DNS problem on the LAN



  • Hello everyone, I have a problem with DNS on my LAN. If a PC has the DNS values set on its network card, it is able to get to the internet; otherwise, if the DNS values are not set, it does not get to the internet.

    I set the DNS values on pfSense, but in fact something must be wrong, because without DNS set the PC does not browse … As DNS values on pfSense I put 8.8.8.8 in General Setup, and I have not ticked any of the options under the DNS boxes.

    Has anyone had a similar problem?

    How can I fix it?

    Thanks to all



  • Are you using DHCP on pfSense LAN?
    Does the LAN client get a DHCP address?
    Is DNS Forwarder enabled in pfSense?

    In a default configuration, DNS Forwarder and DHCP are both enabled on pfSense. A LAN client will get a DHCP IP address in the LAN subnet, and DHCP will give the pfSense LAN IP as the DNS server - so the LAN client will use the pfSense DNS Forwarder for DNS.



  • Not a solution, but you seem to have an issue fairly similar to mine: https://forum.pfsense.org/index.php?topic=75781.0 - is that a recent install?



  • Hello, thanks for the reply

    On the LAN I do not have DHCP enabled.
    Each PC on the LAN has a fixed address.
    DNS Forwarder is not activated.

    I want the DNS server to be given by pfSense.

    Hello and thank you very much



  • Then make sure DNS Forwarder is enabled on pfSense.
    In each LAN client, you will already have set a static IP. Also enter the DNS server as the pfSense LAN IP.



  • Hello

    I do not want to put any DNS on the LAN clients; all the clients on the LAN must take the DNS automatically from what is set on pfSense.

    Is it possible to do this?

    thank you very much



  • If you are using a static IP entered on each LAN client, then you must also enter the DNS. In IPv4 there is no way to just do a DHCP request to get the DNS address.
    I suggest that you use DHCP on LAN. Then, in the pfSense DHCP server, allocate a static-mapped IP address to each client.
    I do it that way for all the known client systems in an office. Then each client always gets the same IP address given by DHCP, and they also get the DNS server automatically.



  • Hello

    I then activated the DHCP server on the LAN, and I have also enabled the DNS Forwarder.

    Now the PCs on the LAN have no fixed address and no DNS set on their ethernet card, and everything works.

    Now I want to ask if you can block certain sites using DNS, that is, for example, if I type https://www.facebook.com this site should not open …

    I have read on the forums that it is possible to do it through the DNS Forwarder, but I do not know how; could you give me a hand?

    Hello and thank you very much



  • A quick search for "how to block facebook" would bring up this thread with a few ideas, and my post of how I do it:
    https://forum.pfsense.org/index.php?topic=69860.msg383922#msg383922



  • Hello, thanks for the tip

    I wanted to say that the method you are using seems a bit complicated to do ….

    while the method recommended by Nothing:
    Why don't you use DNS Forwarder and add DNS A records for *.facebook.com pointing to 127.0.0.1, for example?
    To avoid the clients using foreign DNS servers, add a NAT rule to catch everything on TCP/UDP 53 and DNAT it to the pfSense box.
    Much simpler and cleaner than using a proxy, I think.

    seems easier.

    As far as I have figured out, I have to make two rules on the firewall and then add that record in DNS Forwarder?

    Hello



  • Yes, if you want to block Facebook all the time, then a domain override that translates *.facebook.com to a local address that does not work will do the trick easily.
    I have the firewall rule on a schedule, so Facebook works before and after normal office hours - we encourage our staff to come in early or stay late to do their FaceBooking (is that a word?) and to actually work during office hours  :) - for that I need an alias and rule on a schedule.



  • Hello

    I went into the DNS Forwarder in pfSense.

    Do I have to set the parameters in Host Overrides or in Domain Overrides?

    thanks



  • Domain Overrides.
    In "Domain" put facebook.com - that will include everything ending with facebook.com.
    In "IP address" put "!" - it is documented on the GUI page: "Or enter ! for lookups for this host/subdomain to NOT be forwarded anywhere."
    Now it will look those up itself. Of course they are not in the local hosts file, so it will very quickly return a not found (NXDOMAIN).



  • Hello, I have done it this way; is that right?




  • That will work. But if you put "!" in the IP Address field, the Facebook block will happen a little quicker for users, because DNS Forwarder will immediately be able to send back a "not known".



  • Hello, I have done as you suggested and you can see it in the picture, but if I go to https://www.facebook.com the page opens, while http://www.facebook.com does not open the page.

    What should I do for when I type https://www.facebook.com?

    thank you very much




  • Hello, I have a problem; I do not know how I did it, but now it does not work anymore …

    Let me summarise my situation.

    I have a LAN in which the clients have DHCP enabled and no value set in the DNS.

    On pfSense I then enabled the DNS Forwarder and the DHCP Server with the DNS values (see first image).

    After going to the Dashboard I have those DNS values (see picture 2).

    My question is what to set in General Setup (see image 3).

    I wonder if anyone could give me a hand.

    thank you very much








  • If you are happy to use DNS Forwarder (a good thing, IMHO) then do not put anything in the DHCP "DNS Servers" - DHCP will give the pfSense LAN IP as the DNS server.
    Then put multiple real public DNS servers in General Setup - e.g. 8.8.8.8 and 8.8.4.4 (Google). Or you can use OpenDNS, or your ISP DNS servers, or… - DNS Forwarder will use those to resolve queries.



  • Hello, in General Setup I put these settings




  • Hello, while in DNS Forwarder I put these settings






  • In DHCP Server, you need to remove 8.8.8.8 from DNS Servers.
    At the moment, your clients are getting 8.8.8.8 as their DNS server - so they are going straight to Google for DNS. They need to go to pfSense DNS Forwarder, then they will get the facebook.com restriction.



  • Hello, can you tell me how you can point all the clients on the LAN to the DNS Forwarder in pfSense?

    Hello and thank you very much


  • Rebel Alliance Global Moderator

    "all the clients on the LAN to the DNS Forwarder in pfSense?"

    This is the default configuration of the pfSense DHCP server - to point to itself as DNS. So what do you mean, how would you do it? Leave the DNS servers boxes in your DHCP server setup blank.

    NOTE: leave blank to use the system default DNS servers - this interface's IP if DNS forwarder is enabled, otherwise the servers configured on the General page.

    Bing bang zoom, all DHCP clients of pfSense point to pfSense for DNS. If you're talking about them manually putting in something else - then just create a firewall rule that prevents outbound on 53 udp/tcp and only allows it to the pfSense IP. Or create a forward that forwards DNS to the pfSense IP.

    Generally speaking, whatever you hand out in DHCP is what your users should be using - why would they not use what the DHCP server sends them?
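The two things the thread relies on at this point are (a) the "!" domain override making the forwarder answer NXDOMAIN itself, and (b) a firewall block or port-53 forward so a client that hand-configures an outside resolver still lands on pfSense. The script below is an added example, not from the thread or from pfSense; it is run from a LAN client and checks both with `dig`. The pfSense LAN IP 192.168.1.1, the overridden domain facebook.com, the allowed test domain pfsense.org and the outside resolver 8.8.8.8 are all assumptions that can be overridden with environment variables; `dig` itself is assumed to be installed (bind-tools / dnsutils).

```shell
#!/bin/sh
# Added example, not part of the thread: verify the pfSense DNS Forwarder block
# and the anti-bypass rule from a LAN client. Usage:  sh dnscheck.sh run
# Assumed values (not from the thread); override via environment if needed.
PFSENSE=${PFSENSE:-192.168.1.1}      # pfSense LAN IP, i.e. the forwarder
BLOCKED=${BLOCKED:-facebook.com}     # domain with the "!" domain override
ALLOWED=${ALLOWED:-pfsense.org}      # any domain that should still resolve
OUTSIDE=${OUTSIDE:-8.8.8.8}          # a resolver a user might hand-configure

# classify_dig: read `dig` output on stdin and print a single word:
# the rcode from the ";; ->>HEADER<<-" line (NOERROR, NXDOMAIN, REFUSED, ...),
# TIMEOUT if no server answered, or UNKNOWN if neither was found.
classify_dig() {
  awk '
    /connection timed out|no servers could be reached/ { print "TIMEOUT"; found = 1; exit }
    /^;; ->>HEADER<<-/ { sub(/.*status: /, ""); sub(/,.*/, ""); print; found = 1; exit }
    END { if (!found) print "UNKNOWN" }
  '
}

# query NAME SERVER: one A lookup with a short timeout, classified as above.
query() {
  dig +time=2 +tries=1 "$1" A @"$2" 2>&1 | classify_dig
}

# expect LABEL ACTUAL WANTED...: PASS (return 0) if ACTUAL is one of WANTED.
expect() {
  label=$1; actual=$2; shift 2
  for ok in "$@"; do
    if [ "$actual" = "$ok" ]; then
      echo "PASS  $label: $actual"
      return 0
    fi
  done
  echo "FAIL  $label: got $actual, wanted one of: $*"
  return 1
}

run_checks() {
  rc=0
  # (a) "!" override: the forwarder answers NXDOMAIN itself, nothing is forwarded.
  expect "override via pfSense      " "$(query "$BLOCKED" "$PFSENSE")" NXDOMAIN || rc=1
  # Everything else must still be forwarded upstream and resolve.
  expect "normal lookup via pfSense " "$(query "$ALLOWED" "$PFSENSE")" NOERROR || rc=1
  # (b) bypass attempt: with a port-53 forward pfSense answers in 8.8.8.8's place
  # (NXDOMAIN); with a block rule the query times out. NOERROR means the bypass works.
  expect "bypass via $OUTSIDE       " "$(query "$BLOCKED" "$OUTSIDE")" NXDOMAIN TIMEOUT || rc=1
  return $rc
}

case "${1:-}" in
  run) run_checks ;;
esac
```

The bypass check is the one that matters for enforcement: the thread's NAT rule and the moderator's "block 53 except to pfSense" rule give different but equally acceptable results (NXDOMAIN versus TIMEOUT), while a NOERROR from 8.8.8.8 shows the restriction can be sidestepped by anyone who edits their adapter settings.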



  • Hello and thanks to all

    I am making a list of the various settings to be made so that pfSense is used as a DNS Forwarder:

    • In the DHCP Server, enable the DHCP server on the LAN and set the DNS
    • In DNS Forwarder, turn it on and put in the domains to block for Facebook
    • In General Setup, do not put any value in the DNS
    • Then create the two rules on the firewall

    Now I have a doubt about the parameters I have set in General Setup, which you can see in the picture.

    Thanks to all




    • In the General Setup does not put any value in the DNS

    If you have DHCP on WAN, then check "Allow DNS server list to be overridden by DHCP/PPP on WAN" - then pfSense will get upstream DNS from the ISP DNS server/s.
    If you have a static IP on WAN, then put DNS server/s in the boxes in General Setup. Use the IP addresses of your ISP DNS servers, or some public DNS (Google, OpenDNS…). Then pfSense will get upstream DNS from these.
    In all the above, the LAN clients will still get the pfSense LAN IP (DNS Forwarder) as their DNS server, which is what you want.



  • Hello

    I have a static IP on the WAN; I set the DNS values in the General Setup page and I have not set any value in the boxes below (you can see it in the picture).

    Each client on the LAN has no value set on its ethernet card; if I go to the Windows command prompt I see that DHCP assigns an IP address, and as DNS it gives me the LAN address of pfSense.

    But I cannot browse sites.

    Hello and thank you





  • Rebel Alliance Global Moderator

    Is the DNS forwarder running? Can pfSense query DNS using 8.8.8.8?

    From Diag, DNS Lookup.




  • Hello, I have the DNS Forwarder active.

    I did the test with DNS Lookup and you can see the result in the image.

    I do not know what to do to make pfSense work.

    Hello and thank you



  • Rebel Alliance Global Moderator

    Well, from the way that looks, no, the DNS forwarder is not running. Or it does not know where to forward to. Or you have it not listening on the interfaces you need it to listen on, etc.
    Since you got no response from 127.0.0.1 – notice mine got a response.

    Post a screen of the DNS forwarder page.




  • Hello, thanks for the help, but it does not work.

    In the DNS Forwarder I set the same values that you have set.

    In General Setup what should I set?

    Do I have to make the rules on the firewall?

    Hello


  • Rebel Alliance Global Moderator

    Out of the box the default rules would be any/any for the first LAN interface.. If you add an OPT1 interface - say this 192.168.99 segment.. then you would have to create rules on that interface to allow the traffic you want.

    So in the attached you will see the firewall rules for my DMZ segment, 192.168.3.0/24 in my case - this would be similar to your 192.168.99 segment.

    In my rules I allow traffic from the DMZ segment to talk to my NTP server on my LAN segment 192.168.1.0/24.. I allow traffic to my pfSense interface in that segment - in my case 192.168.3.253 - for DNS. And I allow traffic not going to the local networks, i.e. my LAN and WLAN segments..

    What are your firewall rules on your segment? And validate that pfSense is listening on that interface's IP for DNS forwarding. A simple netstat should show it.

    [2.1.2-RELEASE][root@pfsense.local.lan]/root(3): netstat -an | grep .53
    tcp6       0      0 *.53                   *.*                    LISTEN
    tcp4       0      0 *.53                   *.*                    LISTEN
    udp6       0      0 *.53                   *.*
    udp4       0      0 *.53                   *.*

    So you can see *.53 here; this means it's listening on ALL IPs that pfSense has..

    So you can see a computer on that network can query pfSense for DNS - which in turn goes and asks the DNS server set up on it.
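The listener check above is easy to eyeball for four lines, but the same question ("is the forwarder bound on port 53 for the interface my clients use?") is worth automating when an OPT interface or a bind-to-specific-IP setting is in play. The function below is an added example, not from the thread or pfSense: it reads `netstat -an` output (FreeBSD column layout, as in the moderator's listing) and reports whether TCP and UDP port 53 are bound either on the wildcard `*.53` or on the given interface IP. The sample listing embedded in the script is constructed for the example, modelled on the one posted above; the LAN IP 192.168.1.1 is an assumption.

```shell
#!/bin/sh
# Added example, not part of the thread. On the firewall, run:
#     netstat -an | dns_listener_check 192.168.1.1
# Below it runs against a constructed sample so it can be tried offline.

# dns_listener_check LAN_IP: reads `netstat -an` (FreeBSD layout: Proto Recv-Q
# Send-Q Local-Address Foreign-Address [state]) on stdin. Prints whether tcp4 and
# udp4 port 53 are bound on "*" or on LAN_IP; exits 0 only when both are.
dns_listener_check() {
  lan_ip=$1
  awk -v ip="$lan_ip" '
    # A listening TCP socket has LISTEN as its last field; UDP sockets have no state.
    $1 == "tcp4" && ($4 == "*.53" || $4 == (ip ".53")) && $NF == "LISTEN" { tcp = 1 }
    $1 == "udp4" && ($4 == "*.53" || $4 == (ip ".53"))                    { udp = 1 }
    END {
      printf "tcp/53 reachable on %s: %s\n", ip, (tcp ? "yes" : "NO")
      printf "udp/53 reachable on %s: %s\n", ip, (udp ? "yes" : "NO")
      exit !(tcp && udp)
    }
  '
}

# Constructed sample (not real output): a forwarder bound on all addresses,
# plus the web GUI on 443 and the DHCP server on udp/67 for realism.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 192.168.1.1.443        *.*                    LISTEN
tcp6       0      0 *.53                   *.*                    LISTEN
tcp4       0      0 *.53                   *.*                    LISTEN
udp6       0      0 *.53                   *.*
udp4       0      0 *.53                   *.*
udp4       0      0 *.67                   *.*'

# Demo against the sample; assumed LAN IP 192.168.1.1.
printf '%s\n' "$SAMPLE_NETSTAT" | dns_listener_check 192.168.1.1
```

A "NO" for udp/53 with tcp/53 present is the pattern to look for when the forwarder was bound to a specific interface list that does not include the segment the clients sit on; a "NO" for both means dnsmasq is not running at all, which matches the moderator's reading of the DNS Lookup result.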






  • Hello guys,
    I have a problem with DNS. I have a DHCP server on pfSense and my domain users can obtain addresses from it; I have configured a DNS server on the DC and also a Microsoft RADIUS server for the captive portal, and the DNS forwarder is configured on pf. But now when users enter a URL (e.g. www.google.com) a DNS problem occurs, while when they enter 8.8.8.8 in the address bar it opens the captive portal logon page and after authentication it brings up the page.
    Any suggestion?



  • Hello johnpoz

    I tried to run the command
    netstat -an | grep .53

    but with my keyboard I cannot seem to type |

    I do not know how to fix this DNS.

    I ran nslookup from a client on the LAN and I have results similar to yours, except that there is the IP address of my pfSense.

    Help, help


  • Rebel Alliance Global Moderator

    If you did an nslookup and get results like mine - then your DNS is working..

    So what exactly do you think is not working? And what kind of keyboard does not do |? – on a normal keyboard it would be the same key as \ above your Enter/Return key -- and you don't really need to do that part; that's just so you don't get a full listing.. You could do just netstat -an.

    You know, you could have just copied and pasted my command, etc. Did you fall off the turnip truck yesterday?




  • Hello, I decided to reset the pfSense machine and start from scratch to figure out where the problem is.


  • Rebel Alliance Global Moderator

    So that was 30 minutes ago.. You should be up and running already; it takes all of like 5 minutes to get pfSense up and running from scratch.. Unless you're dicking with something, the default settings would have you up and running with DNS, DHCP bing bang zoom.



  • Hello, I have noticed one thing on my LAN; leaving pfSense out of it, I have this situation:

    • If I put a PC on DHCP with no DNS value, the router assigns me an IP address, because DHCP is enabled on the router, and as DNS I get 212.216.112.112, which is my ISP's DNS, and in this situation I get to the internet with no problem.

    • If I put a PC with a manually set IP address without DNS, I do not browse the internet.

    Now I am redoing the pfSense machine from scratch, and slowly we will see what my problems are.


  • Rebel Alliance Global Moderator

    "- If I put a PC with a manually set IP address without DNS, I do not browse the internet."

    How exactly do you think you can surf the internet without DNS?? So duh!! If you don't set DNS, the internet wouldn't work.



  • Hello

    I installed pfSense from scratch and I saw that there was a mistake when I went to set up the LAN card on pfSense: in fact I had put a Gateway on it, and it would not let me do anything …. In fact, if I went to Status - Gateway I saw a gateway on the WAN and one on the LAN; I deleted the LAN one and now everything works, and via DNS Forwarder I can block Facebook.

    Hello and thanks to all