Problem DNS - LAN

phil.davis · Apr 23, 2014, 3:18 PM

That will work. But if you put "!" in the IP Address field, the facebook block will happen a little quicker for users, because DNS forwarder will immediately be able to send back a "not known".

gio79 · Apr 24, 2014, 9:08 AM

Hello I have done as you suggested and you can see it in the picture but if u go https://www.facebook.com opens the page http://www.facebook.com while I did not open the page

What should I do so that when I type https://www.facebook.com?

thank you very much

gio79 · Apr 24, 2014, 12:39 PM

Hello I have a problem I do not know how I did it but now I do not work anymore …

I do a summary of my situation

I have a LAN in which the clients have DHCP enabled and have no value in the DNS

pfSense in after I enabled the DNS Forwarder and DHCP Server with the DNS values (see first image)

after going to the Dashboard I have those values of the DNS (see picture2)

My question is what to set in the General Setup (see image3)

Wondering if anyone could give me a hand

thank you very much

phil.davis · Apr 24, 2014, 3:02 PM

If you are happy to use DNS Forwarder (a good thing, IMHO) then do not put anything in the DHCP "DNS Servers" - DHCP will give the pfSense LAN IP as the DNS server.
Then put multiple real public DNS servers in General Setup - e.g. 8.8.8.8 and 8.8.4.4 (Google). Or you can use OpenDNS, or your ISP DNS servers or… - DNS Forwarder will use those to resolve queries.

gio79 · Apr 24, 2014, 3:10 PM

Hello in General setup I put these settings

gio79 · Apr 24, 2014, 3:15 PM

Hello while I put these in DNS Forwarder settings

phil.davis · Apr 24, 2014, 3:50 PM

In DHCP Server, you need to remove 8.8.8.8 from DNS Servers.
At the moment, your clients are getting 8.8.8.8 as their DNS server - so they are going straight to Google for DNS. They need to go to pfSense DNS Forwarder, then they will get the facebook.com restriction.

gio79 · Apr 25, 2014, 6:40 AM

Hello can you tell me how you can be bet all the clients on the LAN to the DNS Forwarder in pfSense?

Hello and thank you very much

johnpoz · Apr 25, 2014, 11:30 AM

"all the clients on the LAN to the DNS Forwarder in pfSense?"

This is the default configuration of pfsense dhcp server - to point to itself as dns. So what do you mean how would you do it? Leave the dns servers boxes in your dhcp server setup blank

NOTE: leave blank to use the system default DNS servers - this interface's IP if DNS forwarder is enabled, otherwise the servers configured on the General page.

Bing Bang zoom all dhcp clients of pfsense point to pfsense for dns. If your talking about them manually putting in something else - then just create a firewall rule that prevents outbound on 53 udp/tcp and only allows it to pfsense IP. Or create a forward that forwards dns to pfsense IP.

Generally speaking whatever you hand out in dhcp is what your users should be using - why would they not use what the dhcp server sends them?

gio79 · Apr 26, 2014, 8:35 AM

Hello and thanks to all

I make a list of the various settings to be made for pfSense is used as a DNS Forwarder

In the DHCP Server to enable the DHCP server on the LAN and set the DNS
In DNS Forwarder and turn it on, put in the domains of the block to facebook
In the General Setup does not put any value in the DNS
After creating the two rules on the firewall

Now I have a doubt whether in the General Setup I have set some parameters that you can see in the picture?

