Sending all firewall-originated DNS through DNS forwarder
My /etc/resolv.conf has the following name servers listed:
nameserver 127.0.0.1 nameserver 22.214.171.124 nameserver 126.96.36.199
The last 2 are the DynDNS ones, that I use for DNS filtering. A side-effect is that they always return something when queried - an IP that points to a DynDNS page.
In DNS Forwarder, I have domain overrides that point queries for my internal domain to the IP of the DNS server for the internal domain names. nd for remote sites, that internal DNS server is across an OpenVPN link (=delay).
I noticed that the firewall itself does not find my local domain names to IP correctly - it tends to find the dodgy answer from DynDNS. I suspect I could fix this if /etc/resolv.conf only listed 127.0.0.1 (the DNS Forwarder). Then only DNS Forwarder could answer, no chance for the others to get in first with a dodgy answer.
I can't see any system option to disable writing the other name server IPs to resolv.conf. And there is nothing in system.inc function system_resolvconf_generate() that allows leaving these out.
a) Is only listing nameserver 127.0.0.1 likely to be the fix?
b) Is doing this going to put the system into a knot somehow? (e.g. is there some boot-time catch-22 when DNS Forwarder itself starts up that will be a gotcha?)
c) If (a) and (b) are OK, then should there be an advanced option to only list nameserver 127.0.0.1 in resolv.conf?
Hmmm - catch-22, when I remove the last 2 name server lines, DNS Forwarder itself does not know how to lookup names!
I would DNS Forwarder to know all about how to lookup anything, either internally or externally, as it does now. But I want ordinary programs on the firewall to use only DNS Forwarder to get answers.
How to achieve that?
Maybe in advanced options put:
So it will use those upstream servers? The docs claim the domain on that parameter is optional.
Yep, that works. I removed all the DNS servers from System:General Setup, and had both these unchecked:
Allow DNS server list to be overridden by DHCP/PPP on WAN
Do not use the DNS Forwarder as a DNS server for the firewall
This makes /etc/resolv.conf contain just:
domain mydomain.xyz.org nameserver 127.0.0.1
Then in DNS Forwarder, Advanced:
And in DNS Forwarder Domain Overrides I have entries for the various local domains, and local private reverse lookup zones and the IP addresses of the internal DNS servers that know how to answer queries for those (e.g. mydomain.xyz.com 10.42.11.1)
Now when I "nslookup" from the pfSense command line, it can only ask DNS Forwarder. And DNS forwarder knows how to do "default" queries using the "server=188.8.131.52" line/s. And queries for local names and reverse lookups always get resolved correctly, or NXDOMAIN returned correctly if the local name does not exist.
The missing element of this configuration is that I can't specify the gateway to use for each upstream DNS server. DNS Forwarder will be using the default route for all of them. That could be fixed by doing this a slightly different way:
a) Add a checkbox somewhere (General Setup or DNS Forwarder config page?):
"Use only the DNS Forwarder as a DNS server for the firewall"
b) When this is checked:
1) Still define routes through the specified gateways for each DNS server IP in General Setup.
2) Only put 127.0.0.1 in /etc/resolve.conf - so DNS lookups from apps on the firewall itself all go to the DNS Forwarder.
3) Write a separate /etc/resolve-for-dns-forwarder.conf that contains the IPs of the DNS servers specified in General Setup (or given by DHCP).
4) On dnsmasq command use "–resolv-file=/etc/resolve-for-dns-forwarder.conf"
This way DNS Forwarder will be told about the upstream DNS servers automatically, they are routed through the selected gateway/s, and pfSense apps will always use DNS Forwarder to do their DNS lookup work.
Does this sound like a reasonable enhancement to the system?
And to me it actually feels like the behavior that many people would want - that DNS done by apps on pfSense itself uses the same path for resolving names as any ordinary LAN client. Or is there some catch-22 that I have forgotten here?