Topic: DNS Forwarder: Port Shut?

tlum (Jr. Member)
DNS Forwarder: Port Shut?
« on: June 21, 2012, 07:42:27 pm »
I'm trying to start using the DNS Forwarder in pfSense. My internal DNS servers - which also answer recursive external queries - are on one internal subnet. It's kind of annoying to have to go in and set up rules on all the other subnets to pass traffic to the DNS servers. I was hoping to let pfSense magically proxy that traffic. However, all the DNS queries return ICMP - udp port 53 unreachable, which usually means the port is shut.

So jumping to conclusions I would guess the forwarder is behind the firewall filters and each subnet is going to need filter rules to allow DNS traffic to pfSense so the DNS Forwarder will work?
Is there any documentation on the setup of DNS Forwarder? From what I've seen it makes it sound like you just enable the check box and it just magically works but I'm finding that not to be the case.
So DNS Forwarder is not going to help me because I have to set up rules on every subnet anyway so I might as well not use it?

cmb (Administrator, Chris Buechler)
Re: DNS Forwarder: Port Shut?
« Reply #1 on: June 21, 2012, 09:19:26 pm »
With any service, you have to permit traffic to reach it via the firewall for it to work. There are ways to ease that process, with interface groups, or floating rules.

tlum (Jr. Member)
Re: DNS Forwarder: Port Shut?
« Reply #2 on: June 21, 2012, 09:49:28 pm »
Well, sounds like it won't reduce the number of rules to manually maintain, so it's best not to use it in this case because it's an increase in complexity with no benefit [for me]. Thanks

cmb (Administrator, Chris Buechler)
Re: DNS Forwarder: Port Shut?
« Reply #3 on: June 22, 2012, 01:14:27 pm »
As I said, use interface groups or floating rules. You can do that with 1 rule.

tlum (Jr. Member)
Re: DNS Forwarder: Port Shut?
« Reply #4 on: June 22, 2012, 06:27:28 pm »
That being the case, I can "allow" to the local DNS servers with one rule too. I think the main argument for DNS Forwarder is split horizon, where you have to proxy DNS requests to different servers. Since all of my DNS queries are answered by one set of servers regardless of whether it's an internal or external domain, DNS Forwarder offers no real benefit [that I can see] and would contribute to the complexity of the setup... the rules are really a wash.

cmb (Administrator, Chris Buechler)
Re: DNS Forwarder: Port Shut?
« Reply #5 on: June 23, 2012, 09:54:50 am »
Where you already have internal DNS servers, the only benefit of the DNS forwarder is it may improve lookup performance since it'll query all its configured servers simultaneously and take the fastest response. Aside from that, it's mostly beneficial for networks that don't have any local DNS servers.
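Two things in this thread lend themselves to a small worked example: the original symptom (queries to the forwarder coming back as ICMP port unreachable rather than timing out, which is the difference between a host that refuses the packet and a firewall that silently drops it) and cmb's description in Reply #5 of the forwarder querying all of its configured servers at once and taking the fastest reply. The script below is an added example written for this page, not pfSense code; it hand-builds a minimal DNS query, classifies what a single server does with it, races several servers for the first valid answer, and includes a constructed stand-in resolver on 127.0.0.1 so it runs offline. The name `probe.example`, the function names and the loopback ports are all assumptions of the example.

```python
"""Added example for this thread (not pfSense code): classify what a DNS server
does with a UDP/53 query, and race several servers for the first valid reply."""
import os
import select
import socket
import struct
import threading
import time


def build_query(name: str, qid: int) -> bytes:
    """Minimal DNS A/IN query with the RD flag set, in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def valid_reply(data: bytes, qid: int) -> bool:
    """Accept only a response (QR bit set) whose transaction ID matches ours."""
    return len(data) >= 12 and struct.unpack("!H", data[:2])[0] == qid and bool(data[2] & 0x80)


def probe_dns(host: str, port: int = 53, name: str = "probe.example", timeout: float = 2.0) -> str:
    """Return 'answered', 'port_unreachable', 'timeout' or 'malformed' for one query.

    A connected UDP socket surfaces an ICMP port-unreachable (the symptom in the
    first post) as ConnectionRefusedError; a silently blocking firewall rule
    shows up as a timeout instead, which is the distinction worth checking first.
    """
    qid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        try:
            s.send(build_query(name, qid))
            data = s.recv(512)
        except ConnectionRefusedError:
            return "port_unreachable"
        except socket.timeout:
            return "timeout"
    return "answered" if valid_reply(data, qid) else "malformed"


def race_resolvers(servers, name: str = "probe.example", timeout: float = 2.0):
    """Send one query to every (host, port) simultaneously, as Reply #5 describes,
    and return the first server whose reply validates, or None if nobody answers."""
    qid = int.from_bytes(os.urandom(2), "big")
    query = build_query(name, qid)
    pending = {}
    for host, port in servers:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.setblocking(False)
        s.connect((host, port))
        s.send(query)
        pending[s] = (host, port)
    deadline = time.monotonic() + timeout
    winner = None
    try:
        while pending and winner is None:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                break
            readable, _, _ = select.select(list(pending), [], [], remaining)
            for s in readable:
                try:
                    data = s.recv(512)
                except ConnectionRefusedError:  # this server sent ICMP unreachable; drop it
                    pending.pop(s)
                    s.close()
                    continue
                if valid_reply(data, qid):
                    winner = pending[s]
                    break
    finally:
        for s in pending:
            s.close()
    return winner


def start_fake_resolver(bind_host: str = "127.0.0.1"):
    """Constructed stand-in for a resolver: answers every query with an empty
    NOERROR reply on an ephemeral port. Returns (socket, port); close the socket to stop it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((bind_host, 0))

    def serve():
        while True:
            try:
                data, peer = srv.recvfrom(512)
            except OSError:
                return  # socket closed by the caller
            if len(data) >= 12:
                # echo ID and QDCOUNT, set QR/RD/RA, zero the other counts, repeat the question
                srv.sendto(data[:2] + b"\x81\x80" + data[4:6] + bytes(6) + data[12:], peer)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_fake_resolver()
    print("listening resolver:", probe_dns("127.0.0.1", port))
    srv.close()
    print("closed port:", probe_dns("127.0.0.1", port, timeout=1.0))
```

Run against a real firewall address and port 53 from a client subnet, `probe_dns` separates "the packet reached the host but nothing there accepted it" from "a rule dropped it on the way", which tells you whether to look at the listener or at the interface rules cmb refers to. `race_resolvers` discards servers that refuse and keeps waiting on the rest until the deadline, so a dead upstream cannot hold up the answer from a live one.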