Netgate Discussion Forum
    Using pfSense DNS resolver to create a "pool" of names?

    Category: DHCP and DNS
    10 Posts, 3 Posters, 2.6k Views
    gertty

      I'm trying to create a local DNS entry that is made up of a "pool" of external A records.

      Let's say a.foo.com, b.foo.com, c.foo.com are all valid public A records. I would like to create a DNS entry on my pfSense box so that anyone using my pfSense's DNS resolver (all my local DHCP clients) can resolve pool.foo.com. I want it to resolve to the super-set of a|b|c.foo.com. I really don't care if the pfSense DNS resolver does a round robin between a, b, and c or joins the IPs all together. What I want to achieve is that if a client of the pfSense DNS server (all of the DHCP clients on my local subnets) tries to resolve pool.foo.com, the end result over time is that it will resolve to all of the IPs that make up a|b|c.foo.com.

      Any ideas?

      johnpoz (LAYER 8 Global Moderator)

        And does a.foo.com resolve on the public internet?

        If not, sure, create entries for a.foo.com in the override, then one each for b.foo.com and c.foo.com, and they will be returned round-robin.

        You can also do a redirect for foo.com so that anything.foo.com resolves to an IP or a list of IPs.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        gertty

          @johnpoz:

          And does a.foo.com resolve on the public internet?

          If not, sure, create entries for a.foo.com in the override, then one each for b.foo.com and c.foo.com, and they will be returned round-robin.

          You can also do a redirect for foo.com so that anything.foo.com resolves to an IP or a list of IPs.

          Yes, let's say this resolves on the public internet. I don't control the records for foo.com. The owner cycles through IP addresses; it's not a static set, but at any given time, 2-5 IPs will be returned.
          a.foo.com -> 11.1.1.1, 11.2.2.2
          b.foo.com -> 12.1.1.1, 12.2.2.2
          c.foo.com -> 13.1.1.1, 13.2.2.2

          What I would like to do on my local pfSense is create an alias called pool.foo.com and have my local clients that use this pool.foo.com get DNS results that include the whole set on average. I don't actually care if any given DNS query returns just a.foo.com or the IPs in a.foo.com, or whatever; I just want, over the long term of many resolutions of pool.foo.com, to resolve to the union of the IPs in a|b|c.foo.com.

          This pool.foo.com would only be local to my DHCP clients that use my pfSense box as their DNS.

          johnpoz (LAYER 8 Global Moderator)

            So do you know all the IPs that get returned from a.foo.com and b.foo.com, so that you could put them in this pool record? Since unbound is not authoritative it does not resolve CNAMEs for you. You can create a CNAME record, but it would have to be specifically queried for CNAME, etc.

            But you can create a pool.foo.com override with multiple IPs, and then whatever IPs you put in would get returned.

            I don't believe the GUI will let you do this, but you can put it in the options box.

            See example…

            
            C:\>dig @192.168.9.253 pool.foo.com
            
            ; <<>> DiG 9.10.3 <<>> @192.168.9.253 pool.foo.com
            ; (1 server found)
            ;; global options: +cmd
            ;; Got answer:
            ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28104
            ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
            
            ;; OPT PSEUDOSECTION:
            ; EDNS: version: 0, flags:; udp: 4096
            ;; QUESTION SECTION:
            ;pool.foo.com.                  IN      A
            
            ;; ANSWER SECTION:
            pool.foo.com.           3600    IN      A       1.1.1.1
            pool.foo.com.           3600    IN      A       1.1.1.2
            pool.foo.com.           3600    IN      A       1.1.1.3
            
            ;; Query time: 64 msec
            ;; SERVER: 192.168.9.253#53(192.168.9.253)
            ;; WHEN: Mon May 09 10:31:36 Central Daylight Time 2016
            ;; MSG SIZE  rcvd: 89
            
            C:\>dig @192.168.9.253 adfsdf.pool.foo.com
            
            ; <<>> DiG 9.10.3 <<>> @192.168.9.253 adfsdf.pool.foo.com
            ; (1 server found)
            ;; global options: +cmd
            ;; Got answer:
            ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15422
            ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1
            
            ;; OPT PSEUDOSECTION:
            ; EDNS: version: 0, flags:; udp: 4096
            ;; QUESTION SECTION:
            ;adfsdf.pool.foo.com.           IN      A
            
            ;; ANSWER SECTION:
            adfsdf.pool.foo.com.    600     IN      A       23.21.179.138
            adfsdf.pool.foo.com.    600     IN      A       23.21.224.150
            
            ;; AUTHORITY SECTION:
            foo.com.                600     IN      NS      ns2.digimedia.com.
            foo.com.                600     IN      NS      ns1.digimedia.com.
            
            ;; Query time: 249 msec
            ;; SERVER: 192.168.9.253#53(192.168.9.253)
            ;; WHEN: Mon May 09 10:31:43 Central Daylight Time 2016
            ;; MSG SIZE  rcvd: 126
            
            C:\>
            
            

            Now if you wanted, you could use redirect vs transparent. Then anything.pool.foo.com would also return these IPs. If you use transparent and you look up something other than pool, you would get back what the public net says about that record. Above is an example of a transparent zone.

            If you want round-robin type responses where the order changes, then add
            rrset-roundrobin: yes

            under the server: line in the custom box. Then you get back something like below:

            
            C:\>dig @192.168.9.253 pool.foo.com +short
            1.1.1.3
            1.1.1.1
            1.1.1.2
            
            C:\>dig @192.168.9.253 pool.foo.com +short
            1.1.1.1
            1.1.1.2
            1.1.1.3
            
            C:\>dig @192.168.9.253 pool.foo.com +short
            1.1.1.2
            1.1.1.3
            1.1.1.1
            
            



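The override johnpoz describes, generated from a refreshed name-to-address map, as an added example that is not from this thread or from pfSense: it takes the union of the member names' addresses (what gertty asked for), drops anything that is not a valid IP so junk never lands in the resolver config, and emits the server: fragment with rrset-roundrobin and a transparent or redirect local-zone. The sample addresses are the thread's made-up values, and the function names and the assumption that the fragment is pasted into the Resolver's custom options are mine.

```python
import ipaddress
from typing import Dict, Iterable, List

# Constructed sample input: what a/b/c.foo.com resolved to at refresh time.
# The addresses are the thread's own invented values; the overlap and the
# junk entry are deliberate to exercise deduplication and validation.
RESOLVED = {
    "a.foo.com": ["11.1.1.1", "11.2.2.2"],
    "b.foo.com": ["12.1.1.1", "12.2.2.2", "11.1.1.1"],   # overlap with a.foo.com
    "c.foo.com": ["13.1.1.1", "13.2.2.2", "not-an-ip"],  # must be dropped
}


def pool_addresses(resolved: Dict[str, Iterable[str]]) -> List[str]:
    """Union of all addresses behind the member names, validated and deduplicated."""
    seen = set()
    for addrs in resolved.values():
        for a in addrs:
            try:
                seen.add(ipaddress.ip_address(a))
            except ValueError:
                continue  # never write unparseable data into the resolver config
    # Stable order so that repeated runs produce an identical, diffable fragment.
    return [str(ip) for ip in sorted(seen, key=lambda ip: (ip.version, int(ip)))]


def unbound_pool_config(pool: str, addrs: Iterable[str], ttl: int = 3600,
                        zone_type: str = "transparent", roundrobin: bool = True) -> str:
    """Build the unbound 'server:' fragment for a local pool name.

    transparent: only the pool name itself is answered locally, anything else
    under it goes to the public DNS; redirect: every label under the pool name
    returns the same addresses (the two behaviours johnpoz contrasts above).
    """
    if zone_type not in ("transparent", "redirect"):
        raise ValueError("zone_type must be 'transparent' or 'redirect'")
    fqdn = pool.rstrip(".") + "."           # unbound local-data wants a trailing dot
    lines = ["server:"]
    if roundrobin:
        lines.append("  rrset-roundrobin: yes")
    lines.append(f'  local-zone: "{fqdn}" {zone_type}')
    for a in addrs:
        rtype = "AAAA" if ":" in a else "A"
        lines.append(f'  local-data: "{fqdn} {ttl} IN {rtype} {a}"')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(unbound_pool_config("pool.foo.com", pool_addresses(RESOLVED)))
```

Answers served from local-data are resolver-configured, not DNSSEC-validated, so every client trusting this resolver trusts whatever the refresh script wrote; keep the input validation and review the generated fragment before it reaches the custom options box.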
              gertty

              @johnpoz:

              So do you know all the IPs that get returned from a.foo.com and b.foo.com, so that you could put them in this pool record? Since unbound is not authoritative it does not resolve CNAMEs for you. You can create a CNAME record, but it would have to be specifically queried for CNAME, etc.

              Hmm, I don't and I didn't want this to be static so it could deal with old/new IPs over time as the owner of the domain changes them. But given what you said about CNAME, I think I'm stuck.

              What I'm trying to do is have the OpenVPN client pick a new IP every time it starts up. The VPN service I'm using has names per location (london.vpn4u.com, chicago.vpn4u.com, etc) which resolve to a set of IPs that change as the servers get busier or get taken offline.

              I am trying to pick 3-4 locations and have my local pfSense box or its DHCP clients sorta randomly pick an IP from one of these locations every time the vpn client starts up.

                johnpoz (LAYER 8 Global Moderator)

                Why don't you just create a CNAME on the public side that resolves to all your host names?

                Not sure why you want/think you need to do this in the pfSense resolver.


                  gertty

                  @johnpoz:

                  Why don't you just create a CNAME on the public side that resolves to all your host names?

                  Not sure why you want/think you need to do this in the pfSense resolver.

                  I don't follow what you mean by "CNAME on the public side". I don't control the SOA record for the domain I'm trying to do this with. I think I need to do this in the pfSense resolver because that's the thing I do have control over, and I can force all the pfSense DHCP clients to use the pfSense resolver as their DNS server.

                  It sounds like I'm using the wrong tool for the job. Is there a host file or some other override I can use to map a made up name "vpnpool.lan" to a set of someone else's publicly available hostnames?

                    johnpoz (LAYER 8 Global Moderator)

                    unbound is not an authoritative server; you cannot point a name you create to another name, i.e. a CNAME, and expect it to resolve correctly.

                    If you want to do that you need an authoritative name server. Create a public domain you want to use, then create a CNAME record and point it to whatever other names you want it to resolve to.

                    I agree you're using the wrong tool. No, a hosts file doesn't work that way either.


                      gertty

                      @johnpoz:

                      Create a public domain you want to use, then create a CNAME record and point it to whatever other names you want it to resolve to.

                      I agree you're using the wrong tool. No, a hosts file doesn't work that way either.

                      Oh man. I hate being dense. I've done this before (CNAME in my own domain to another hostname), I'm embarrassed I didn't think of it. Thanks for spoon-feeding me the answer, I'll just skulk away now  :'(

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.