Local DNS resolution on pfSense box



  • Hi everybody,

    maybe an easy problem, but I'm afraid to bust our company's DNS resolution, so I better ask before! :-)

    Our pfSense acts as firewall/internet gateway/openvpn server/…
    It doesn't act as a DHCP server or local DNS server.

    Our local DNS servers a.b.c.d and a.b.c.e use the pfSense box for public DNS resolution (is this called DNS forwarding?)
    Our local windows domain looks like mysite.mycompany.com

    Here's my little problem:
    I would like to teach our pfSense to do local DNS resolution - just for itself, not for the company. That means: I go to a pfSense shell and type something like

    host somecomputername

    the output should be something like

    somecomputername.mysite.mycompany.com has address w.x.y.z

    btw: resolv.conf on one of our typical linux servers looks like this:

    # cat /etc/resolv.conf
    nameserver a.b.c.d
    nameserver a.b.c.e
    search mysite.mycompany.com

    Any ideas?

    Thanks a lot and many greets
    Stephan


  • Rebel Alliance Global Moderator

    So you can do a domain override to point your mysite.mycompany.com domain to your local name servers. This way pfSense, using itself to do resolution, will know, vs. asking the public to go and ask your servers for mysite.mycompany.com.

    This will have nothing to do with your local DNS.. Only for pfSense to be able to resolve your internal stuff.

    And you have it set up correctly.. if you're running AD, your clients should only use your local AD DNS and DHCP..
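    What a Domain Override amounts to inside Unbound, the pfSense DNS Resolver, as an added example (shell; not code from the thread or from pfSense, and the generator, its argument checks and the addresses 10.1.2.3 / 10.1.2.4 standing in for a.b.c.d / a.b.c.e are this example's own assumptions): a forward-zone that sends every query under mysite.mycompany.com to the internal servers and nowhere else, so those names never go out to the public DNS. The DNSSEC flag adds the caveat that bites in practice: with DNSSEC validation enabled and an unsigned internal zone whose public parent is signed, Unbound marks the forwarded answers bogus unless the zone is declared domain-insecure (on pfSense that line goes into the Resolver's Custom Options).

```shell
#!/bin/sh
# Added example, not pfSense's own code: emit the Unbound configuration a
# "Domain Override" for an internal AD zone boils down to, after checking the
# inputs. The server addresses used below (10.1.2.3, 10.1.2.4) are constructed
# stand-ins for the thread's a.b.c.d and a.b.c.e.

# is_ipv4 ADDR -> 0 if ADDR is a dotted-quad IPv4 literal, 1 otherwise
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # digits and single dots only
    esac
    oldifs=$IFS; IFS=.
    set -- $1                   # split into octets (no glob chars left, so safe)
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# domain_override_conf DOMAIN yes|no SERVER... -> prints the Unbound stanza
# for DOMAIN; the second argument says whether DNSSEC validation is enabled.
domain_override_conf() {
    domain=$1; dnssec=$2; shift 2
    [ $# -ge 1 ] || { echo "domain_override_conf: no servers for $domain" >&2; return 1; }
    for s in "$@"; do
        is_ipv4 "$s" || { echo "domain_override_conf: bad address '$s'" >&2; return 1; }
    done
    # Every query ending in $domain is forwarded to these servers and to nothing else
    printf 'forward-zone:\n    name: "%s"\n' "$domain"
    for s in "$@"; do
        printf '    forward-addr: %s\n' "$s"
    done
    # With validation on, an unsigned zone whose public parent is DNSSEC-signed
    # fails validation (the parent proves there is no such delegation), so tell
    # Unbound not to expect signatures for it.
    if [ "$dnssec" = yes ]; then
        printf 'server:\n    domain-insecure: "%s"\n' "$domain"
    fi
}

# Sample run: the override from this thread, on a box with DNSSEC enabled
domain_override_conf mysite.mycompany.com yes 10.1.2.3 10.1.2.4
```

    If DNS rebinding protection is on and the internal zone answers with RFC1918 addresses, the zone also needs to be a private-domain in the generated unbound.conf, otherwise the private answers are scrubbed; check the generated configuration for that line before trusting a lookup that suddenly returns nothing.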



  • Hey John,

    thanks a lot for your answer - and sorry for my late reply!

    @johnpoz:

    So you can do a domain override to point your mysite.mycompany.com domain to your local name servers. This way pfSense, using itself to do resolution, will know, vs. asking the public to go and ask your servers for mysite.mycompany.com.

    yeah, that did the trick - 90% of it ;-)
    Adding the domain override led to this situation:

    When I do this on the pfSense shell, everything works fine:

    # host somecomputername.mysite.mycompany.com
    somecomputername.mysite.mycompany.com has address w.x.y.z

    But when I search just for a local computer name, it doesn't:

    # host somecomputername
    Host somecomputername not found: 3(NXDOMAIN)

    This is why I added the line

    search mysite.mycompany.com

    to

    /etc/resolv.conf

    so everything works fine!

    But this change doesn't seem to be persistent. Is there a way to configure this search domain through WebGUI or through any other way?

    Thanks a lot and many greets
    Stephan


  • Rebel Alliance Global Moderator

    your search domain would be the domain pfsense is in..




  • @johnpoz:

    your search domain would be the domain pfsense is in..

    Unfortunately that doesn't work for me. The domain is set correctly, but there is no "search" entry in my resolv.conf… :-(


  • Rebel Alliance Global Moderator

    nonsense.. What version of pfsense are you running?

    Here I changed mine… Boom resolv.conf changed




  • @johnpoz:

    nonsense.. What version of pfsense are you running?

    Here I changed mine… Boom resolv.conf changed

    I see! In my config I set the checkbox "Allow DNS server list to be overridden by DHCP/PPP on WAN" so that I get my public DNS servers from my ISP. In this case, the search domain also seems to be "overridden" with nothing. When I uncheck this box I get the same behaviour as your box.
    But: now I am forced to set the public DNS servers manually, otherwise the pfSense box itself can't resolve public names. :-( This configuration is OK for me, but it would be better to get the DNS servers from my ISP. Is there a solution?

    Thanks for your patience and many greets
    Stephan


  • Rebel Alliance Global Moderator

    dude, if you're using the resolver.. you wouldn't use outside DNS…

    All your pfsense box needs to do is point to itself, and the resolver would look up stuff directly.

    pfSense has defaulted to using the resolver for quite some time. Are you using the resolver or the forwarder? If the resolver, the only entry pfSense should have is itself, 127.0.0.1

    Why would getting your DNS from your ISP be better?? More often than not their DNS blows ;) And you are almost always better off using what you want to use as your forwarder, or just being your own resolver, which is a much better solution all the way around. Which is what pfSense defaults to.
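    Two things from this thread in working form, as an added example (shell, not code from the thread or from pfSense): Stephan's observation that a short name only resolves once resolv.conf carries a search line, and johnpoz's point that a box using the Resolver should list only itself, 127.0.0.1. The first function reproduces what the libc stub resolver behind the host command does with a name given resolv.conf; the second is the check to run after a reboot or WAN DHCP renewal, which is when the search line went missing above. The two resolv.conf files are constructed, 203.0.113.x are documentation addresses standing in for ISP servers, and the default ndots:1 is assumed.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense: what the stub resolver
# does with a short name given a resolv.conf, plus a check for the two things
# this thread says a Resolver-using pfSense box should have in resolv.conf:
# itself (127.0.0.1) as first nameserver and a search line for the site domain.
# File contents are constructed; 203.0.113.x stand in for ISP servers.

GOOD_RESOLV_CONF='nameserver 127.0.0.1
search mysite.mycompany.com
'
BAD_RESOLV_CONF='nameserver 203.0.113.53
nameserver 203.0.113.54
'
GOOD=$(mktemp); printf '%s' "$GOOD_RESOLV_CONF" > "$GOOD"
BAD=$(mktemp);  printf '%s' "$BAD_RESOLV_CONF"  > "$BAD"
trap 'rm -f "$GOOD" "$BAD"' EXIT

# search_list FILE -> search domains, one per line. "search" and "domain"
# are mutually exclusive; the last one in the file wins.
search_list() {
    awk '$1 == "search" { out = ""; for (i = 2; i <= NF; i++) out = out $i "\n" }
         $1 == "domain" { out = $2 "\n" }
         END { printf "%s", out }' "$1"
}

# query_candidates NAME FILE -> the names actually sent to the nameserver, in
# order, with the default ndots:1. A name with fewer than ndots dots is tried
# under each search domain first and bare last; any other name bare first.
# A trailing dot makes the name absolute and disables the search list.
query_candidates() {
    name=$1; file=$2
    case "$name" in
        *.) printf '%s\n' "$name"; return 0 ;;
    esac
    dots=0; rest=$name
    while [ "${rest#*.}" != "$rest" ]; do
        dots=$((dots + 1)); rest=${rest#*.}
    done
    suffixed=$(search_list "$file" | sed "s/^/$name./")
    if [ "$dots" -lt 1 ]; then
        [ -n "$suffixed" ] && printf '%s\n' "$suffixed"
        printf '%s\n' "$name"
    else
        printf '%s\n' "$name"
        [ -n "$suffixed" ] && printf '%s\n' "$suffixed"
    fi
    return 0
}

# check_resolv_conf FILE SEARCH_DOMAIN -> 0 if FILE lists 127.0.0.1 first and
# carries SEARCH_DOMAIN in its search list, 1 otherwise (reasons on stderr).
check_resolv_conf() {
    file=$1; want=$2; rc=0
    first=$(awk '$1 == "nameserver" { print $2; exit }' "$file")
    if [ "$first" != 127.0.0.1 ]; then
        echo "$file: first nameserver is '${first:-none}', expected 127.0.0.1" >&2
        rc=1
    fi
    if ! search_list "$file" | grep -qxF "$want"; then
        echo "$file: search domain $want missing" >&2
        rc=1
    fi
    return $rc
}

echo "lookup order for 'somecomputername' with the search line present:"
query_candidates somecomputername "$GOOD"
echo "the same name without it (only the bare label is queried, hence NXDOMAIN):"
query_candidates somecomputername "$BAD"
check_resolv_conf "$GOOD" mysite.mycompany.com && echo "$GOOD: OK"
check_resolv_conf "$BAD"  mysite.mycompany.com || echo "$BAD: flagged"
```

    Without the search line the bare single-label name is the only query, and a full resolver sends exactly that to the root servers, so the internal hostname leaks out and comes back NXDOMAIN; with the search line and the domain override in place, the first candidate is the FQDN that the override routes to the internal servers, and the bare name is never tried. The check is cheap enough to run from cron so the drift described above is noticed before someone is "afraid to bust" DNS again.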