Trying to set up local DNS with DNS Forwarder but kind of confused/having troubl
-
I am running latest pfSense and I have an internal webserver on 10.0.0.2 and I want to set up DNS so anyone in my home network can access my webserver by typing fruitsalad.com. The /etc/hosts entry on my Debian (Wheezy) webserver is "127.0.0.1 fruitsalad.com"
Now I am slightly confused about how to properly implement DNS. Should my server's host name simply be fruitsalad rather than fruitsalad.com?
Then, using pfSense's DNS Forwarder (dnsmasq), I put a host entry in and here are the details: Host=fruitsalad, Domain=fruitsalad.com, IP=10.0.0.2
I applied the new settings and also restarted dnsmasq but when I try to go to fruitsalad.com, it goes to the actual website, and "fruitsalad" just goes to google search.
So what the heck am I doing wrong?
-
Flush the DNS cache on the client.
-
Flush the DNS cache on the client.
I should have specified that I already did that several times.
-
It may not solve your issue for the time being but there is something I would like to clarify:
when I read fruitsalad.com, I don't see any host but one domain fruitsalad belonging to com TLD (TLD standing for Top Level Domain).
Then if you configure host=fruitsalad domain=fruitsalad.com, FQDN is fruitsalad.fruitsalad.com
Notice that not owning com TLD, you are not supposed to configure:
host=fruitsalad domain=com;D ;D ;D
So, to me, although it could work with what you try to achieve, you are facing one first issue (misconfiguration) with your server:
127.0.0.1 fruitsalad.com should rather be
127.0.0.1 something.fruitsalad.com something
Then you should populate your DNS accordingly.
Once your host is correctly configured (locally and in DNS), you may want to access your web site (and this has nothing to do, directly, with your hostname)
your web server may have virtual web servers or not and have one default service. (e.g. www).
All are configured as CNAME in your DNS.
If your goal is to access, let's say, http://www.fruitsalad.com when typing http://fruitsalad.com , this is achieved configuring your DNS with wildcard (*) pointing to this IP (10.0.0.2)
At least this is the way I perceive it (and the way I deal with such requirement)
-
Chris,
Thanks for the reply, and I sort of suspected that I misconfigured things. I understand DNS for the most part and what an FQDN is but for some reason I still get hung up on what I should and should not do when setting up my domain names..
So I just went back into my server and changed the host name to read 127.0.0.1 fruitsalad fruitsalad.localdomain. This of course, really only matters to the server itself right? It has no effect on how I configure the DNS server right?
So now I just went to the DNS Forwarder setting in pfSense and changed the entry so it is now host=fruitsalad and domain=localdomain. I applied the changes and restarted dnsmasq and flushed my computer's DNS cache and it still does not go to my webserver when I type in "http://fruitsalad.localdomain"
Also, I don't think I can edit any DNS records or anything since the DNS forwarder isn't really the same as the real DNS service (I don't think).
-
From my standpoint, one important aspect, when trying to debug, is to not stack everything but address each layer.
You are modifying DNS but check behaviour using HTTP (i.e. your browser).
I do understand this is the ultimate goal but in order to be sure that issue is (or not) at DNS level, I would rather use nslookup (f.i.).
Using your browser may work but depends on how your HTTP stack is built. e.g. if you are using HTTP proxy, then what matters is how proxy will resolve names.
Back to your point:
when you write "dns forwarder", I assume you mean "dns resolver" isn't it?
Thus you are configuring host in the "dns overrides" section ???
Is your web server using DHCP and therefore register (if configured to do so) in DNS?
What if you try
nslookup fruitsalad.localdomain
from your workstation?
-
example - this is how you should test. Where 192.168.1.253 is my pfsense and that is what my client is using for dns. BTW the long response time is because I am vpn'd in to my home network where pfsense is and have to bounce off proxy in FL to get there.. So chicago to fl back to chicago makes for shitty latency ;)
-
when you write "dns forwarder", I assume you mean "dns resolver" isn't it?
Thus you are configuring host in the "dns overrides" section ???
Is your web server using DHCP and therefore register (if configured to do so) in DNS?
What if you try
nslookup fruitsalad.localdomain
from your workstation?
In pfSense, there are two different DNS things under the Services menu. One is called DNS Forwarder, which is the dnsmasq service; and then there is DNS Resolver which looks almost the same as the DNS Forwarder page. I can't really tell what the heck the difference is. So far, I've only been using the DNS Forwarder (dnsmasq) service in an attempt to get DNS working. I really could have just said screw it and installed BIND on pfSense or turned my server into a DNS server but I figured I would try to figure out how to get it working in pfSense first so I could learn something.
And when I run 'nslookup fruitsalad.localdomain' on one of my client systems (not the server), it's checking google's 8.8.8.8.. so it's not working.
-
"it's checking google's 8.8.8.8.. so it's not working."
Welll no freaking Shit ;) ehhehehe
-
And when I run 'nslookup fruitsalad.localdomain' on one of my client systems (not the server), it's checking google's 8.8.8.8.. so it's not working.
Assuming pfSense is declared as DNS for local devices (LAN clients) where does this 8.8.8.8 come from?
- Is it DNS setting pushed by DHCP?
- Is it set as DNS for pfSense itself (in general setup)?
- stupid question but is your DNS forwarder service (dnsmasq) up and running (sorry for asking :-[)
dig may provide you with more inputs than nslookup ;) but we already have some result here: what you configure in DNS forwarder is not used 8) so no surprise if it doesn't work.
-
Yeah I set the DNS server information (8.8.8.8) in the general set up. I wasn't sure if using the DNS Forwarder took precedence over that or what. I guess I'm just confused about what the hell DNS Forwarder is even for. Like, why not just use normal DNS? I don't know. I'm just going to configure a good old fashioned DNS server on my other server and use that I guess. Sometimes I love pfSense and other times I really don't like it.
-
I'm not using pfSense DNS either ;) (nor DHCP or whatever not strictly related to firewalling)
I believe that naming is somewhat confusing (forwarder :o) but this aside, this is dnsmasq inside, it registers DHCP devices and allows maintaining A and CNAME records (using overrides) thus I guess it should work.
Did you configure pfSense (still in overrides section) to "own" your localdomain domain using "domain overrides"?
Well, looking at this further (I don't use it for the time being), I realize I misunderstood the way it works :-(
-
"I'm just going to configure a good old fashioned DNS server on my other server and use that I guess. "
I find that highly unlikely if you don't understand what a forwarder or resolver is.
If you're handing out 8.8.8.8 to your clients via dhcp.. Does not matter what your on pfsense, because you're not using it. If you use the forwarder it will send client queries that are seen on pfsense IP address to what you setup in the general tab, ie 8.8.8.8 but will use what overrides you setup.
Same goes for the resolver, except it will not forward the queries anywhere it will do the queries directly to the authoritative servers for the domains you're looking up. Ie RESOLVER..
But if your clients never query pfsense for dns then does not matter what you setup in overrides be it on the forwarder or the resolver.
-
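The two points made above (test the DNS layer with nslookup/dig rather than the browser, and check that the client actually sends its queries to pfSense before touching any override) as a small diagnostic script. This is an added example, not code from the thread or from pfSense; the pfSense LAN address 10.0.0.1 is a placeholder, and fruitsalad.localdomain / 10.0.0.2 are the values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: test the DNS layer on its own instead
# of judging it from what the browser does.
# Assumptions (placeholders): pfSense LAN address 10.0.0.1, the override name
# fruitsalad.localdomain, and the expected answer 10.0.0.2 from the thread.
PFSENSE="${PFSENSE:-10.0.0.1}"
NAME="${NAME:-fruitsalad.localdomain}"
EXPECT="${EXPECT:-10.0.0.2}"

# List the nameserver addresses from resolv.conf text given as $1.
client_nameservers() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2 }'
}

# Check 1: does the client send its queries to pfSense at all?
# If this fails, nothing set in the forwarder/resolver overrides can matter.
client_uses_pfsense() {
    client_nameservers "$1" | grep -qx "$PFSENSE"
}

# Check 2: interpret `dig +short @pfsense name A` output given as $1.
# Only the override's address counts: an empty answer means pfSense does
# not know the name, and a public address means the query was forwarded
# upstream (e.g. to 8.8.8.8) instead of being answered by the override.
check_override_answer() {
    [ "$(printf '%s\n' "$1" | head -n 1)" = "$EXPECT" ]
}

# Run both checks on the real host (needs dig from bind-utils/dnsutils).
live_check() {
    resolv="$(cat /etc/resolv.conf)"
    if client_uses_pfsense "$resolv"; then
        echo "client resolver includes pfSense ($PFSENSE)"
    else
        echo "client does NOT use pfSense; it asks:"
        client_nameservers "$resolv"
        echo "fix the DNS servers handed out by DHCP (or the static setting) first"
    fi
    answer="$(dig +short @"$PFSENSE" "$NAME" A)"
    if check_override_answer "$answer"; then
        echo "pfSense answers $NAME -> $EXPECT: override works"
    else
        echo "pfSense answered '${answer:-<nothing>}' for $NAME: check the host/domain override"
    fi
}

if [ "${1:-}" = "run" ]; then live_check; fi
```

Run it as `sh dnscheck.sh run` on a LAN client; the functions can also be sourced and fed captured resolv.conf / dig output.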
Hum, I was also wondering whenever DHCP was pushing 8.8.8.8 as DNS for clients but based on the answer, 8.8.8.8 is only used as DNS server for pfSense itself (in system / general setup)
I also assumed (am I wrong) that " Do not use the DNS Forwarder as a DNS server for the firewall" option is not enabled ;)
-
Ok now randomly it seems to be working. I think maybe I just needed to release/renew the DHCP stuff. I didn't so it just updated when my lease expired. I also added the pfsense box's IP address in the DNS Server's field under the DHCP server settings and that's probably the change I needed, and then I should have refreshed my DHCP data.
-
I also added the pfsense box's IP address in the DNS Server's field under the DHCP server settings and that's probably the change I needed, and then I should have refreshed my DHCP data.
No doubt about this: if DHCP does tell devices that DNS is pfSense, whatever you set in pfSense DNS is ignored ;)
-
"I'm just going to configure a good old fashioned DNS server on my other server and use that I guess. "
I find that highly unlikely if you don't understand what a forwarder or resolver is.
If you're handing out 8.8.8.8 to your clients via dhcp.. Does not matter what your on pfsense, because you're not using it. If you use the forwarder it will send client queries that are seen on pfsense IP address to what you setup in the general tab, ie 8.8.8.8 but will use what overrides you setup.
Same goes for the resolver, except it will not forward the queries anywhere it will do the queries directly to the authoritative servers for the domains you're looking up. Ie RESOLVER..
But if your clients never query pfsense for dns then does not matter what you setup in overrides be it on the forwarder or the resolver.
Yeah, I do actually understand how DNS works and everything. I just wasn't sure about how pfSense's various components worked – DNS Forwarder vs DNS Resolver. I'm used to working with BIND. I wasn't sure if the DNS Forwarder worked by simply filtering the traffic and redirecting DNS queries if they matched the stuff specified in the host/domain override sections.
-
At least, this teaches me that trying to debug through forum deserves to cross-check from the very beginning that even obvious settings are in place.
I was far from thinking that DNS you intend to fix was not used client side.
This said, I do share that when you're used to working with bind or other DNS servers, dnsmasq, furthermore through pfSense GUI, is somewhat confusing and having both DNS forwarder and resolver doesn't help. I'm happily running DNS elsewhere :P
-
"Yeah, I do actually understand how DNS works and everything"
Sorry I just find that really hard to believe - no offense.
Bind is no different than dnsmasq or unbound - dns is dns is dns.. You're either a forwarder or a resolver these are standard basic dns terms. Just like caching.
Only thing that is different is a couple of feature sets and the config files.. Bind is more designed to be an authoritative server while dnsmasq and unbound more meant to just do queries. While they can have their own entries, they are not really authoritative centric servers like BIND that can do xfers to slaves, etc. etc.
If you need to be authoritative for zones then sure run something else.. If you need your clients to lookup www.pfsense.org then dnsmasq or unbound is all you need. There are things that dnsmasq does better than unbound and there are things unbound does better - like dnssec support for example ;) Both have their place - that pfsense supports either of them is just more options for the user.. You can install bind on pfsense if you want as well, or tinydns, etc.
-
If you configure your local DNS to resolve something, then set your clients to ask 8.8.8.8 to resolve names, then start this thread asking why it's not working, NO, you don't "understand how DNS works and everything." Next step, claim you found a bug in pfSense.