Netgate Discussion Forum
Trying to set up local DNS with DNS Forwarder but kind of confused/having troubl

DHCP and DNS | 23 Posts, 5 Posters, 4.0k Views
chris4916

@dave247:

And when I run 'nslookup fruitsalad.localdomain' on one of my client systems (not the server), it's checking Google's 8.8.8.8, so it's not working.

Assuming pfSense is declared as DNS for local devices (LAN clients), where does this 8.8.8.8 come from?

• Is it a DNS setting pushed by DHCP?
• Is it set as DNS for pfSense itself (in General Setup)?
• Stupid question, but is your DNS Forwarder service (dnsmasq) up and running? (sorry for asking :-[)

dig may provide you with more input than nslookup ;) but we already have some result here: what you configure in DNS Forwarder is not used 8) so no surprise if it doesn't work.

Jah Olela Wembo: Words turn into wounds when they upset, attack or hurt.
dave247

Yeah, I set the DNS server information (8.8.8.8) in the General Setup. I wasn't sure if using the DNS Forwarder took precedence over that or what. I guess I'm just confused about what the hell DNS Forwarder is even for. Like, why not just use normal DNS? I don't know. I'm just going to configure a good old fashioned DNS server on my other server and use that, I guess. Sometimes I love pfSense and other times I really don't like it.
chris4916

I'm not using pfSense DNS either ;) (nor DHCP or anything not strictly related to firewalling)

I believe that the naming is somewhat confusing (forwarder :o) but, this aside, this is dnsmasq inside; it registers DHCP devices and allows maintaining A and CNAME records (using overrides), thus I guess it should work.

Did you configure pfSense (still in the overrides section) to "own" your localdomain domain using "domain overrides"?
Well, looking at this further (I don't use it for the time being), I realize I misunderstood the way it works :-(
johnpoz, LAYER 8 Global Moderator

"I'm just going to configure a good old fashioned DNS server on my other server and use that I guess."

I find that highly unlikely if you don't understand what a forwarder or resolver is.

If you're handing out 8.8.8.8 to your clients via DHCP, it does not matter what you have on pfSense, because you're not using it. If you use the forwarder it will send client queries that are seen on the pfSense IP address to what you set up in the general tab, i.e. 8.8.8.8, but will use whatever overrides you set up.

Same goes for the resolver, except it will not forward the queries anywhere; it will do the queries directly to the authoritative servers for the domains you're looking up. I.e. RESOLVER..

But if your clients never query pfSense for DNS then it does not matter what you set up in overrides, be it on the forwarder or the resolver.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1
chris4916

Hmm, I was also wondering whether DHCP was pushing 8.8.8.8 as DNS for clients, but based on the answer, 8.8.8.8 is only used as the DNS server for pfSense itself (in System / General Setup).
I also assumed (am I wrong?) that the "Do not use the DNS Forwarder as a DNS server for the firewall" option is not enabled ;)
dave247

OK, now randomly it seems to be working. I think maybe I just needed to release/renew the DHCP stuff. I didn't, so it just updated when my lease expired. I also added the pfSense box's IP address in the DNS Servers field under the DHCP server settings, and that's probably the change I needed, and then I should have refreshed my DHCP data.
chris4916

@dave247:

I also added the pfSense box's IP address in the DNS Servers field under the DHCP server settings, and that's probably the change I needed, and then I should have refreshed my DHCP data.

No doubt about this: if DHCP does tell devices that DNS is pfSense, whatever you set in pfSense DNS is ignored ;)
dave247

@johnpoz:

"I'm just going to configure a good old fashioned DNS server on my other server and use that I guess."

I find that highly unlikely if you don't understand what a forwarder or resolver is.

If you're handing out 8.8.8.8 to your clients via DHCP, it does not matter what you have on pfSense, because you're not using it. If you use the forwarder it will send client queries that are seen on the pfSense IP address to what you set up in the general tab, i.e. 8.8.8.8, but will use whatever overrides you set up.

Same goes for the resolver, except it will not forward the queries anywhere; it will do the queries directly to the authoritative servers for the domains you're looking up. I.e. RESOLVER..

But if your clients never query pfSense for DNS then it does not matter what you set up in overrides, be it on the forwarder or the resolver.

Yeah, I do actually understand how DNS works and everything. I just wasn't sure about how pfSense's various components worked: DNS Forwarder vs DNS Resolver. I'm used to working with BIND. I wasn't sure if the DNS Forwarder worked by simply filtering the traffic and redirecting DNS queries if they matched the stuff specified in the host/domain override sections.
chris4916

At least, this teaches me that trying to debug through a forum requires cross-checking from the very beginning that even obvious settings are in place.
I was far from thinking that the DNS you intended to fix was not used client side.

This said, I do agree that when you're used to working with BIND or other DNS servers, dnsmasq, and furthermore the pfSense GUI, is somewhat confusing, and having both DNS Forwarder and Resolver doesn't help. I'm happily running DNS elsewhere :P
johnpoz, LAYER 8 Global Moderator

"Yeah, I do actually understand how DNS works and everything"

Sorry, I just find that really hard to believe - no offense.

BIND is no different than dnsmasq or unbound - DNS is DNS is DNS.. You're either a forwarder or a resolver; these are standard basic DNS terms. Just like caching.

Only thing that is different is a couple of feature sets and the config files.. BIND is more designed to be an authoritative server while dnsmasq and unbound are more meant to just do queries. While they can have their own entries, they are not really authoritative-centric servers like BIND that can do xfers to slaves, etc. etc.

If you need to be authoritative for zones then sure, run something else.. If you need your clients to look up www.pfsense.org then dnsmasq or unbound is all you need. There are things that dnsmasq does better than unbound and there are things unbound does better - like DNSSEC support for example ;) Both have their place - that pfSense supports either of them is just more options for the user.. You can install BIND on pfSense if you want as well, or tinydns, etc.
Derelict, LAYER 8 Netgate

If you configure your local DNS to resolve something, then set your clients to ask 8.8.8.8 to resolve names, then start this thread asking why it's not working, NO, you don't "understand how DNS works and everything." Next step, claim you found a bug in pfSense.

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)
dave247

@Derelict:

If you configure your local DNS to resolve something, then set your clients to ask 8.8.8.8 to resolve names, then start this thread asking why it's not working, NO, you don't "understand how DNS works and everything." Next step, claim you found a bug in pfSense.

I guess it appears that's what I am doing… and I apologize for that. I do understand the basic concept of DNS but I am also fairly green when it comes to network administration. I have a degree but I lack a lot of actual hands-on configuration skills, which is what I am powering through now. It's hard because I have kids and a full time job that I am hoping to get out of some day to move into the IT industry and hopefully make a better living. That's my hope for the future.

Now while I was frustrated with pfSense, I never claimed there was a bug with it. I was getting confused about the difference between the Resolver and the Forwarder configuration pages in pfSense. And now I've apparently learned that pfSense has moved to using the Resolver rather than the Forwarder. I understand the basic idea of forwarding DNS queries internally vs asking for them externally. However, I get tripped up on the various settings, especially when it involves looking through multiple pages of pfSense, many of which have the same things that can be configured elsewhere. I didn't want to become angry and just stop using pfSense; I want to get used to it and understand how it does things while I also continue to learn and improve my knowledge of the underlying concepts of the technologies I am using.

All I wanted to do was get my internal computers to ask pfSense for DNS resolution when someone tries to access "fruitsalad.localdomain", and have everything else go to 8.8.8.8. And for the record, I now have 10.0.0.1 (my pfSense box) listed as the first entry in the DNS servers list, and then 8.8.8.8 in the second field. This seems to work and now I can access my internal webserver from my internal network when I go to fruitsalad.localdomain.
johnpoz, LAYER 8 Global Moderator

"access "fruitsalad.localdomain" and everything else goes to 8.8.8.8. And for the record"

That would be forwarder mode, be it with the forwarder-only dnsmasq or the resolver (unbound) in forwarder mode, and an override.

Here is a problem with putting 2 DNS servers in your client. If it asks pfSense you're fine - but if it happens to ask 8.8.8.8 for fruitsalad.localdomain you're screwed.. If you ask Google DNS for fruitsalad.local what do you think you get? That's right, NX.. What does your client do when it sees NX? It stops asking; it doesn't go ask the other one. It says oh, my DNS said that is NX.. no need to ask another one, he should be telling me the same thing.. Now if that first NS didn't answer, sure, OK, go ask the other one, maybe that one is down - but if it returns NX you're done. How do you expect to do any sort of PTRs for your local stuff asking Google for 192.168.1.100, for example?

Your clients rarely need 2 DNS servers unless you're pointing to 2 name servers that have the same stuff. Be it a public server like Google DNS and your ISP, or 2 local name servers that both have the same records for .localdomain.

If what you want is to ask Google DNS for pfsense.org and cnn.com then point to pfSense, set it up with forwarder mode and put in a host override for fruitsalad.localdomain. If pfSense is down you're not going to the internet anyway..

[image: nxdomain.png]
Derelict, LAYER 8 Netgate

I would use the DNS Resolver in 2.2.2, put overrides in for local hostnames, and give the local pfSense IP address to my local clients to use. If having two is important, then by all means have two local DNS servers.

The name servers configured on the clients must all return the same answers to the same queries from the same sources for the same information. If there are two name servers configured like that, great. If not, you will get different behavior depending on which server the client decides to use.

There are terms used like "primary and secondary" when it comes to DNS resolvers. There is no such thing. If a client has more than one DNS server defined it can do anything it wants with them. Query one then the other in any order. Query both at the same time and accept the first answer it receives. Query one, wait for a timeout period, then query the next in any order. It is completely up to the client and they all behave differently so, I say again, all the servers set in the client have to return the same answers to the same questions from the same sources.
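The behaviour johnpoz and Derelict describe above (a stub client may ask any of its configured servers, and an NXDOMAIN from whichever one it asks is accepted as final), modelled as an added Python example that is not from the thread or from pfSense. The server functions, record tables and addresses are constructed stand-ins for 10.0.0.1 in forwarder mode with a host override and for 8.8.8.8 as the public upstream.

```python
# Added example (not from the thread or pfSense): a model of the setup
# discussed above, showing why every DNS server a client is given must
# return the same answers.  Records and addresses below are constructed.
from itertools import permutations

NXDOMAIN = None  # negative answer: "that name does not exist"

# Constructed records: what each server knows directly.
PUBLIC_RECORDS = {"www.pfsense.org": "198.51.100.10"}     # stand-in for 8.8.8.8
HOST_OVERRIDES = {"fruitsalad.localdomain": "10.0.0.50"}  # pfSense host override


def public_dns(name):
    """Public resolver: knows nothing about .localdomain, so answers NXDOMAIN."""
    return PUBLIC_RECORDS.get(name, NXDOMAIN)


def forwarder(name):
    """pfSense in forwarder mode: answer from host overrides, otherwise hand
    the query to the upstream from General Setup (8.8.8.8 in the thread)."""
    return HOST_OVERRIDES.get(name) or public_dns(name)


def down_server(name):
    """A server that never replies; the client sees a timeout, not an answer."""
    raise TimeoutError(name)


def client_lookup(servers, name, order):
    """Stub resolver: try servers in the given order.  An address and an
    NXDOMAIN are both final answers; only a timeout makes the client move on."""
    for idx in order:
        try:
            return servers[idx](name)
        except TimeoutError:
            continue
    return "SERVFAIL"  # nobody answered at all


def possible_answers(servers, name):
    """Every answer a client might get: stubs may try configured servers in
    any order (or in parallel, keeping the first reply), so enumerate all."""
    return {client_lookup(servers, name, p) for p in permutations(range(len(servers)))}


if __name__ == "__main__":
    mixed = [forwarder, public_dns]  # 10.0.0.1 first, 8.8.8.8 second, as in the thread
    print("mixed, local name:", possible_answers(mixed, "fruitsalad.localdomain"))
    print("pfSense only, local name:", possible_answers([forwarder], "fruitsalad.localdomain"))
    print("mixed, public name:", possible_answers(mixed, "www.pfsense.org"))
    print("pfSense down, public name:", client_lookup([down_server, public_dns], "www.pfsense.org", (0, 1)))
```

The mixed list yields two different answers for the local name depending on which server the stub happens to ask, while a single local server (or two servers holding the same records) always yields one.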
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.