Can't reverse lookup anymore when going from DNS Forwarder to DNS Resolver



  • To make DNSBL (pfBlockerNG) work I need DNS Resolver instead of DNS Forwarder. When I disable DNS Forwarder and enable DNS Resolver I can't do any reverse lookups anymore; forward lookups do still work.

    In general settings I have this.
    192.168.166.8 is my local BIND9 DNS server where I host my local domain and resolve DNS for all other DNS queries. This works perfectly with DNS Forwarder, where I override my local domain; see pictures below.

    This is how I set up DNS Resolver:

    Can anybody tell me what might be wrong? Why can't I do reverse lookups with DNS Resolver?


  • Banned

    You need 166.168.192.in-addr.arpa in domain overrides (or whatever matches your local nets.)



  • I have reverse zone files set up a long time ago; they work perfectly with DNS Forwarder. If I send reverse queries directly to the DNS server it works as well, just not when I use DNS Resolver.


  • Banned

    I have no idea what you are trying to tell us. You are missing the domain overrides for the reverse zones, as already said.



  • Thank you!



  • I tested it and you're right, it works.
    This is not needed, btw, in DNS Forwarder.
    Thank you again!


  • Banned

    @Gé:

    "This is not needed, btw, in DNS Forwarder."

    Forwarder (as the name suggests) normally forwards all queries to specified DNS servers unless told otherwise. Resolver (as the name suggests) resolves queries on its own recursively (unless explicitly told to forward them to a specific DNS server.)



  • Thank you for clarifying that.



  • I learned something today ;)


  • LAYER 8 Global Moderator

    You know you could just point 168.192.in-addr.arpa and 10.in-addr.arpa to your local DNS… I can tell you for sure that none of the RFC1918 space is going to resolve on the public internet ;)  Might as well point 172.16-31 to your local DNS as well ;)

    On a side note, I am curious about your selection of interfaces..  So you listen on WAN1 and WAN2 for queries?  And you need to use all those other interfaces, other than the WAN-based ones, to get to your one local name server?
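The moderator's tip above, as an added example that is not part of the original thread: this Python script turns a list of local prefixes (the poster's 192.168.166.0/24 plus the RFC1918 ranges) into the in-addr.arpa domain override names the DNS Resolver needs, shows which override a PTR query for a given address would hit (and that a public address hits none, which is why unresolved RFC1918 PTRs fall through to public recursion and fail), and renders them as Unbound forward-zone stanzas. Assumptions: the stanza format is Unbound's forward-zone syntax, which is what pfSense's DNS Resolver runs (compare it with what your pfSense build writes); the prefix list and 192.168.166.8 as the target server are taken from the thread.

```python
import ipaddress

# Constructed sample input: the poster's 192.168.166.0/24 plus the RFC1918
# ranges the moderator suggested, all served by the local BIND at
# 192.168.166.8 (address taken from the thread).
LOCAL_DNS = "192.168.166.8"
LOCAL_PREFIXES = ["192.168.166.0/24", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def reverse_zones(prefix):
    """Return the in-addr.arpa zone names that cover an IPv4 prefix.

    Reverse zones sit on octet boundaries, so a /12 expands into sixteen
    /16-sized zones, while a /8, /16 or /24 is exactly one zone.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    if net.prefixlen == 0:
        raise ValueError("a 0.0.0.0/0 override would capture every PTR lookup")
    bits = -(-net.prefixlen // 8) * 8  # round up to the next octet boundary
    zones = []
    for sub in net.subnets(new_prefix=bits):
        labels = str(sub.network_address).split(".")[: bits // 8]
        zones.append(".".join(reversed(labels)) + ".in-addr.arpa")
    return zones


def override_for(ip, zones):
    """Most specific override zone matching the PTR name for ip, or None when
    the query would fall through to public recursion (the poster's symptom)."""
    name = ipaddress.ip_address(ip).reverse_pointer  # e.g. 8.166.168.192.in-addr.arpa
    matches = [z for z in zones if name == z or name.endswith("." + z)]
    return max(matches, key=len) if matches else None


def unbound_forward_zones(zones, server):
    """Render the zones as Unbound forward-zone stanzas (assumed to be the form
    in which pfSense's DNS Resolver applies a domain override)."""
    out = []
    for z in sorted(set(zones)):
        out.append(f'forward-zone:\n\tname: "{z}"\n\tforward-addr: {server}')
    return "\n".join(out)


if __name__ == "__main__":
    all_zones = [z for p in LOCAL_PREFIXES for z in reverse_zones(p)]
    print(unbound_forward_zones(all_zones, LOCAL_DNS))
    for ip in ("192.168.166.8", "172.20.1.1", "8.8.8.8"):
        print(ip, "->", override_for(ip, all_zones))
```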



  • Thank you for the tips and advice.

    Actually that is a good idea, to add the whole RFC1918 address space. Going to change that ;)

    I don't have WAN1 and/or WAN2. I do have WLAN1 & WLAN2; those are VLANs where wireless clients live.

    On outgoing interfaces I selected almost all the interfaces just to be safe while fiddling around with stuff. Because of your tips I changed that to the DMZ interface only.

    Also in general settings I removed my local DNS. Only 127.0.0.1 is set as DNS server.


  • LAYER 8 Global Moderator

    My bad, yeah, now that I look closer it's WLAN1 and WLAN2; that makes more sense to listen on..  So yeah, if pfSense is only going to ask your AD when it looks up, say, google, then sure, you only need its query interface to be the one able to get to your local nameserver.

