DNS Tools: Configuring DNS Forwarding in pfSense

DNS Forwarding: A Useful DNS Tool

A DNS forwarder is a DNS tool which enables a network to skip the normal DNS resolution process and instead forward certain DNS requests to specified DNS servers, asking them to do the resolution work for it. Under pfSense, the DNS forwarder allows pfSense to act as a DNS server with a number of different features. It is a useful DNS tool in that it allows pfSense to resolve DNS requests using hostnames obtained by DHCP service, static DHCP mappings, or manually entered information. The DNS forwarder can also forward all DNS requests for a particular domain to a server specified manually.

DNS Tools: Configuring Common DNS Forwarding Options

DNS tools

Configuring DNS forwarding in pfSense 2.1

Like most DNS tools, some configuration is required. To configure the DNS forwarder, first navigate to Services -> DNS Forwarder. Check the “Enable DNS forwarder” check box. If you check “Register DHCP leases in DNS forwarder“, then matches that specify their hostname when requesting a DHCP lease will be registered in the DNS forwarder, so that their name can be resolved (these are the hosts that appear in the list at Status -> DHCP Leases or, if it is an IPv6 address, DHCPv6 Leases). If “Register DHCP static mappings in DNS Forwarder” is checked, then DHCP static mappings will be registered in the DNS forwarder (these hosts are found by navigating to Services -> DHCP Server and scrolling down to “DHCP Static Mappings for this interface“).

At “Host Overrides“, (near the bottom of the page) specify individual hosts to be served as DNS records by clicking the “plus” button to add a record. Devices in this list are checked first, so even if a record exists elsewhere, the record here takes precedence and is immediately returned. Scrolling even further down the page and just below “Host Overrides“, you will see the “Domain Overrides” section. Here you can specify a DNS server for a particular domain by clicking the “plus” button to add a record. These records are checked immediately after the individual records are defined above. Thus, a match here will take precedence over records that may exist elsewhere.

Configuring Additional Options

DNS tools

Additional options of the DNS Forwarder under pfSense 2.1

As with most DNS tools, here are some other options available. If you check “Resolve DHCP mappings first“, then DHCP mappings will be resolved before the list specified in “Host Overrides“. This only affects the name given for a reverse lookup. As of pfSense 2.1, the “DNS Query Forwarding” subsection contains three options. Checking “Query DNS servers sequentially” causes pfSense DNS Forwarder (dnsmasq) to query the DNS servers sequentially in the order specified at System -> General Setup under the DNS Servers tab, rather than all at once in parallel. Checking the “Require domain” checkbox will prevent DNS Forwarder from forwarding A or AAAA queries for plain names (without dots or domain parts) to upstream name servers. If the name is not known from /etc/hosts or DHCP, then a “not found” answer is returned. Finally, checking “Do not forward private reverse lookups” prevents DNS forwarder from forwarding reverse DNS lookups for private addresses (those defined as such in RFC 1918) to upstream name servers. Any entries in the “Domain Overrides” section forwarding “n.n.n.in-addr.arpa” private names to a specific server are still forwarded. If the IP to name is not known from /etc/hosts, DHCP or a specific domain override, then a “not found” answer is returned.

At “Listen Port“, you can specify a port used for responding to DNS queries (the default is 53), which is useful if another service needs to bind to TCP/UDP port 53. Under “Interfaces“, you can choose the IPs that will be used by the DNS Forwarder for responding to queries from clients. The default behavior is to respond to queries on every available IPv4 and IPv6 address. Each interface is listed twice; e.g. “WAN” and “WAN IPv6 Link-Local“; thus you can limit responses to those clients on a specific interface or clients on a specific interface with an IPv6 address. “Localhost” is also an option. If you check “Strict Interface Binding“, the DNS Forwarder will only bind to the interfaces containing the iP addresses selected in the “Interfaces” list box. This option does not work with IPv6. Finally, under “Advanced” you can enter any additional options you would like to add to the dnsmasq configuration, separated by a space or newline.

When you’re done configuring options in this section, press the “Save” button to save the changes, and on the next screen, press the “Apply changes” button.

External Links:

Undersanding DNS Forwarding at www.dnsmadeeasy.com

DNS Forwarder at doc.pfsense.org

Link Ads:

Be Sociable, Share!

Speak Your Mind


© 2013 David Zientara. All rights reserved. Privacy Policy