Hostname resolves from "Admin Interface (webGUI)" but not from "Guest" machine



  • Hello All,

    I'm having a little trouble getting DNS to work as I would expect, so I'm hoping someone can point me in the right direction.

    The short version is we're trying to move some devices from our "public" network to behind pfSense in a "private" network. Until I create a host override with the new private IP, I need to be able to have devices behind pfSense resolve the public IP.

    E.g.:

    server1.foo.com
      - Current IP: 192.168.15.10
      - Desired IP: 10.10.10.10
    server2.foo.com
      - Current IP: 192.168.15.11
      - Desired IP: 10.10.10.11
    server3.foo.com
      - Current IP: 192.168.15.12
      - Desired IP: 10.10.10.11

    Currently all servers resolve the 192 addresses from an external DNS server. I'd like to move server1.foo.com behind pfSense, add a host override so that server1.foo.com resolves to the 10 address for all clients in the 10 address space, which works fine. However, server1 is unable to resolve the server2 and server3 addresses unless I add a host override.

    The domain assigned to pfSense is foo.com, as are basically all of our devices.

    Without the host override, I am able to log in to the Web GUI and resolve server2.foo.com to the 192 address without issue. When I connect to server1 and perform an nslookup I receive a "Can't find server2.foo.com: No Answer" response.

    Manually adding host overrides does seem to be a valid workaround, but I have hundreds of addresses to add, and a fully functioning DNS server, so I'd like to avoid duplicating work if at all possible.

    I think the issue may have something to do with the assigned domain of pfSense; however, I receive the same behavior when pfSense is configured as a Resolver or a Forwarder…

    Any help is greatly appreciated.

    Thanks!



  • I am a bit confused, because in your post you have 192.168 and 10 addresses that are all in private space, but you talk about the public IP of devices.
    Anyway, do you have a domain override in pfSense for "foo.com" that points to the authoritative DNS server for "foo.com"?
    If you add the domain override, then pfSense should lookup name.foo.com by:
    a) If there is a specific host override for name.foo.com then return it.
    b) Send a DNS lookup request to the "foo.com" DNS server, as specified in the domain override, and return whatever answer that gives.

    On your servers, as they move into private space, you should be able to point them to pfSense for DNS and they will learn the appropriate public/private IP for their friends as the transition happens.
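The lookup order described in the reply above (host override first, then the domain override for "foo.com", then the default upstream), written out as a small added example that is not part of the thread and not pfSense code. It models the "before" state (server1 host override only, server2 comes back with no answer) and the "after" state (domain override added, server2 resolves to its 192 address), and renders the equivalent stock Unbound directives. The corporate DNS address, the default upstream, the example.net name and all answers are constructed sample data; the `private-domain` line is an assumption about what a hand-written Unbound config needs when rebinding protection is on and the zone returns RFC1918 addresses.

```python
"""Added example (not from the thread): the lookup order the reply describes,
modelled as a tiny policy resolver, plus the Unbound directives that express it.
Host names, addresses and upstream answers are constructed sample data; the
corporate DNS address CORP_DNS_IP and the default upstream are assumptions."""

# Constructed: the corporate foo.com server still hands out the 192.168.15.x addresses.
CORP_DNS_IP = "192.168.15.5"           # assumption: authoritative server for foo.com
DEFAULT_UPSTREAM_IP = "203.0.113.53"   # assumption: pfSense's normal upstream (doc range)

UPSTREAMS = {
    CORP_DNS_IP: {
        "server1.foo.com": "192.168.15.10",
        "server2.foo.com": "192.168.15.11",
        "server3.foo.com": "192.168.15.12",
    },
    # The normal upstream knows nothing about the internal foo.com zone.
    DEFAULT_UPSTREAM_IP: {"www.example.net": "198.51.100.80"},
}


def _norm(name):
    """Canonical form for matching: lower case, no trailing dot."""
    return name.lower().rstrip(".")


class OverrideResolver:
    """Applies pfSense-style overrides in the order given in the reply:
    (a) a host override wins, (b) otherwise a domain override forwards the
    query to the named server, (c) otherwise the default upstream answers."""

    def __init__(self, host_overrides, domain_overrides):
        self.host_overrides = {_norm(k): v for k, v in host_overrides.items()}
        self.domain_overrides = {_norm(k): v for k, v in domain_overrides.items()}

    def route(self, name):
        """Decide where a query goes: ('host-override', ip),
        ('domain-override', server_ip) or ('default', default_upstream_ip)."""
        name = _norm(name)
        if name in self.host_overrides:
            return "host-override", self.host_overrides[name]
        # Most specific (longest) matching zone wins, as with Unbound forward-zones.
        labels = name.split(".")
        for i in range(len(labels)):
            zone = ".".join(labels[i:])
            if zone in self.domain_overrides:
                return "domain-override", self.domain_overrides[zone]
        return "default", DEFAULT_UPSTREAM_IP

    def resolve(self, name, upstreams=UPSTREAMS):
        """Return the A record a client behind pfSense would get, or None
        (the 'No Answer' case) when the chosen server does not know the name."""
        kind, target = self.route(name)
        if kind == "host-override":
            return target
        return upstreams.get(target, {}).get(_norm(name))

    def unbound_config(self):
        """Render the equivalent directives in stock Unbound syntax
        (local-data for host overrides, forward-zone for domain overrides)."""
        out = ["server:"]
        for name, ip in sorted(self.host_overrides.items()):
            out.append(f'    local-data: "{name}. A {ip}"')
        for zone in sorted(self.domain_overrides):
            # Assumption for hand-written Unbound: with rebinding protection
            # (private-address) on, answers carrying RFC1918 addresses are
            # dropped unless the zone is listed as private-domain.
            out.append(f'    private-domain: "{zone}"')
        for zone, server in sorted(self.domain_overrides.items()):
            out += ["forward-zone:", f'    name: "{zone}"', f"    forward-addr: {server}"]
        return "\n".join(out)


# Step 1 in the thread: server1 moved, host override added, no domain override yet.
BEFORE = OverrideResolver({"server1.foo.com": "10.10.10.10"}, {})

# Step 2: add the domain override pointing foo.com at the corporate server.
AFTER = OverrideResolver({"server1.foo.com": "10.10.10.10"}, {"foo.com": CORP_DNS_IP})

if __name__ == "__main__":
    for label, r in (("before", BEFORE), ("after", AFTER)):
        for host in ("server1.foo.com", "server2.foo.com", "www.example.net"):
            print(f"{label:6} {host:18} -> {r.route(host)[0]:15} {r.resolve(host)}")
    print(AFTER.unbound_config())
```

Run it as a script to see server2.foo.com go from no answer in the "before" state to its 192 address once the domain override exists, while server1.foo.com keeps its 10 address from the host override. The real check on a pfSense box is the same query from a client behind it (for example `nslookup server2.foo.com` against the LAN address) before and after adding the domain override.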



  • Hi Phil,

    Well, I suppose technically speaking it's all "private" since none of it routes outside of the corporate network; however, subjectively speaking, since the 192 address space is reachable by everyone in the company, and to use common terminology, it's considered "public" space within our organization. The 10 space is truly private as it only exists in my environment behind pfSense.

    But I think you answered my question: the domain override tells pfSense to look at X DNS server for all addresses in the foo.com domain.

    I think that's the piece of the puzzle I was missing, thanks a ton!