pfSense and DNS

amrogers3

So from my understanding pfSense has several ways to assign DNS servers.

There is a "General Setup" tab where you can put in DNS, there is also the "DHCP Server" page where you can push DNS to clients.

I don't want clients assigned DNS via DHCP, so how can I make clients use the DNS servers listed in "General Setup". I understand this is for the router and not used by the LAN so not sure how to make my clients use these DNS servers.

I have openDNS servers listed in General Setup but my clients are completely bypassing the openDNS servers.

 
Hmm, why don't you just put the same DNS servers in the DHCP info? Not to be an ass, but it really sounds like you are saying "I want to tell my clients what DNS server to use, and there is this really easy way to do it via DHCP, but I don't want to do it that way for some reason" I think I'm just misunderstanding what you are asking for though.

I don't know if you can prevent a client from using a specific DNS if they enter one in manually, short of blacklisting specific IPs, forcing all traffic to go through an internal proxy, or getting down into some packet sniffing.
 
No worries Brian, I get what you are saying. Thanks for the post.

It's my limited knowledge of pfSense that is creating confusion. I have been googling and googling and can't figure out what purpose the DNS servers on the General Setup tab are for.

It seems like they would be used for resolution but the clients are completely bypassing them.

And yes, pushing DNS to them from the DHCP server definitely works, but I'm trying to lock down the firewall so that clients can only communicate with the gateway.
 
The General DNS is what the pfSense device uses. The DHCP DNS is what the clients behind it will use.
 
So like Brian was saying earlier, I have to push DNS out through the DHCP server settings in order for clients to use the openDNS servers?
 
Set the DHCP server to push out opendns for DNS and you should be good.
 
You might be able to set firewall rules to redirect all outbound traffic from the LAN on the DNS port to your preferred DNS server(s).
 
I would set them through DHCP, but also create a firewall rule to block port 53 UDP and TCP to all other IPs but those ones. If someone tries to change it, it just won't work.
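
The redirect-or-block approach suggested in the two posts above, written out as the pf rules that pfSense ends up loading rather than as GUI steps. This is an added example, not from the thread and not pfSense's own generated ruleset; the interface name em1 and the LAN network 192.168.1.0/24 are assumptions for illustration, and it presumes the resolver on the firewall (Unbound or the DNS Forwarder) listens on localhost and the LAN address.

```pf
# Added example: force LAN clients to resolve only through the firewall.
# Assumptions (not from the thread): LAN interface em1, LAN network
# 192.168.1.0/24, and a resolver on the firewall listening on 127.0.0.1
# and on the LAN address.
lan_if  = "em1"
lan_net = "192.168.1.0/24"

# Translation rules are evaluated before filter rules. Any DNS query from
# the LAN that is not already aimed at the firewall's LAN address is
# redirected to the resolver on loopback. Both UDP and TCP: large answers
# and zone transfers use TCP, so a UDP-only rule leaves a gap.
rdr on $lan_if proto { tcp, udp } from $lan_net to ! ($lan_if) port 53 -> 127.0.0.1 port 53

# Filter rules see the post-translation destination, so allow direct
# queries to the LAN address and the redirected ones (now to 127.0.0.1).
pass in quick on $lan_if proto { tcp, udp } from $lan_net to ($lan_if) port 53
pass in quick on $lan_if proto { tcp, udp } from $lan_net to 127.0.0.1 port 53

# Belt and braces: a query that still targets some other resolver on 53
# is refused with RST/ICMP unreachable so the client fails fast instead
# of hanging until its resolver timeout.
block return in quick on $lan_if proto { tcp, udp } from $lan_net to any port 53

# DNS over TLS (TCP 853) to a third-party resolver would bypass the
# policy as well; refuse it. DNS over HTTPS rides on 443 and cannot be
# separated from ordinary web traffic by a port-based rule.
block return in quick on $lan_if proto tcp from $lan_net to any port 853
```

In the pfSense GUI the rdr line corresponds to a Port Forward on LAN with destination "LAN address", "Invert match" ticked, and redirect target 127.0.0.1 port 53 (pfSense adds the matching pass rule for you); the block line is a LAN rule for destination any, port 53, placed above the default allow rule. To check it from a client, point a query at some other public resolver, e.g. `dig example.com @8.8.8.8`: with only the block rule it must fail immediately, with the redirect in place it is answered, but by the firewall.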
 
UDP 53 is DNS (yes, TCP for zone transfers or large queries). 25 TCP is smtp.

You can redirect outbound to or only allow DNS to your preferred.
 
UDP 53 is DNS (yes, TCP for zone transfers or large queries). 25 TCP is smtp.

You can redirect outbound to or only allow DNS to your preferred.

Errr yeah not sure why I said 25, was having a brain fart there. I meant to say 53.
 
I don't think anyone really answered your question, and it might be a bit unclear what you want to do. But I'll explain some things as I think you're just not sure of how DNS resolving works in pfSense.

You can set OpenDNS as the DNS servers in General Setup, that's fine. You'll want to make certain "Allow DNS server list to be overridden by DHCP/PPP on WAN" is unchecked under General Setup too, or whatever your ISP assigns as DNS will be overridden.

After this, you have two options. If you have at least 2.2.2 (and probably this is true in 2.2.1) you can use Unbound DNS server on pfSense. This is what I'd recommend. Unbound is awesome. You'll find it in DNS Resolver. If you want to use that, check out DNS Forwarder and make sure "Enable DNS forwarder" is unchecked. If you want to use DNS Forwarder, check that and make certain "Enable DNS Resolver" under Services > DNS Resolver is unchecked.

So as far as Unbound setup goes, we need to do a few things really quick. Services > DNS Resolver. Enable it. Set Network Interfaces to LAN and Localhost, and OPT1 if you have it and it's LAN side. Or any other interfaces that are *inside* (LAN side) of your network. No WAN interfaces should be checked here. Use CTRL to select multiples. Outgoing should remain "all".

I don't think OpenDNS supports DNSSEC, leave unchecked probably. DNS Query Forwarding needs to be checked. This means that instead of using DNS root servers, it'll use the DNS servers you've defined in General Setup. That's it, save and apply, make sure everything is right after the reload on that page.

Then in DHCP Server, you're going to set your DNS Servers there to whatever IP your pfSense box is. Maybe 192.168.1.1 or whatever. You'll only need that one IP in. Save and Apply. You'll need to do this for any LAN side interfaces.

So to directly answer one of your questions in post 3, the DNS servers listed in General Setup are for pfSense use. If you use Unbound (DNS Resolver) or DNS Forwarder it'll then use those servers. Unless you have reason to do otherwise, I'd recommend setting up like I've outlined using DNS Resolver, it's really good.

After you've set up DHCP Server to assign the pfSense IP as DNS server for your network, reload the NIC on a client machine or just reboot. Once you've done that you'll see that for DNS Server that client is assigned your pfSense IP.
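
The DNS Resolver settings walked through in the post above, shown as the unbound.conf they amount to. This is an added example, not from the thread and not the file pfSense itself generates; the addresses are assumptions for illustration: LAN 192.168.1.0/24 with the firewall at 192.168.1.1, OPT1 192.168.2.0/24 at 192.168.2.1, and OpenDNS's public resolvers 208.67.222.222 and 208.67.220.220 standing in for whatever is entered under General Setup.

```unbound
# Added example: Unbound configured the way the post describes.
# Assumptions (not from the thread): LAN 192.168.1.0/24 with the
# firewall at 192.168.1.1, OPT1 192.168.2.0/24 at 192.168.2.1, and the
# public OpenDNS resolvers as the General Setup servers.
server:
    # Network Interfaces: LAN, Localhost, OPT1. The WAN address is
    # deliberately absent, so this is not an open resolver.
    interface: 127.0.0.1
    interface: 192.168.1.1
    interface: 192.168.2.1
    port: 53

    # Only inside networks may ask; anything else gets REFUSED.
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    access-control: 192.168.2.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # DNSSEC left off as the post suggests (no auto-trust-anchor-file,
    # no val-* options). Caveat: with validation off here and a
    # non-validating upstream, nothing on this path validates answers.

    # Rebinding protection: public answers that point at inside
    # addresses are stripped from replies.
    private-address: 192.168.0.0/16
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12

    hide-identity: yes
    hide-version: yes

# "DNS Query Forwarding" checked: instead of iterating from the root
# servers, every query is sent to the General Setup servers.
forward-zone:
    name: "."
    forward-addr: 208.67.222.222
    forward-addr: 208.67.220.220
```

pfSense writes its generated file to /var/unbound/unbound.conf, and `unbound-checkconf` on that file catches typos before a reload. From a client, after the lease is renewed, `nslookup example.com` should report the pfSense address as the server, and `nslookup -type=txt debug.opendns.com` returns TXT records naming the OpenDNS resolver that actually handled the query, which is the direct check for the original complaint that clients were bypassing OpenDNS.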







 