How to test authoritative DNS



  • Hello everyone,

I am relatively new to pfSense and I am currently trying to configure a pfSense box as an authoritative DNS server for my domain. The pfSense box will be replacing the existing firewall and authoritative DNS server, but right now the domain records point to the existing server as the authoritative DNS for mydomain.com.

In pfSense, I installed the dns-server (tinydns) package and configured it to bind to my public IP address. Then I added a new record, dnstest.mydomain.com, and finally I added a rule in the firewall to allow traffic on port 53 UDP. I also disabled the DNS forwarder because I want this machine to be an authoritative DNS server only.

    However, I'm running into issues trying to test the DNS settings. From a Windows computer on a different network, I tried using nslookup to look up dnstest.mydomain.com, specifying the public IP address of the pfSense box, but the requests are timing out.

    nslookup dnstest.mydomain.com pfsense_ip
    DNS request timed out
         timeout was 2 seconds.
    Server: Unknown
    Address: pfsense_ip
    

    I looked in the tinydns logs and found entries like this:

    2014-12-17 21:02:55.515036500         0.0.0.0:6263 A        not_authority            dnstest.mydomain.com.home
    

So the DNS requests are clearly reaching the box, but pfSense is not responding to them. Is this because it somehow knows that the domain records specify a different server as the authoritative DNS? If so, is there any way to test it without changing the domain record to point to the pfSense IP address? I don't want to switch it until I can confirm that it fully works.

    Thanks in advance!


  • LAYER 8 Global Moderator

Notice the .home in your query.. Your server is not authoritative for that domain ;)

    not_authority            dnstest.mydomain.com**.home**

    Do a query for the domain you're authoritative for ;)

    Add a . at the end of your query and your PC should not auto-add its search suffix.

    On a side note - running DNS for the public net is a business you really should not want to get into, to be honest.  Hosting DNS for your own internal domains for your own internal network, sure, OK.  But once you open DNS up to the public you're asking for issues, if you ask me.  It's much easier to let the companies that do this for their bread and butter do it, if you can not just host it off your registrar for low-use domains.

    DNS should have more than one server, for example.  And they should be geographically and network diversified.  You can have companies like DNS Made Easy host your domains for pennies a year.  $29 a year gets you like 10 domains, 400 records, 5 million queries a month.  Vanity DNS so it looks like your nameservers are actually yours in your own domain, etc.  They are anycast nameservers in like 16 global locations.  Have unbelievable uptime, etc. etc..  They partnered with tier one network providers, etc.  You just really cannot host your own DNS with anywhere close to that reliability and speed for anything close to the cost.

    Let the guys that do DNS for a living do it; why put yourself through the headaches that can come with public-facing DNS, to be honest..
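An added example of how to run the test the moderator describes without a stub resolver in the way. This is my code, not something from the thread or from the pfSense or tinydns projects. It sends a raw UDP query for the fully qualified name straight to the server, so no search suffix can be appended, and it checks the AA (authoritative answer) flag in the reply rather than just whether an address came back. The server address and name are supplied on the command line (both placeholders); `constructed_response` builds a sample reply purely so the parser can be exercised offline, and `None` from `query_server` is the "DNS request timed out" case, i.e. no packet came back at all.

```python
import socket
import struct

QTYPE_A, QCLASS_IN, TXID = 1, 1, 0x1234


def encode_name(name):
    """Encode 'dnstest.mydomain.com.' as DNS labels. Nothing is ever appended
    here, unlike a stub resolver working through its search list."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label %r in %r" % (label, name))
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, txid=TXID):
    """Header with RD=0: an authoritative server must answer its own zones
    without recursion, so asking for recursion only muddies the test."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def decode_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if n == 0:
            return ".".join(labels) + ".", (end if jumped else off)
        labels.append(msg[off:off + n].decode("ascii"))
        off += n


def parse_response(msg):
    """Pull out the header flags and the answer section of a reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    resp = {"txid": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rcode": flags & 0xF, "answers": []}
    off = 12
    for _ in range(qd):                            # skip the echoed question
        _, off = decode_name(msg, off)
        off += 4
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            rdata = socket.inet_ntoa(rdata)
        resp["answers"].append((name, rtype, ttl, rdata))
    return resp


def is_authoritative_answer(resp, name):
    """Pass only on QR=1, AA=1, NOERROR and an A record for the exact name."""
    if resp is None or not resp["qr"] or not resp["aa"] or resp["rcode"] != 0:
        return False
    want = name.rstrip(".").lower() + "."
    return any(a[0].lower() == want and a[1] == QTYPE_A for a in resp["answers"])


def query_server(server_ip, name, timeout=2.0):
    """Send the query straight to server_ip:53. None means no reply at all."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server_ip, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    resp = parse_response(data)
    if resp["txid"] != TXID:
        raise ValueError("transaction id mismatch")
    return resp


def constructed_response(name, ip, aa=True, rcode=0):
    """Constructed sample reply (not captured from any server) so the parser
    and the check can be exercised offline. It uses a compression pointer
    (0xC00C) back to the question name, as real servers do."""
    flags = 0x8000 | (0x0400 if aa else 0) | rcode
    header = struct.pack("!HHHHHH", TXID, flags, 1, 1 if rcode == 0 else 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    answer = b"" if rcode else (b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4)
                                + socket.inet_aton(ip))
    return header + question + answer


if __name__ == "__main__":
    import sys
    server, qname = sys.argv[1], sys.argv[2]   # e.g. 203.0.113.10 dnstest.mydomain.com.
    r = query_server(server, qname)
    print("no reply (dropped or filtered)" if r is None else r)
    print("authoritative:", is_authoritative_answer(r, qname))
```

Run it from the outside network against the box's public address; a reply with AA clear would mean something other than your authoritative server answered (a forwarder, or a different host behind a NAT rule), and no reply at all points back at the firewall rule or at the query name not being one the server hosts.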



  • Thanks for the reply - I'm wondering though, how does tinydns magically know which domain(s) it is authoritative for? Does it actually query the domain records over the Internet to check, and then ignore queries for domains it knows it's not authoritative for?

As for hosting our own DNS, I'm sure you are right in that it may be better to use an outside service for the job. However, I'm just a student volunteer helping to set up this pfSense box for a school network, so unfortunately it's not really a decision I can control. We've been hosting our own DNS on an existing FreeBSD server for years without issue, so my job is simply to make the pfSense box do the same jobs that the old server did. Plus, this is an environment where spending any amount of money results in a paperwork nightmare and endless waiting for approval, so I'd rather avoid it.


  • LAYER 8 Global Moderator

Again, you did a query for a domain that most likely doesn't even exist.

    dnstest.mydomain.com**.home**

    Is not

    dnstest.mydomain.com

    If you set up tiny to be authoritative for mydomain.com, and created an A record for dnstest in that domain..  Doing a query for dnstest.mydomain.com**.home**, tiny will tell you pretty much F off ;) if you didn't set it up for recursion.

    As to what it's authoritative for - it would only be authoritative for the zones you created on it..
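An added example, mine rather than the thread's or the tinydns package's, that reads log lines in the shape the original poster quoted and sorts each not_authority entry into one of three buckets: a name inside a zone the server hosts, a hosted name with a search suffix glued on by the client (the .home case above), or a genuinely foreign domain. The zone list, the client addresses and the sample lines are constructed; the status word for an answered query ("answered") is a placeholder, since the thread only shows not_authority.

```python
import re
from collections import Counter

# Constructed sample lines in the shape the thread quotes from the pfSense
# tinydns log view. Not captured from any real server; "answered" is a
# placeholder status, since the thread only shows "not_authority".
SAMPLE_LOG = """\
2014-12-17 21:02:55.515036500         0.0.0.0:6263 A        not_authority            dnstest.mydomain.com.home
2014-12-17 21:03:10.100000000         0.0.0.0:6264 A        answered                 dnstest.mydomain.com
2014-12-17 21:03:40.200000000         0.0.0.0:6265 A        not_authority            www.example.net
2014-12-17 21:04:02.300000000         0.0.0.0:6266 AAAA     not_authority            mail.mydomain.com.lan
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<client>\S+):(?P<port>\d+)\s+"
    r"(?P<qtype>\S+)\s+(?P<status>\S+)\s+(?P<name>\S+)\s*$")


def parse_line(line):
    """Split one log line into its fields; None for lines that don't fit."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(name, zones):
    """Return (kind, zone, extra_suffix) for a queried name, given the zones
    the server is authoritative for:
      in_zone          name is the zone or lies beneath it
      suffix_appended  a hosted zone appears in the name but extra labels
                       follow it: a client resolver tacked on its search domain
      foreign          none of our zones appear in the name at all"""
    labels = name.rstrip(".").lower().split(".")
    for zone in zones:
        z = zone.rstrip(".").lower().split(".")
        if len(labels) >= len(z) and labels[-len(z):] == z:
            return ("in_zone", ".".join(z), "")
    for zone in zones:
        z = zone.rstrip(".").lower().split(".")
        # zone ending at an interior label boundary: everything after it is
        # the appended suffix (e.g. "home" in dnstest.mydomain.com.home)
        for end in range(len(labels) - 1, len(z) - 1, -1):
            if labels[end - len(z):end] == z:
                return ("suffix_appended", ".".join(z), ".".join(labels[end:]))
    return ("foreign", "", "")


def triage(log_text, zones):
    """Classify every not_authority entry; answered queries are left alone.
    An in_zone entry that still shows not_authority is worth a look, since
    that name should have been answered by one of the configured zones."""
    rows = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != "not_authority":
            continue
        kind, zone, suffix = classify(rec["name"], zones)
        rows.append((rec["name"], kind, suffix))
    return rows


def summary(rows):
    """Counts per kind, e.g. {'suffix_appended': 2, 'foreign': 1}."""
    return dict(Counter(kind for _, kind, _ in rows))


if __name__ == "__main__":
    rows = triage(SAMPLE_LOG, ["mydomain.com"])
    for name, kind, suffix in rows:
        print("%-32s %-16s %s" % (name, kind, suffix))
    print(summary(rows))
```

Feed it the real log and the real zone list and the suffix_appended bucket tells you which test clients need a trailing dot (or a cleared search list) before their results mean anything; the foreign bucket is the background noise any server on a public address collects.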

