353) and then use a port forward to redirect traffic from your recursive query sources on any interface to it.
-
"authoritative and recursive both"
Be careful running recursive DNS on your public interface. These can be used quite easily for amplification attacks, and this is becoming more and more common. Running a recursive name server open to the public can be a dangerous endeavor; please be sure you want to do that.
US-CERT just recently updated their alert on this: http://www.us-cert.gov/ncas/alerts/TA13-088A
If you're sure, or your WAN has limited exposure and is not really public, then the above advice works.
-
If your WAN handles only authoritative queries, and the internal interfaces only recursive ones (as I described), that won't be an issue.
-
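One way to confirm from a client that the split above actually holds, added here as an example and not part of the original thread or of the pfSense, dnsmasq or tinydns packages: send a query with the RD (recursion desired) bit set to each address and look at the RA (recursion available) and AA (authoritative answer) bits in the reply. A WAN address that answers your own zone with AA set and never sets RA is behaving as an authoritative-only server; an address that sets RA is offering recursion, which is exactly what you do not want reachable from the public side. The addresses and the zone name are constructed placeholders (assumptions); run the probe once from inside and once from a host outside the WAN, since the forwarder's interface binding (or the port-forward alternative) makes the same box look different depending on where the query comes from.

```python
"""Added example (not from the pfSense forum thread or the pfSense project):
probe a DNS server and report whether it offers recursion (RA flag), answers
authoritatively (AA flag), or refuses, so you can confirm the split described
above: authoritative only on the WAN address, recursive only on internal ones.
Addresses and the zone name below are constructed placeholders (assumptions)."""
import socket
import struct

WAN_IP = "203.0.113.10"      # assumption: tinydns bound here
LAN_IP = "192.168.1.1"       # assumption: DNS forwarder (dnsmasq) bound here
ZONE = "example.com"         # assumption: zone tinydns is authoritative for
FOREIGN = "example.net"      # assumption: a name neither box is authoritative for
TXID = 0x1234                # fixed query ID so a reply can be matched


def build_query(qname, qtype=1, rd=True, txid=TXID):
    """Build a minimal DNS query (class IN). rd=True sets the RD bit, i.e. asks for recursion."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = [label.encode("ascii") for label in qname.strip(".").split(".")]
    qname_wire = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + qname_wire + struct.pack("!HH", qtype, 1)


def parse_header(resp):
    """Decode the 12-byte DNS header into the flags that matter for this check."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # response bit
        "aa": bool(flags & 0x0400),   # authoritative answer
        "rd": bool(flags & 0x0100),   # recursion desired (echoed from the query)
        "ra": bool(flags & 0x0080),   # recursion available: the open-resolver signal
        "rcode": flags & 0x000F,      # 0 NOERROR, 3 NXDOMAIN, 5 REFUSED
        "ancount": an,
    }


def classify(hdr):
    """Map header flags to what the server is doing for this client."""
    if hdr["ra"]:
        return "recursive"            # offers recursion: dangerous if this is the WAN side
    if hdr["aa"]:
        return "authoritative-only"   # answers its own zone, no recursion offered
    if hdr["rcode"] == 5:
        return "refused"
    return "no-recursion"


def probe(server, qname, timeout=2.0):
    """Send one UDP query with RD set; return the decoded header, or None on timeout/mismatch."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(qname), (server, 53))
        data, _ = sock.recvfrom(512)
    except socket.timeout:
        return None
    finally:
        sock.close()
    if len(data) < 12:
        return None
    hdr = parse_header(data)
    return hdr if hdr["id"] == TXID else None


if __name__ == "__main__":
    # Expected for the split setup: WAN -> "authoritative-only" for ZONE and
    # "refused" or "no-recursion" for FOREIGN; LAN -> "recursive" for FOREIGN.
    for server, name in [(WAN_IP, ZONE), (WAN_IP, FOREIGN), (LAN_IP, FOREIGN)]:
        hdr = probe(server, name)
        verdict = "no reply" if hdr is None else classify(hdr)
        print(f"{server:16} {name:20} {verdict}")
```

If the WAN probe for FOREIGN ever comes back "recursive", the forwarder is still reachable on that address and the interface selection or "strict binding" setting has not taken effect; with the port-5353 alternative, also check that the port-forward rule's source list really is limited to your internal networks.
-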
Thanks Jim for your useful input.
In the meantime, I am a bit confused about the "Enable recursive DNS responder" option for the setup that you stated. You mentioned making the tinydns authoritative server listen only on WAN and the DNS forwarder on the remaining internal interfaces. But next to "Enable recursive DNS responder" there is "Interface to Listen". Is that the recursive nameserver's listening interface, or the authoritative one for WAN?
-
In tinydns, "Enable recursive DNS responder" means to enable dnscache, its partner in crime that handles recursive queries.
They can't both bind to the same IP, so you tell tinydns to bind to some interface/IPs, and you have dnscache bind to others.
I much prefer the pfSense DNS forwarder (dnsmasq) because it actually works. It's not dnscache's fault it's mostly broken, but few have been interested in fixing that part of the package to get all of the files/syntax correct. And now that it's not really necessary, it may be better to just remove that option.