Topic: one pfsense DNS resolver to use another pfsense as DNS server???

CadilLACi
one pfsense DNS resolver to use another pfsense as DNS server???
« on: February 06, 2018, 07:06:49 am »
Hi there!

I got 2 pfSense VMs, one in the main office (192.168.12.1), one in the branch office (10.0.0.1). They are connected via an OpenVPN tunnel.

I got the DNS resolver (unbound) set up in both locations. In the main office, I got a lot of host overrides that I use to mask global DNS entries when connecting to the network.

I would like to set up the branch office DNS resolver to query the main office for DNS lookups, so that I don't have to mirror my host overrides.

In the branch office, if I run "dig hostoverride.mydomain.etc @192.168.12.1", it returns the CORRECT A record just fine. So I can query the main office DNS server from there just fine, and the host overrides work.

In the branch office, the topmost DNS server in System/General Setup is 192.168.12.1, the main office pfSense box. If I run Diagnostics/DNS Lookup and query
hostoverride.mydomain.local, it returns the CORRECT A record just fine. In System/General Setup, "disable DNS forwarder" is checked, so the branch office pfSense box itself does not use its own DNS resolver. So the branch office pfSense box can query the DNS server of the main office pfSense box just fine.

However, if in the branch office I run from a command prompt "dig hostoverride.mydomain.etc @10.0.0.1", so I query its own DNS resolver, I get no answers.
Global DNS resolutions work, host overrides work, but I just CAN'T GET the branch office DNS resolver to use the main office DNS resolver as an upstream server.

I could give out the IP of the main office pfSense box as a DNS server DHCP option, but that seems too crude. Can't the 2 DNS forwarders handle it between each other?

I am sure I am doing something fundamentally wrong, but I just can't get my head around it.

Please enlighten me!

johnpoz
Re: one pfsense DNS resolver to use another pfsense as DNS server???
« Reply #1 on: February 06, 2018, 08:35:30 am »
Resolvers do not use upstream DNS, other than the roots, walking down to the authoritative servers for the domain in question.

You could set up a domain override on the downstream to point to the upstream for specific domains. But if you really just want the downstream to go ask the upstream, then set that unbound to just forward, or use the forwarder.
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.2-RELEASE-p1 (work)
1x SG-4860 2.4.2-RELEASE-p1 (home)

CadilLACi
Re: one pfsense DNS resolver to use another pfsense as DNS server???
« Reply #2 on: February 06, 2018, 09:32:18 am »
Hi!

Doesn't the "Enable Forwarding Mode" checkbox do the same for the DNS resolver?


johnpoz
Re: one pfsense DNS resolver to use another pfsense as DNS server???
« Reply #3 on: February 06, 2018, 10:02:25 am »
Yes, if you enable forwarder mode in unbound (that checkbox), then it will no longer resolve but forward.

CadilLACi
Re: one pfsense DNS resolver to use another pfsense as DNS server???
« Reply #4 on: February 21, 2018, 09:04:55 am »
Okay, I managed to solve this!!!

After turning up the log level to 5 and filtering the messages correctly, I ran into this:

sanitize: "removing public name with private address"

Turns out, the DNS query was made, the right address was returned and then thrown out the window, because it was a private address!!!!

Check out this post: https://blog.jenningsga.com/pfsense-dns-resolver-and-private-domains/

So adding this to the custom options solved the problem:

server:
private-domain: mydomain.net

Hope it helps someone other than me!
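As an added illustration (not code from the thread or from pfSense), here is a small Python model of the unbound sanitize rule that dropped the answer above: an A/AAAA record pointing into private address space is discarded unless its owner name falls under a configured private-domain. The private-address ranges below are an assumption meant to mirror the usual pfSense defaults, and the hostnames and addresses are constructed.

```python
import ipaddress

# Assumed private-address ranges, mirroring typical pfSense unbound defaults
# when DNS rebinding protection is on (RFC 1918, link-local, ULA).
PRIVATE_ADDRESS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("fd00::/8"),
    ipaddress.ip_network("fe80::/10"),
]


def is_private(addr):
    """True if the address lies inside one of the private-address ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_ADDRESS)


def in_private_domain(name, private_domains):
    """True if name equals, or is a subdomain of, any private-domain entry."""
    name = name.rstrip(".").lower()
    for dom in private_domains:
        dom = dom.rstrip(".").lower()
        if name == dom or name.endswith("." + dom):
            return True
    return False


def sanitize_answer(name, addresses, private_domains=()):
    """Apply the rebinding check to an answer for `name`.

    Returns (kept, dropped). A record is dropped when its address is private
    and the owner name is not covered by private-domain; this is the case
    unbound logs as "removing public name with private address".
    """
    kept, dropped = [], []
    for addr in addresses:
        if is_private(addr) and not in_private_domain(name, private_domains):
            dropped.append(addr)
        else:
            kept.append(addr)
    return kept, dropped


if __name__ == "__main__":
    # Constructed answer: a host override from the main office with an RFC 1918 address.
    print(sanitize_answer("hostoverride.mydomain.net", ["192.168.12.50"]))
    print(sanitize_answer("hostoverride.mydomain.net", ["192.168.12.50"], ["mydomain.net"]))
```

The first call shows the record being dropped with rebinding protection alone; the second shows the same answer surviving once mydomain.net is listed as a private-domain, which is why the custom option above fixed the lookup.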

johnpoz
Re: one pfsense DNS resolver to use another pfsense as DNS server???
« Reply #5 on: February 21, 2018, 09:55:56 am »
Yes, out of the box pfSense uses rebinding protection.

https://doc.pfsense.org/index.php/DNS_Rebinding_Protections
