Netgate Discussion Forum
    Proper DNS

    DHCP and DNS
sdp0024

      Recently installed on VM host and everything works great.

      One small issue is that I cannot access local web server using public FQDN. Only accessible from outside local networks from another location.

      Don't have DNS forwarder or resolver enabled nor do I understand how to configure them.
      ![Screen Shot 2015-08-19 at 11.00.40 AM.png](/public/imported_attachments/1/Screen Shot 2015-08-19 at 11.00.40 AM.png)

KOM

        https://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks

        Protip: Use method #2.

sdp0024

Ports aren't forwarded. Is this still a valid link?

Derelict LAYER 8 Netgate

            What do you mean ports aren't forwarded?

            You are using either 1:1 NAT, Port forwarding, or are not describing your network clearly.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

sdp0024

External 443 is 443 internally. I guess this is called 1:1.

sdp0024

                Doesn't look like it worked.

                Attached settings screenshot.

                ![Screen Shot 2015-08-19 at 11.21.54 AM.png](/public/imported_attachments/1/Screen Shot 2015-08-19 at 11.21.54 AM.png)

Derelict LAYER 8 Netgate

No. You don't have to change the port for it to be a port forward.

You need DNS that resolves to the external address for external clients and the internal address for internal clients. Whether you use DNS Resolver/Forwarder or another DNS server is up to you.

Is the host you're testing from configured to use pfSense as its DNS server?

sdp0024

                    My computer is using pfsense for DNS as well as our app server.

```
# Generated by NetworkManager

nameserver 192.168.1.1
nameserver 8.8.8.8
nameserver 8.8.4.4
nameserver 4.2.2.2
```

Derelict LAYER 8 Netgate

You have to only use DNS servers that return the results you need. Change that to just use pfSense.

                      You can use multiple internal name servers but they all have to be configured to return the same results for the same queries from the same clients.

                      (Actually that's google and level 3 I think)

sdp0024

                        Ok, changed DHCP to only hand out local DNS of 192.168.1.1 and removed the google DNS and Verizon DNS from the app server.

                        Still cannot navigate to www.parks-properties.com, cloud.* or crm.*

Derelict LAYER 8 Netgate

                          When you look up the name on the client what address do you get?

                          Did you release/renew on the client?

I have no idea what cloud.* or crm.* are. Sorry.

And the only thing that matters in this case is what the client is set to use as the DNS server. It needs to have the internal IP address of the server in question in the answer.

johnpoz LAYER 8 Global Moderator

So does 192.168.1.1 know about www.parks-properties.com?

                            You want that to resolve to something local to you?

That resolves on the public internet to

```
;; ANSWER SECTION:
www.parks-properties.com. 86400 IN      CNAME  parks-properties.com.
parks-properties.com.  300    IN      A      108.226.16.69
```

If you want your clients to resolve something local, then using either the forwarder or resolver in pfSense, create host overrides or let it register your DHCP.

Example: here is a local machine that resolves

```
C:\>nslookup
Default Server:  pfSense.local.lan
Address:  192.168.9.253

> storage.local.lan
Server:  pfSense.local.lan
Address:  192.168.9.253

Name:    storage.local.lan
Address:  192.168.9.8
```

If I want www.parks-properties.com to resolve to, say, 10.0.0.1 then I just put in a simple override.

                            hostoverrides.png

                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                            If you get confused: Listen to the Music Play
                            Please don't Chat/PM me for help, unless mod related
                            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

sdp0024

                              Both client and app server using pfsense for DNS (192.168.1.1)

                              I've put in host overrides for
                              www / parks-properties.com / 192.168.1.90
                              crm / parks-properties.com / Alias for www.parks-properties.com
                              cloud / parks-properties.com / Alias for www.parks-properties.com

                              crm.parks-properties.com & cloud.parks-properties.com are also hosted on the same app server with their own directories.

                              Thank you all for helping with this as well. I really appreciate it.

                              ![Screen Shot 2015-08-19 at 12.59.56 PM.png](/public/imported_attachments/1/Screen Shot 2015-08-19 at 12.59.56 PM.png)

sdp0024

Looks like subdomains work, just not www.parks-properties.com or parks-properties.com.

johnpoz LAYER 8 Global Moderator
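To see which names in the override list above still fall through to the public answer, here is a small model of the LAN resolver as an added example (not code from the thread or from pfSense): overrides win, anything else goes to the public zone, and CNAMEs are chased. The override table and the public records are constructed from the values posted in this thread.

```python
import ipaddress

# Constructed from the thread: the three host overrides (www plus two
# aliases pointing at www) and the public answers johnpoz quoted.
LOCAL_OVERRIDES = {
    "www.parks-properties.com.": ("A", "192.168.1.90"),
    "crm.parks-properties.com.": ("CNAME", "www.parks-properties.com."),
    "cloud.parks-properties.com.": ("CNAME", "www.parks-properties.com."),
}
PUBLIC_ZONE = {
    "www.parks-properties.com.": ("CNAME", "parks-properties.com."),
    "parks-properties.com.": ("A", "108.226.16.69"),
}


def resolve(name, max_hops=8):
    """Resolve a name the way a split-horizon resolver does: a local override
    wins, otherwise the public record is used; CNAMEs are followed per hop.
    Returns (cname_chain, final_address_or_None)."""
    name = name.rstrip(".").lower() + "."
    chain = []
    for _ in range(max_hops):
        rtype, rdata = LOCAL_OVERRIDES.get(name) or PUBLIC_ZONE.get(name) or (None, None)
        if rtype is None:
            return chain, None          # no record anywhere: NXDOMAIN
        if rtype == "A":
            return chain, rdata
        chain.append((name, rdata))     # CNAME hop, keep chasing
        name = rdata
    raise RuntimeError("CNAME chain too long for " + name)


def audit(names):
    """Classify each name as 'internal' (RFC 1918 answer), 'public' (WAN
    address, i.e. the override is missing) or 'nxdomain'."""
    verdicts = {}
    for n in names:
        _, addr = resolve(n)
        if addr is None:
            verdicts[n] = "nxdomain"
        elif ipaddress.ip_address(addr).is_private:
            verdicts[n] = "internal"
        else:
            verdicts[n] = "public"
    return verdicts


if __name__ == "__main__":
    names = ["www.parks-properties.com", "crm.parks-properties.com",
             "cloud.parks-properties.com", "parks-properties.com"]
    for name, verdict in audit(names).items():
        print(f"{name:30} {verdict}")
```

Running it shows www, crm and cloud resolving to 192.168.1.90 while the bare parks-properties.com still comes back public, because no override covers the apex name.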

What are you saying is not working? From the cmd line do a simple nslookup or dig or drill or host, whatever your fav DNS tool is.

                                  So I setup alias for crm

```
C:\>nslookup
> www.parks-properties.com
Server:        192.168.9.253
Address:        192.168.9.253#53

Name:  www.parks-properties.com
Address: 10.0.0.1

> crm.parks-properties.com
Server:        192.168.9.253
Address:        192.168.9.253#53

Name:  crm.parks-properties.com
Address: 10.0.0.1
```

sdp0024

                                    I can now access crm.parks-properties.com & cloud.parks-properties.com locally but not our website either using www or parks-properties.com

Not a huge issue as I can always access from the WAN location, but I would prefer to be able to access it as well from the LAN since data speeds will be so much better.

Derelict LAYER 8 Netgate

                                      This isn't rocket science.

Get a DNS utility called dig or drill and find out where the problem is.

johnpoz LAYER 8 Global Moderator

I am with you, Derelict. Dig is a tool I use every single day. He doesn't have to get anything; I'm quite sure his OS comes with a way to query DNS from a cmd line. Pretty sure nslookup, no matter how bad it is in Windows, can still do a simple query.

sdp0024, please do a query for what you feel is not working, as per my examples. If something is not working, have you cleared your local cache?

                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.