Thanks to all

phil.davis · Apr 26, 2014, 10:46 AM

In the General Setup does not put any value in the DNS

If you have DHCP on WAN then check "Allow DNS server list to be overridden by DHCP/PPP on WAN" - then pfSense will get upstream DNS from the ISP DNS server/s.
If you have static IP on WAN, then put DNS server/s in the boxes in General Setup. Use the IP addresses of your ISP DNS servers, or some public DNS (Google, OpenDNS…) Then pfSense will get upstream DNS from these.
In all the above, the LAN clients will still get the pfSense LAN IP (DNS Forwarder)as their DNS server, which is what you want.

gio79 · Apr 28, 2014, 8:06 AM

Hello

I have a Static IP on the WAN, I set the DNS values in the General Setup page and I have not set any value in the boxes below (you can see in the picture)

Each client on the LAN has not set no value on relished ethernet card, if I go to Windows DOS I see that DHCP assigns an IP address and DNS as it gives me the address on the LAN to pfSense

But I can not navigate sites

Hello and thank you

johnpoz · Apr 28, 2014, 1:09 PM

Is the dns forwarder running? Can pfsense query dns using 8.8.8.8 ?

From diag, dns lookup

gio79 · Apr 28, 2014, 1:24 PM

Hello I have the DNS Forwarder active

I did the test with DNS LOOKUP and you can see the result in the image

I do not know what to do to run pfSense

Hello and thank you

johnpoz · Apr 28, 2014, 1:32 PM

Well from that way that looks, no dns forwarder is not running. Or does not know where to forward too. Or you have it not listening on the interfaces you need it to listen on, etc.
Since you got no response from 127.0.0.1 – notice mine got a response.

Post screen of dns forwarder page

gio79 · Apr 28, 2014, 1:56 PM

Hello thanks for the help but it does not work

On the DNS Forwarder I set the same values that you have set

On the General Setup what should I set?

I have to make the rules on the firewall?

Hello

johnpoz · Apr 28, 2014, 4:25 PM

Out of the box the default rules would be any any for the first lan interface.. If you add an OPT1 interface - say this 192.168.99 segment.. Then you would have to create rules on that interface to allow the traffic you want.

So in the attached you will see the firewall rules for my dmz segment. 192.168.3.0/24 in my case - this would be sim to your 192.168.99 segment

In my rules I allow traffic from the dmz segment to talk to my ntp server on my lan segment 192.168.1.0/24.. I allow traffic to my pfsense interface in that segment - in my case 192.168.3.253 for dns. And I allow traffic not going to the local networks, ie my lan and wlan segments..

What are you firewall rules on your segment? And validate that pfsense is listening on that interfaces IP for dns forwarding. Simple netstat should show it.

[2.1.2-RELEASE][root@pfsense.local.lan]/root(3): netstat -an | grep .53
tcp6 0 0 *.53 . LISTEN
tcp4 0 0 *.53 . LISTEN
udp6 0 0 *.53 .
udp4 0 0 *.53 .

So you can see *.53 here this means its listening on ALL IPs that pfsense has..

So you can see a computer on that network can query pfsense for dns - which in turn goes and asks the dns server setup on it.

sali147 · Apr 30, 2014, 7:32 AM

hello guys
I have problem with DNS, I have DHCP server on pfsense and my domain users can obtain from it,I have configured DNS server on DC also Microsoft Radius server for captive portal and DNS forwarder configured on pf,but now users when enter URL (e.g www.google.com) dns problem occur ,but when they enter 8.8.8.8 in Address Bar it opens the captive portal logon page and after authentication it brings the page.
any suggestion?

gio79 · Apr 30, 2014, 9:42 AM

Hello johnpoz

I tried to run the command
netstat-an | grep .53

but with the keyboard that I can not seem to do |

I do not know how to fix this DNS?

I did the command NSLOOKUP from a client on the LAN and I have results similar to yours except that there 's IP address of my pfSense

help help

johnpoz · Apr 30, 2014, 10:51 AM

If you did a nslookup and get the results like mine - then your dns is working..

So what exactly do you think is not working? And what kind of keyboard does not do | – normal keyboard it would same key as \ above your enter/return key -- and you don't really need to do that part - thats just so you don't get a full listing.. You could do just netstat -an

You know you could of just copied and pasted my command, etc. Did you fall off the turnip truck yesterday?