Can someone briefly describe how DNS in pfSense works?



  • I have a three-port (sort of) setup:

    WAN = port 0
    LAN = port 1 192.168.1.1 with PIA
    OPT = port 2 192.168.10.1, no VPN service

    System/General Setup/DNS = OpenDNS DNS servers.
    LAN Services/DHCP Server/DNS servers = Private Internet Access DNS servers (PIA)
    OPT Services/DHCP Server/DNS servers = blank

    Dynamic DNS service = DNS-O-matic, it updates well without error.

    DNS forwarder = disabled
    DNS resolver = enabled

    I have squid proxy and squidguard = enabled

    If I plug my computer into the LAN port, it works as expected: the PIA DNS servers are being used, the Squid proxy works, and my external IP is a PIA IP.

    However, if I plug the computer into the OPT port, it does not behave as I would expect: the PIA DNS servers are still being used (instead of the OpenDNS DNS servers), the Squid proxy is not being used (expected), and the OpenDNS content filtering service is not being used either. The IP address is my ISP IP address (expected).

    So, with the OPT interface, my external IP address is correct and DNS-O-Matic updates correctly; the problem is the DNS servers. How can I force the OPT interface to use the system DNS servers? I have tried putting the same OpenDNS DNS servers under Services/DHCP Server/OPT/DNS servers, but it behaves the same.

    I would like the OPT interface to use the system DNS servers AND the OpenDNS content filtering service.

    Any idea?

    Thanks in advance!


  • LAYER 8 Global Moderator

    "I have squid proxy and squidguard = enabled"

    You do understand that when using a proxy the client asks the proxy to go to www.domain.tld and the proxy looks it up, right?

    If you're using the resolver, then what you set in the general setup is not even used… The resolver does not forward queries anywhere, it resolves them!

    If you want to use some external DNS vs an actual resolver, then go back to the forwarder. Set up the DNS you want it to forward to, and point pfSense to itself and/or the externals you want to use.

    Or just don't use a proxy and have your clients point directly to whatever DNS you want to use.



  • Thanks John! You have always been helpful. It is the beauty of this forum.

    @johnpoz:

    "I have squid proxy and squidguard = enabled"

    "You do understand that when using a proxy the client asks the proxy to go to www.domain.tld and the proxy looks it up, right?"

    TBH, I did not know this.

    "If you're using the resolver, then what you set in the general setup is not even used… The resolver does not forward queries anywhere, it resolves them!"

    I eventually understood the difference between them!! Thanks.

    "If you want to use some external DNS vs an actual resolver, then go back to the forwarder. Set up the DNS you want it to forward to, and point pfSense to itself and/or the externals you want to use."

    This is what I did, and it does exactly what I want it to. Thanks!!

    "Or just don't use a proxy and have your clients point directly to whatever DNS you want to use."

    No, I want Squid to be running only on the VPN interface, which is the LAN, as OpenDNS does not work with VPN IPs such as PIA's.

    Thanks John!!


  • LAYER 8 Global Moderator

    Well, if you use the forwarder on pfSense and forward DNS queries to 1.2.3.4, then if you ask it, it will just go ask 1.2.3.4; if you're running a proxy on pfSense and it's using pfSense for its DNS, those queries will get forwarded to 1.2.3.4.

    What would be the point of a client that is using a proxy asking for DNS? It's not the one going there, the proxy is. So in a browser, when you have a proxy set up and you put www.pfsense.org in the address bar, it says, hey proxy, I want to go to www.pfsense.org; the proxy looks it up, goes and gets it, and hands it back to your client.

    The only time a proxy client would use its own DNS is if where it is going is set to be direct, and not use the proxy.
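
The two mechanisms discussed in the replies above (a recursive resolver walking from the root itself vs. a forwarder relaying to a configured upstream, and a proxied client that never does its own lookup) as an added, offline simulation. This is example code written for this thread, not pfSense, unbound, dnsmasq or Squid code; the zone data, server names, the "opendns" upstream with a block list, and the TEST-NET-3 addresses are all constructed for the illustration.

```python
"""Which DNS server actually sees a client's query?

Constructed offline model (not pfSense, unbound, dnsmasq or Squid code).
Each "server" is a plain dict: the root knows the TLD server, the TLD knows
the authoritative server, and the authoritative server holds the record.
Addresses are from the TEST-NET-3 documentation range (constructed).
"""

ZONES = {
    "root":         {"referral": {"org.": "tld-org", "example.": "tld-example"}},
    "tld-org":      {"referral": {"pfsense.org.": "auth-pfsense"}},
    "tld-example":  {"referral": {"blocked.example.": "auth-blocked"}},
    "auth-pfsense": {"answer": {"www.pfsense.org.": "203.0.113.10"}},
    "auth-blocked": {"answer": {"www.blocked.example.": "203.0.113.20"}},
}


def fqdn(name):
    return name if name.endswith(".") else name + "."


class Resolver:
    """Recursive resolver (what the pfSense DNS Resolver does by default):
    starts at the root and follows referrals itself. The query never goes
    to any configured external server, so an external filtering service
    never sees it and cannot apply its policy."""

    def __init__(self, name):
        self.name = name
        self.queried = []          # servers this resolver contacted, in order

    def lookup(self, qname):
        qname, server = fqdn(qname), "root"
        while True:
            self.queried.append(server)
            zone = ZONES[server]
            if qname in zone.get("answer", {}):
                return zone["answer"][qname]
            nxt = [s for suf, s in zone.get("referral", {}).items() if qname.endswith(suf)]
            if not nxt:
                raise LookupError(qname)
            server = nxt[0]


class FilteringUpstream(Resolver):
    """Constructed stand-in for an external service like OpenDNS: a resolver
    that applies a block list to the queries it receives."""

    def __init__(self, name, blocked):
        super().__init__(name)
        self.blocked = {fqdn(b) for b in blocked}

    def lookup(self, qname):
        if any(fqdn(qname).endswith(b) for b in self.blocked):
            return "0.0.0.0"       # sinkhole answer (constructed)
        return super().lookup(qname)


class Forwarder:
    """Forwarder (the pfSense DNS Forwarder, or the Resolver in forwarding
    mode): no recursion, every query is relayed to the configured upstream."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.queried = []

    def lookup(self, qname):
        self.queried.append(self.upstream.name)
        return self.upstream.lookup(qname)


class Client:
    """A host that either resolves through its own DNS setting or hands the
    hostname to a proxy, which resolves it with the proxy's DNS setting."""

    def __init__(self, dns, proxy_dns=None):
        self.dns, self.proxy_dns = dns, proxy_dns
        self.own_queries = 0       # how many lookups the client itself made

    def fetch(self, host):
        if self.proxy_dns is not None:     # proxied: "hey proxy, go to host"
            return self.proxy_dns.lookup(host)
        self.own_queries += 1              # direct: the client resolves host itself
        return self.dns.lookup(host)


def compare(qname, blocked=("blocked.example",)):
    """Answer and query path for one name through a recursive resolver and
    through a forwarder pointed at a filtering upstream."""
    upstream = FilteringUpstream("opendns", blocked)
    resolver, forwarder = Resolver("pfsense-resolver"), Forwarder(upstream)
    return {
        "resolver":  (resolver.lookup(qname), resolver.queried),
        "forwarder": (forwarder.lookup(qname), forwarder.queried + upstream.queried),
    }


if __name__ == "__main__":
    for name in ("www.pfsense.org", "www.blocked.example"):
        for mode, (answer, path) in compare(name).items():
            print(f"{mode:9} {name:20} -> {answer:13} via {' -> '.join(path)}")
```

Running it shows the point of the thread: in resolver mode the filtering upstream never appears in the query path, so a name on its block list resolves to the real address; in forwarder mode every query passes through the upstream, so the block list applies. The `Client` class shows the proxy point separately: a proxied client makes zero lookups of its own, so only the proxy's DNS path matters.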


  • Banned

    "If you're using the resolver, then what you set in the general setup is not even used…"

    But I read under "Services" - "DNS Resolver":

    "...If Forwarding is enabled, the DNS Resolver will use the DNS servers entered in System: General setup or those obtained via DHCP or PPP on WAN if the "Allow DNS server list to be overridden by DHCP/PPP on WAN" is checked."

    Hmmm, the Resolver can forward, or?


  • LAYER 8 Netgate

    I would enable forwarding mode of the resolver and use it over the forwarder. dnsmasq is on the way out; unbound is in. Use the new bits.


  • LAYER 8 Global Moderator

    The only advantage that I can see to the old one is that it can send queries to all your forwarded DNS servers at the same time and use the fastest response. I do believe unbound works this way? But not sure on that.



  • @2chemlud:

    "If you're using the resolver, then what you set in the general setup is not even used…"

    But I read under "Services" - "DNS Resolver":

    "...If Forwarding is enabled, the DNS Resolver will use the DNS servers entered in System: General setup or those obtained via DHCP or PPP on WAN if the "Allow DNS server list to be overridden by DHCP/PPP on WAN" is checked."

    Hmmm, the Resolver can forward, or?

    I found those instructions very confusing. I never understood what does what, and what doesn't do what. The documentation does not help either, I mean the wiki. It only tells you how to set things up, but never explains why and why not.

    I really hope someone can write it up in simple English, as I am not an English speaker. I can hardly understand what John said in his previous post. I have tried so hard. Regardless, I would like to have some general explanatory documentation.



  • @tigs:

    I really hope someone can write it up in simple English, as I am not an English speaker. I can hardly understand what John said in his previous post. I have tried so hard. Regardless, I would like to have some general explanatory documentation.

    Have you tried posting on the international (foreign language) part of the forum?


  • LAYER 8 Global Moderator

    If you do not understand the difference between a forwarder and a resolver, why is it the pfSense documentation's responsibility to explain that to you? Why don't you look that up in your native language?

