PfSense DNS Server
Solvedavion-f16 Posted messages 19182 Registration date Status Contributor Last intervention -
Hello,
I set up a PFSense firewall on a Proxmox server. Three interfaces have been configured: one WAN with interface address x.x.x.x/24, one LAN with address 192.168.1.1/24 (gateway: 192.168.1.254), and a last one for the DMZ.
I have a client machine connected to the LAN network, so I connect to the Web interface of PfSense. I enable the DNS server, but it doesn't work because I can't connect to Google, for example.
There may be a problem with the WAN gateway?
3 answers
Hello,
In fact, I think at this stage we shouldn’t reason in relation to whether we are using pfSense or not. The Linux that is there "doesn't care" and either the network configuration is correct in absolute terms, or it is not. If it is not, then we need to ask if pfSense can explain why it is not correct.
ip route
At first glance, the routing table reported in message #3 seems correct to me.
Regarding messages #4 and #5, I actually think there is a misunderstanding.
- In IP routing, we look at the destination IP and choose the route whose prefix is the most specific and contains the destination address.
- The interface involved (real, virtual, ethernet, wifi, VPN) doesn’t matter, the reasoning never changes. No need to ask existential questions or talk about WAN or LAN.
- The reasoning remains true regardless of how the route has been configured or learned. No need to wonder if the route is learned via DHCP, manually configured, or learned through a routing protocol.
- In your case, your routing table shows that there are two scenarios:
- If the IP starts with 192.168.1.* then it belongs to the network 192.168.1.0/24. Since this prefix is the most specific in the routing table, the corresponding route is used. The IPs in this prefix are directly reachable (no gateway, hence the 0.0.0.0) via ens18 because they are part of the same prefix (192.168.1.0/24).
- Otherwise, the IP belongs to the prefix 0.0.0.0/0 (default) and therefore the default route is used. This must involve a routable gateway. In this case, the gateway is 192.168.1.1 and it is reachable thanks to the other route, so everything is presumably correct. The question remains whether 192.168.1.1 exists and can act as a gateway.
ping (gateway)
Can you ping your gateway?
- If yes, move to the next test
- If not, there’s a strong chance everything else won’t work because if you can’t reach the gateway, you won’t be able to reach the rest.
- Check that you can ping your own machine. If not, you might have a firewall issue on your own machine (which is blocking the emission or reception of ICMP packets used by ping).
- Verify that the IP address of the gateway is correct. If not, you may need to revisit how it was configured (local configuration or DHCP server configuration).
ping (DNS)
Can you ping the DNS server?
ping -c2 172.0.0.53
- If yes, move to the next test
- If not, does the IP of the DNS seem correct to you?
- Note that ping is not a perfect test to know if the routing is correct (if there is no response, it could be because a firewall is blocking ping. In that case, still perform the test with nmap). If ping works, then the routing is correct.
nmap
The DNS server normally hosted on 172.0.0.53 may not respond as the DNS request might be filtered by a firewall, either on the machine you are configuring, on 172.0.0.53, or on an intermediary machine located between the two (for example, gateway 192.168.1.1).
To check if the DNS port (53) is visible from the machine you are configuring, install nmap and run:
nmap -p 53 127.0.0.53
For reference, here’s what nmap returns for my own DNS server (in my case, 192.168.0.254):
(mando@silk) (~) $ nmap -p 53 192.168.0.254 Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-13 19:32 CEST Nmap scan report for 192.168.0.254 Host is up (0.0031s latency). PORT STATE SERVICE 53/tcp open domain Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds In your case, does your machine see port 53 for 172.0.0.53?
- If yes, then the problem is presumably neither related to routing, nor to a firewall, nor to the DNS server being down. We would then need to check the DNS server logs for what’s not working.
- If not, check that the DNS server 172.0.0.53 is running.
- If it is running, check what happens if you configure another DNS server.
Test with another DNS
No matter how your DNS configuration is obtained (via DHCP or manually), you can temporarily replace your DNS server in /etc/resolv.conf so that it has:
nameserver 8.8.8.8 This corresponds to the anycast address of Google’s DNS.
