Does pfsense support natting DNS glue records

  • My pfsense has several private subnets, including one for my DMZ which contains web and dns servers.

    I noticed when doing some DNS testing that I'm now having an issue where the glue records provided by the TLD and by my own nameservers don't match, because the nameservers are returning their private IPs. I ran several DNS tests previously and didn't notice this issue, so I'm not sure if I just overlooked it in the report or if it's a new problem.

    Anyhow, I've been searching all over the place but haven't been able to figure out if this is a config issue, or if I might have to move the DNS servers out of the private subnet (which I would really like to avoid).

    Any advice?

  • I believe you speak of Services -> DNS Forwarder -> Register DHCP leases in DNS forwarder

  • I'll take a look at that, although I'm not sure if it will be applicable since I'm not using DHCP.

    I found a link which seems to describe the problem I'm facing, but it's pretty vague about solving it.  It says:

    ..if you set up a public-facing DNS server behind a NAT firewall and the server has glue records that reference private IP addresses. A typical NAT firewall doesn’t translate the IP address in glue records, so the DNS server passes out referrals to servers that can’t be touched from outside the firewall.

    I've tried changing the glue records (A) to use the public IPs, but unfortunately the DNS is running on Windows Active Directory, which automatically changes them back.

    Right now the TLD is showing a public IP of: (which is correct).
    However, when the nameserver itself is queried at that IP it identifies itself as coming from 192.168.x.x

    All the servers in the DMZ are set up using virtual IPs (in the public range) and are then 1:1 NATed to addresses in the DMZ private subnet. All of the typical NATing works properly for these machines, except for these nameserver glue records.
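    To make the mismatch above concrete, here is an added example (not code from the thread or from pfSense): a small wire-format parser that pulls every A record out of a DNS reply and flags owners whose addresses fall in private space, which is exactly what the nameserver behind 1:1 NAT is leaking. The reply it parses is constructed inline (example.com and 192.168.1.x are placeholders), so it runs offline; on a real check you would feed it the bytes of a UDP reply from the public nameserver address.

```python
import ipaddress
import struct

def _read_name(msg, off):
    """Decode a DNS name at off, following compression pointers; return (name, next_off)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2                          # resume right after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)

def a_records(msg):
    """Return {owner: [IPv4, ...]} for every A record in the answer, authority and additional sections."""
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    off = 12
    for _ in range(qd):                                # skip the question section
        off = _read_name(msg, off)[1] + 4
    found = {}
    for _ in range(an + ns + ar):
        name, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:                  # type A with a 4-byte address
            found.setdefault(name, []).append(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return found

def private_glue(msg):
    """Owners whose A records point into private space: the NAT leak described in the thread."""
    return {n: ips for n, ips in a_records(msg).items() if any(ipaddress.ip_address(ip).is_private for ip in ips)}

def build_sample_response():
    # Constructed (not captured) reply from a DMZ nameserver answering with its inside addresses.
    header = struct.pack("!6H", 0x1234, 0x8400, 1, 1, 1, 1)   # QR+AA; 1 question, 1 answer, 1 NS, 1 additional
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)   # example.com A IN
    zone_ptr = b"\xc0\x0c"                                     # pointer to the zone name at offset 12
    answer = zone_ptr + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 168, 1, 10])
    ns_name = b"\x03ns1" + zone_ptr                            # ns1.example.com, compressed
    authority = zone_ptr + struct.pack("!HHIH", 2, 1, 300, len(ns_name)) + ns_name
    ns_off = len(header + question + answer) + 2 + 10          # offset of ns_name inside the message
    additional = struct.pack("!H", 0xC000 | ns_off) + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 168, 1, 53])
    return header + question + answer + authority + additional
```

    An empty result from `private_glue` on the reply fetched from the public address means the glue matches what the TLD hands out; any entry is a record the NAT is not rewriting.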

  • Search the forum for NAT Reflection.

    You will not be able to do reflection for 1:1 hosts but you can port forward on the WAN interface on top of the 1:1 items for the needed ports.

    Alternatively, set up another DNS server on the internal network and point the internal hosts to it, which overrides the DNS IP address to the internal address.
