All systems on LAN resolve to WAN IP address



  • I'm sure I'm missing something otherwise trivial, but I can't seem to nail this one down.

    I am using the DNS resolver in pfsense, with the domain set to example.com - all interfaces selected for both "Network Interfaces" and "Outgoing Network Interfaces", and registering both DHCP leases and static DHCP mappings in the resolver. Everything under "Advanced" is default.

    If I'm on systemA.example.com, and I try to ping, nslookup, etc systemB.example.com, it gets pointed to the WAN IP address for pfsense (for which there is a public DNS entry for example.com). If I'm on the LAN, I would expect systemA.example.com to be able to resolve systemB.example.com (or just 'systemB') correctly, however that's not the behavior I'm seeing.

    Where should I be looking to see what I've got configured incorrectly?

    As a follow-up, if I later also want to have example2.com on a separate LAN that pfSense is serving, is it enough to override the domain name for the DHCP server on that network to be able to resolve both domains for incoming requests, or does that entail a more advanced configuration?


  • LAYER 8 Global Moderator

    To be honest it is a BAD idea to use the same domain as some public domain as your local network's domain. Why not use a subdomain, say local.example.com, so then you would have systemA.local.example.com, which is easy to distinguish from your public space of example.com that I would have to assume has some authoritative nameservers out on the public net.

    I could see if you have a wildcard entry in this domain pointing to your public IP that could cause you all kinds of grief.



  • Well assume I want to be able to access both systemA and systemB externally as well. Moving to local.example.com would break that ability.

    I'm not saying that every system on the LAN would be externally accessible, but it would be preferable to be able to use "systemA.example.com" both internally and externally.


  • LAYER 8 Global Moderator

    how so??  But let's say you want to have systemA.example.com on the public point to your public IP, then internally just create a host override that points systemA.example.com to your local IP.

    You need to figure out where you're resolving these hosts to your public from; my guess would be you have a wildcard and your systems trying to resolve systemA.example.com are using the public vs the local. Be it you don't have a correct override set up, the client has it cached before you set it up, or the client is doing queries to the outside vs your local.



  • I'm at work at the moment so I can't try this out, but am I understanding you correctly in that:

    1. If I have a public wildcard DNS record, I must use host overrides for any request for a given hostname to resolve to the correct system instead of the public IP.

    2. Assuming #1 is correct, if I remove the wildcard public DNS entry, "normal" DNS resolution would work, meaning internally "systemA.example.com" would resolve to the proper host on the LAN.

    3. At that point if I want systemA to be externally accessible, I would need to set up an override.


  • LAYER 8 Global Moderator

    Dude…  Do you have a record for systemA in your external?  Or just a wildcard?

    Anything you want to resolve publicly you need records for; you can use a wildcard if you want. But anything you want to resolve locally to a private IP you need an override for, or it will resolve to what the public has for it.
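    The precedence the moderator describes (a host override answers first, otherwise the query falls through to the public zone, where a wildcard hands back the WAN address) is easy to model and to audit. The following Python is an added example, not code from the thread or from pfSense/unbound: it parses a couple of constructed unbound-style `local-data:` lines (the form pfSense writes for DNS Resolver host overrides; treating DHCP-registered names the same way is an assumption of this toy), resolves names against a constructed public zone that contains a wildcard, and lists every LAN hostname that a client would be handed a non-RFC1918 address for. The addresses, zone contents and hostnames are constructed for the example; wildcard matching is simplified and ignores the RFC 4592 "closer encloser" rule.

```python
"""Toy model of pfSense DNS Resolver (unbound) precedence: a local host
override answers first; otherwise the public zone answers, and a public
wildcard record returns the WAN address for every unmatched name."""
import ipaddress
import re

# Constructed sample data, not taken from the thread.
WAN_IP = "203.0.113.10"          # documentation range, stands in for the public address
PUBLIC_ZONE = {                  # what the authoritative servers for example.com answer
    "example.com": WAN_IP,
    "*.example.com": WAN_IP,     # the wildcard the moderator suspects
}

# Constructed unbound-style entries, the shape pfSense writes for Host Overrides.
# Assumption of this toy: names registered from DHCP leases behave the same way.
UNBOUND_LOCAL_DATA = '''
local-data: "systemA.example.com. IN A 192.168.1.20"
local-data: "systemB.example.com. IN A 192.168.1.21"
'''

LOCAL_DATA_RE = re.compile(r'local-data:\s*"([^\s"]+)\s+IN\s+A\s+([0-9.]+)"')
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def normalize(name):
    """DNS names are case-insensitive; drop a trailing dot so lookups match."""
    return name.rstrip(".").lower()


def parse_local_data(text):
    """Return {hostname: address} from unbound local-data A-record lines."""
    overrides = {}
    for m in LOCAL_DATA_RE.finditer(text):
        overrides[normalize(m.group(1))] = m.group(2)
    return overrides


def public_lookup(name, zone):
    """Exact record first, then the closest enclosing wildcard, else None."""
    name = normalize(name)
    if name in zone:
        return zone[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        candidate = "*." + ".".join(labels[i:])
        if candidate in zone:
            return zone[candidate]
    return None


def resolve(name, overrides, zone):
    """Resolver precedence: a local override wins, otherwise public data."""
    return overrides.get(normalize(name)) or public_lookup(name, zone)


def is_rfc1918(addr):
    """True for a private (RFC 1918) IPv4 address."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)


def audit_lan_names(names, overrides, zone):
    """Names a LAN client would be handed a non-private (WAN) address for,
    i.e. hosts that still need a host override."""
    leaks = {}
    for n in names:
        addr = resolve(n, overrides, zone)
        if addr is not None and not is_rfc1918(addr):
            leaks[normalize(n)] = addr
    return leaks


if __name__ == "__main__":
    overrides = parse_local_data(UNBOUND_LOCAL_DATA)
    lan_hosts = ["systemA.example.com", "systemB.example.com", "systemC.example.com"]
    for host in lan_hosts:
        print(f"{host:22} -> {resolve(host, overrides, PUBLIC_ZONE)}")
    # systemC has no override, so the public wildcard hands back the WAN address.
    print("still resolving to WAN:", audit_lan_names(lan_hosts, overrides, PUBLIC_ZONE))
```

    Running the block shows systemA and systemB answered from the overrides and systemC falling through to the wildcard; removing the wildcard from `PUBLIC_ZONE` makes systemC return `None` instead, which is the behaviour the original poster's point 2 expects. On a real pfSense box the equivalent check is to query the LAN clients' configured resolver for each hostname and confirm the answer is an RFC 1918 address rather than the WAN IP.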