Does it work?
- If yes, the problem is likely due to the DNS server 172.0.0.53 itself. You should check its logs.
- If not, it is possible that a machine (either the one you are configuring, or the DNS server, or a machine in between) is filtering the request with its firewall.
Good luck
Thank you both very much for these explanations, it's very informative! After the various analyses done through your messages, I found the solution.
I needed to check the "Enable Forwarding Mode" option to allow the PfSense DNS server to forward DNS queries to the next server if it cannot resolve them itself.
Regarding the airplane-f16 message, I actually added the DNS address of PfSense, which is 192.168.1.1, on each "client" machine in resolv.conf. So I imagine there's a cleaner way to do this, probably directly on PfSense? I'll look into this.
So I'll continue my configuration; I still have a lot of work to do.
Have a nice day!
PS: If anyone wants more information about my configuration, especially regarding the questions from airplane-f16 that I didn't need to answer, feel free to ask!
Hello,
You can indeed modify the DHCP service configuration so that it suggests to client machines to use 192.168.1.1 as DNS.
If you have no reason to run your own DNS on pfSense, the easiest thing would be to disable the DNS service on pfSense and configure the client machines to directly use an external DNS like those from Google, CloudFlare, OpenDNS, Quad9, ... (via DHCP).
The answers to my questions are presumably unnecessary, but the DNS service on pfSense should also work in "recursive resolver" mode.
Hello,
> a LAN with address 192.168.1.1/24 (gateway: 192.168.1.254)
No gateway should be configured on the pfSense LAN interface.
And for the machines connected to this LAN, the gateway and DNS are the pfSense router, so 192.168.1.1
Make sure that the information configured in the DHCP server is consistent with this.
But why is a gateway not needed for a LAN network?
Because pfSense does not need a gateway to reach the LAN. It is the other machines on the LAN that need pfSense to access other networks (including the Internet).
I need to specify the IP address 192.168.1.1 in the DNS server settings, right?
Are you talking about the DNS configuration of pfSense? That's unrelated to the DNS configuration for clients. The DNS used by pfSense concerns the DNS resolutions that pfSense needs to perform for its own purposes (updates, etc.).
Ok, I've added the address 192.168.1.1 (with nameserver) to /etc/resolv.conf, and when I test the ping on google.fr again, it runs for a while (unlike before when the error appeared directly) and then it shows the error. If I make a request on Google directly on the web, it tells me to check my internet connection. Maybe I need to add the resolution for the server 8.8.8.8?
Are you modifying the /etc/resolv.conf file of pfSense or a machine in the LAN?
If it’s pfSense, you are not supposed to modify this file directly; this should be done through the Web UI. Furthermore, modifying this file will not affect the DNS used by the machines in the LAN. Also, if you want pfSense to use its own resolver, it should then be pointed to 127.0.0.1.
If it's on a machine in the LAN, this machine seems to be using the systemd resolution system (resolved) given the address 127.0.0.53. You are also not supposed to modify this file in this case.
I suggest putting the machines in the LAN aside for the moment; let's first check the proper functioning of pfSense.
Can you clarify:
- The DNS that you want pfSense to use for its own DNS resolutions? Its internal resolver, or an external relay?
- How you applied this configuration? Normally, it happens via the Web UI > System > General Setup. https://docs.netgate.com/pfsense/en/latest/config/general.html
- Can pfSense ping remote hosts? See the "diagnostics" menu
https://docs.netgate.com/pfsense/en/latest/diagnostics/ping.html - Can pfSense perform DNS resolution for a name like commentcamarche.net?
https://docs.netgate.com/pfsense/en/latest/diagnostics/dns.html
Hello, please note that access to Google does not work directly on the PfSense router either. I have run the commands on it:
ip route :
cat /etc/resolv.conf :
ping -c2 www.google.fr :
On PfSense, for the WAN interface, I indicated the gateway x.x.x.254 which also corresponds to the DNS server, so I set it in the DNS configuration of PfSense.