Netgate Discussion Forum
    DNS Doctoring in pfsense

    DHCP and DNS (24 posts, 4 posters, 3.5k views)
      yakatz @A Former User

      @sparkyMcpenguin That is what I meant too. We are not using any dynamic DNS from outside. We have static IPs allocated by our ISP going to internal servers with 1:1 NAT. To restate, many of the systems allow our customers to create their own DNS records pointing to our IP addresses. The firewall has no way to know what these DNS records are in advance, but DNS Doctoring (or alias as dnsmasq calls it) allows Split DNS to work with no additional configuration.

        A Former User @yakatz
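What "DNS Doctoring" (dnsmasq's `alias=` option) actually does to a reply is easy to lose in the discussion above, so here is a stand-alone model of it. This is an added example, not code from the thread, from pfSense or from dnsmasq: it implements dnsmasq's documented `alias=<old-ip>,<new-ip>[,<mask>]` semantics (with a mask, only the network part is swapped and the host bits are kept, which is what lets one rule cover a whole 1:1 NAT block) and applies the rules to the A records of a wire-format DNS response. The `start-ip-end-ip` range form of the option is not modelled. All addresses, the response builder and the hostname are constructed sample data, and `AliasRule`, `doctor_response` and the other names are this example's own.

```python
"""Model of dnsmasq-style DNS doctoring: rewrite public A-record addresses
to the internal side of a 1:1 NAT before the answer reaches the LAN client.
Constructed example; not dnsmasq's or pfSense's code."""
import ipaddress
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class AliasRule:
    """One ``alias=old,new[,mask]`` line. A mask of /32 means a single host."""
    old: ipaddress.IPv4Address
    new: ipaddress.IPv4Address
    mask: ipaddress.IPv4Address

    @classmethod
    def parse(cls, line):
        # accepts "alias=203.0.113.10,10.0.0.10" or "alias=203.0.113.0,10.0.0.0,255.255.255.0"
        body = line.split("=", 1)[1]
        parts = [p.strip() for p in body.split(",")]
        mask = parts[2] if len(parts) > 2 else "255.255.255.255"
        return cls(ipaddress.IPv4Address(parts[0]), ipaddress.IPv4Address(parts[1]),
                   ipaddress.IPv4Address(mask))

    def apply(self, addr):
        """Return the rewritten address, or None if ``addr`` is outside the rule."""
        m = int(self.mask)
        if int(addr) & m != int(self.old) & m:
            return None
        host_bits = int(addr) & ~m & 0xFFFFFFFF  # keep host part, swap network part
        return ipaddress.IPv4Address((int(self.new) & m) | host_bits)


def doctor_address(addr_text, rules):
    """First matching rule wins; returns the new address as text or None."""
    addr = ipaddress.IPv4Address(addr_text)
    for rule in rules:
        new = rule.apply(addr)
        if new is not None:
            return str(new)
    return None


def _skip_name(msg, off):
    """Advance past a DNS name, handling compression pointers (RFC 1035 4.1.4)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def _rdata_slots(msg):
    """Yield (rdata_offset, rtype, rclass, rdlen) for every RR after the question."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield off, rtype, rclass, rdlen
        off += rdlen


def a_records(msg):
    """Addresses of all IN A records in a response, in wire order."""
    return [str(ipaddress.IPv4Address(bytes(msg[o:o + 4])))
            for o, t, c, l in _rdata_slots(msg) if t == 1 and c == 1 and l == 4]


def doctor_response(msg, rules):
    """Rewrite matching A records in place; returns (new_message, rewrite_count)."""
    buf = bytearray(msg)
    count = 0
    for off, rtype, rclass, rdlen in _rdata_slots(buf):
        if rtype != 1 or rclass != 1 or rdlen != 4:
            continue  # only IPv4 A records are doctored
        new = doctor_address(str(ipaddress.IPv4Address(bytes(buf[off:off + 4]))), rules)
        if new is not None:
            buf[off:off + 4] = ipaddress.IPv4Address(new).packed
            count += 1
    return bytes(buf), count


def build_response(name, addrs, ttl=300):
    """Constructed upstream answer: one A record per address, names compressed."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(addrs), 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
                       + ipaddress.IPv4Address(a).packed for a in addrs)
    return header + question + answers


if __name__ == "__main__":
    # constructed rules: a /24 covering a 1:1 NAT block, plus a single-host alias
    rules = [AliasRule.parse("alias=203.0.113.0,10.10.0.0,255.255.255.0"),
             AliasRule.parse("alias=198.51.100.7,192.168.1.7")]
    upstream = build_response("mail.example.test", ["203.0.113.25", "198.51.100.7", "192.0.2.9"])
    doctored, n = doctor_response(upstream, rules)
    print(a_records(upstream), "->", a_records(doctored), f"({n} rewritten)")
```

The point of running rules against the raw reply rather than a zone file is the one made in the thread: the firewall never needs to know the customer's hostname in advance, only which public addresses map 1:1 to which internal ones. The address 192.0.2.9 passes through untouched because no rule covers it, which is the behaviour you want for third-party records that merely share a reply with yours.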

        @yakatz
        Are you using the forwarder on the WAN? Or am I mixing up the functionality of that?

          A Former User @A Former User

          @sparkyMcpenguin said in DNS Doctoring in pfsense:

          @yakatz said in DNS Doctoring in pfsense:

          @sparkyMcpenguin All static IPs. We are currently using unbound, so no upstream DNS servers.

          My logic with redundancy in my DNS resolver choices is "I don't trust just one source". If that source gets corrupted or altered (lol, sort of like what you're trying to do, but you're doing it for a legitimate thing) then I'm sure there are billions more IP addresses out there to tell everyone else that your IP result is incorrect(?)

          When I added more than one DNS, I also changed my ASN check settings to 1 hour (just because I want it to update faster; I assume the default 24 hours would cause... 24 hours wait time for the change to take effect, for verifying the cache in unbound).

          In regards to my 'redundancy' comment, the further logic being maybe helping to prevent ARP poisoning? Just two cents.

            A Former User @yakatz

            @yakatz said in DNS Doctoring in pfsense:

            @sparkyMcpenguin That is what I meant too. We are not using any dynamic DNS from outside. We have static IPs allocated by our ISP going to internal servers with 1:1 NAT. To restate, many of the systems allow our customers to create their own DNS records pointing to our IP addresses. The firewall has no way to know what these DNS records are in advance, but DNS Doctoring (or alias as dnsmasq calls it) allows Split DNS to work with no additional configuration.

            What about a 'Proxy ARP' VIP under Firewall for each host? Wikipedia page for reference: Proxy ARP.

            This and (maybe needed, not quite sure, but you did say 'dnsmasq') having the forwarder on the WAN (I see it say dnsmasq a lot on there; I just don't use it).

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.